FLOSS Weekly 728 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

Jonathan Bennett (00:00:00):
Hey, this week we're joined by Mike Milinkovich, the director of the Eclipse Foundation, but not to talk about IDEs this time, it's the Cyber Resilience Act outta the European Union, a well-intentioned law that may have some serious ramifications for all of us. You do not wanna miss this one, so stay tuned.

Leo Laporte (00:00:19):
Podcasts you love from people you trust. This is TWiT.

Jonathan Bennett (00:00:28):
This is FLOSS Weekly, episode 728, recorded Wednesday, April 19th, 2023. Open season on Open Source.

Leo Laporte (00:00:36):
Listeners of this program get an ad free version if they're members of Club TWiT. $7 a month gives you ad free versions of all of our shows, plus membership in the Club TWiT Discord, a great clubhouse for TWiT listeners. And finally, the TWiT plus feed with shows like Stacy's Book Club, the Untitled Linux Show, the Giz Fiz and more. Go to TWiT.tv/clubtwit and thanks for your support.

Doc Searls (00:01:04):
[Inaudible] Or wherever it is, wherever you are. I am Doc Searls. This is FLOSS Weekly <laugh>. And our guest is smiley because he's in Belgium, <laugh>, and he speaks at least one of the native languages there, <laugh>, but we're not bringing him on yet. Gonna build suspense while I bring him. I don't bring him in. And bring us him in our producer to Jonathan Bennett <laugh> from Oklahoma.

Jonathan Bennett (00:01:27):
Yes. the flyover, the flyover country. The

Doc Searls (00:01:29):
Flyover

Jonathan Bennett (00:01:30):
Country go by.

Doc Searls (00:01:32):
We enjoy. I I, I like flyover Oklahoma. I, I, I used to look at Indiana as a flyover state, but now I live there too, so <laugh>. But right now I'm in, I'm in the most reverberant room in downtown or what used to be downtown Silicon Valley. I'm in the Computer History Museum in Mountain View. I have Bayview here right now. I can't, I'm not gonna turn the computer around and show you cuz it's just trees. I can turn a little bit, you see there's a mirror there. Oh, that's reflecting a door. Oh, well. But yeah, I'm in Silicon Valley here at a conference where you can tell 'em at a conference cuz they have a name badge. Here we go. <Laugh>. And it's one that I helped put on. I helped, I started it actually the internet identity workshop to solve internet identity. We are on our 36th so far because we'll never solve it. We have two a year and it's impossible. So everybody comes. <Laugh>

Jonathan Bennett (00:02:27):
One of those problems. It'll never be done.

Doc Searls (00:02:29):
So how are you doing there, <laugh>, Jonathan? You, you're, you're kid full now, you have like three kids.

Jonathan Bennett (00:02:35):
Yeah. Got three of 'em running around and it's sort of a handful, but we're doing well. Everybody's doing pretty well. Got a couple of little things going on that we're trying to get worked out as far as health goes, but making really good progress.

Doc Searls (00:02:45):
Yeah. Well, there's, the good thing about having a number of kids between my wife and I, we have four that are all older adults that do <laugh> in three other cases, possibly older than our guests as well. But is that you think you've got it down? A a quick one. My youngest, my, my, my, my two oldest, I, I had a potty training worked out. You guys know how to, how to do this now we're gonna sit in the bathroom until you do it. Okay. There's this wrong, we're gonna do this. And it worked out with him. It was my youngest who could already walk and talk like by, at nine months and was, and tall as well. So he reached everything and he voluntarily went in and used it and showed off. And I thought, oh my God, we set a record, we're done. And then he decided he'd go in his pants for the next three years and he was insistent about it. So you never know <laugh>. That's about right. And if he's watching, he'll kill me. There you go. <Laugh>. Of course. So did you do any homework on this one, Jonathan?

Jonathan Bennett (00:03:50):
So I, I have in a way this is actually one of the stories that I have been following and doing a little bit of writing about too. And we're, we're kind of gonna break a rule because it's, it gets sort of political. But it's important enough that, boy, we, we really need to talk about it. And that is what happens when the government swoop in and tries to fix cybersecurity <laugh>. And

Doc Searls (00:04:16):
I think you and I are one mind on this already.

Jonathan Bennett (00:04:20):
That statement terrifies me. Yeah, yeah. But I'm gonna try not, we're gonna try not to get too terribly political about it and actually stick to the facts. But I, I like what Robert Graham said, it's, it's kind of like Homer Simpson walking in as the safety guy at the Atomic Plant been saying, safe

Doc Searls (00:04:40):
Up,

Jonathan Bennett (00:04:41):
Safe enough. You <laugh>. And so our, our government has walked in and is pointing at all of us and going secure up, make secure software. <Laugh>.

Doc Searls (00:04:50):
Oh my God. I know there, there's a guy here at this conference at the Internet Identity Workshop, better known as IIW, who is, I, is the NSA. He's from one of the government agencies. Mm-Hmm. <affirmative>. But, and he was, he is been here before and, and and he says, I'm from the government and I'm actually really here to help and to listen and, and talking to him. You get this, but this guy, it's true. But how many others are there? <Laugh>? So it's a little, it's a little scary. Well, let's let, let's, let's get down to it. So, so our guest is Mike Milinkovich, who Simon Phipps, who introduced us and would be on the show today. And for all I know may call in at some point. He's dealing with some personal issues, unfortunately. But he is very excited about this. Mike is the longtime executive director of the Eclipse Foundation and deeply informed on the Cyber Resilience Act, which Jonathan and I were, is talking about in Europe, which by the way now means the world like, you know, the GDPR we're all dealing with that. The CCPA we're all dealing with that and is also on the in, has an emerging position in the US. He is running one of the most consequential software nonprofits in the world. So, Mike, welcome to the show.

Mike Milinkovich (00:06:07):
Thank you very much. Sure. To be here.

Doc Searls (00:06:09):
Your background is blurred, but you're not. That's good. <Laugh>. Yeah. And do I have it right? You're in Belgium? It's somewhere at this point, or,

Mike Milinkovich (00:06:16):
Yeah, so I'm in, I'm in downtown Brussels about 300 meters away from the headquarters of the European Commission as we speak.

Doc Searls (00:06:25):
So I may be presumptuous in saying this, but you just said a boot. So I'm thinking you're from Canada, is that right?

Mike Milinkovich (00:06:29):
I am, I am. I don't, I I said about not boot, but

Doc Searls (00:06:34):
Man, you can't conceal that.

Mike Milinkovich (00:06:36):
Yeah, no, I'm, so, I'm a native Canadian and I, I still my main base is Ottawa, Canada. That's where that's where my family and I live. And but I spent an awful lot of time in Europe because you mentioned earlier that you've got some background with the foundation and you have some of the history, you know, some of the history there. But the foundation is actually now the largest open source foundation from Europe. We moved, we moved our legal domicile to Europe three years ago. And we are firmly a, a European organization now. So that's actually something, and that's part of the reason why I've become so familiar with the, with the ins and outs of the Cyber Resilience Act, is because you probably heard this, this old joke about the, the difference between involvement and commitment.

(00:07:27):
You know, when you sit down for breakfast and you have your bacon and eggs, the chicken is involved, but the pig is committed. And so the Eclipse Foundation is, is committed to, to Europe. And so however, the, the Cyber Resilience Act you know, evolves we're we are here to, to to, to interpret it and make it, make it work as much as best as we can for, for Europe. And so that's, that's a little tiny bit of background on the foundation. We're actually, you know, we're, we are one of the, the largest open source foundations in wor in the world. And, but we're definitely the, the largest open source foundation in in Europe and from Europe. And we have staff right now we're about 65 people, about 32 of which are in Europe. We've hired eight people in Europe just since January 1st.

(00:08:23):
So the, the, the, the move to Europe has worked out really well for us as an organization. And we've been, over the last couple years, we've actually now become the, the home or the steward of some of consequential open source projects in Europe related to initiatives that are very important to Europeans. Such as, you know, you hear phrases like digital sovereignty and the like, and data spaces. You might have heard of things like Gaia-X or digital twins, these kinds of indu, Industry 4.0, the open source projects that are in behind each one of those strategic initiatives for Europe have found a home at the Eclipse Foundation.

Doc Searls (00:09:07):
So I I, I wanted to go back over, just touch this much on Eclipse because I was an editor for Linux Journal for 24 years. And early in that, or maybe we sort of toward the middle of it, cause it's a long time. I ran the turn of the millennium. IBM very publicly got involved with Linux and very, got involved in open source. And it was a really, on the one hand it was like a, a brilliant strategic move, but really they were following their own engineers because their engineers said, we're all on Linux here, guys. You know, we just, we just, we just adopted Samba in 10 million old PCs and that are now doing file and print, you know running on, running an open source. So but they, they bragged about, we're spending 2 billion on Linux, which is no way, or or on open source without really specifying how that was. But a big part of that was where they turned over to the Eclipse Foundation. They formed the Eclipse Foundation to basically be the house for some of the stuff they were already, what that was. So if you could just give us, go back to that, just so I'm up to date on, on how that's evolved from the start.

Mike Milinkovich (00:10:20):
Yeah. So, well, there was two big bets that IBM placed way back in the day. And, and the one that you're most familiar with is Linux. But in addition to that, there was, was Java was another big bet. And one of the, the issues that they, they identified in the Java ecosystem was they didn't, compared to what Microsoft had with Visual Studio, Java didn't have great tools for developers. And so the original, the, the brand Eclipse, when you talk to a lot of developers to date they still think that they still associate that with, with the Eclipse IDE, the integrated development environment that was super popular amongst Java developers and also C/C++, PHP and the like. And so the Eclipse was the, the home of the original Eclipse project, just like Apache started with the Apache project and then became a home for a multiple a projects.

(00:11:15):
The Eclipse Foundation started with the Eclipse project was very focused on Java development tools and C/C++ development tools. But over the, over the last 19 years, now time flies and you're having fun. We have turned into I think we could call it an umbrella open source organization. We're no longer tied to any particular technology or platform. We're, we are similar to the Apache Software Foundation in that we have a, a strong ethos and a idea like they have the Apache Way. We have the Eclipse Development Process that talks about how we do source projects. And but we have staff in a very sort of professional environment similar to the Linux Foundation. So if you're just sort of like a if, if the Apache Software Foundation and the Linux Foundation were to have a child that might be the Eclipse Foundation.

(00:12:11):
So it's true, we're really trying hard to sort of take the, the best of the best from, from both of, of our peers in, in the, in the open source community. And so we have projects now, the, we, we talk about having four main focus areas, of course, tools for developers is still a main focus area. And we have lots of new development tools like Eclipse Theia, Eclipse Che but we're also very, we have the largest op open source community for IoT and Edge Compute. It's another major focus area. We have a, we're very involved in cloud native Java, and so we actually now operate the successor to, to Java, the Java EE specification. And then finally automotive, which of course is near and dear to the hearts of the European economy is a big a big area of focus focus for us. So, for example, we have on our board, we have Mercedes and and Bosch largely because of their interest in, in what we're doing in automotive.

Jonathan Bennett (00:13:13):
Hey, I wanna jump in if I can, and ask, and this may segue to what we want to talk about, why the move to Europe. I'm really curious what led to that? What, what was kind of the the, the impetus behind it?

Mike Milinkovich (00:13:24):
That's a great question. And so it all started at a board meeting in October, 2019 just before the pandemic hit. And we had our board member from Bosch said, you know, Hey, you guys seem to be doing really well in Europe. You should look at, you know, strategically look at, you know, why that is and, and, and, and what you could do about it. And when we ran the numbers, we, we, it was one of those sort of like boil the frog moments where you hadn't noticed something was happening until you actually went and looked. And, and it turned out that 70% of our paying members and 70% of our committers and projects were European. So we, we thought about that for a while and we decided that in addition to that, so we had become European almost without noticing.

(00:14:13):
But in addition to that, we noticed that there was a lot of initiatives like, you know, digital sovereignty and, and the like, that we're going to need an open source component to the strategy. And we came to the conclusion that if we didn't become the open source foundation of choice for Europe somebody else was gonna do it. Because the, the need was that strong. So we decided that to make, to make a commitment to Europe and move our legal domicile. And so we're an international nonprofit association legally registered in Brussels. That's, that's our,

Jonathan Bennett (00:14:52):
All right. So that is probably is a good segue to talk about what we really want to talk about. And that is, there's, there's something going on in Europe and in the United States too Yep. And other places around the world, but it's, it's kind of a, a big deal in Europe. And that is the, oh, let's get the title exactly right. It's the cyber

Mike Milinkovich (00:15:12):
Cyber

Jonathan Bennett (00:15:12):
Resilience Act. Yes, thank you. The Cyber Resilience Act. And it it, it kind of worries a lot of us because one of the things that it does is it, it pushes some responsibility onto, onto companies, but also potentially onto individuals that write code. And there's no clear, there's no clear line as, you know, even if someone is doing it as a hobbyist. And so o open source has this, it's had its moment, and it's, it's everywhere. And so you have people that are hobbyists slinging code for their own little thing. You know, I may, I may write a piece of code because I have a thousand books over here, and I want a way to organize them. Well, I write some code that does that. I put it on GitHub, and the next thing you know, some major library system is pulling little pieces of my code in their stuff.

(00:16:05):
And that's because, you know, we use an open source license, and that's how it works. Well, then what happens if, say, and this is a weird example, but if that library gets hit by ransomware and it happens to be a bug that was in my code, and, and, and the Cyber Resiliency Act, as well as the executive order that happened here in the United States, there, there is a possibility that that can flow back even to, in this example, to me, the, the the poor developer that, you know, doesn't have any money and didn't do this for profit, and suddenly I'm on the hook for some of these damages. So first off, tell me, is my so example here, is that the crux of the issue? Is that what you're looking at as a problem? And, and then take it from there. What's next? What does this look like?

Mike Milinkovich (00:16:49):
Yeah, there's a, so, you know, there's a lot to unpack there. So, so the first thing I'll say is no, I, I don't think that the Cyber Resilience Act would impact the, the hobbyist. So I don't think, I don't think that fear is, is the issue. There is a, a carve out and a clear intent that that the hobbyists perhaps working for charities but the people that, that, that are just doing writing code for fun, if you will, I don't think, I don't think they are implicated in, in the Cyber Resilience Act. But I think the, the issue is is, you know, 98% of open source software, and certainly I'd say close to a hundred percent of the open source software that really matters isn't hobbyist. It is, you know, o open source now makes up 70, 90, 70 to 90% of the code in, you know, most of the products around the world, certain, you know, most of the software products and that code is not, necess is rarely coming from hobbyists, right?

(00:18:08):
The, the sort of the old stereotype or caricature of open source is, you know, something that somebody does as a hobby from their mom's basement hasn't been true for a really, really long time. You know, Kubernetes and Linux and Eclipse, and, you know, all these, you know, all these projects are being done by professional software developers because they, they are, and in most ca in many cases, either being paid to or are making a living from the software that they're developing. And, and that's, I think the issue with the Cyber Resilience Act is that there's, what, what they are targeting is the phrase that they use in the act is software developed or supplied under a commercial activity. And, and one of the things that a lot of people have a misunderstanding about is they, well, they go well, okay, so that means that a, you know, that rules out us because, you know, you know, we're providing code under the Apache license that's not commercial.

(00:19:16):
So obviously this doesn't apply to us. Right? I can remember reading the, the Slashdot thread on the Cyber Resilience Act, and, you know, a whole lot of the comments were of the, so, you know, this says right here that it's not commercial, and we're not doing commercial, so it doesn't apply to us. Well, the, the problem is, is that the phrase commercial activity actually has a specific meaning in European regulations mm-hmm. <Affirmative>. And what it means is it's, it doesn't mean what you think it means, right? So when they say commercial activity, they, there's a three part test: regularity, the characteristics of the product and the intentions of the person that, or entity that's, that's making the product. And let's just take you know, the Apache Web server for the Apache HTTP server, for example, it ships on a regular release cadence, right?

(00:20:04):
 And it is intended to be used in a commercial setting. People run commercial websites using this. And it has all the characteristics of a robust commercial product and including security patches and the like. So our read, and I've checked this with a number of different lawyers both our lawyers and in conversations with others, the, the consensus opinion of the folks that I'm talking to is most of the important, like all of the important software that we consider in the open source world, whether you're talking Linux, Kubernetes, Apache, eclipse, jetty, Tomcat, you, you name it, they would all fall under the full weight of the Cyber Resilience Act. And, and so, so what does that, what, so what do I mean when I say the, the full weight of the Cyber Resilience Act? So what the Cyber Resilience Act does is regulate the software industry.

(00:21:04):
So it's important to understand that. So, so I'm here to talk about what this means for open source, but what the Cyber Resilience Act is doing is taking the entire software industry from an unregulated industry to a regulated industry. And by the way, the Europeans are doing this first, but as far as I, if you read like the National Cybersecurity Strategy that was published by the White House a couple of weeks ago, it has a better carve-out for for open source. But it's pretty clear that the, you know, the US government is kind of headed in the same direction just this week the text of the draft, text of the RESTRICT Act was published in the US and it includes open source on the list of technologies that Chinese companies are not going to be allowed to access any longer. So, you know sort of somewhat tongue in cheek said the the other day that, you know, you know, great, we finally convinced governments that open source is important, whoops <laugh>.

(00:22:05):
And so back to, you know, what does Cyber Resilience Act do? And, and actually before I get there, I wanna say something, I think it's really important. Why is this happening? Is important to understand and recognize that there are good intentions behind the, these attempts to to government by various governments to regulate the software industry. There's been a lot of, you know, very well publicized attacks and hacks some of which have been traced back to to open source one. So whether you're talking about, you know, Equifax and the, the Struts bug where you're talking Log4j, SolarWinds, like, there's a lot of various things that, that the Heartbleed with OpenSSL, there's a lot of, there's been a lot of you know, well-publicized hacks and exploits, and some of them have been traced back to open source, but be even taking open source out of the equation.

(00:23:09):
There's a lot of interest in by governments to help the software industry by regulating it. So where, so now, why does this apply to open source? Well, in the case of the Cyber Resilience Act, there's, there's the, there is no real carve out for open source. So it, the, the weight of the act applies to, to open source. And what is it doing for software in general? Well, it's saying that all software made available in the European market will need to go through a CE mark conformance analysis assessment. So if you've ever bought, you know, a mobile phone or a radio, if you look on the back, there might be something you see that says CE on it. And, and that is the, the mark that is used throughout Europe to say that that device has been certified as complying with some some set of reg one or more regulations.

(00:24:08):
So the CE mark has been used historically for regulated devices like radios and stuff also hazardous devices like boilers and so on. And so I'm gonna slightly exaggerate to make a point, but over the next couple of years, software is gonna go from a completely unregulated industry to a re, a regulated industry that is being regulated like a hazardous product. And that's going to apply to open source code as well. And so actually, I could keep rambling for a long time, but maybe I'll just pause there and see if that's spurred any questions from, from either of you.

Jonathan Bennett (00:24:51):
Oh, I mean, goodness, of course it has <laugh>. Doc, you wanna

Doc Searls (00:24:54):
Go? Yeah. I, I, I want to go back and get that as a pull quote. We just said that we're, we're going from a completely unregulated it's not even an industry, but I think they imagine it's an industry to being treated as a hazardous product when it, I mean, this is a little bit like saying we're gonna start regulating gravity here because everybody uses it and it's really important. So we're gonna, we're gonna tell you what you're gonna do with Gravity. You know, or what people do with gravity, you know, it's just and yet because people don't understand software, I think, and that's really kind of a critical thing. There was a former FCC chairman, I wouldn't say who, and I've mentioned may have mentioned this on a show before, who, when a group of us were talking to him about net neutrality is a concept a bunch of people who were very pro net neutrality is a concept anyway, not necessarily is something you needed to regulate.

(00:25:56):
He said, I have talked to everybody in Congress, and I could tell you almost to a person, there are two things. None of them know anything about. One is economics, the other is technology. Good luck. Okay? Because they're going to want to regulate these things. And fortunately, the the US does not have it nearly as together at the bureaucratic level as Europe does or any of the sur the, the larger countries in Europe. So what's the, what's the ho what's the hope here? Do, I mean, here's a, a question I might have is what are you, are you working lobbying ful people in here saying, excuse me, but this is absurd over here what you're trying to do, and we really want to help you with it. And also, what is it like, I'm going back to this conference where all of the, every single session that we have no panels, we have no keynotes, it's all breakouts on any topic.

(00:26:52):
So if I go back in there today and say, I want to have a session on the CRA and I'm recruiting people, and we have a lot of Europeans here. We've got Germany, France, Czech Republic, lot of them and some are going back over to the Enterprise Identity conference in Berlin. I may even be going there next month. What do we tell 'em? What do we do? What do you do? What do you doing? And what do we do whoever we are? Cause we're software geeks. We wanna make something happen.

Mike Milinkovich (00:27:21):
Yeah. So one of the most important things I understand is, so you sort of nailed it there. A lot of what's going on here is, is based on a, a misunderstanding of both the technology and the economics of, of software. And, you know, good intentions are great, but getting it right is important to the future the future prosperity and innovation of Europe. So, and, and worldwide. So we're obviously very motivated to try to fix this. Unfortunately, one of the things I understand is where we are at this point in the process in Europe is this is now in the realm of politics. So the way their process works is the commission is drafted a piece of legislation and is, that's been now submitted to the two decision making bodies, the parliament and the council. And so there's, as you'd expect, there's parliamentary committees you know, similar to congressional, congressional committees that are reviewing the text in, you know, seeking advice on potential amendments and the like.

(00:28:29):
And what, so what we're doing is we are reaching out to members of European Parliament to representatives of, of the member states in the council. And we're, you know, we're law we're, which is unprecedented in my career and, and certainly in the history of the Eclipse Foundation. And I think in most open source foundations, we are now in the realm of politics and lobbying. Which is, is, you know, that that's entirely new and un and honestly somewhat uncomfortable territory for us. But that's where we are. And we're telling everybody that we can that and including our, our, our own member companies. And we're telling everybody that we can get to listen to us, that they in turn need to lobby. That, that the could be the Cyber Resilience Act is so first of all, you know, the fact that it's regulating the, the entire software industry is a very, very big deal.

(00:29:27):
And it's important to, to, to, you know, to keep you keep that in mind. But what it's doing to the open source community has the potential to, I don't wanna, I'm trying to think of the right word cause I don't wanna exaggerate here. It has the potential to do enormous harm to what has been the most innovative process ever devised by man. And I, and I say that it's the way that open source works today with the, with the free flow of ideas implemented in software is incredible. As in the original definition of the incredible, as in it defies credibility, right? It's just, it's, it's beautiful to see how software is developed in the open, how it evolves quickly, how it, and then how it's commercialized. And if harm is done to that process through any of the regulatory processes, whether they start in Europe or the US or China or anywhere else it is it will do great harm to the future prosperity of the entire human race.

(00:30:50):
Cause if you look at everything that's happened in the last 20 years in terms of how we've moved society forward, that is being driven by software, and that's now that's now in, you know, I think had great threats. And one of the example that I used in a, in a conversation the other day that I, I think that, you know, the worldwide web was invented at CERN by Tim Berners-Lee. And if he was, if a similar situation happened a couple of years from now the inventor of the web would have to get a CE mark, do a CE mark assessment for his code before he could make it available and share it with his friends, and certainly share it with anybody who would have an interest in commercializing it. And if you think about what a dampening effect that would have on innovation I think that is it frightens me and I hope it frightens others.

Jonathan Bennett (00:31:56):
So I wanna jump in and ask I've got fittingly a Raspberry Pi, and it's got, I don't know if you can see that. Yeah, right there. It's got a CE mark on it. Sure. And so that means on a piece of hardware that they have what tested it to failure, right? So they've, they've turned it on and they've put it in an oven and they've run it up to probably a hundred degrees Celsius and see what happens. They've shorted all the various pins, they've given it too much voltage, they've tested this thing, there's a laboratory somewhere that has, you know, a bunch of copies of this, they've tested it to failure, and they make sure that it doesn't explode catastrophically, right? That's essentially what a CE mark means for a piece of hardware, right?

Mike Milinkovich (00:32:31):
Yep. The CE mark might be there on primarily because of the Wi-Fi radios and the like. Sure could, but, but yeah, but the, the analogy is correct. Sure.

Jonathan Bennett (00:32:42):
Okay, what does a CE mark mean for software then? Okay, what, what does this process even look like? Are we talking about a full security audit? Which I mean is great, don't get me wrong. There, there's a part of, there's a part of me that says, let's do this. I would love to see Microsoft have to get Windows fully audited before they can sell another copy in the European Union. Like, there's a very, very evil part of me that's just gleeful at that, but at the same time, I understand what a disaster that would be for all of

Mike Milinkovich (00:33:10):
Us. Yeah. So okay. So and by the way, I just wanna warn you in advance that I have personally deeply rattled on this topic over the last couple of months. I've read the CRA from front to back. I've studied it up and down. So I apologize, stop me if I start getting too deep on this. But, okay. So here's, here's what, here's what a potential future world looks like. So the, the, the CRA basically sets that regulates what they call all products with digital elements, including pure software. So it's not just about in you know, embedded devices like the Raspberry Pi or your, your, the webcam you have in your house. It includes pure software. And so the, there's three classes of products with digital elements, products with digital elements, critical products with digital elements and highly critical products with digital elements.

(00:34:12):
And these are, there's annexes which define these three things. But just to give you an example of a critical product with digital elements, it would be an operating system intended for a desktop or a mobile phone. So that's a product that's a highly critical product with digital elements. An example of a high, sorry, sorry. That's a critical product. An example of a highly critical product is an operating system other than one for a desktop or a mobile phone. So think of an operating system like Zephyr that's intended for IoT. That would be an example of a highly critical product. So with critical or highly critical products, before you can make the product available in the European Union in the future, you'll have to get a CE mark affixed to it by working with an external auditor from what's called a notifying body.

(00:35:11):
So think of, in Germany, assu or one of those, or in the US it would be like the equivalent of the Underwriters Laboratories kind of approach. And this external auditor would have to validate that the product had been built in conformance with the standards expected for a product of that type. And I've never gone through this process. I've been told anecdotally that for a piece of hardware it can take, you know, as much as, for an actually extreme example, a medical device, which of course we all wanna be super safe and super secure, it can take on the order of 12 months and, you know, a million euros to get a CE mark for it. So I don't really, I personally, I don't even understand how this will work in the software case, because the release cadence is typically measured in months, not years.

(00:36:20):
And the other thing I just wanna mention is that in the past, for every previous example of CE mark conformance, there has been a European harmonized standard that, if you follow that standard, you have a presumption of conformance. Well, there is no standard in existence that I'm aware of that describes software development in general. And so, in the case of secure software development, there's things like the NIST SSDF, but even that is sort of like a portfolio of other standards that you need to go and look at and implement in order to fully conform. So the utter disaster scenario in my mind is, imagine a world a couple of years from now where, to ship a software product in Europe, you need to conform to a CE mark that is based on a standard that has not yet been written, that will require an external auditor to verify that you conform to the standard that has not yet been written.

(00:37:39):
And I, you know, I'm not sure how that's going to work out in the real world.

Jonathan Bennett (00:37:49):
I, I have lots of follow-up questions. <Laugh>, I wanna start with this one though. And this is just kind of my personal hobby opinion, and I'm curious whether you agree. I am not convinced that it's possible to write a standard that would actually result in bulletproof code or bulletproof software products. I've seen so many oddball security vulnerabilities. Yeah. I'm just not convinced that, you know, anything less than, it must be formally, mathematically verified, which, there are a couple of projects that are out there looking to do that. But anything less than that, I'm just not convinced that it would be possible to write the sort of standard that would actually make much of a

Mike Milinkovich (00:38:34):
Difference. Is it, what do you think? I couldn't agree more. I mean, so I've been in the software, I'm older than Doc thinks. I've been in the software business for 40 years. A long, long time ago, a part of my early career was working at Northern Telecom building developer tools for the people that build telecommunications equipment. And basically the equipment that they were building had a mean time between failures of 25 years, which, as anybody who's been involved in the software business in any way knows, is extraordinary even to aspire to, never mind achieve. And yet there was no standard that was generally applicable to how you did that. So, I mean, I share your concern that it seems implausible that such a standard could be made.

(00:39:35):
And, but I mean, so actually I think we're kind of diving down one particular rat hole, but just give me, maybe I'll just pop the stack and give you another example of, mm-hmm. <Affirmative>, of the kinds of things that are in the CRA. Two that come to mind that I think, you know, anybody who is involved in open source or software in general will twig to is that the CRA in its current form says that you are not permitted to publish intermediate builds of your software. What? Unless they're marked as for testing purposes only and provided under licenses that make sure that you couldn't actually deploy that into a product. And so, thinking from the Eclipse Foundation, it's like, all of our projects do nightly builds at least, and our nightly builds are published under open source licenses that allow, you know, any use for any purpose at any time.

(00:40:42):
And I don't know, and this has been sort of de facto best practice for open source software development with CI/CD for, I dunno, for as long as I've been around. And so, you know, the notion that that would be prohibited by law seems, shall we say, interesting. Another phrase, just a, you know, one sentence very deep in the midst of the CRA that I think software professionals would find interesting is, it says you are not permitted to ship a product, any product, with a known exploitable vulnerability. Which, if interpreted literally, means you can't publish. I dunno, well, I guess no one, I mean, but the thing is, there's no analysis of the risk, right?

(00:41:45):
So there's lots of times where software gets published where there might be a known exploitable vulnerability, but the risk is deemed to be so low that it doesn't prevent it from being shipped, right? And so there's a lot of little gems like that in the Cyber Resilience Act that need to be fixed. And we have suggestions on how to fix all of these. But we're focused on the, you know, the open source part of this. Obviously others will have to take up the mantle of arguing for, you know, software in general.

Jonathan Bennett (00:42:29):
I know Doc has some questions he wants to ask about the fallout from this, particularly in Europe. But I wanna tell you about something else real quick before we go there. And that is Club TWiT. Goodness, you should be on Club TWiT. That's the membership program we have at TWiT.tv. And it is an incredibly reasonable $7 a month, and that gives you shows ad free, that gets you access to the members-only Discord. And that gets you access to a handful of members-only shows. We have Hands-On Mac, Hands-On Windows. And the show that I get to host, the Untitled Linux Show, you would like to think of that as Hands-On Linux. It's about the same thing. But we're the open source folks. We had to have a bit more fun name. And so we are the Untitled Linux Show, and we would love to see you there. But even more importantly, we would love to see you as a part of Club TWiT. Go check it out and sign up today. And Doc, why don't you take it there, and I know you want to ask about this. Go ahead and take it away.

Doc Searls (00:43:32):
Yeah, I, well, boy, I host so many thoughts, but one of the, a cynical one is, would we be able to have this show in Europe after this thing passes? Because this seems to have so many unintended and naive and ill-informed and other possible downstream consequences. But one of them is, is it po, I mean, what happens if companies or developers of all kinds? Because what I think the muggles of the world, in which I take bureaucrats to be, don't recognize about open source wizards, is that rules for the natural world don't apply in the digital one, many of them. And it's simply impossible to regulate some of these things. And it's a good thing that it's impossible. But once you try, suddenly, let's say the CE mark is required on every damn thing there is, what if companies, developers just boycotted, and Europe does, you know, Europe sits there in the past waiting for bureaucrats to approve stuff and gets left out, you know, is that a possibility? Is that a real serious possibility?

Mike Milinkovich (00:44:48):
Well, I wanna say this. So everything I've been talking about so far is based on the original draft of the CRA. And no, I'm quite confident that the final law that is eventually passed is going to be different than what we have here. But the history of the CRA, as I understand it, is and was that it was a reaction to, effectively, you know, shoddy consumer IoT devices. And again, as I understand it, you know, product law in Europe, in the way most regulations have always been written, has assumed that what you're talking about is a physical device. And I think a lot of the truly worrisome implications of the CRA arise from extending these kinds of regulations from past cyber-physical goods into pure software.

(00:46:01):
And so, you know, if the CRA was limited to cyber-physical goods and it was limited to applying to the companies that are monetizing the open source, as opposed to the open source projects and communities themselves that are, you know, operating on a shoestring, on a nonprofit basis, you know, if those two things were true, then I think at least arguably you're doing something, you know, that will help consumers. And perhaps, you know, I could understand the sort of net benefits of this. What it's doing in its current form is extending it to all software, including pure software, and it's extending it across the whole value chain, right? So, you know, the upstream projects are going to have to get the CE mark when, you know, in its current form, as a nonprofit.

(00:47:17):
So the Eclipse Foundation would have to get the CE mark on its projects, and then the first thing that happens is some company picks that up and wants to put it into a product, and then they have to get the CE mark on their product. The difference, of course, being that companies make money on their products. And I think one of the misunderstandings on an economic basis, as it relates to open source, is that companies can make an economic decision to certify a product because, if all else fails, they can pass the cost along in the price that they charge their consumers. Open source is free. It's both, you know, free as in free speech, but also free as in royalty free. So if organizations like Eclipse and Apache and Mozilla and so on are expected to continue to supply free software and all of a sudden we have an order of magnitude greater costs, a rational economic response could be, you can't use this software in Europe.

(00:48:34):
And, you know, I'm fairly certain that that's not the intended consequence of the CRA, but it would be a logical response. And, you know, a guy named Brian Fox, who works at a company called Sonatype, who runs Maven Central, which is the central repository of Java artifacts that everybody uses when they're building Java programs, you know, wrote in a blog post back in December about, you know, if the CRA was to pass in its current form, shutting off Maven Central or npm, PyPI, you know, those kinds of repository centers, shutting off access to Europe would be a perfectly rational result, because who wants to assume liability for something that you're giving away for free?

Jonathan Bennett (00:49:33):
I've gotta jump in and ask real quick, there's a potential problem here. Doesn't the GPL and a bunch of other licenses expressly prohibit turning off access just because of where someone has asked from?

Mike Milinkovich (00:49:45):
So the interesting thing is, I think a lot of open source developers put a lot more credence in what's in the license than is actually fact. So for example, every open source license has a clause that says, you know, we're not accepting any liability and we're not giving you any warranty. Mm-Hmm. <affirmative>. Well, the fact of the matter is that there are laws that say that you are accepting some liability, and in certain circumstances you might be providing an implied warranty, whether you write it in your license or not. And the same is true for, you cannot ignore export controls. So if you write a piece of software in the US and, you know, the government decides to ITAR it, you can't export it, whether it's open source or not. I mean, that's just the way it is. And the same thing is true, if Europe passes these regulations, it doesn't matter what it says in the license, you have to comply with the law. Or, to put it another way, you can't contract away the law.

Jonathan Bennett (00:50:56):
Yeah. But what does that do then to the contract? Does the open source license survive at all?

Mike Milinkovich (00:51:02):
Most open source licenses, if they're, you know, longer than the MIT or BSD, will have a severance clause, you know, that says, you know, if any portion of this document, this is a pretty standard contract term, you know, if any portion of this contract is deemed invalid, the rest of the document still applies. But I, and I am not a lawyer, <laugh>

Jonathan Bennett (00:51:23):
We, we started with that. None of us are. Yeah,

Mike Milinkovich (00:51:25):
Yeah. So, yeah. But, you know, well, I've hung around with a lot of lawyers. So, but anyways, I'm not a lawyer. This is not legal advice. But I think my lawyer friends would say that I'm not too wrong,

Jonathan Bennett (00:51:41):
<Laugh>. All right. Before I hand it back over to Doc, I want to ask one more thing, and that is, is there anything in the CRA that you actually like? And I will give an example, 'cause I've looked into this some. One of the things that I really like that they put in there is, you need to have a contact address for vulnerability reporting. I cannot tell you how many times I've covered stories where, you know, a lone researcher finds a really big problem in some piece of software, tries to disclose it, and can't find a disclosure address. And I just love the fact that we just make this little note that says, hey, if you're gonna sell software, you need to put an email address out there so the security researcher can get ahold of you. I think that's a good idea. What, is there anything else in there that you actually like?

Mike Milinkovich (00:52:24):
Yes, by the way, sunset here in Brussels. So I'm getting a weird glow on the side of my head. Apologies. So yeah, there's a bunch of really good stuff. That's a good example. Just the simple fact that if you ship a product with software, as long as you keep that product in the market, you're responsible for doing security fixes. You know, that's not a bad idea. And so there's lots of good stuff in there along those lines. But, you know, again, the concern is kind of going from, I actually, lemme think about, I actually agree philosophically with the idea that the software industry, the tech industry, we've had a really great run for, you know, 50-some years, whatever, as a completely unregulated industry. I could get behind the idea that some modicum of regulation is, you know, appropriate, and things like, you know, making sure that if you have a product, that there's a place where you can report a vulnerability, and making sure that security patches are available for some reasonable amount of time.

(00:53:37):
Or, you know, as long as you keep the product in the field, you know, these are not crazy ideas. And maybe the time has come to put those into some form of regulation. But, you know, going from where we are today, which is as a completely unregulated industry, to, you know, what could be a heavily regulated industry in a pretty short period of time is, you know, seems kind of frightening, you know. And by the way, along those lines, you know, in the preamble of the CRA, where the commission wrote its analysis of, or documented its motivations for this and where it came from, one of the things that really caught my attention was they estimated the costs of implementing the CRA at 29 billion euros annually. And I think that's off. My gut says that's off by at least two orders of magnitude. And, you know, time will tell whether the commission is right or I'm right. But this feels like an extremely expensive proposition the way it's currently written.

Doc Searls (00:54:59):
So, our back channel, both the actual back channel and our own back channel between Jonathan and me, has been very active on this one. We could go three hours on one of the things you're saying, easily. We could go days. And there's so many questions, and I'm looking here, I actually broke out some things you said. There's topics: IoT, edge, tools, open source communities, cloud native, Java, and automotive. And that doesn't even cover, you know, a question about the Eclipse Open VSX marketplace for VS Code extensions. There are so many things we could touch on here, but the sort of encompassing one I'd just like to lay on you is, is there one thing that we haven't touched on yet that you'd like to visit quickly before the end of the show?

Mike Milinkovich (00:55:53):
Trying to think of which one, which of the many things I could say right now. So actually, I think, for a closing thought for the audience, and I, you know, I'm assuming that most of the audience here are people that come from a technology background and have some love for software and a love for open source. I think the thing to understand is that we have all been focused on our keyboards, you know, writing code and making, you know, we think, the world a better place through software. You have to start paying attention to the regulatory environment that's coming our way. This requires a level of activism, for lack of a better phrase. This is, to be clear, for me personally, for our members, for our projects, for our community.

(00:56:53):
This is an all-hands-on-deck kind of situation. To not only try to shape the regulatory environment so that it, you know, doesn't kill the goose that's laid the golden eggs for the last couple of decades, to make sure that the regulatory environment is feasible. But also to make sure that at the same time, you know, we are making the world a better place. And I think we can do both, but it's going to involve a lot of people that have never really been engaged with, you know, politics and regulation and these kinds of things before in their lives. You know, I can count myself in that camp. I've never been involved in anything like this before in my career or in my life. But this is something that I think is extremely important, both for our industry, but also for our societies and our economies. This is a really big deal.

Jonathan Bennett (00:57:56):
I just, I just had a thought, and I wanna get your thoughts on it. What has the European Union unleashed now that they are forcing millions of geeks and nerds around the world who, generally speaking, would love to stay out of politics, kind of forcing our hand and forcing us to get into politics that's gonna have sort of a knock on effect in other areas? Don't you think this, this could be sort of transformational?

Mike Milinkovich (00:58:24):
Yeah, I hope so. I hope so. In a good way. You know, and we've seen this in action. Unfortunately I wasn't at FOSDEM this year. I'm not sure if you're familiar with FOSDEM, but it's a fantastic event if you've never been. It's the European open source developers' event and it's held in Brussels every first weekend in February every year. And some of the people from the commission who are here in Brussels came and gave a talk on the CRA, and I think, as I wasn't there, I wasn't, 'cause my son got married that weekend. But I was told by a lot of people that a lot of passion was exhibited in the room when developers understood that open source was in the crosshairs. And just actually one thing I haven't mentioned before that's important to understand is the inclusion of open source in the CRA was not an accident. Right. I think it's particularly misguided, and I think a misunderstanding of the consequences is part of what's driving this. But with good intentions they decided that open source needed to fall within the realm of regulation. And I'm sure your audience will agree with me that that's a mistake.

Doc Searls (01:00:03):
See, it's just amen to that <laugh>. We're at an inflection point here and it's a pretty big one. And it covers a lot of territory, and we have to have you back. We say this to almost everybody, but some stuff's gonna happen here. And I can't think of anybody who's more informed or in at the front, as it were, on this fight for all of us, the many thousands that listen to us. We have thousands of listeners, over a dozen thousand as a matter of fact, and have been with us for 16 years. It's substantial. So maybe they can be active on this too. It's a wake-up call. We always close with two questions, which are, what are your favorite text editor and scripting language? This is a very technical question, <laugh>, and it could be that your text editor is a bullet from, you know, I don't know. So

Mike Milinkovich (01:01:05):
So first I have to confess that my programming days have been behind me for quite some time. But I did spend a lot of time fooling around with Raspberry Pis and the like. I'd say that, just from that, favorite text editor is, don't laugh, Nano, and favorite scripting language is Python. Although

Doc Searls (01:01:27):
That's great. <Laugh>. Well, when you mentioned Brian Fox earlier, I was wondering if that's the same Brian Fox who invented Bash, the Bash shell. Is it possible?

Mike Milinkovich (01:01:36):
Don't think so.

Doc Searls (01:01:37):
So, okay. It's a fairly common name. He's been on the show too. I reckon people can go back and listen to that and recognize it has nothing to do with today's show. It's just worth listening to <laugh>. Anyway, so Mike, thanks so much, man. This has been great. I really appreciate it.

Mike Milinkovich (01:01:52):
Yeah, thank you.

Doc Searls (01:01:53):
Good evening there, while we're still having a morning back here on the West Coast, US.

Mike Milinkovich (01:01:58):
Thanks so much for the opportunity. And I look forward to hearing what folks think when they spend a little time reading up on the CRA themselves and understanding, you know, where this is all headed.

Doc Searls (01:02:13):
Wonderful. Thanks a lot man. <Laugh>. So Jonathan, that was rock and roll, wasn't it? <Laugh>? Yeah, <laugh>.

Jonathan Bennett (01:02:21):
So I have this thought. One of the things that I find really neat is to read back kind of the history of hacking and the history of sort of our industry and where all these things started. And one of the things that you find pretty often is a lot of these roots go all the way back, like to the phone phreakers, sort of one of the root streams of open source. And it's always kind of this nostalgic feeling, because there was a day before some laws passed that phone phreaking was totally legal, and you could have a blue box and you could do all those things. And then the laws got passed and people started getting arrested. And there's this sort of nostalgic feeling about the good old days of playing with the phone system. And I have this feeling that we may one of these days look back and think of these days as being the good old days, where just anybody could do stuff with open source and software, but laws got passed that messed it up for everybody. And I hope that's not the case, but I just have this feeling that we are at a point of change and things will never quite be the same.

Doc Searls (01:03:24):
Well, the freedom that Mike was talking about that we all operate in, and we still take for granted a great deal. Mm-Hmm. <affirmative> freedom from regulatory, not just capture, but just regulatory drag. I'm thinking about, he mentioned it, a lot came out of Tim Berners-Lee and his work. Well, Tim and a bunch of high energy physicists went to the phone companies in Europe and said, do you mind if we use this, like TCP/IP, to run HTTP over? Because that's our little protocol that we use to share documents. And that was a Trojan horse inside every phone company on earth and nobody knew it. Right. And had regulators been on top of that, regulators were totally captive of the phone companies. Would they ever have allowed it? They never would've. They would've said, what are the tariffs we could get on this? Where can we put the gates and national borders? They never did that. And there's just so much that isn't appreciated about the way hacking works. And even things like the GPL, you know, we want other people to have the same freedom with this that we do. There's nothing like it in the traditional corporate world, the natural world even. It's kinda weird, but yeah, I

Jonathan Bennett (01:04:32):
Guess,

Doc Searls (01:04:33):
Hey, Mike, go ahead. Pretend the show's not over.

Jonathan Bennett (01:04:38):
Yeah,

Mike Milinkovich (01:04:38):
Sorry. It's like see,

Doc Searls (01:04:40):
Can't resist it.

Mike Milinkovich (01:04:41):
I got attracted into open source because I was like, what really motivated me to take this job almost 20 years ago now was I was really interested in how hacker communities over the internet could do so much cool stuff. But I was looking at it from a business perspective, that's where I came from. And what I've evolved to over the last 19 years is to realize that the vision of free software is, amongst its other attributes, just a way better way to do business. And that's, you know, part of the reason why open source has taken over the world, because it just makes so many things more efficient and effective. And that freedom has been a huge benefit to so many, you know, so many aspects of society.

Doc Searls (01:05:39):
So we have to, we're way over time. So I have to quickly end the show <laugh>, and we get to hang out though. So Jonathan, what do you wanna plug real quick? You got Hackaday. I know for sure. Sure.

Jonathan Bennett (01:05:52):
So we plug the Untitled Linux Show on Club TWiT. The other thing I wanna mention is, at Hackaday we cover, well, we cover lots of stuff on Hackaday, but I kind of take the security and open source beats there. And so you can check out my work, all 284 articles' worth, goodness. That's a bunch. But every Friday the security column goes live. And that's just the things in the security world that I found interesting throughout the week. And then we also cover things like the CRA, and so follow my work there and keep up with me. It's a blast.

Doc Searls (01:06:23):
And thanks so much. I have to quickly check who we have on next week. Where is the schedule quickly? Or is, okay. It was, and now it is. I don't know. Okay. We have somebody. Oh, Stormy Peters. Is that next week? Oh yeah. It's Stormy Peters, okay. Stormy's very cool. She's great. <Laugh> And the back channel's telling me Stormy Peters. So Stormy Peters is gonna be on and, anyway, she's great. And we'll see you then. In the meantime, be sure to evangelize this show. I think it's a really important one, and we'll see you next week.

Jason Howell (01:07:02):
It's midweek and you really wanna know even more about the world of technology.

Mikah Sargent (01:07:06):
So you should check out Tech News Weekly, the show where we talk to and about the people making and breaking the tech news.

Jason Howell (01:07:11):
It's the biggest news. We talk with the people writing the stories that you're probably reading. We also talk between ourselves about the stories that are getting us even more excited about tech news this week. So

Mikah Sargent (01:07:21):
If you are excited, well then join us. Head to TWiT.tv/tnw to subscribe.
