|
|
Log in / Subscribe / Register

European Commission issues call for evidence on open source

[Posted January 7, 2026 by jzb]

The European Commission has opened a "call for evidence" to help shape its European Open Digital Ecosystem Strategy. The commission is looking to reduce its dependence on software from non-EU countries:

The EU faces a significant problem of dependence on non-EU countries in the digital sphere. This reduces users' choice, hampers EU companies' competitiveness and can raise supply chain security issues as it makes it difficult to control our digital infrastructure (both physical and software components), potentially creating vulnerabilities including in critical sectors. In the last few years, it has been widely acknowledged that open source – which is a public good to be freely used, modified, and redistributed – has the strong potential to underpin a diverse portfolio of high-quality and secure digital solutions that are valid alternatives to proprietary ones. By doing so, it increases user agency, helps regain control and boost the resilience of our digital infrastructure.

The feedback period runs until midnight (Brussels time) February 3, 2026. The commission seeks input from all interested stakeholders, "in particular the European open-source community (including individual contributors, open-source companies and foundations), public administrations, specialised business sectors, the ICT industry, academia and research institutions".


to post comments

Consultation strategy

Posted Jan 7, 2026 21:13 UTC (Wed) by alx.manpages (subscriber, #145117) [Link] (45 responses)

I'll paste the 'Consultation strategy' section, which I think is quite relevant: 
 This call for evidence aims to gather feedback from different interested stakeholders,
to enrich the strategy with various perspectives.

More specifically, stakeholders are invited to reply to the following questions:

1. What are the strengths and weaknesses of the EU open-source sector? What are the
main barriers that hamper (i) adoption and maintenance of high-quality and secure
open source; and (ii) sustainable contributions to open‑source communities?

2. What is the added value of open source for the public and private sectors? Please
provide concrete examples, including the factors (such as cost, risk, lock-in, security,
innovation, among others) that are most important to assess the added value.

3. What concrete measures and actions may be taken at EU level to support the
development and growth of the EU open-source sector and contribute to the EU’s
technological sovereignty and cybersecurity agenda?

4. What technology areas should be prioritised and why?

5. In what sectors could an increased use of open source lead to increased
competitiveness and cyber resilience?

The call for evidence will remain open for four weeks and will be promoted through
the Commission’s institutional channels, including on social media.

This is the opportunity to write a wish list

Posted Jan 7, 2026 22:06 UTC (Wed) by hailfinger (subscriber, #76962) [Link] (43 responses)

If your favourite FOSS projects needs compute power, hosting, source code scans for security bugs, infrastructure, publicly funded developer meetings, documentation, migration scripts to help users convert from a proprietary product to your project, an awareness campaign, someone helping you navigate the legal hurdles of public procurement or anything else, write it down.

The European Commission (together with the European Parliament) can and will improve laws, and they are very willing to invest boatloads of money in anything which improves the FOSS ecosystem in general and lots of projects in particular.

- Your favourite open source project needs a high-performance buildbot service for the CI pipeline? Tell the European Commission, they could establish a free (as in freedom and in money) buildbot service for FOSS projects.
- Someone should (I know, right) finally write easy-to understand documentation for your project and all the developers are too busy? Tell the European Commission, they could establish a Technical Writer Task Force providing a free service to FOSS projects.
- The marketing of your project is non-existing or sucks badly? You solve the same thing as a proprietary piece of software, but nobody knows about your project? Tell the European Commission, they could help you get listed on one of the public "FOSS alternatives from Europe" websites curated by government agencies.
- There is a feature gap you want to close to become a viable alternative to some proprietary product and someone would have to spend half a year full-time to get that done? Tell the European Commission, they could either establish a new funding mechanism for that or direct you to one of the existing EU/national funding mechanisms.
- Maintenance of your project is lacking because all developers focus on new features instead? Tell the European Commission that having a part-time maintainer (or funding for it) would improve software quality. They could either establish a new funding mechanism for that or direct you to one of the existing EU/national funding mechanisms.

If you agree with even a single point above, use that public consultation to be heard. No, reading my text is not the same as submitting such an idea yourself. Don't delay, this is your chance to get something implemented in the whole EU instead of facing an uphill battle in every single EU member state.

This is the opportunity to write a wish list

Posted Jan 7, 2026 23:16 UTC (Wed) by cen (subscriber, #170575) [Link] (41 responses)

You are over complicating things, we just need Sovereign tech Fund and NLNET Foundation type of thing x100 to fund good projects.

This is the opportunity to write a wish list

Posted Jan 7, 2026 23:21 UTC (Wed) by alx.manpages (subscriber, #145117) [Link] (40 responses)

NLNET is not good IME.

It's goal-oriented, but most of the work we need is not goal oriented. Maintenance of projects isn't goal-oriented.

FWIW, they refused a submission from me for maintaining shadow-utils and improving its source code. The only feedback I got from them was something like "why don't you rewrite from scratch in Rust?". That's terrible. If EU wants to be serious, it needs to give money to projects without telling projects how to spend it.

This is the opportunity to write a wish list

Posted Jan 8, 2026 0:16 UTC (Thu) by josh (subscriber, #17465) [Link] (1 responses)

I think there's room for both. There's room for paying maintainers to do what they're already doing, and there's room for paying maintainers to do things they might not otherwise have done if not financially supported to do so.

This is the opportunity to write a wish list

Posted Jan 8, 2026 1:01 UTC (Thu) by alx.manpages (subscriber, #145117) [Link]

Agreed. Once vital support is guaranteed, some work might need to be incentivized.

This is the opportunity to write a wish list

Posted Jan 8, 2026 11:24 UTC (Thu) by coriordan (guest, #7544) [Link] (35 responses)

> If EU wants to be serious, it needs to give money to
> projects without telling projects how to spend it.

Kinda. But they do have to have criteria for giving money to people and there has to be a mutual agreement on how the money will be spent. They have obligations to be careful in spending tax money.

They might have made a bad decision in the case you mention, and maybe they need to learn more about dealing with free software, but we can also improve our position by learning to better deal with them.

There are consultancy firms that are expert in writing funding applications. If good free software projects give up due to frustration, then that just means more and more funding goes to specialists in writing funding applications.

This is the opportunity to write a wish list

Posted Jan 8, 2026 11:38 UTC (Thu) by alx.manpages (subscriber, #145117) [Link] (33 responses)

> Kinda. But they do have to have criteria for giving money to people

The criteria should be pay for projects that you use or intend to use. You use the linux kernel? Pay its (European) maintainers. You use GNU coreutils? Pay its (European) maintainers. Etc.

> and there has to be a mutual agreement on how the money will be spent. They have obligations to be careful in spending tax money.

Do they ask $BIGCOMPANY how it spends license money when they pay them?

It's essentially the same: you want to use some software, and you pay the people responsible for that software. In the end, the main difference is that they get to see the source code they use in the case of free software.

> There are consultancy firms that are expert in writing funding applications. If good free software projects give up due to frustration, then that just means more and more funding goes to specialists in writing funding applications.

I think that's perpetuating the problem. IMO, the solution is to fail quick and fail hard. That should show them that they're not doing the right thing.

It should be project users who do the work of paying project maintainers and making sure they're doing well.

Asking volunteers to demonstrate that they're doing a good job seems wrong; they already show by the fact that their project is working and being used.

This is the opportunity to write a wish list

Posted Jan 8, 2026 12:26 UTC (Thu) by coriordan (guest, #7544) [Link] (1 responses)

> Do they ask $BIGCOMPANY how it spends license money when they pay them?

No. But maybe they should.

They should have criteria about what they get for their money when they buy licences, and those criteria include that they want to be able to audit and adapt the software to meet their needs. I.e. it should be free software.

My point is that poor procedures around the purchase of licences doesn't necessarily imply that they should stop being picky about how they allocate grant money.

Abstaining from these grant procedures won't make the grants fail. It'll just mean we get less money for free software.

This is the opportunity to write a wish list

Posted Jan 8, 2026 12:53 UTC (Thu) by coriordan (guest, #7544) [Link]

(I just noticed that this thread started with a comment about NLnet but my replies were about EU funding. But the issues are often similar: if your application for funding gets rejected, by whoever, its usually better to look at ways to improve future applications.)

This is the opportunity to write a wish list

Posted Jan 8, 2026 13:02 UTC (Thu) by ebee_matteo (subscriber, #165284) [Link] (30 responses)

> Do they ask $BIGCOMPANY how it spends license money when they pay them?

Absolutely yes, they do. It might not be as direct as "I give you 100 EUR, hire 10 programmers". But they still set priorities and ask for things to be implemented, in terms of SLAs for instance. Most enterprise contracts also include fines if SLAs are not met.

I helped write public tenders. If people want money, they need to provide a certain level of service. There is no "here some money, do with it as you please, see you next year".

Even big companies like Microsoft and Apple. They are paying sums that makes them relevant customers whose requirements are taken in account. And when they don't behave like the EU wants, with taxpayer money, they enforce laws and apply fines.

This is the opportunity to write a wish list

Posted Jan 8, 2026 13:46 UTC (Thu) by alx.manpages (subscriber, #145117) [Link] (29 responses)

Of course if you contract some service you get some SLA for it.

But we're not talking about contracting services, we're talking about funding free software. The main problem in free software is (most often) not lack of features or lack of service. Companies and entities aren't donating to projects to get services from them or new features. They're donating to allow them to keep them working as they're currently working. The problem is that programmers are not paid to do what they do, and they only do it as much as they have free time to donate.

When companies want new features (e.g., kernel), they do hire programmers to implement specific features. But when companies/individuals/entities donate to some project, they just want it to survive; they don't ask for features or services or anything.

Similarly, when someone buys a basic software license, they're just paying to be able to use it. Of course, you may pay extra to get service from the provider, but that's not a basic license, and that's not what should be asked of free software projects to get grants.

Requiring the programmers to do bureaucracy is just wasting their time and energy.

> There is no "here some money, do with it as you please, see you next year".

I'll quote exactly what $SOMEFAANG said to me when they offered funding for the Linux man-pages project a couple of years ago (after <https://lwn.net/Articles/989215/>):

"I just saw your announcement on LWN. How much would you need to continue the work you've been doing?"

Just as simple as it looks.

This is *exactly* what I think should be done. If you (in this case EU) depend on a project, go to its maintainers, and ask them what they need to continue doing what they do.

This is the opportunity to write a wish list

Posted Jan 8, 2026 14:07 UTC (Thu) by euclidian (subscriber, #145308) [Link]

The issue is that the goal of buying the license isn't to keep the project healthy but to get access to the software. While you can charge for a license there is nothing stopping someone else undercutting you unless you add something extra like maintenance.

When governments (within the EU) give out grants to (for example) keep industries alive it normally comes with quiet a few strings attached and requires some feedback or proof of what it is going towards.

This is the opportunity to write a wish list

Posted Jan 8, 2026 14:24 UTC (Thu) by kleptog (subscriber, #1183) [Link] (24 responses)

> we're talking about *funding* free software.

> They're *donating* to allow them to keep them working as they're currently working.

Herein lies the problem. When buying licenses there's a contract with terms. But the language here: "funding", "donating" is all implying giving money with no strings attached. And I get it that people working on free-software would like to just receive money every month without having to justify to anyone what they are doing. I mean, that sounds like everyone's dream-job.

Getting that kind of money is really hard, looks at all the experiments in UBI. It's precarious because you're permanently getting people asking what you're doing. Your funding could be cut next year because you can't show you're producing any value.

If instead you reframe the discussion: you get money and in return you promise to patch any vulnerabilities reported to you, distribute the results and work on features by popular demand. Now you're providing a service. You're not getting funding anymore, you're getting paid to support critical infrastructure. Suddenly you're a strategically important industry for supporting digital sovereignty. People/businesses/governments can now send you money without having to fill in grant forms and justifying why you want to send 100 euro to some guy to do what they're doing already. They're now buying a service, or if you like, a CE mark.

As long as free-software depends on governments donating money we're not going to make progress.

This is the opportunity to write a wish list

Posted Jan 8, 2026 14:32 UTC (Thu) by ojeda (subscriber, #143370) [Link]

I may be missing context here, but "funding" in the general case doesn't imply giving money with no string attached, and in fact some funding in open source happens based on actual contracts, possibly with reporting requirements etc.

This is the opportunity to write a wish list

Posted Jan 8, 2026 15:17 UTC (Thu) by paulj (subscriber, #341) [Link] (22 responses)

I guess open-source projects should have a commercial entity that sells licences for the software (GPL, MIT, whatever the project licence is), plus support (with a best effort SLA). Purchase orders, recurring billing, etc. This would potentially make it much much easier for people to put through a "purchase" for essential software + support via normal processes within their companies.

This is the opportunity to write a wish list

Posted Jan 8, 2026 17:08 UTC (Thu) by Wol (subscriber, #4433) [Link] (1 responses)

Bear in mind, it's impossible to sell a licence for FLOSS software if you're not the copyright holder or appointed representative thereof. Which means it's pretty much impossible to sell a licence full stop.

But there is nothing to stop you offering support and maintenance contracts. And as mentioned elsewhere, if a company needs a "CE for software" mark, and you're the maintainer, brilliant (if that's what you want)! Sign a maintenance contract that says "you pay me £X, and I'll take care of the legal headache".

Which basically means providing a few important documents about how you intend to handle bug reports, how you will handle security problems, etc etc. Just remember that those documents (which you wrote) now have legal binding force over you. And the company will probably say "if you're not dealing with bugs, we expect you to deal with (our) feature requests".

Cheers,
Wol

This is the opportunity to write a wish list

Posted Jan 8, 2026 17:33 UTC (Thu) by paulj (subscriber, #341) [Link]

Well, the point is the service can be minimal and equivalent to what the buyer would get just downloading it. So the contract will be "I supply you with the GPL software for you to further develop and/or deploy in your own system, and I will support it for X time including giving you the updates on a best-effort basis". (This obviously doesn't preclude having other offerings, with more meaningful SLAs).

You don't have to do much. You just have to do something minimal, and fit in with standard corporate purchasing processes.

To wit: Signing off on spending (say) €200/annum to purchase some necessary software (inc. as per above) could be something a fairly low-level manager has the authority to sign-off on within the standard processes of the company. Where "donate €200 to a Free Software developer each year" would be something not covered in those processes and require an exceptional process to be followed, that ends up on the desk of a VP or higher.

Make it easy to do within standard corporate processes, and maybe more will do it?

This is the opportunity to write a wish list

Posted Jan 8, 2026 17:36 UTC (Thu) by alx.manpages (subscriber, #145117) [Link] (19 responses)

The problem with that would be that CRA would then apply to the project in its entirety.

That's something that most programmers are probably not interested in.

In general, I think users (including the EU) should consider two separate things:

- Feeding the bees that produce software.
- Hiring companies for support.

Whether the programmers are happy to be hired for support beyond maintenance is orthogonal and secondary.

This is the opportunity to write a wish list

Posted Jan 8, 2026 18:06 UTC (Thu) by paulj (subscriber, #341) [Link] (8 responses)

The entity offering the best-effort support "make corp processes easy" thing (and whatever else) could be a separate entity from the project, couldn't it?

If there is no way to supply software on corporates on a commercial basis without becoming encumbered by the CRA (can you not have a contract that says "this is supplied on R&D terms, and CRA obligations wrt any product on the market are yours"?), I guess then dealing with those becomes part of the offering (with whatever costs you need to add).

This is the opportunity to write a wish list

Posted Jan 8, 2026 23:58 UTC (Thu) by Wol (subscriber, #4433) [Link] (2 responses)

> can you not have a contract that says "this is supplied on R&D terms, and CRA obligations wrt any product on the market are yours"?

Of course you can! Everything is down to what the contract says! And if the contract says you work on an hourly R&D basis or whatever, and don't provide CRA guarantees, then the regulator will look at that and say to your customer "your supplier explicitly disclaims responsibility, it's down to you to sort it". If that means they have to throw money at you or get their own staff to do it, well if the contract says those are the terms then the regulator will enforce those terms!

Chances are your customer won't accept those terms, but that's down to them ...

Cheers,
Wol

This is the opportunity to write a wish list

Posted Jan 9, 2026 0:14 UTC (Fri) by alx.manpages (subscriber, #145117) [Link]

> Chances are your customer won't accept those terms, but that's down to them ...

That's the problem. I hope the EU --the customer here-- realizes that free software is essentially beekeeping. You need to make sure the bees are happy, giving them flowers and forest; in return, the bees will give you honey and even pollinate your vegetables. You can't sign a contract with them trying to regulate the amount of honey they must produce, or negotiate how many flowers you are willing to provide them. Of course, if the bees don't produce honey after some time, you may consider finding other bees; but as long as the bees do their job, one should just keep them.

Of course, the EU needs to make sure which projects it should protect, to not waste taxpayer money.

This is the opportunity to write a wish list

Posted Jan 9, 2026 14:26 UTC (Fri) by paulj (subscriber, #341) [Link]

> Of course you can! Everything is down to what the contract says! And if the contract says you work on an hourly R&D basis or whatever, and don't provide CRA guarantees, then the regulator will look at that and say to your customer

Ok, then if that's the case, and the CRA obligations can be kept devolved to your commercial customer by contractual agreement, then... that's a pretty simple option for a developer/maintainer who wants to provide a procurement-process-friendly "it's a purchase, not a donation, see" best-effort support option that doesn't entangle said dev in CRA obligations.

Perfect.

(Course, handling CRA obligations for customers may be a good way to get more customers).

This is the opportunity to write a wish list

Posted Jan 9, 2026 0:42 UTC (Fri) by raven667 (subscriber, #5198) [Link] (4 responses)

I think in some cases the CRA could provide the motivation for an ambitious developer to start a small company around their software and accept contracts with downstream companies which use their code in commercial products, accepting the liability with proper insurance as well, if the downstream companies are willing to pay. Maybe a number of developers could come together and share overhead costs. The liability of the CRA might make companies selling products chock full of FOSS more likely to open up their wallets and negotiate with _all_ the developers which make their products work, since they are going to have to put more resources into maintenance in any case.

This is the opportunity to write a wish list

Posted Jan 9, 2026 11:03 UTC (Fri) by paulj (subscriber, #341) [Link] (3 responses)

To the extent the CRA obligations are basically turning the job that good Free Software maintainers do into something that is legally required by commercial operators, it may well be a very good thing for said maintainers. Previously, commercial operators attached little to /no/ value to Free Software maintenance, and it was a thankless task and difficult to get funding for. If the CRA attaches a value to it, then that may change that situation for the better.

This is the opportunity to write a wish list

Posted Jan 9, 2026 11:21 UTC (Fri) by alx.manpages (subscriber, #145117) [Link] (2 responses)

The thing is, programmers have fun programming. They might not have so much fun doing bureaucracy. In some cases, they might, and that's fine for those. But maintainers shouldn't be discriminated because of that.

Maintainers should be funded by what they do already, which is valuable and should be paid.

If some maintainers are happy to take more work for some extra money, that's great, and more money could be paid to those. Some maintainers may also be interested in consulting about their projects for extra money.

But programmers that just want to maintain their projects should still be funded, as long as their projects are depended upon, as they're doing valuable work.

Also, consider that the bureaucracy might take time from other maintenance tasks, so you may want to have more people. Some dedicated to programming, and others that will help with the bureaucracy and other tasks.

Consider for example kernel maintainers. They usually work for companies, to implement features, which uses time that they could otherwise use to improve robustness and safety of the source code.

This is the opportunity to write a wish list

Posted Jan 9, 2026 15:21 UTC (Fri) by raven667 (subscriber, #5198) [Link] (1 responses)

As i understand it donations don't trigger obligations from the CRA, only commercial sales and contracts, so a hobbiest volunteer who isn't maintaining a software project in a commercial professional capacity should be clear of liability to whoever finds it on the internet and decides to integrate it into a commercial product. That's why I tried to be clear that this may be an opportunity for those developers who _want_ to commercialize their software maintenance activity, by prodding their downstream commercial integrator to put more value on it and maybe be willing to pay to exchange the liability. European insurance providers should research what a cyber-insurance policy should look like for a small FOSS maintainer who makes this kind of business arrangement, what's the risk and what's the liability, because an actuary can probably put some solid numbers around that, so a FOSS maintainer knows what they need to charge to continue maintenance and make their downstream whole if they make a mistake. The real-world cost of a CVE in some library is not generally infinite.

This is the opportunity to write a wish list

Posted Jan 9, 2026 16:17 UTC (Fri) by paulj (subscriber, #341) [Link]

To be honest, many (most?) Free Software projects would be at little risk from the CRA, even if they fell under its obligations. Given those obligations appear generally to be "Follow good development practices" which many Free Software projects do anyway. The most onerous obligations would be the requirements to provide security reports and updates for X years (is it 10?!!!).

There's been much discussion about the CRA here on LWN, but I'm still unclear as to exactly what the worst-case/hardest to meet obligations are, for any project that happened to be swept up in it somehow.

This is the opportunity to write a wish list

Posted Jan 8, 2026 23:53 UTC (Thu) by Wol (subscriber, #4433) [Link]

> The problem with that would be that CRA would then apply to the project in its entirety.

And?

The point is, (a) only the entity that agreed to provide the support contract would be on the hook, and (b) they would only be on the hook to the customer they signed the contract with! In other words, (a) it's opt-in, and (b) other people can't be co-opted in if they don't want to be!

If I decided to sign a contract to provide support for ScarletDME, yes the CRA would bite as far as I am concerned, but if anything happens, the regulator would go to my customer and say "Scarlet is broken, what are you going to do about it", my customer would point to the contract and say "there is my support contract", and the regulator would come after me. I'm then on the hook to provide a fix, BUT MY FELLOW PROJECT MEMBERS CANNOT BE TOUCHED. (Unless I have a formal deal with them, of course.)

As a FLOSS project, me and my fellow collaborators would be "Open Source Guardians" under the CRA, so they cannot be touched as Guardians; and because *I* signed the support contract, in my capacity as a freelance programmer, it's only *me* that has any real obligations under the law - signing the contract means I voluntarily resigned my status as a Guardian and took on the status of a commercial provider.

Cheers,
Wol

This is the opportunity to write a wish list

Posted Jan 9, 2026 13:59 UTC (Fri) by kleptog (subscriber, #1183) [Link] (8 responses)

> The problem with that would be that CRA would then apply to the project in its entirety.

That's not how it works. The CRA applies to a contract between two parties, not to a project. It's perfectly possible for someone other than the project maintainers to supply a CRA-marked version of software. In fact, if some business started selling a version of Debian Trixie with a CE-mark, I could probably convince management to pay for it. Even if it were literally standard Debian Trixie with a stamp on it. Because buying a software is a standard procurement process, donating money to a free-software project is something I've never gotten approved ever (and I've tried a few times).

Of course, I would prefer that money actually went to the Debian project (or even the maintainers) but it seems unlikely the Debian project itself is going to provide this service any time soon, so I'd want to find a middleman who promises to send some of the money to Debian (and/or the maintainers).

> - Feeding the bees that produce software.
> - Hiring companies for support.

The thing is, we don't need support for many of the open-source projects we use. What we need is an assurance it will be maintained and issues will be fixed. Simply donating doesn't give us that.

This is the opportunity to write a wish list

Posted Jan 9, 2026 14:21 UTC (Fri) by alx.manpages (subscriber, #145117) [Link] (6 responses)

> > - Feeding the bees that produce software.
> > - Hiring companies for support.
>
> The thing is, we don't need support for many of the open-source projects we use. What we need is an assurance it will be maintained and issues will be fixed. Simply donating doesn't give us that.

It is not sufficient, but it is necessary.

You could give the money with a contract that says the maintainer should do a good effort to maintain the project and fix issues. FWIW, I have such a contract at the moment with the three companies that give me money for maintaining the Linux man-pages project. That's something reasonable to ask when giving money.

But I would consider it unreasonable if the contract said I had to maintain stable branches with some conditions (maybe 5 years of support, for example). I decide what's best for the upstream project, and a contract must respect that. This falls into what I consider "support", and which must be bought separately, and possibly through a different supplier.

This is the opportunity to write a wish list

Posted Jan 9, 2026 22:44 UTC (Fri) by kleptog (subscriber, #1183) [Link] (5 responses)

> But I would consider it unreasonable if the contract said I had to maintain stable branches with some conditions (maybe 5 years of support, for example)

But that's fine. It's a negotiation, you say what you offer for what price and the buyer can take it or leave it. If you don't want to maintain a branch for 5 years then don't offer that. If I'm looking for that then I'll find someone else (or not).

The CRA is just the beginning of the process. What are maintainers willing to offer? At what price? What do businesses actually want from them? Which part do they want maintainers to do, and which parts themselves? How can we organise all this to minimise the overhead? This all needs to be worked out.

As a company we use hundreds, maybe thousands of open source packages, we can't go negotiating individual contracts for each one...

This is the opportunity to write a wish list

Posted Jan 9, 2026 23:07 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

> As a company we use hundreds, maybe thousands of open source packages, we can't go negotiating individual contracts for each one...

Radio stations solved that via mechanical rights. Each time a radio station plays a song, they pay a small fee to an organization that represents the collective rights of musicians. It then redistributes the fees as royalties.

It's going to be more complicated for OpenSource, but perhaps something like this is the future.

This is the opportunity to write a wish list

Posted Jan 10, 2026 0:59 UTC (Sat) by euclidian (subscriber, #145308) [Link] (1 responses)

I do see it as a possibility of a number of open source projects pooling together so you can buy a single CRA license and it covers all the projects in the pool and all the dependencies.

For example GNU could run a pool containing all the applications / libraries under it's general banner.

This might encourage a slightly tighter control of dependencies as well. As you would have an advantage to all your dependencies being in the same pool as you.

This is the opportunity to write a wish list

Posted Jan 10, 2026 13:28 UTC (Sat) by paulj (subscriber, #341) [Link]

> This might encourage a slightly tighter control of dependencies as well.

Not sure about the social logistics of projects pooling together. However, regardless, it sounds like the CRA makes tighter control of dependencies valuable. (Which would generally be good).

This is the opportunity to write a wish list

Posted Jan 10, 2026 14:27 UTC (Sat) by kleptog (subscriber, #1183) [Link]

> Radio stations solved that via mechanical rights. Each time a radio station plays a song, they pay a small fee to an organization that represents the collective rights of musicians. It then redistributes the fees as royalties.

Except in the US notably. But yes, that is one solution, generally with some statutory basis (mainly, radio stations don't need to ask permission). It would be awesome if something similar existed for movies/series so you wouldn't need to figure out which streaming service has which movie. But I digress.

> It's going to be more complicated for OpenSource, but perhaps something like this is the future.

I don't see that happening for software though. There are simply way more businesses using many more pieces of software than the number of radio stations. And music has a clearer definition of "released" and "ownership".

But who knows, we're just at the beginning of the process, who know where this will go.

This is the opportunity to write a wish list

Posted Jan 10, 2026 15:53 UTC (Sat) by Wol (subscriber, #4433) [Link]

> Radio stations solved that via mechanical rights. Each time a radio station plays a song, they pay a small fee to an organization that represents the collective rights of musicians. It then redistributes the fees as royalties.

But! And I don't know whether it describes the way things work in America, or over here, or both, but there have been plenty of studies that show mis-reporting by people playing music is rife. "We played this music by that artist on the other channel" - except that what is reported never happened when you check up (and the agencies never check, it's far too much work). It's not deliberate, people don't make notes at the time, and memory is fallible (don't I know it!!!)

This almost always favours the big artists. Then of course, there's the collection agencies fees and expenses - which are mostly flat rate. So little artists never get a penny because their royalties don't add up big enough. On top of being gouged by mis-reporting.

So this mechanism is probably going to seriously fail that lone developer in Nebraska, which probably covers 90% of the guys doing the work and needing support, and is much more likely to benefit the big guys who - frankly - probably don't need it.

It's going to have to be something like the little guys band together and form a collective, so they can appoint a collections agent with the authority (and ability) to say "I have a team of ten programmers (each with their own project) who have banded together to jointly offer a software CE mark on their projects". The agent can then distribute the money according to how much work everybody is doing (including themself :-), and everybody is on the hook to pile in and help should a CRA vulnerability arise.

Cheers,
Wol

This is the opportunity to write a wish list

Posted Jan 9, 2026 14:22 UTC (Fri) by paulj (subscriber, #341) [Link]

You are exactly the scenario I was describing in: https://lwn.net/Articles/1053329/ ;)

This is the opportunity to write a wish list

Posted Jan 8, 2026 21:25 UTC (Thu) by hailfinger (subscriber, #76962) [Link]

> This is *exactly* what I think should be done. If you (in this case EU) depend on a project, go to its maintainers, and ask them what they need to continue doing what they do.

That's how I'm interpreting this call from the European Commission. Except that they know that if they talk to individual maintainers, they are going to miss some crucial (but pretty much invisible) project, so they published that call instead of asking projects individually.
And given that some maintainers do read LWN, this call is already reaching some of the right people.

This is the opportunity to write a wish list

Posted Jan 9, 2026 9:43 UTC (Fri) by joib (subscriber, #8541) [Link] (1 responses)

> I'll quote exactly what $SOMEFAANG said to me when they offered funding for the Linux man-pages project a couple of years ago (after <https://lwn.net/Articles/989215/>):

> "I just saw your announcement on LWN. How much would you need to continue the work you've been doing?"

> Just as simple as it looks.

> This is *exactly* what I think should be done. If you (in this case EU) depend on a project, go to its maintainers, and ask them what they need to continue doing what they do.

I mean, ideally yes, and I'm happy it worked out this way for you. But that's not generally how the public sector, or the EU in particular, works. If you boycott their way of giving out money, they will just give the money to somebody that plays by their rules. Which might, or then might not, be particularly helpful to the FOSS cause.

This is the opportunity to write a wish list

Posted Jan 9, 2026 11:07 UTC (Fri) by alx.manpages (subscriber, #145117) [Link]

> I mean, ideally yes, and I'm happy it worked out this way for you.

Thanks! :-)

> But that's not generally how the public sector, or the EU in particular, works.

> If you boycott their way of giving out money,

I'm not saying I'll boycott their way of giving out money. I'll indeed write to them and provide my point of view. Hopefully, they'll take it into account. I believe they can learn. I was stating that I don't like how NLNET is acting, but the EU might be better; we don't know yet.

> they will just give the money to somebody that plays by their rules.

However, if they ignore me, I certainly won't play by their rules. At that point, it's up to them to evaluate if what they do will benefit them or not. After all, they're the interested client looking for a provider.

> Which might, or then might not, be particularly helpful to the FOSS cause.

I believe FOSS is in a strong position. Just imagine if a non-negligible amount of maintainers decided to stop doing volunteer work for a year. The world would certainly notice.

This is the opportunity to write a wish list

Posted Jan 9, 2026 8:27 UTC (Fri) by rwmj (guest, #5474) [Link]

The trouble is even if the OP did the (unnecessary) "rewrite the project in Rust", the new code will still need maintenance after that, and who is going to provide that?

NLnet

Posted Jan 9, 2026 11:07 UTC (Fri) by Gladrim (subscriber, #45751) [Link] (1 responses)

In my experience, feedback from NLnet aims to guide you towards something they can fund given the terms of the funding they manage from the EU.

They don't want to tell you what to do, but they do push back to check that you know what you are doing, that you have considered alternatives, and to try to fit what you want to do into one of the active funds. They WANT to fund projects, but each fund has guidelines. Some funds have specific requirements from the EU, such as improving security, and perhaps they might have been able to move your project into such a fund if they had an angle such as memory safety to work with.

Of the projects I've seen fail to get funded, many have become frustrated and given up at the second round of questions.

I'd strongly encourage you to apply again. Talk to them about what you want to do. They are very flexible.

NLnet

Posted Jan 9, 2026 11:23 UTC (Fri) by alx.manpages (subscriber, #145117) [Link]

I'll give them another chance. Thanks!

This is the opportunity to write a wish list

Posted Jan 9, 2026 10:36 UTC (Fri) by fermigier (guest, #12330) [Link]

I (co)wrote one last year, with 70 ideas, see my comment https://lwn.net/Articles/1053421/

Consultation strategy

Posted Jan 9, 2026 10:22 UTC (Fri) by fermigier (guest, #12330) [Link]

70 propositions from the European Alliance for Industrial Data, Edge and Cloud, written in part by yours truly (in early 2025, i.e. before the "Trump effect" was in full force) and published by the Commission in July 2025:

https://ec.europa.eu/newsroom/dae/redirection/document/11...

The document is also known as "The “Open Source Way to EU Digital Sovereignty & Competitiveness” thematic roadmap".

Here is the complete list of proposals from the roadmap, translated into English and organised by pillar.

### Pillar 1: Technological Development

- Define technical specifications as open standards for European Open Source cloud, edge and IoT environments.
- Fund interoperability pilot projects that prioritise the use of European Open Source technologies.
- Require all EU-funded digital infrastructure projects to adhere to these interoperability standards.
- Promote and enforce the implementation of open standards throughout the EU.
- Create a ‘European Open Source Sovereignty Fund’ (EOSSF) dedicated to essential projects. [NB: this would now be called the EU-STF].
- Offer targeted grants for the security, maintenance and strengthening of the sovereignty of Open Source projects.
- Foster in-depth collaboration with European academic institutions and Open Source Programme Offices (OSPOs).
- Develop a practical guide for public procurement managers to evaluate European Open Source solutions.
- Create sector-specific reference architectures based on European Open Source technologies.
- Launch large-scale demonstration projects to illustrate the practical benefits of European Open Source solutions.
- Produce and distribute comprehensive ‘playbooks’ for the deployment of European Open Source solutions.
- Implement policies to actively encourage the adoption of these reference implementations in public procurement.

### Pillar 2: Skills Development

- Organise industry-focused training workshops with a European emphasis on Open Source tools and platforms.
- Offer targeted training grants to SMEs and public sector organisations for European Open Source skills development.
- Launch certification programmes for mastery of European Open Source technologies and standards.
- Establish EU-funded retraining programmes to help professionals transition into European Open Source roles.
- Collaborate with industry partners to create hands-on learning and placement opportunities in Open Source.
- Offer financial incentives to companies that participate in retraining programmes and use European Open Source.
- Develop a European Open Source resource platform that brings together training materials, best practices, and case studies.
- Integrate European Open Source principles into STEM (Science, Technology, Engineering, and Mathematics) curricula from secondary school to university.
- Support the creation of European Open Source ‘centres of excellence’ in universities.
- Develop EU-wide coding competitions and hackathons focused on European Open Source solutions.
- Introduce training on European Open Source business models into vocational training.
- Create vocational training modules for European Open Source project management.
- Establish certification for mastery of European Open Source business skills.

### Pillar 3: Public Procurement Practices

- Launch a consultation with public sector bodies and Open Source providers to identify challenges related to public procurement.
- Make ‘Public Money, Public Code, Open Source First, European Preference’ policies mandatory in public procurement.
- Develop comprehensive guidelines for public procurement to evaluate and select European Open Source solutions.
- Fund demonstration projects showing the success of replacing proprietary systems with European Open Source.
- Establish clear criteria for defining what constitutes a ‘European’ Open Source solution.
- Provide a practical guide for public procurement managers to evaluate Open Source solutions.
- Collaborate with industry and standardisation bodies to develop accessible evaluation criteria for Open Source.
- Create a public directory of recommended European Open Source solutions.
- Encourage public sector organisations to adopt solutions developed under the Next Generation Internet (NGI) initiative.
- Launch cross-border pre-commercial procurement (PCP) projects focused on European Open Source.
- Create knowledge-sharing platforms for feedback on PCP initiatives and Open Source best practices.
- Actively involve European Open Source providers in the co-design of solutions in the PCP process.
- Publish guidelines to help public sector organisations manage and support European Open Source.
- Promote the active participation of public sector representatives in European Open Source communities.
- Support training programmes for public sector staff on project management and Open Source compliance.
- Engage stakeholders to collaboratively refine and simplify procurement practices for Open Source.

### Pillar 4: Growth and Investment

- Create a European Open Source Investment Platform (EOSIP) to centralise information on funding.
- Organise information workshops for European SMEs and start-ups on how to obtain investment.
- Establish partnerships with private investors to form a network of venture capital funds focused on European Open Source.
- Expand the Next Generation Internet (NGI) initiative with a focus on Open Source cloud, edge and IoT.
- Regularly assess the impact of funding programmes on community growth and market adoption.
- Allocate dedicated funding to high-impact European Open Source projects that meet strategic needs.
- Develop co-investment models that combine public funds with European private sector investments.
- Launch accelerators and incubators specifically designed for European Open Source technologies.
- Develop an EU-wide branding strategy to highlight the quality and sovereignty of European Open Source.
- Showcase European Open Source successes on international platforms through marketing campaigns.
- Form strategic partnerships with European industry organisations to increase project visibility.
- Establish public-private R&D consortia on European Open Source for high-priority projects.
- Offer incentives for private sector contributions to critical European Open Source initiatives.
- Develop platforms for knowledge exchange and cross-sector collaboration within the European ecosystem.

### Pillar 5: Governance

- Conduct vulnerability assessments for critical European Open Source projects.
- Collaborate with European cybersecurity agencies to develop threat models for Open Source environments.
- Publish findings and best practices from security assessments to the European ecosystem.
- Offer tailored compliance advice to help European Open Source projects navigate EU regulations.
- Facilitate accessibility to Cyber Resilience Act (CRA) certification for European Open Source projects.
- Provide resources and support for the documentation and auditing of European projects.
- Ensure stable, long-term funding for core European Open Source infrastructure.
- Establish mentoring programmes focused on developing European talent for critical projects.
- Create a European Open Source Advisory Board to oversee project funding and direction.
- Require EU-supported European projects to adhere to transparent governance and accountability practices.
- Support European community involvement in Open Source project governance.
- Facilitate community input into European Open Source policy development.
- Publish guidelines on best practices for managing the lifecycle of European Open Source projects.
- Provide resources for responsible maintenance and end-of-life support for European projects.
- Encourage comprehensive documentation and knowledge sharing within the European ecosystem.

Twelve Step TrustABLE IT : VLSBs in VDNZs From TBAs

Posted Jan 7, 2026 23:19 UTC (Wed) by NZheretic (guest, #409) [Link]

From over two decades ago Twelve Step TrustABLE IT : VLSBs in VDNZs From TBAs
Twelve Step TrustABLE IT:

Virtualized Linux Standard Base (VLSB)

in Virtual Demilitarized Network Zones (VDNZ)

from Trusted Build Agents (TBA)


Since 2004, the Linux Standard Base has been abandoned, somewhat replaced by the three de facto standard Debian, RedHat & Arch Linux distribution clone/compatibility & containerization under Docker/Podman & Flatpack etc.

[12] Governments, organizations and individuals are becoming increasingly concerned about software compatibility, conflicts and the possible existence of spyware in the software applications they use. If you have access to the source code, then you can check it and compile it for yourself. This is not an option for closed source proprietary applications, and not everyone has the resources to check each line of source code. One solution for these issues is to employ a trusted third party, separate from the application developer, who is tasked with maintaining a trusted build environment, to build the binaries from source code. The Trusted Build Agent (TBA) would hold the source to each build in escrow, releasing the source code for only open source licensed code. Competing businesses providing a TBA service in a free market would compete with each other in not only price and level of certification, but also on the ability to detect hostile, vulnerable, incompatible or just plain buggy source code. You could request a trusted build from multiple TBAs test the ability to detect defects. Defects would be reported back to the application developers, along with any patches and suggestions that provide a fix. To a lesser extent, most Linux distributions and other operating system vendors that build and redistribute open source licensed code already provide this role.

Using Debian's Reproducible builds set of software development practices, the Trusted Build Agent compilations can be verified.

Given the widespread adoption of container based deployment for backends & services, such as Docker & Podman, backend deployments as well as could also under such inspection & rebuild by Trusted Build Agents as well.



From two years earlier Our Data:an appeal - a "Plimsoll line" for apps
The onus is not only on the automotive industry itself but also on the users. Most countries require that all automobiles undergo regular inspection and maintain an up to date "Warrant of Fitness".

In the same way, if you want a secure IT infrastructure, eventually the software design, implementation and each deployment will have to undergo the same type of regulation and scrutiny.

do your own homework

Posted Jan 8, 2026 7:45 UTC (Thu) by taggart (subscriber, #13801) [Link] (9 responses)

I'm not sure why my initial reaction this is so negative...

So the past policies have failed so badly and you admit FOSS is probably a better idea and now you expect the FOSS community to do a bunch of unpaid labor to further document what needs to be done? Despite the fact that for 20+ years we've already been doing so to convince you and you either ignored us or just used FOSS as leverage to negotiate cheaper prices from Microsoft?

Start throwing some real money at projects that need it and then people might pay attention.

do your own homework

Posted Jan 8, 2026 10:42 UTC (Thu) by dsommers (subscriber, #55274) [Link] (4 responses)

I believe one of the most obvious reasons why it's been so much back'n'forth with FOSS in the public sector is that Microsoft, Apple, Google, Amazon (#MAGA?) has an enormous pile of money they can spend on lobbying politicians.

For a politician, taking a path which deviates considerably from what people are used too is a hard sell for them to convince the voters that this is a better path. In the 80's and 90's, there was the saying that "You'll never get fired for choosing IBM". Today, that has changed to the Big Tech companies mentioned above.

There are quite few FOSS based companies who are strong enough to compete against the lobby capabilities of the large Big Tech companies. Red Hat/IBM is probably the largest one these days. And IBM most likely pushes that "responsibility" to Red Hat. But there is only so much Red Hat can do alone without support from others as well.

No software is free (gratis). Someone need to spend time developing it and maintaining it. So funding is clearly important. Politicians understands this. That's why large FOSS based companies are crucial to be involved in these discussions with the EU. Because these companies can at least provide some more credible numbers to EU politicians of the cost of running a FOSS software stack.

And another related aspect, which Big Tech can push hard on is the support side. Getting an software stack infrastructure up and running is just one piece of the puzzle. Having a sustainable and reliable support channel when something breaks must also be considered.

For example, Microsoft provides an enormous software stack - going from the OS to the core software components politicians need to do their work, and there is a lot of expertise they can offer if something breaks. Microsoft can give the politicians a concrete number of the cost of using that stack. (Whether these numbers are correct in practice, is a different discussion).

For FOSS, you need companies like Red Hat to provide a similar number - because no politician will start digging into all the various components needed for them to be able to do their job and calculate a cost spread across thousands of open source projects and then figure out the expertise need for the maintenance and support. That won't fly well, and they won't really task this to their expertise groups if they don't initially believe it's worthwhile.

And I think that's why FOSS struggles to get a strong foothold within the public sector. Those few companies who can provide a functional "solution package" based on FOSS are drowning in the lobby efforts of the large Big Tech companies. And then the cost of a FOSS solution is not seen as credible by politicians.

Politicians need to be given a simple, clear and convincing answer to their complex need with a clear price tag.

In that regards, the current world political situation is shaking the cage enough for politicians to actually look at alternatives - due to the way the Trump 2 administration operates - it is clearer that depending too much on the US based Big Tech is making it too risky for EU in a longer run, Europe gets in a vulnerable position. That is what EU politicians begins to realize now.

The paradox is that Red Hat is a US based company owned by IBM, which gives Red Hat a huge downside to their credibility against the other US based Big Tech companies. On the other hand, what Red Hat brings to the table is a software stack not really owned by them, but is more a collection of independent open source software projects. So if shit its the fan for Red Hat in the future, it is possible to escape a vendor hostage situation. For FOSS companies in Europe, this might be a golden opportunity - but it will be hard to compete against a de-facto FOSS company as Red Hat has become over many years. It is not impossible though, by putting efforts into following what Red Hat delivers today and the direction they're taking - to shadow that for a bit and build up expertise and credibility for the future.

Organizations like FSF, Software Freedom Conservancy and similar FOSS advocates only provides a guidance to where too look and why to consider FOSS from an angle which doesn't really provide a "software stack with a price tag" answer to politicians. These organizations provides more to the philosophical aspects to the discussions rather than a concrete software stack solution.

Politicians won't start throwing money at FOSS projects unless they see a clear win in it. The FOSS projects themselves are not unified in a way where they can convince politicians that they have the best option for them. They need someone in front of them who can handle the business politics and provide a unified solution across all the needed projects. And this organization can start sponsoring concrete FOSS projects.

do your own homework

Posted Jan 8, 2026 14:22 UTC (Thu) by Wol (subscriber, #4433) [Link]

But this is where groups like the E-FSF have an important role. While I hate suggesting the big consultancies should be handed more power, the EU should be demanding that government projects either do a lot of software stack work in-house, where they will use FLOSS software as a matter of course (and gain experience with it) or, given the propensity of governments to outsource, they need to demand joint copyright in all work written for them and get consultancies to build it for them.

Either version would result in a very good outcome, real supported software (either in-house or via a contract with a consultancy), plus hopefully consultancies employing or placing on retainer the software maintainers. For example, LibreOffice is tied up with - is it Collabra? - which comes over as being a support consultancy for LibreOffice.

If people like this (even American foundations, provided they open a European office to support European contracts) can get contracts that expand, that will achieve many of the EU's aims.

Cheers,
Wol

do your own homework

Posted Jan 8, 2026 17:39 UTC (Thu) by rgmoore (✭ supporter ✭, #75) [Link]

For FOSS, you need companies like Red Hat to provide a similar number - because no politician will start digging into all the various components needed for them to be able to do their job and calculate a cost spread across thousands of open source projects and then figure out the expertise need for the maintenance and support. That won't fly well, and they won't really task this to their expertise groups if they don't initially believe it's worthwhile.

This is where the civil service needs to get involved. If a politician really wants to think about replacing proprietary software with FOSS, they should consult their own in-house experts. Politicians may not have the expertise or motivation to figure out what it would cost to develop their own FOSS solution, but governments do have large IT departments that have the expertise needed to answer those kinds of questions. Maybe some of those experts are in the pockets of Big Tech and will inflate the cost, but I'm sure some of them are just as fed up dealing with Big Tech as the rest of us and would love to replace everything with a FOSS stack that's under their control.

I would even suggest that hiring FOSS authors as civil servants is a practical alternative to hiring some big tech company like Red Hat. For the price they'd pay a big tech company like Red Hat- much less what they're currently paying to Microsoft, Google, et. al.- a national government could probably afford to hire dozens or even hundreds of their own developers. That would be plenty to make their own customized version of an existing distribution that would serve their specific needs.

do your own homework

Posted Jan 9, 2026 9:31 UTC (Fri) by joib (subscriber, #8541) [Link]

If the EU commission doesn't want to give money to IBM/RH for FOSS maintenance, then there's SUSE as a European option. I haven't really followed SUSE, but going from wiki they don't seem to do that well, with them being acquired over and over and then ultimately being delisted from the stock exchange due to doing so badly.

In any case, be it SUSE or something else, some kind of umbrella organization is probably needed for this kind of maintenance effort. It doesn't seem sensible that some individual maintainer of shadow-utils or whatever needs to write an application, multiplied by every small but still critical project.

do your own homework

Posted Jan 11, 2026 14:09 UTC (Sun) by poruid (subscriber, #15924) [Link]

The Netherlands in 2006 officially declared a policy (Nederland Open in Verbinding, Ministry of Economic Affairs) that open source software and open standards are mandatory unless there are strong specific reason to not adhere (comply or explain).

In practise this policy has been disgustingly well frustrated by the incumbent closed source providers. Also at that time a (good) architecture was published for all governmental bodies (public sector) and an ICT organisation was instituted that centralised much of the work and knowledge (Logius, formally known as GBO). Not long after this, Microsoft got an arguably non-compliant order for initially 50.000 desktops (misnamed Desktop Goud, gold). From there on things seem to have become only worse, e.g. in terms of vector lock-in.

Strange as it may seem, organisations like Logius have, or should have, the required resources to assemble and maintain the software stacks needed by governmental organisations, based on FOSS, mostly anyway. Countries like France have already invested more on such stacks and with more cooperation within the EU good progress should be possible. Most certainly if the prevalent IT culture changes, be it for geopolical reasons.

do your own homework

Posted Jan 8, 2026 13:14 UTC (Thu) by malmedal (subscriber, #56172) [Link]

> not sure why my initial reaction this is so negative...

It's a common one to have. I believe this type of reaction is why so many leftist movements fail or splinter. Many people want to be acknowledged as having been right all along rather than work towards the ostensible goal.

do your own homework

Posted Jan 8, 2026 15:08 UTC (Thu) by jzb (editor, #7867) [Link] (1 responses)

On the other hand, imagine the reaction if the EC just popped out a fully formed plan without the consultation. I expect people would react quite negatively to that. (They may also be required to do this consultation by regulation/statute/whatever, as well?)

do your own homework

Posted Jan 9, 2026 10:43 UTC (Fri) by coriordan (guest, #7544) [Link]

Yes. A consultation is a standard part of the process for the EC to draft a legislative proposal.

do your own homework

Posted Jan 8, 2026 15:49 UTC (Thu) by ballombe (subscriber, #9523) [Link]

> Start throwing some real money at projects that need it and then people might pay attention.

This is exactly what the EU has done since 15 years, through various funding channels.

Nepotism and corruption affect Open-Source too

Posted Jan 9, 2026 14:27 UTC (Fri) by asenz (guest, #172098) [Link]

This sort of poll is what the US used to do 30 years ago, in the infancy of the open source software movement. I wasn't facing much of anything beyond the standard sabotage at work and school because of my Orthodox religion, as well as being outright insulted and attacked when presenting at startup conferences. That ultimately led me to open-source my work.

I think a lot of discussion is missing the point of open source...

Posted Jan 9, 2026 17:29 UTC (Fri) by Heretic_Blacksheep (subscriber, #169992) [Link] (1 responses)

... in that just throwing money at the FOSS community will magically create a healthy native ecosystem in that somehow magically results in digital autonomy from sources other than corporations that can't be trusted.

That's just not how FOSS works. That's how corporations work. Some FOSS projects will undoubtedly gain extra funding this way, sure, but the majority of FOSS contributors and maintainers don't want to make their hobby projects their full time jobs, and they often aren't qualified to do so either because they're not trained to create secure, maintainable code, and/or they're not trained how to manage the burden of dealing with the requirements of public or private external funding. Or if they are, they're happy with their day job and its benefits and don't want to lose them.

If the EC wants to nurture an open collaborative environment, then they need to understand it's not just about money. They have to actually create an *open* as in freedom of research and collaborative environment rather than trying to control the spread and use of technologies like encryption and DRM-busting tools, research into existing software security and operations, oppressive copyright and patent maximalism, and other barriers to collaboration that merely favor corporate monopolies. They need laws that protect reverse engineering, the sharing of discoveries in security research, protect the rights of individuals and companies that publish PoCs, bypass harmful bad faith software locks even if they're from European corporations (like that train situation couple years back), or security scanners designed to facilitate improving security (like Metasploit), take measures guard the human rights of individuals traveling to freely express their findings and hosting more conferences in the EC zone like 3C. Policy is even more important than money in this case. Protecting the powerless from the powerful goes a long way in facilitating a true grass roots FOSS community, not just astroturfing from primarily corporate controlled theoretical open source.

In some ways, the EC zone needs to become the opposite of what the US is currently becoming and fully champion the human right to collaborate, learn, and share their learnings (and materials) whether or not it challenges the political agendas of its member country's politicians.

It pains me to say that as a US citizen, but *someone* has to stand up for truth in a global environment where the light of reason and recognition of fact appears to be growing dim because it sure isn't the US right now, if it ever was (I've never believed in any kind of exceptionalism, American or European).

I think a lot of discussion is missing the point of open source...

Posted Jan 11, 2026 14:24 UTC (Sun) by poruid (subscriber, #15924) [Link]

The EU has put in a lot of effort to create new laws for the digital age, starting in the nineties (e.g. consumer protection in the digital world) and the last few years with an avalanche of new statutes (some of them replacing/updating previous): DMA, SDA, CRA, GPRD, etc. In most of these special provisions exist for FOSS. It is not that the EU lacks initiative, but it has to cope with lots of pressure.

I and 169 have replied so far

Posted Jan 9, 2026 21:59 UTC (Fri) by bagder (guest, #38414) [Link]

I responded.

I signed it with "Daniel Stenberg, president of the European Open Source Academy". Figured it would sound better than just "Code Emitting Organism in the curl project".

Trying to Find It in Canada

Posted Jan 16, 2026 19:34 UTC (Fri) by kmcmillan (guest, #181901) [Link]

In Canada, we have a national directive to use open source software:
4.3.22 Ensuring that open source software is encouraged and where used, contributing to the communities whose work is being leveraged (part of the Directive on Service and Digital).

Unfortunately, I do not know at this time if it is informing funding (for example, Health Transfer funding to the province and territories), if it is being applied (ie. state of compliance), or what it is based on (ie. background evidence), but I will post again if I get any info on these factors.

-Katie


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds