WEBVTT

00:00.000 --> 00:12.360
Hello everyone, as you probably know, both Alex and I are co-organizers of the dev room.

00:12.360 --> 00:19.160
And as we were finishing out the schedule, we started to realize that the entire afternoon

00:19.160 --> 00:26.680
was going to be about CRA, and I said we should have another session on the CRA, in fact.

00:26.760 --> 00:32.680
And I think the fact that this individual here is willing to leave their hand up the entire

00:32.680 --> 00:39.680
time between the break, just to get the first question on the next panel, shows we made a good choice to give you a lot of CRA content.

00:39.680 --> 00:47.200
This particular panel, I want to focus exclusively on the question of open source stewards: who is going to be one,

00:47.200 --> 00:54.680
what they're going to do, and in particular, speaking as someone who is in the leadership of a US nonprofit

00:54.680 --> 01:04.680
charity that is the home to many open source and free software projects, we are struggling to figure out what our obligations are going to be.

01:04.680 --> 01:14.680
Should we be an open source steward? Should we not, as we heard in the last session? It's kind of a choice, but we're afraid that if we don't do it, someone else will come in for one of our projects and do it poorly.

01:14.680 --> 01:21.680
So we are just desperate, and I send these frantic emails to Alex with lists of questions.

01:21.680 --> 01:27.680
And he sometimes answers me, which is great. I did send him one earlier this week, and he's not answered yet.

01:27.680 --> 01:33.680
But we're really appreciative of our European colleagues who can explain this to us and help us participate,

01:33.680 --> 01:41.680
because you might have heard my talk this morning, there are some things in the CRA I don't like, but much of the CRA is very good policy.

01:41.680 --> 01:47.680
And so we want to do the right thing, but we don't know what to do, and we don't understand what's happening.

01:47.680 --> 01:57.680
And so instead of you all having to email Alex, which would just fill his inbox, I figured I should bring the two of them here and have both of you tell us everything.

01:57.680 --> 01:59.680
So tell us everything.

01:59.680 --> 02:06.680
Before we start telling everything, I think it's also important for you to know who we are.

02:06.680 --> 02:20.680
I'm from civil society, but what is pretty interesting for you is that he is from the market surveillance authority, and this is interesting: they are the ones that ultimately check everything.

02:20.680 --> 02:29.680
So basically, maybe you want to tell us a bit about how your daily work will look in 2021.

02:29.680 --> 02:34.680
And I apologize to those watching this recording later that we just had a panel with these two earlier.

02:34.680 --> 02:40.680
So everybody in the audience basically knows who they are, but we should all introduce ourselves, totally right, Alex.

02:40.680 --> 02:42.680
Just a bit.

02:42.680 --> 02:57.680
Yeah, I started working at the market surveillance of the BSI, and right now in Germany it's not clear; there still has to be a decision made on who's becoming the market surveillance authority.

02:57.680 --> 03:06.680
But since time is of importance, we already started to look at the CRA and see what we can get out of it.

03:06.680 --> 03:23.680
And what implications the CRA might have for us, if we in a certain way get a part in the market surveillance, and then have to look at all the stuff.

03:23.680 --> 03:25.680
So no.

03:29.680 --> 03:33.680
You might as well just say the questions, the hands are flying up.

03:33.680 --> 03:35.680
So we'll go for it.

03:35.680 --> 03:38.680
Well, I saw another hand.

03:42.680 --> 03:44.680
Thank you.

03:44.680 --> 03:47.680
So I've got a question around stewards.

03:47.680 --> 03:50.680
And I've been working for Android for a long time.

03:50.680 --> 03:56.680
I've led longevity, I've worked with European regulators on the Digital Markets Act.

03:56.680 --> 04:00.680
And I kind of pictured that crazy graph that you showed earlier.

04:00.680 --> 04:03.680
And I was like, there's no way in hell this is going to happen.

04:03.680 --> 04:08.680
So I left Google to build some of the tooling that I think is missing around that space.

04:08.680 --> 04:11.680
So we'd love to connect with you and chat some more about us.

04:11.680 --> 04:21.680
But on the stewards aspect, there was a definition in an earlier version of the CRA of something akin to a software undertaker.

04:21.680 --> 04:24.680
Banks have this concept.

04:24.680 --> 04:32.680
Where if a company goes bust, or for whatever reason that company doesn't exist or doesn't want to support some piece of some device,

04:32.680 --> 04:36.680
then there's someone else that has access to that code base.

04:36.680 --> 04:43.680
There are a lot of folks here that are on sort of like LineageOS or versions of Android that run open source software.

04:43.680 --> 04:50.680
A lot of those folks are actually suffering from that concept not existing and not having access to that software.

04:50.680 --> 04:59.680
So is that something that's still in the latest version, the concept of an undertaker, and how would that come into effect?

04:59.680 --> 05:03.680
It was very, very poorly defined in earlier versions.

05:03.680 --> 05:05.680
Is that something that you can answer?

05:05.680 --> 05:12.680
From what I could tell, there were a lot of acronyms on your crazy graph slide.

05:12.680 --> 05:21.680
But from what I could tell, there wasn't a software undertaker on that slide.

05:21.680 --> 05:25.680
I have a more complicated question if you want, but I could read those for you.

05:25.680 --> 05:27.680
It's a problem.

05:29.680 --> 05:32.680
I'm not sure if it's still in the text.

05:32.680 --> 05:39.680
I know that Binder might have to look at it for companies that go out of business.

05:39.680 --> 05:49.680
The commission has the rights to step in in what way we have to find out.

05:49.680 --> 05:57.680
And if it's an important product for the EU market, then they can do some things.

05:57.680 --> 06:02.680
And whether what you just described is still in there,

06:02.680 --> 06:06.680
I can't remember from the last time I read it, but.

06:06.680 --> 06:09.680
It's one of those things that only works if you do it ahead of time.

06:09.680 --> 06:14.680
Once the company's bust, the software is done; you need to think about that ahead of time.

06:14.680 --> 06:18.680
Could I argue that mobile phones are super important to the EU market?

06:18.680 --> 06:23.680
Because you have millions, tens of millions of them.

06:23.680 --> 06:25.680
We have to be careful with the mic.

06:25.680 --> 06:26.680
Okay.

06:26.680 --> 06:27.680
Give it one more.

06:27.680 --> 06:28.680
Thank you.

06:28.680 --> 06:32.680
Sorry, I was just saying that it's probably one of those things that you want to define ahead of

06:32.680 --> 06:33.680
time, right?

06:33.680 --> 06:37.680
Because if you're an undertaker, you need to define that from the beginning of a product.

06:37.680 --> 06:41.680
You could make the claim that mobile phones and some of these devices are

06:41.680 --> 06:43.680
super important, right?

06:43.680 --> 06:45.680
You have all sorts of data on it.

06:45.680 --> 06:48.680
Very critical to our usage.

06:48.680 --> 06:50.680
Anyway, I can take that offline.

06:50.680 --> 06:57.680
It sounds like it needs more clarity.

06:57.680 --> 07:00.680
Maybe like in between, we can, as well.

07:00.680 --> 07:01.680
Okay, good, good.

07:01.680 --> 07:06.680
So then I'll take the next break.

07:06.680 --> 07:12.680
I have two questions and I'm using the mic now to ask them, but they are very much related.

07:12.680 --> 07:19.680
So if my company open sources something as a new open project, which is not part of any of its

07:19.680 --> 07:26.680
products, does my company become a steward automatically? Or the related question:

07:26.680 --> 07:33.680
Are there any open projects without a steward?

07:33.680 --> 07:39.680
I'd say yes. I mean, there's not really a rule that says you need to be a steward,

07:39.680 --> 07:44.680
and even then there are also not that many rules that tell you what to do as a steward.

07:44.680 --> 07:51.680
So this is a bit like what was said before: you can even pick, as a steward, specific

07:51.680 --> 08:00.680
roles, activities you follow, but there's nothing in the law that clearly says you will be the steward.

08:00.680 --> 08:06.680
Yeah, and on the point of the obligations for stewards, the steward has the obligation to

08:06.680 --> 08:09.680
cooperate with the market surveillance authority.

08:09.680 --> 08:18.680
And they have to provide technical documentation if the market surveillance authority has a reasonable request.

08:18.680 --> 08:25.680
They have to report vulnerabilities and severe incidents.

08:25.680 --> 08:35.680
And they have to have a policy on how to develop secure products and how to do vulnerability handling effectively.

08:35.680 --> 08:43.680
So there aren't that many obligations: reporting, and working together with the market surveillance authority.

08:43.680 --> 08:50.680
Those are the main obligations.

08:50.680 --> 08:53.680
Because Mark is next, and he's my friend,

08:53.680 --> 08:56.680
He won't be mad that I ask my question.

08:56.680 --> 09:01.680
But one of the reasons we put this panel together, or the reason I wanted to put this panel together,

09:01.680 --> 09:04.680
is that I want to get Alex and ask him questions.

09:04.680 --> 09:14.680
And one of the questions that is burning in our mind at the charities in the United States who are homes to open source and free software projects is that we don't

09:14.680 --> 09:17.680
want to be an open source steward, and we do.

09:17.680 --> 09:25.680
And what I mean by that is, when I look at the CRA, my fear, and this is a fear I don't know is justified, is that there's going to be a kind of libertarian

09:25.680 --> 09:31.680
of free market of stewards running around pitching to projects saying, oh, we can be your steward.

09:31.680 --> 09:33.680
We know how to do it all for you.

09:33.680 --> 09:35.680
We're going to raise money for you and so forth.

09:35.680 --> 09:37.680
And they're going to be quite fine about it.

09:37.680 --> 09:44.680
There are organizations in the US right now making those kinds of pitches to projects, including projects that are already affiliated with Software Freedom

09:44.680 --> 09:46.680
Conservancy where I work.

09:46.680 --> 09:51.680
And so we feel like we must jump in and be an open source steward, but we're not commercial.

09:51.680 --> 09:55.680
It seems like all the open source steward requirements are regarding commercialization.

09:55.680 --> 09:57.680
So we're in a weird situation.

09:57.680 --> 10:01.680
And Alex, you tell us what to do, we'll do it.

10:01.680 --> 10:08.680
So I don't believe that normally you want to be a steward.

10:08.680 --> 10:16.680
So I would recommend to become a steward, but not just do it, so you should learn.

10:16.680 --> 10:22.680
And this is, I mean, if I were in your position, I would talk to the market surveillance authority.

10:22.680 --> 10:34.680
And ask this person how I, as a steward, could make sure that there is not that pressure coming from the manufacturer on the one hand.

10:34.680 --> 10:45.680
And that I'm also sure that I'm like capable of fulfilling the obligations and that maybe we come even to a point that the manufacturer is supporting the steward.

10:45.680 --> 10:48.680
To support the manufacturer.

10:48.680 --> 11:01.680
And this is basically, I'd say, a possible thing to achieve in the next year, that we can manage to bring it about.

11:01.680 --> 11:07.680
So at the moment, I'd say there are manufacturers that just take free software and don't contribute back.

11:08.680 --> 11:17.680
But here we have the possibility to bring pressure on the manufacturer to contribute back to these projects, or the code that they are coming from.

11:17.680 --> 11:22.680
And this is possible, and that's why I'd say it's a good idea to become a steward.

11:22.680 --> 11:26.680
So maybe we have this discussion again in the next year.

11:26.680 --> 11:32.680
And then we have a bit more guidance, a bit more text, and then it's a bit clearer.

11:32.680 --> 11:40.680
Really a good idea, but at the moment, in general, I'd say for us as the free software community, we should go in the direction of having stewards.

11:40.680 --> 11:53.680
And that we have a good relationship between manufacturers and stewards, written in guidance, so that we can make sure stewards will never be under pressure and are happy to fulfill the obligations that are there.

11:53.680 --> 12:06.680
And the good thing is that the guidance right now isn't there, and has to be written; somebody has to write it, and somebody has to contribute to the guidance which will be written.

12:06.680 --> 12:17.680
So if we figure out, or if the open source community figures out, how they want to use this steward, or how they want to act as a steward.

12:17.680 --> 12:31.680
And, in an even better way, if they can get together with the manufacturers and figure out together a way to interact with one another, so that everybody benefits from that.

12:31.680 --> 12:38.680
And that gets into the guidance, then we do have a really good chance to get something good out of this.

12:38.680 --> 13:02.680
And maybe if you ask yourself how to contribute to such a text, there is a project by the BSI and the FSI where we are trying to get questions from the audience and best practices of communities working together with manufacturers, which we could use as a blueprint for such a text, for example.

13:02.680 --> 13:21.680
Or if you have any ideas of what should be there, then it's a good idea to tell us, and we will ventilate this in the project, and it has good chances of ending up somewhere.

13:21.680 --> 13:39.680
I'm trying to reformulate my question based on all this, but basically my question was about the fear of somebody else becoming a software steward; to me that sounds fantastic.

13:39.680 --> 13:49.680
Really, I'm not packaging my own software; someone else does. Let that person be the software steward.

13:49.680 --> 13:59.680
Why are you afraid of somebody else becoming the software steward?

13:59.680 --> 14:13.680
I would love somebody else to step in and say, oh, I'll do all the bureaucratic European marketing stuff.

14:13.680 --> 14:23.680
So I can address why we're afraid, for basically two reasons. We're a US-based organization, and we did a lot of work to comply with GDPR.

14:23.680 --> 14:29.680
GDPR is a great law and we are glad to comply with it, but as a small charity, it's difficult.

14:29.680 --> 14:41.680
I literally was handling somebody's GDPR request when I was supposed to be prepping my talk for this morning, because they write in and then it's like, oh, what data, where is their stuff stored, and so forth.

14:41.680 --> 14:48.680
So our concern about the CRA is, first of all, that we need experts like these folks in Europe to explain to us what to do.

14:48.680 --> 15:06.680
The other concern we have, and I'm going to say something slightly annoying to developers in the crowd, is that developers have a tendency to want to work on the things that are interesting to them, and it's exactly how you feel, Mark: oh, you're going to take care of this for me.

15:06.680 --> 15:09.680
Great, I don't want to think about it because I just want to be hacking.

15:09.680 --> 15:25.680
The problem is, I'm worried it's going to be very difficult for you to figure out who to trust, because if your project is important, you will probably get pitched by a lot of organizations saying they can be your steward, and they might be bad at it.

15:25.680 --> 15:42.680
And the relationships with your users are really important to you, so even though you're non-commercial, you know, a free software or volunteer hacker, the people who use your project are doing it commercially, they need an open source steward in between, and what if they screw up, and then they hate your project because the open source steward screwed up.

15:42.680 --> 15:56.680
Those are things I'm worried about; I see nods in the crowd. We don't know whether we should worry about it, and it sounds like we just have to help you write the regs so that we don't have to be worried anymore.

15:56.680 --> 16:03.680
Hi, thank you, I'm not sure if this is relevant, but yeah, it's okay if you cannot answer it.

16:03.680 --> 16:12.680
So this is about the scope of the CRA. I mean, there was a mention that cars, or the automotive industry, are exempted.

16:12.680 --> 16:31.680
I'm just wondering if they're exempted outright, fully, because the referencing in the CRA refers to UN regulation UN R155, which is about type approval, like manufacturers getting their products, like cars, approved before releasing them to the market.

16:31.680 --> 16:50.680
So I mean, this regulation doesn't really say much about software and security used in cars, and then comes the CRA, and it also references, like, there's remote access which creates vulnerabilities, but more specific regulations should be applied, and then comes the CRA.

16:50.680 --> 17:06.680
So there's a gap when the CRA is exempting this industry, but in reality it's not really sure, so I'm just wondering if you have any thoughts on that.

17:06.680 --> 17:26.680
Yeah, so I'd say, even if cars are exempted, there will still be parts in the car that have a CE label, so for example, if you put a fridge in the car, the fridge.

17:26.680 --> 17:30.680
There are rules covering cars, help on the trim system.

17:30.680 --> 17:35.680
Yeah. They already have rules, so they're covered by those rules.

17:35.680 --> 17:43.680
The CRA explicitly covers, and I think that everybody watching the video can't hear anything right now.

17:44.680 --> 18:06.680
Yeah, the thing is, those other regulations are very specific on what's a car, and what's a medical device, and which device falls under that directive or that law, so they know what to do, and there is cybersecurity stuff in those regulations.

18:06.680 --> 18:21.680
That's why they're out of scope of the CRA, and every part in the car which doesn't fall under those other regulations then has to comply with the CRA.

18:21.680 --> 18:35.680
Quickly, one request again: if you lower your hand in between, I somehow assume it's gone, and if I'm next to you, I'll relieve you from doing it, but otherwise it really helps me if you keep it up so I have the order.

18:37.680 --> 18:43.680
Yeah, I just want to add good news for Mark: actually, I am your steward.

18:43.680 --> 18:54.680
So, whether that's a joke or not, who has to be a steward, and can there be multiple stewards, and can anybody be the steward for anyone?

18:57.680 --> 19:03.680
Well, that's something where we have someone in the audience who knows the answer.

19:03.680 --> 19:05.680
Otherwise, that's...

19:19.680 --> 19:27.680
So, the principle of the CRA says that if somebody like you decides that you just want to be a contributor,

19:27.680 --> 19:36.680
pushing your code out there and have no responsibility for it, multiple people can fork your code and do whatever they want.

19:36.680 --> 19:47.680
And then, if multiple different organizations decide that they want to be the steward for those things, they can keep forking your code.

19:47.680 --> 19:54.680
You will lose control over anything that you're doing, but that will be the consequence for this.

19:54.680 --> 20:05.680
If you don't decide to have a relationship and assert some level of sovereignty, because you can just fork the open source projects, that's what will happen.

20:05.680 --> 20:10.680
Now, in a very small project where nobody cares, this is not relevant.

20:10.680 --> 20:21.680
But somebody's going to come along and say, some manufacturer is going to want security from somebody, and they're going to look for somebody that they can have a commercial relationship with.

20:21.680 --> 20:30.680
If you don't want to be that thing, if it's important enough and there's enough money, somebody else will fork your stuff.

20:30.680 --> 20:37.680
If it isn't important, then nobody's going to touch it, and there's going to be a gap created,

20:37.680 --> 20:43.680
where there will be projects which people will run after, and there may be multiple of them, and they may fork them in different areas.

20:43.680 --> 20:51.680
So Red Hat may say, we'll do the Red Hat flavor, and SUSE will say, we'll do the SUSE flavor, and they'll all do their thingy.

20:51.680 --> 21:00.680
And you're still doing stuff, maybe, maybe they just keep taking your updates and you're living where you are, and that's okay.

21:00.680 --> 21:02.680
And maybe you like that.

21:02.680 --> 21:06.680
Or you feel unloved because nobody appreciates the work you're doing.

21:06.680 --> 21:09.680
You need to make a call, right?

21:09.680 --> 21:14.680
There's a consequence that's going to be driven into the market because of this.

21:14.680 --> 21:22.680
So if you submitted a talk and we forgot to accept it, I apologize; we did try to invite people onto the panels who submitted talks about it,

21:22.680 --> 21:25.680
and you should definitely submit a talk about this next year.

21:25.680 --> 21:30.680
I think we have people in the queue for the question.

21:30.680 --> 21:36.680
Yeah, so this is going to be the elephant in the room, I think.

21:36.680 --> 21:46.680
Last year, I was in Janson when they announced this serious stuff, and I was so surprised I didn't raise my hand.

21:46.680 --> 21:54.680
And well, it's probably more for the commission, but the room is full.

21:54.680 --> 22:06.680
Free software exists just because hardware vendors and software vendors were not held accountable for not publishing the documentation of their hardware for 30 years.

22:06.680 --> 22:16.680
And now we are supposed to be held accountable as stewards for stuff that is based on stuff that's not known to us.

22:16.680 --> 22:28.680
So first question: did anybody waste entire nights reverse engineering things to write specs, to write drivers for free software stuff?

22:28.680 --> 22:44.680
And then, do you know how many drivers there are in Linux, just Linux alone, that are based on reverse engineering, that absolutely nobody can certify will not burn your computers, or just burn your car for that matter?

22:44.680 --> 22:54.680
So yeah, how dare they hold us accountable for stuff we cannot be held accountable for.

22:54.680 --> 23:23.680
So my question is sort of related to that. From the point of view of a developer, is there a conflict, a licensing conflict, between an open source license

23:23.680 --> 23:33.680
and the downstream beneficiary, because most open source licenses give the software without a warranty.

23:33.680 --> 23:38.680
And now it feels like the CRA is imposing a warranty, which is a conflict.

23:38.680 --> 23:56.680
I'll put it as a question: is that a conflict with the open source software license, and/or is it a conflict with the social contract, as Bradley would say? Is it altering the deal?

23:57.680 --> 24:14.680
Looking upstream, potentially a project might have a hundred upstreams, and now what do I do as a developer if, you know, 50 of them are abandoned?

24:14.680 --> 24:25.680
So if you call me out, I'll start. I don't see any problem, as the resident copyleft expert, with selling warranties.

24:25.680 --> 24:33.680
In fact, for years it's been made clear that selling warranties was a useful practice to engage in as a free software business.

24:33.680 --> 24:41.680
So to the extent to which open source stewards are selling warranties of some sort of a fashion, no problem there.

24:41.680 --> 25:01.680
My bigger concern in what you're asking, which you didn't actually ask, so I'm going to do the thing where I turn the question into the one I want to answer, is that I'm very concerned about the other issue: the fact that many of the manufacturers who need an open source steward are also the same manufacturers who refuse to comply with copyleft.

25:01.680 --> 25:13.680
So we have this weird situation, especially for us at Software Freedom Conservancy, since we are both going to be an open source steward, not as defined by the CRA, but we were sort of that before the CRA was written.

25:13.680 --> 25:26.680
But we also enforce copyleft for our projects. So we have this weird situation: what if we end up as an open source steward and we have a manufacturer who is relying on us as open source steward who is violating copyleft?

25:26.680 --> 25:31.680
I have no idea, what am I supposed to do then?

25:31.680 --> 25:37.680
I mean documentation can also be.

25:37.680 --> 25:46.680
And that's what it is. So to be honest, I'm not sure if this will be a real problem.

25:46.680 --> 25:52.680
So I don't know, but at the moment I couldn't imagine.

25:52.680 --> 25:55.680
So at the moment, I think this is one of the problems.

25:55.680 --> 25:59.680
And again, I mean, we are basically talking about workflows.

25:59.680 --> 26:09.680
So you get the CE label. So it's about having some workflows, and you check: do you have a secure product, and you put the CE label on.

26:09.680 --> 26:13.680
So I mean, you can really compare it to the physical product world.

26:13.680 --> 26:17.680
And how we use CE labels there, and what we do with the CE label.

26:17.680 --> 26:21.680
So there's still a lot of crap on our market.

26:21.680 --> 26:26.680
It gives us a bit more in the direction of cybersecurity.

26:26.680 --> 26:32.680
And it's also not that the market surveillance authority has 5,000 people just checking everything.

26:32.680 --> 26:37.680
So I mean, you can even compare it to the data protection.

26:37.680 --> 26:40.680
I mean, it's not that we have data protection all over Europe

26:40.680 --> 26:42.680
now just because we have a data protection law.

26:42.680 --> 26:47.680
So with this thing we are just going in the direction of more cybersecurity.

26:47.680 --> 26:52.680
And ultimately, it's just the CE label, and the time is up.

26:52.680 --> 26:55.680
Thank you all.

