[opensource-wg] Contribution and credits policy BCP draft

2024-05-23 Thread Maria Matejka via opensource-wg
Dear fellow OSS WG participants,

following up on my talk today, I'm sending here the BCP draft for
further discussion.

> Open-source projects SHOULD publish their contribution and credits policy and
> be open about how (and if) people can contribute. Open-source project
> maintainers SHOULD adhere to the published policy and update it when
> circumstances change.
>
> To create such a policy, maintainers can use a [policy 
> guide](https://github.com/contribution-credit/policy/blob/main/policy_guide.md)
> as a starting point. Maintainers are advised to be as open and friendly as 
> they can.

For reference, you can also
[replay my talk](https://ripe88.ripe.net/programme/meeting-plan/os-wg/) or
[see RIPE 87 OSS WG 
session](https://ripe87.ripe.net/programme/meeting-plan/os-wg/).

And here are some previous relevant threads in this list:
- [first 
draft](https://www.ripe.net/ripe/mail/archives/opensource-wg/2023-December/000218.html)
- [second 
draft](https://www.ripe.net/ripe/mail/archives/opensource-wg/2024-January/000236.html)
- [article at 
LWN](https://www.ripe.net/ripe/mail/archives/opensource-wg/2024-May/000270.html)

And that's probably all information you may need for context so please
comment and roast this BCP draft.

Happy contributing and crediting!

Maria

-- 
Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.
___
opensource-wg mailing list
opensource-wg@ripe.net
https://lists.ripe.net/mailman/listinfo/opensource-wg

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/opensource-wg


Re: [opensource-wg] Hello!

2024-02-13 Thread Maria Matejka via opensource-wg
Hello Patrick,

I have never seen people either introducing themselves upon joining public 
mailing-lists, or saying hello to newcomers.

This may look strange at first sight, but if you count the number of people 
involved, the complexity is quadratic. If 10 people were already in the list 
and another 10 joined, you're asking for 145 e-mails just for welcoming. This 
doesn't scale. The same way OSPF doesn't scale for routing the whole Internet.

This is not isolated to mailing-lists – some people on Facebook, after being 
added to a group, like to post there "thanks for letting me in". It's annoying 
when you see 50 such messages every day and the actual topics are lost in the 
noise. There were even groups where posting this "thank you for accepting" 
message would get you an instant ban.

This is also not a Discord server where people's activity can be measured by 
how much they are terminally online. Many of us are here for just coordinating 
and discussing stuff, and when there is nothing to say, then we say nothing. 
This just means that we currently don't have anything to say, not that we are 
inactive.

I can see how this may be strange and unwelcoming for some people, especially 
if you're neurotypical. Anyway, this is what happens at most of the 
mailing-lists I'm in and I don't see any reason to have it here differently.

Also, just by the way, all the archives are public. You are not spying on us by 
subscribing and I doubt that anybody would feel spied on by somebody 
subscribing to a mailing-list and not saying hello. More than that – it's 
perfectly ok to just subscribe and listen in.

The best way to introduce yourself is actually to bring a topic or to 
contribute to one. With that, we can react and have a meaningful discussion. 
With just a hello, don't be surprised that nobody reacted – to not react to 
hellos is the right thing to do to keep the noise ratio low.

Thank you for your understanding.
Maria


On 13 February 2024 16:31:39 GMT-05:00, Patrick Masson wrote:
>Maybe the perspective of a newbie might be of some help--or maybe not--but...
>
>I discovered RIPE NCC from an article on the Open Source Initiative's website, 
>"The ultimate list of reactions to the Cyber Resilience Act" [1], which led me 
>to a page on the European Commission's website [2].
>
>I had to do a bit of hunting around to find out more about RIPE NCC and the 
>organization's open source activities (as I would expect), but a quick search 
>[3] led me right to the Open Source WG [4].
>
>The information there must have been complete/relevant enough to entice me to 
>join. I will admit I had to do a bit more searching/investigating to learn 
>more about RIPE as the page and working group noted that the list and WG were 
>for the "RIPE community" and "open source projects related to the RIPE 
>community." So MAYBE if I was a bit more shy (or considerate) I would not have 
>joined as neither are exactly in line with my area of 
>work/development/interest, i.e., education technology, higher education, 
>research computing, etc. However as open source was the theme and I am 
>interested in learning and working more with folks in the EU, I thought I 
>would reach out.
>
>Once I joined the list (easy to do), I introduced myself; which I feel is the 
>considerate thing to do, just so no one feels I am spying on them.
>
>I was very happy to get a friendly reply from the WG chair that not only 
>welcomed me and introduced himself (and the list) but also included a few 
>topics of shared interest which sparked a few more exchanges. I felt like the 
>list was active and grateful for my participation.
>
>So, if my experience is any indication, I think "on-boarding" went pretty well.
>
>If I were to offer any suggestions,
>
>- I can understand how, if the reply is only to me, others might not know (and 
>therefore be concerned) if I received a reply. I can also understand not 
>wanting to pollute the list. Maybe create a generic reply so the list members 
>can see the new member was welcomed? I'd also encourage others to say hello as 
>well. Both Martin and Luka said Hi. I assume there are three people active on 
>the list!?
>
>- The WG page *could* be a bit more descriptive so that those unfamiliar with 
>RIPE or the discussions could learn more. But this might be a never ending 
>quest, as I suspect there will always be additional information that could 
>help the next person. I did search the list archives [5] before actually 
>joining to try and determine if the discussions would actually be of interest 
>to me--and if my interests would be of interest to you all. I am not sure if 
>other potential members would do this.
>
>I hope this helps,
>Patrick
>
>
>1. 
>https://blog.opensource.org/the-ultimate-list-of-reactions-to-the-cyber-resilience-act/
>2.
> 

Re: [opensource-wg] Second draft: Credit policy for open source projects

2024-01-10 Thread Maria Matejka via opensource-wg
Hello Valerie and others,

I drafted a full new section about how to actually name people correctly. 
(Thanks to Valerie for indirectly pointing at this issue.)

The text is probably too sarcastic at some places, reflecting some of my 
experience (mostly) outside IT. Feel free to smoothen the rough edges.

Also feel free to continue working on it from other perspectives which I may 
have missed when typing this on my phone while commuting.

Have a nice day, night, fortnight or whatever you wish!
Maria


On 8 January 2024 20:28:41 CET, Valerie Aurora wrote:
>Hi all,
>
>Thanks for the useful feedback on the first draft of the credit
>policy! Thank you especially to Maria, who wrote many useful
>additions, all of which are now integrated.
>
>My plan is to get one more round of comments on this within the OS wg,
>then do a public call for comments, then make an initial release.
>
>Please review the current version, included inline below and in the
>Google Docs link (suggestions for better co-editing tools welcome).
>
>In addition to Maria's contributions, I made one additional change to
>the document: a proposed credit and license section using Creative
>Commons Zero 1.0 Universal license:
>
>"This credit policy by RIPE NCC Open Source Working Group and lead
>authors Valerie Aurora, Maria Matějka (project BIRD, CZ.NIC), Martin
>Winter, and Marcos Sanz is marked with CC0 1.0. If you create a
>derivative work, we request but do not require that you voluntarily
>give credit to the above contributors."
>
>This is about reducing friction. The CC BY-SA 4.0 license would
>require crediting every person who ever contributed by name or risk
>legal problems, which often causes people to decide it is too much
>trouble to use. CC0 would allow people to use their judgement on who
>to credit, without worrying about legal requirements. As such, it is
>in the spirit of the credit policy itself. My personal view is that
>the kind of person adopting a credit policy will likely give credit
>voluntarily.
>
>Thoughts?
>
>https://docs.google.com/document/d/1A4PVQ8iAZFPWySxMdY-EYDArII3BrlK_t70Cek6iwhc/edit
>
>Valerie
>
>Credit policy for open source projects - working draft
>
>
>Introduction
>
>The problem: people disagree about credit for contributions
>
>Our solution: a written policy
>
>Scope of a credit policy
>
>Credit for this policy
>
>Real-world examples
>
>Policy structure
>
>Preamble options
>
>We welcome a broad range of contributions from as many contributors as possible
>
>We welcome contributions that do not need much work
>
>We accept outside contributions rarely
>
>We prioritize speed of development
>
>Only bug fixes welcome
>
>My personal project subject to my personal whims
>
>Our corporate project not open to outside contributions
>
>Our research project not open to outside contributions
>
>[YOUR PREAMBLE HERE]
>
>Credit assignment options
>
>Correcting mistakes in credit
>
>Reporting problems with credit
>
>Introduction
>
>The purpose of this document is to develop an example credit policy: a
>written description of how an open source software project gives
>credit for contributions.
>
>
>This project was created and led by many members of the RIPE NCC Open
>Source Working Group:
>
>
>https://www.ripe.net/participate/ripe/wg/active-wg/os
>
>The problem: people disagree about credit for contributions
>
>Open source software projects receive a wide variety of contributions
>from many different people and organizations. Each contributor has
>their own assumptions and expectations for what kind of credit
>contributions should receive. When there is a mismatch between the
>credit a contributor expects to get and what they actually get, both
>the project and the people around it suffer. This is an especially
>important problem for open source software because the main motivation
>for contributing is often recognition and credit; when people don't
>receive what they expect, they are less likely to contribute in the
>future. This also applies for upstreaming local changes. Even though
>the main motivation may seem to be some reduction of future
>maintenance costs, all the parties benefit from proper crediting, e.g.
>when some changes in the contributed code are proposed in future and
>consulting with the original authors is handy.
>
>
>Two concrete examples:
>
>
>How I got robbed of my first kernel contribution – Ariel Miculas
>
>
>Someone sends in a contribution that needs a little more work. The
>other contributors are too overworked to review the contribution. Some
>time later, another person fixes the same problem without ever seeing
>the first contribution. The first person says, "Hey, why did you
>rewrite my work without giving me credit?"
>
>Our solution: a written policy
>
>Our proposed solution to this problem is for each project to write
>down and publish a formal credit policy (or contribution policy, or
>anti-plagiarism policy - whatever name seems best). This policy
>describes what kind of credit and 

Re: [opensource-wg] Call for support of co-chair candidates

2023-12-21 Thread Maria Matejka via opensource-wg


On 2023-12-21 20:18, Ines Skelac wrote:


> Thank you for your quick response. It's important for me to clarify my 
> position regarding the RIPE chair selection process, and equally 
> important to receive responses to my points that remain unanswered.


This is NOT a RIPE Chair selection process. I haven't heard about Mirjam 
Kühne stepping down. This is RIPE OpenSource Working Group Chair 
selection process. Please don't mix these two together.


> Firstly, with respect to Luka Perkov, our interactions have been 
> within a professional context. It is through these professional 
> interactions that I have been introduced to RIPE and its various 
> activities on multiple occasions. Regarding the other candidates, I 
> assure you that my vote was cast following a thorough and informed 
> examination of their profiles and contributions.


I believe that you voted based on a thorough and informed examination. I 
don't believe that you voted in good faith.


> During my research, I observed an instance where an individual 
> associated with RIPE used their official ripe.net 
> email address to cast a vote. The deliberate choice of using a RIPE 
> email implies a certain awareness of the influence it carries. This 
> early vote, seemingly endorsed officially, subtly suggests a process 
> that might appear, to the cautious observer, as conveniently arranged. 
> When combined with the evolving narrative of whose votes count and 
> whose don’t — as if the rules are being written and rewritten in 
> real-time — it certainly raises eyebrows about the true consistency 
> and impartiality of this process. In light of our commitment to 
> transparency, I'm curious – will this vote be counted, or are we 
> continuing to adapt the rules to fit the moment?


You're nitpicking on a completely irrelevant topic. There is no 
officiality in Vesna's endorsement.


> In our dialogues, a recurrent issue is the cycle of new questions that 
> emerge following my responses, often sidestepping the depth of the 
> answers I've already provided. This pattern of continuously shifting 
> focus hinders our ability to delve deeply and transparently into the 
> core issues. Moreover, when discussions reach a significant point, 
> they are frequently concluded with statements and conclusions like 
> "you did not convince me," which serve more as conversation enders 
> than as constructive contributions. Given this, will my points raised 
> in the previous email be thoroughly addressed? The absence of a 
> detailed response will be quite telling and, in itself, a significant 
> answer, especially in light of the critical issues I have brought forward.
>
> To reiterate, my decision to participate in the voting was informed by 
> a thorough understanding of RIPE, the Open Source Working Group, and 
> the qualifications of all the candidates. I trust this message 
> clarifies my position well.
>
> Considering the observations and discussions above, I am looking 
> forward to your responses to these points, as well as to the 
> unresolved topics I mentioned in my previous email. Clear answers to 
> these concerns are to allow everyone within the community to 
> contribute more effectively.


The recurrent issue is your complete misunderstanding of the state we're 
in now. It's not whether your vote is going to count. It's not about 
code of conduct, nor about any other documents, written rules, not even 
mailing-list activity. Yes, you are technically right that there is no 
actual formalized selection process. Yes, it definitely looks fishy from 
the outside and you're completely right that the selection rules have 
changed during the process. However, that's not the point at all.


The final and only question is – is the community going to respect Luka 
Perkov as OSS WG chair? And what I must say for myself, I won't. I 
actually don't care about the votes. I won't attend OSS WG meetings if 
he should get selected, and I'm going to actively ask other active 
participants to boycott the WG as well.


Why? There is literally no documented contribution of Luka himself to 
the RIPE meeting community. No talk, no comment, no question, literally 
nothing. This is not about his contribution to open-source software. If 
Linus Torvalds or Richard Stallman came and asked to be selected for 
RIPE OSS WG chair, I would refuse them as well. I honestly didn't expect 
anybody in this position to even think about running for WG chair … but 
he not only did, but a bunch of voters emerged from the void, and when 
called out, they wrote long concerned e-mails packed with buzzwords. I 
can't trust Luka Perkov now, after all of this, regardless whether he's 
himself actually contributed to this state or not.


I'm utterly disgusted.

Maria


On Tue, 19 Dec 2023 at 22:06, Martin Winter wrote:

Ines,

thanks for the introduction. However, I'm less concerned about
your professional background and was actually asking on how you found
about the Open Source WG and the election going on. You mentioned that
 

Re: [opensource-wg] Call for contributions: Example credit policy

2023-12-20 Thread Maria Matejka via opensource-wg

Hello Paul,

(replies inline)

On 2023-12-20 14:14, Paul Menzel wrote:

> […]
>
> (I always wonder, why an Open Source group uses proprietary software 
> like Google Docs. Does RIPE offer alternatives already? Otherwise, I’d 
> suggest some Git repository.)

There are projects like HackMD useful for this, but for me, it's 
Valerie's discretion to choose the tools. Anyway, thank you for 
inspiration for another credit issue example.

>> Two concrete examples:
>>
>> How I got robbed of my first kernel contribution – Ariel Miculas
>>
>> […]
>
> I took the time to read Ariel’s article, and I think this is blown out 
> of proportion. Ariel was credited, and the subsystem maintainer 
> Michael apologized. Things happen.
>
> Has this issue come up more often in the RIPE related Open source 
> projects (BIRD, Quagga, OpenBGPD, XORP, DHCP, RRDtool, ntop and 
> Nagios, …), that the working group wants to take this on?


At least with BIRD, we had issues (not escalated tho) when contributions 
were credited poorly, and we already did some internal decisions to try 
to credit the contributions properly. I also suspect that some 
contributors actually got discouraged by our approach to their 
contributions in farther history. This way, having a written policy how 
to do it, is a step which seems to be helpful at least for us.


Have a nice holiday season!
Maria

--
Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.


Re: [opensource-wg] Call for contributions: Example credit policy

2023-12-20 Thread Maria Matejka via opensource-wg

Hello Valerie and others,

(replies inline)

On 2023-12-20 03:27, Valerie Aurora wrote:

> Thanks for everyone's enthusiasm at the RIPE session about the open
> source project credit policy! While recovering from COVID I managed to
> put together a starting draft that included all of the suggestions I
> could remember.

Thank you for proceeding with this topic! I was missing your thoughts 
and all these discussions since the RIPE meeting.

> Please edit the draft, via comments, suggestions, or direct edits:
>
> https://docs.google.com/document/d/1A4PVQ8iAZFPWySxMdY-EYDArII3BrlK_t70Cek6iwhc/edit?usp=sharing

Added some suggestions and comments there.

> Thank you in particular to Maria Matějka, Martin Winter, and Marcos
> Sanz for many excellent points and solutions.


Wow, you actually got my ě in my surname correctly, that's uncommon, I 
appreciate that.



> Credit for this policy
>
> If you contributed to this policy, please add your name here. We will
> decide how to credit the contributors as we develop this policy.
>
> Valerie Aurora
>
> Maria Matějka


The comment I added to the doc but I also put it here – I have added my 
affiliation to this. It's not only my personal work, but I'm involved in 
this as BIRD team leader, employee of CZ.NIC – and even though this is 
mostly about people, the companies also deserve being credited, 
especially if they pay us to do the contributions.


That's it, looking forward to a fruitful discussion.

Also I'm going to draft a credits policy for BIRD to try using this 
document for a real project, so there will be some feedback also from 
this process.


Have a nice holiday season!
Maria

--
Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.


Re: [opensource-wg] Call for support of co-chair candidates

2023-12-16 Thread Maria Matejka via opensource-wg
Hello Marcos and WG!

This is indeed a good way to resolve this, even though it maybe should have 
been better announced before the voting took place. Anyway, better to do the 
filter now than never.

I support your decision fully.
Maria

On 16 December 2023 08:56:51 CET, Marcos Sanz via opensource-wg wrote:
>Dear working group,
>Dear RIPE community,
>
>The two weeks period to express preferences for one (or more) of the 
>candidates to the open co-chair position is over. First and foremost: thanks 
>to everyone who actively participated in the mailing list.
>
>After the somehow unusual traffic in the list during the past two weeks, 
>Martin and I decided that we would like to prioritize the voices of active 
>participants in the working group or the RIPE community at large towards the 
>voices of those who could not be identified as such. Trying to find hard 
>criteria for this is not easy, but nevertheless we had to, so this is the 
>result of our deliberations:
>
>We will not consider the vote of those who a) were not subscribed to the RIPE 
>open source mailing list as of the beginning of the voting window (last 30th 
>November, day of the OSS wg meeting) AND b) have not attended a single RIPE 
>meeting since RIPE 80, neither in presence nor remote. A bit of rationale 
>about the latter: we took RIPE 80 because it is the point in time where 
>Meetecho support was mature enough for the RIPE meeting to be organized 
>completely virtual (admittedly, in
>kind of involuntary manner). That entails everyone wanting to join a meeting 
>could have done so, even if lacking the financial means.
>
>We believe that we want votes from the active community who is involved in the 
>future and was involved in the past with the Open Source WG / RIPE and are 
>familiar with our past work and the candidates for the new WG chair position. 
>As such, we do believe that new signups with no prior history of involvement 
>in the community should not qualify to vote this time. We do believe that we 
>have three excellent candidates and each of them has some great skills, but 
>understanding the skills required to further improve this group is hard to be 
>judged by anyone who was never part of RIPE. Please do not misunderstand this 
>step as a sign of hostility towards newcomers: you are and always will be welcome 
>to join the community at any time and to start participating in our open source 
>arena as of now!
>
>We have presented this process and its rationale to the RIPE chair and no 
>opposition was expressed for us to move ahead. Based on these criteria we’ll 
>now review all expressions of support in the mailing list and plan to provide 
>you with an outcome as soon as possible. If you think we are making a wrong 
>decision, please speak up within the next few days.
>
>Best regards,
>
>Marcos and Martin
>Open Source WG Chairs
>
>> -Original message-
>> From: opensource-wg On behalf of
>> Marcos Sanz via opensource-wg
>> Sent: Thursday, 30 November 2023 10:27
>> To: opensource-wg@ripe.net
>> Subject: [opensource-wg] Call for support of co-chair candidates
>> 
>> Dear all,
>> 
>> 
>> 
>> as explained today during the working group session, three people have
>> volunteered to fill the one open co-chair vacancy. Sorted by sha256() over
>> their full name, the candidates are
>> 
>> 
>> 
>> -Christian Scheele
>> 
>> -Luka Perkov
>> 
>> -Sasha Romijn
>> 
>> 
>> 
>> Big thanks to all of them for their offer to support the community, we are
>> happy to see such an interest! The candidates have introduced themselves
>> and their motivations also during today’s session. In case you missed it, you
>> can watch the specific recordings here:
>> 
>> https://ripe87.ripe.net/archives/video/1214
>> 
>> https://ripe87.ripe.net/archives/video/1217
>> 
>> 
>> 
>> 
>> 
>> Now this is a public call for support of the candidates, open for TWO WEEKS
>> starting now and ENDING 14th December (EOB UTC). If you want to support
>> one (or more) candidate(s), please send a public message doing so to this
>> mailing list. Statements of support cannot be anonymous, so please finish the
>> e-mail with your name.
>> 
>> 
>> 
>> It’s also possible (even helpful) to support more than one candidate (to be
>> able to break potential ties). If you’d wish to do so, please deliver your
>> statement of support with the candidate names sorted by preference.
>> 
>> 
>> 
>> Now it’s your time to contribute by choosing the new co-chair: help the
>> community!
>> 
>> Marcos Sanz & Martin Winter
>

-- 
Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.


Re: [opensource-wg] Call for support of co-chair candidates

2023-11-30 Thread Maria Matejka via opensource-wg
+1 for Sasha.

Maria

On 30 November 2023 17:29:12 CET, Massimo Candela wrote:
>
>
>On 30/11/2023 17:18, Nat Morris wrote:
>> On Thu, 30 Nov 2023 at 10:27, Marcos Sanz via opensource-wg wrote:
>>> 
>>> Dear all,
>>> as explained today during the working group session, three people have 
>>> volunteered to fill the one open co-chair vacancy. Sorted by sha256() over 
>>> their full name, the candidates are
>>> -Christian Scheele
>>> -Luka Perkov
>>> -Sasha Romijn
>
>+1 for Sasha
>
>
>Ciao,
>Massimo
>

-- 
Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.


Re: [opensource-wg] Call for Opensource-WG Presentations (RIPE87, Rome, 27 Nov - 1 Dec 2023)

2023-09-26 Thread Maria Matejka via opensource-wg

Hello Martin, Marco and others,

remembering what was said in Rotterdam, we got here into a discussion
about where and how to present updates in existing open-source products,
reiterating the concerns about the OS-WG group somehow cannibalizing 
Routing WG.


I'm planning myself to propose a non-product presentation in OS-WG
mostly about how we organize work on BIRD and what problems we deal with.

I'd like to ask you for opinions whether we shall aim for Routing WG
with BIRD updates, or whether we shall stay here.

Thank you and see you all in Rome!
Maria

On 2023-09-26 15:22, Martin Winter wrote:

Call for Opensource-WG Presentations (RIPE87, Rome, 27 Nov - 1 Dec 2023)

The next RIPE Meeting is coming up again - your chance to present about
some interesting Open Source

If you would like to give a presentation during the OpenSource WG
session, then please contact us (the WG chairs).
In general, each talk is 15-30 mins (depending on how much time is
needed).

If you have some idea and are not sure how/if you should present something
then feel free to contact us as well to discuss the idea.

For small project updates, we are planning to reserve 30 mins again at
the end of the WG session.
These short 5..10(max) min updates/talks are decided on the day before
the WG session on a time/space available basis.
No need to submit anything for these talks at this time.

Thanks,
Martin Winter & Marco Sanz
OpenSource WG Chairs



--
Maria Matejka (she/her) | BIRD Team Leader | CZ.NIC, z.s.p.o.


Re: [opensource-wg] concern re: Cyber Resilience Act effects on open source?

2022-11-28 Thread Maria Matejka via opensource-wg

Hello!

[ These are my personal opinions. I have some degree of understanding of 
law, yet I'm not a lawyer at all. I'm an employee of CZ.NIC, yet this is 
not an opinion of my employer, I'm writing on my own behalf. ]


> I would like to understand the number of people/organisations on this 
> list who are concerned about the European Commission's Cyber Resilience 
> Act proposal effects on open source software development.
>
> This topic was presented at RIPE85 [1] and covered in a recent blog (see 
> below, should have cross-posted), which was republished at RIPE Labs 
> last week:
>
> https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
>
> You would help both me and RIPE NCC staff that are tracking the proposal 
> by speaking up on list. Answers by both developers and users are valuable.


Regarding the liability act, I think we may simply declare that only the 
cases covered by automated testing are the intended use case and if 
anybody wants to run BIRD outside these cases, they have to check it at 
their own risk or they have to pay us to implement and test these 
scenarios for them. It's just the wording in the documentation to be 
amended.


Regarding the CRA:

Definition of the exception in (10) is one thing, definition in article 
3 (18,23) doesn't exempt non-commercial development at all.


* article 13 (9) and 14 (6) don't work at all for open-source products 
where the manufacturer is a group of people and orgs all around the 
world; probably this may be covered by articles 15 and 16, yet the 
wording is quite fuzzy


* article 24 where it speaks about critical software is completely 
unreasonable even for fully commercial developers. Everybody uses some 
underlying technology, e.g. we'd have to assess LibSSH security 
probably, and who knows, maybe even the GCC / Clang security or the 
build system itself? Who's gonna assess Debian security?


Reading the CRA more thoroughly, if the audits are done strictly, I 
foresee this:


* RedHat and SUSE are going bankrupt as the amount of work needed to 
audit the whole Linux infrastructure is totally out of their scope.
* Everybody using Debian / Arch / whatever non-commercial distribution 
must be considered a software importer and therefore has the same 
liabilities as a manufacturer.
* Hardware router manufacturers go bankrupt as well or have to raise 
their prices significantly.


Or the audits can be done somehow to do the paperwork just to assure the 
Commission that something is being audited. In this interpretation, it's 
only the paperwork with no real impact on the actual security, and 
therefore it's probably just a waste of money and effort.


My suggestions for regulation amendments:

* the regulation should strictly exempt products distributed completely 
freely (for zero money and in exchange for nothing, not even a single 
bit of personal / user data) case-by-case
* if the software is both sold (e.g. with technical support) and 
distributed freely, the regulation applies only for cases it's sold → 
then we can explicitly state what features are covered by the contract
* if anybody uses a software which they got for free, they are 
responsible for that and possibly also for auditing


We may also create an NCC which would perform all the necessary audits 
for open-source software in a reasonable (non-profit) price range.


To be honest, while thinking about it more, I'm starting to see the 
proposed acts as a kind-of way how to push the (big commercial) users to 
contribute more with real money to open-source development, yet it must 
be stated strictly enough that everybody can either contribute to have 
the audit done by the manufacturer, or they are responsible for auditing 
their intended use of the software completely themselves.


We may also simply stop selling technical support for BIRD and also stop 
releasing any final versions. All BIRD versions will be only testing 
releases and we can simply sell another product "based on" BIRD, with 
all the audits needed and marked CE, completely commercial.


In all cases, I think that the regulation needs much more care regarding 
open-source software as it looks like the authors don't know much about 
that. The regulation also doesn't care much about the sole fact that IT 
systems are typically built from multiple blocks joined together and the 
liability and auditing responsibility is not well defined in these cases.


Thank you for raising this issue.

Maria
developer of BIRD
on my own behalf

