FOSS Backstage: Free software between regulation and digital sovereignty
Balancing the opportunities and risks of free and open source software was the theme of FOSS Backstage in Berlin.
(Image: Jan Michalko/FOSS Backstage/cc-by-sa 4.0)
- Dr. Rüdiger Berlich
Free and Open Source (FOSS) has become an integral part of commercial software development, but the extent of the dependency is astonishing: in his presentation at the seventh FOSS Backstage Conference, which took place last week in Berlin, Max Mehl from DB Systel cited an average of 125 dependencies per internal project.
His statement is based on an analysis of over 32,000 internal repositories. Such dependencies pose risks, for example because they are no longer maintained, are subject to a license change or contain security vulnerabilities. The xz backdoor, which was discovered only by chance, is a case in point.
Dependencies as a security risk
Governance – one of the core topics of FOSS Backstage with its 75 or so sessions – in this context means designing a company's organizational framework so that it minimizes the risks associated with the use of open source. Beyond setting compliance and security standards and managing contributions to the open source community, the strategic added value for the company should also be maximized.
This is because the large number of FOSS dependencies also means that a company does not have to develop the respective functionality itself and thus gains a financial advantage from using open source. In many contributions and discussions, it was clear that companies should not limit themselves to the role of pure user, but should also help financially and actively with development.
This is the only way to minimize the risks that result from overloading individual FOSS maintainers. Weighing up and balancing the opportunities and risks of FOSS use is today the task of an Open Source Program Office (OSPO) in many companies – the subject of two presentations at the conference.
A risk assessment begins with a detailed analysis of the company code, which in turn is based on a Software Bill of Materials (SBOM), i.e. a compilation of all direct and indirect dependencies of software projects, including associated versions and licenses.
Tools such as the Open Source Security Foundation (OpenSSF) Scorecard or the Linux Foundation project CHAOSS help to identify security or community-related risks.
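To show how such an SBOM-based risk assessment can be mechanized, here is an added example that is not from the article or from any of the tools it names. The SBOM is a constructed, CycloneDX-like dependency graph, and the license allowlist, the unmaintained set and the advisory list are assumed inputs that in practice would come from policy, Scorecard-style checks and a vulnerability database.

```python
# Added example: walk a (constructed) SBOM and flag the three risk types
# named in the article: license problems, unmaintained components and
# known-vulnerable versions. All data below is constructed/assumed.
from collections import deque

SBOM = {  # constructed sample: one project with direct and transitive dependencies
    "components": {
        "app": {"version": "1.0", "license": "Proprietary"},
        "web-fw": {"version": "4.2", "license": "MIT"},
        "json-lib": {"version": "2.9", "license": "Apache-2.0"},
        "compress-lib": {"version": "5.6.1", "license": "0BSD"},
        "old-util": {"version": "0.3", "license": "SSPL-1.0"},
    },
    "dependencies": {  # component -> its direct dependencies
        "app": ["web-fw", "json-lib"],
        "web-fw": ["compress-lib", "old-util"],
        "json-lib": [],
        "compress-lib": [],
        "old-util": [],
    },
}

ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "0BSD"}  # assumed policy
UNMAINTAINED = {"old-util"}             # assumed result of a Scorecard-style check
ADVISORIES = {("compress-lib", "5.6.1")}  # constructed (name, version) pairs

def transitive_deps(sbom, root):
    """All direct and indirect dependencies of `root`, breadth-first, no duplicates."""
    seen, queue = [], deque(sbom["dependencies"].get(root, []))
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.append(ref)
        queue.extend(sbom["dependencies"].get(ref, []))
    return seen

def assess(sbom, root):
    """Map each dependency of `root` to the risk categories it triggers."""
    findings = {}
    for ref in transitive_deps(sbom, root):
        comp = sbom["components"][ref]
        risks = []
        if comp["license"] not in ALLOWED_LICENSES:
            risks.append("license")
        if ref in UNMAINTAINED:
            risks.append("unmaintained")
        if (ref, comp["version"]) in ADVISORIES:
            risks.append("vulnerable")
        if risks:
            findings[ref] = risks
    return findings

if __name__ == "__main__":
    for ref, risks in assess(SBOM, "app").items():
        print(f"{ref}: {', '.join(risks)}")
```

Note that `old-util` is only reached transitively via `web-fw`, which is exactly why the article stresses indirect dependencies.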
Balancing act between liability and digital sovereignty
Additional difficulties for companies that use FOSS commercially arise from new EU regulations, in particular the Cyber Resilience Act (CRA) and the Product Liability Directive 2024/2853 (PLD), which were mentioned in what felt like every second presentation.
Both protect users and oblige companies to deliver more secure and sustainable software. Companies must ensure that their software – including all open source components – complies with the standards defined in the CRA, which is to be achieved through a security-by-design principle and comprehensive risk management processes. The responsibility for the integrated open source components lies entirely with the provider of the products, who must implement appropriate testing and control mechanisms. The PLD extends the term product and includes software – both stand-alone and integrated into other products – if it is sold commercially.
There were differing opinions on the impact of the CRA and the PLD on open source development. For example, the PLD generally excludes FOSS from liability if it is not provided commercially. However, if it is integrated into a commercial product or distributed commercially, product liability applies.
For purely private developers, this could mean that companies are more willing to support them financially in order to obtain high-quality software. However, this is precisely where the question arises as to when the FOSS author crosses the line into commercial distribution. So if an open source developer secures a lucrative income through the quality of their work, is it a commercial activity?
The uncertainty about this point was almost palpable at FOSS Backstage. Clarity in this matter is only likely to result from case law or a refinement of the PLD and the CRA.
The fact that clarification is urgently needed is made clear by the last, truly all-encompassing topic of the conference: FOSS is of central importance for the digital sovereignty of the EU, which was emphasized in the keynote speech by Jutta Horstmann (CEO of the Center for Digital Sovereignty, ZenDiS) on the topic of "Digital Sovereignty and Open Source – Shaping an answer to geopolitical instabilities".
If open source is to be promoted and not hindered, it is hardly in the EU's interest to place too many barriers in the way of FOSS protagonists. After all, the need for long-term maintenance and the provision of security updates resulting from PLD and CRA need to be financed.
Two fringe events took place on the second day of the conference: Firstly, the "FOSS Backstage Design", which dealt with user experience design issues that are not entirely unimportant for the acceptance of FOSS in a new Europe. The second was the InnerSource Gathering under the direction of Isabel Drost-Fromm, who, together with Stefan Rudnitzki, had originally initiated the FOSS Backstage.
Overall, the FOSS Backstage was a thoroughly successful event with lots of highly interesting information on current, but exclusively non-technical FOSS topics. Recordings of the current and previous FOSS Backstages can be viewed on YouTube.
(mack)