WEBVTT

00:00.000 --> 00:03.460
So the other teams in further detail were

00:03.460 --> 00:04.000
to be able to participate in the

00:04.000 --> 00:05.900
world discussions and

00:05.900 --> 00:09.660
immediate improvements in through

00:24.180 --> 00:25.980
All we have to do is

00:25.980 --> 00:28.960
to get touted on the

00:28.960 --> 00:32.760
I mean, the first time I see it's actually from last year.

00:32.760 --> 00:33.960
I was both yours.

00:33.960 --> 00:35.960
So how do you deal with it?

00:35.960 --> 00:36.960
Yeah.

00:36.960 --> 00:37.960
Okay, take your seats, guys.

00:37.960 --> 00:38.960
Yes.

00:38.960 --> 00:40.960
We are starting.

00:40.960 --> 00:42.960
Please, please, take your seats.

00:42.960 --> 00:43.960
Is it everybody?

00:43.960 --> 00:44.960
Okay.

00:44.960 --> 00:46.960
No worries.

00:46.960 --> 00:49.960
All right.

00:49.960 --> 00:52.960
The next one is going to be something very special.

00:52.960 --> 00:57.960
This is the panel, which is called from minimum compliance to

00:58.960 --> 01:00.960
meaningful stewardship.

01:00.960 --> 01:01.960
Take it away, Marlene.

01:13.960 --> 01:14.960
Can you hear me now?

01:14.960 --> 01:15.960
Yeah.

01:15.960 --> 01:16.960
Yeah.

01:16.960 --> 01:17.960
So, thank you.

01:17.960 --> 01:18.960
Hello.

01:18.960 --> 01:20.960
Thank you very much for staying with us.

01:20.960 --> 01:26.960
As Roma said, we have some kind of different panel today.

01:26.960 --> 01:32.960
Talking about new stewards and more specifically from minimum compliance

01:32.960 --> 01:34.960
to meaningful stewardship.

01:34.960 --> 01:39.960
I'll start with a briefing trial about what is an open source steward

01:39.960 --> 01:42.960
and how that's defined by CRA.

01:42.960 --> 01:46.960
Nothing that I want to use my wonderful panelists.

01:46.960 --> 01:48.960
We'll continue from there.

01:48.960 --> 01:50.960
By the way, my name is Marlene.

01:50.960 --> 01:52.960
I'm your policy advisor at OpenSSF.

01:52.960 --> 01:54.960
And I think that's enough.

01:54.960 --> 01:58.960
I don't want to bore you with useless things about me.

01:58.960 --> 02:02.960
So, open source software steward means a legal person,

02:02.960 --> 02:07.960
other than a manufacturer that has the purpose or objective of systematically providing

02:07.960 --> 02:11.960
support and sustained basis for the development of specific products,

02:11.960 --> 02:12.960
with digital elements.

02:12.960 --> 02:15.960
Qualifying as free and open source software,

02:15.960 --> 02:17.960
and intended for commercial activities,

02:17.960 --> 02:20.960
and that ensures the viability of those products.

02:20.960 --> 02:23.960
It was okay.

02:23.960 --> 02:26.960
Under the CRA, open source software stewards

02:26.960 --> 02:28.960
are given a light-touch regime.

02:28.960 --> 02:30.960
But it's not an empty one.

02:30.960 --> 02:33.960
Article 24 sets out concrete obligations.

02:33.960 --> 02:37.960
What the CRA doesn't define is what good looks like beyond satisfying

02:37.960 --> 02:39.960
those requirements.

02:39.960 --> 02:43.960
It doesn't tell us when a policy meaningfully improves security

02:43.960 --> 02:46.960
or when it simply exists to be shown to an authority.

02:47.960 --> 02:51.960
That gap between meeting Article 24 obligations on paper

02:51.960 --> 02:54.960
and actually strengthening open source ecosystems

02:54.960 --> 02:56.960
is what we are here to explore.

02:56.960 --> 03:00.960
And I have wonderful people here joining me in this panel.

03:00.960 --> 03:03.960
Could you please briefly introduce yourself

03:03.960 --> 03:07.960
and explain how your organization fits or doesn't fit

03:07.960 --> 03:10.960
the CRA's definition of open source software steward.

03:10.960 --> 03:12.960
Pavel can you start?

03:12.960 --> 03:13.960
Hello everyone.

03:13.960 --> 03:15.960
My name is Pavel Hruza and I represent Red Hat.

03:15.960 --> 03:20.960
So my company in this fits to both roles as a manufacturer

03:20.960 --> 03:23.960
and also as a steward.

03:23.960 --> 03:27.960
So we live kind of as a dual citizen in this.

03:27.960 --> 03:30.960
And as I'm responsible for the CRA program,

03:30.960 --> 03:33.960
and I'm in charge because we have to run it as a program.

03:33.960 --> 03:34.960
It's a big company.

03:34.960 --> 03:37.960
So I have kind of a little bit different insight

03:37.960 --> 03:40.960
than probably my colleagues who are way more technical.

03:40.960 --> 03:42.960
So maybe I will bring also some,

03:43.960 --> 03:46.960
let's say business insight today.

03:46.960 --> 03:47.960
Kate?

03:47.960 --> 03:48.960
Sure.

03:48.960 --> 03:50.960
I'm Kate Stewart.

03:50.960 --> 03:53.960
For this panel, purposes of this panel,

03:53.960 --> 03:56.960
I'm here with my Zephyr role,

03:56.960 --> 03:59.960
where we have an open source RTOS.

03:59.960 --> 04:03.960
Zephyr actually has a security team, a PSIRT team,

04:03.960 --> 04:05.960
and so we've been doing a lot of work.

04:05.960 --> 04:08.960
Make sure that the project is ready for CRA

04:08.960 --> 04:11.960
and compliance to the CRA.

04:11.960 --> 04:14.960
And with that then, I will hand it over.

04:14.960 --> 04:15.960
Salve?

04:15.960 --> 04:16.960
Thank you.

04:16.960 --> 04:18.960
My name is Salve Nilsen.

04:18.960 --> 04:21.960
I'm part of something called the CPAN security group.

04:21.960 --> 04:24.960
We tried to improve the security posture

04:24.960 --> 04:27.960
in the oldest open source ecosystem

04:27.960 --> 04:30.960
that is, the Comprehensive Perl Archive Network.

04:30.960 --> 04:34.960
We've been around for just a little bit more than 30 years now.

04:34.960 --> 04:36.960
And we're still around.

04:36.960 --> 04:39.960
And we're still operating on a volunteer basis.

04:40.960 --> 04:42.960
Nobody's going to pay it literally.

04:42.960 --> 04:44.960
And we still have to play along.

04:44.960 --> 04:46.960
And we're part of this new regime.

04:46.960 --> 04:49.960
The EU Commission has envisioned for us.

04:49.960 --> 04:52.960
And I want to know the people in the CPAN security group

04:52.960 --> 04:54.960
who has been looking at policy,

04:54.960 --> 04:56.960
at the steward organization,

04:56.960 --> 04:59.960
how the metadata fits in all of this

04:59.960 --> 05:02.960
and a bunch of other issues.

05:02.960 --> 05:03.960
Thank you.

05:03.960 --> 05:07.960
So we have already heard three different interpretations

05:07.960 --> 05:09.960
of what the steward means.

05:09.960 --> 05:12.960
Let's go a little bit deeper into details.

05:12.960 --> 05:15.960
From your perspective, let's start with Kate, maybe.

05:15.960 --> 05:18.960
Now, what is the real difference between

05:18.960 --> 05:20.960
minimum compliance and meaningful stewardship?

05:20.960 --> 05:22.960
This is the title of this panel.

05:22.960 --> 05:24.960
And where do you see most organizations

05:24.960 --> 05:26.960
currently landing today?

05:26.960 --> 05:30.960
Minimum compliance is putting out exactly what

05:30.960 --> 05:33.960
the act is calling for and no more.

05:34.960 --> 05:36.960
meaningful compliance is making it easy for

05:36.960 --> 05:39.960
manufacturers to use your open source project

05:39.960 --> 05:42.960
as part of their products.

05:42.960 --> 05:45.960
I think that and so basically making sure that we can make

05:45.960 --> 05:48.960
the transition when they bring in your open source project.

05:48.960 --> 05:50.960
They actually have an easy way of getting the artifacts

05:50.960 --> 05:54.960
that they need to build upon for their compliance as well.

05:54.960 --> 05:55.960
That's wonderful.

05:55.960 --> 05:58.960
Salve.

05:58.960 --> 05:59.960
Yeah.

05:59.960 --> 06:04.960
So, but the minimum is what it says in a state.

06:04.960 --> 06:08.960
But I'm also thinking of this from a practical minimum.

06:08.960 --> 06:13.960
Because after all, the whole of the CRA starts with

06:13.960 --> 06:17.960
a recital 1 and 2 about the whole point with this exercise.

06:17.960 --> 06:19.960
And that is to think increase the security

06:19.960 --> 06:22.960
of products in the whole of the European Union.

06:22.960 --> 06:24.960
And that means we actually have to play along.

06:24.960 --> 06:27.960
And while the manufacturers are there with the library

06:27.960 --> 06:30.960
and have the work to do to make sure their products are secure,

06:30.960 --> 06:32.960
they cannot do it alone.

06:32.960 --> 06:36.960
They have to get their suppliers so to speak in on the game.

06:36.960 --> 06:41.960
And for anybody who have a complex product like a service using

06:41.960 --> 06:44.960
a programming language which might be open source and have a ecosystem

06:44.960 --> 06:49.960
like CPAN backing up that might involve hundreds of projects.

06:49.960 --> 06:52.960
Or thousands or even tens of thousands depending on the complexity

06:52.960 --> 06:55.960
of what's going on behind the curtain.

06:55.960 --> 07:01.960
And all of these have to, we have to figure out how they play along.

07:01.960 --> 07:06.960
And so a meaningful minimum is something that takes into account

07:06.960 --> 07:11.960
the limitations also of the ecosystem that everybody depend on.

07:11.960 --> 07:17.960
And all the projects and communities and volunteers that are actually doing

07:17.960 --> 07:23.960
an unpaid work taking care of this, this digital infrastructure.

07:23.960 --> 07:28.960
And if we don't do that, we risk having this whole project for the part.

07:28.960 --> 07:33.960
That means we kind of have to think about this from a cultural standpoint

07:33.960 --> 07:38.960
of making an attitude change in how we, as a society and businesses

07:38.960 --> 07:42.960
and communities and stewards interact in this.

07:42.960 --> 07:47.960
And for me, a steward role in there is a facilitator to make all this happen.

07:47.960 --> 07:49.960
Thank you.

07:49.960 --> 07:50.960
Turning to you, Pavel.

07:51.960 --> 07:55.960
And maybe from my side, we've heard what's the minimum and I fully agree

07:55.960 --> 07:59.960
but what does meaningful mean for us, because you all know how Red Hat is built.

07:59.960 --> 08:03.960
We built on communities, we built on the upstream,

08:03.960 --> 08:09.960
which means that it has to be natural support of what we do

08:09.960 --> 08:13.960
and how we build our software, our products.

08:13.960 --> 08:19.960
Because without being good stewards, helping our upstream projects,

08:19.960 --> 08:24.960
most of our upstream projects, we won't be able to deliver to our customers

08:24.960 --> 08:27.960
and be the good downstream.

08:27.960 --> 08:32.960
So that's a critical role and that's what meaningful means for me.

08:32.960 --> 08:35.960
Thank you very much, very insightful.

08:35.960 --> 08:37.960
The mic is at you.

08:37.960 --> 08:41.960
You mentioned that Red Hat operates both as manufacturer

08:41.960 --> 08:44.960
and in few cases also steward.

08:44.960 --> 08:48.960
This is also your, you are here on in this panel.

08:48.960 --> 08:53.960
Think about the future when both obligations will be necessary

08:53.960 --> 08:55.960
to be fulfilled.

08:55.960 --> 09:00.960
What tensions do you think that will arise when compliance obligations in communities

09:00.960 --> 09:05.960
to what should goals collide and how to decide which responsibility takes.

09:05.960 --> 09:09.960
Yeah, getting back to the meaningful.

09:09.960 --> 09:13.960
Because if I say it from the business perspective,

09:13.960 --> 09:18.960
there are no penalties for stewards not doing their duties,

09:18.960 --> 09:21.960
but there are huge penalties for manufacturer,

09:21.960 --> 09:23.960
not fulfilling the requirements.

09:23.960 --> 09:26.960
Meaning the business decision would be clear.

09:26.960 --> 09:28.960
Big no.

09:28.960 --> 09:33.960
Because that comes back to the meaningful and meaningful for us means

09:33.960 --> 09:37.960
that we need to work with our communities with the upstream

09:37.960 --> 09:42.960
and I'm glad that ladies just in a previous lightning talk

09:42.960 --> 09:45.960
where community managers and brought out that topic.

09:45.960 --> 09:49.960
Because if we have a good community managers,

09:49.960 --> 09:54.960
we have an asphalt and working with our communities,

09:54.960 --> 09:59.960
this is something how we can get back to our manufacturers role

09:59.960 --> 10:01.960
and build on that.

10:01.960 --> 10:06.960
So when it collides, legal versus,

10:06.960 --> 10:08.960
I don't want to call it common sense,

10:08.960 --> 10:11.960
but let's call it common sense for this purpose.

10:11.960 --> 10:16.960
Yes, we have to fulfill our legal obligations, no discussion,

10:16.960 --> 10:22.960
but also if there is some big pork needed,

10:22.960 --> 10:25.960
which has to be done on our side as a manufacturer,

10:25.960 --> 10:30.960
we will do so even though upstream will not accept that change

10:30.960 --> 10:32.960
or that fix at the moment.

10:32.960 --> 10:34.960
We will have to do that on our own expense,

10:34.960 --> 10:38.960
because that's our problem, we serve our customers.

10:38.960 --> 10:41.960
And then we continue working with the community.

10:41.960 --> 10:43.960
That's what I care the most,

10:43.960 --> 10:47.960
because this is the business model we built on.

10:47.960 --> 10:52.960
So for me, the meaningful is the work of the day,

10:52.960 --> 10:54.960
how to do that,

10:54.960 --> 10:58.960
to provide something back to the communities

10:58.960 --> 11:01.960
because then we get from this community,

11:01.960 --> 11:03.960
especially Red Hat.

11:03.960 --> 11:04.960
Thank you.

11:04.960 --> 11:07.960
Moving to Kate, now, I have the pleasure to read.

11:07.960 --> 11:10.960
On your website,

11:10.960 --> 11:14.960
your way of documenting the CRA-related compliance work.

11:14.960 --> 11:16.960
You have them in tremendous job already there,

11:16.960 --> 11:19.960
and I think you're one of the most advanced projects

11:19.960 --> 11:24.960
from the Linux Foundation for Zephyr.

11:24.960 --> 11:27.960
In this way, or in this path,

11:27.960 --> 11:30.960
to document the CRA-related compliance work,

11:30.960 --> 11:33.960
what has surprised you most so far,

11:33.960 --> 11:36.960
particularly when regulatory expectations

11:36.960 --> 11:39.960
don't align neatly with how open source projects

11:39.960 --> 11:42.960
actually work.

11:42.960 --> 11:45.960
I think the biggest thing that was,

11:45.960 --> 11:47.960
this can be a challenge,

11:47.960 --> 11:51.960
is the aspects of notification for open source projects.

11:51.960 --> 11:53.960
We're going to have to figure out which CSIRTs

11:53.960 --> 11:55.960
we're going to work with here in the EU.

11:55.960 --> 11:58.960
Now, some open source projects are already CNAs,

11:58.960 --> 12:02.960
and have been used to working with the CVE Numbering Authority people,

12:02.960 --> 12:07.960
and working on working in the relationships and adjusting,

12:07.960 --> 12:09.960
and so forth, but a lot of open source projects

12:09.960 --> 12:12.960
don't have a dedicated vulnerability channels.

12:12.960 --> 12:15.960
In Zephyr, we do, and we also have ways

12:15.960 --> 12:17.960
that people who are shipping products

12:17.960 --> 12:20.960
can register to be notified by us.

12:20.960 --> 12:21.960
Okay.

12:21.960 --> 12:23.960
Now, you have to prove that you actually have a product,

12:23.960 --> 12:25.960
you're not a bad actor.

12:25.960 --> 12:27.960
Okay, but if you do have that,

12:27.960 --> 12:29.960
then you can just basically sign up for free,

12:29.960 --> 12:31.960
and we will push you notification

12:31.960 --> 12:34.960
when we have a vulnerability fix ready.

12:34.960 --> 12:37.960
Getting these fixes out and then through the downstream,

12:37.960 --> 12:38.960
so we actually have products,

12:38.960 --> 12:41.960
I think it's going to be a challenge for a lot of open source projects.

12:41.960 --> 12:44.960
And we've got a partial, we've got our solution right now,

12:44.960 --> 12:46.960
but I think other open source projects

12:46.960 --> 12:50.960
are going to just tackle this part of that notification aspect,

12:50.960 --> 12:52.960
I think that's a big gap right now.

12:52.960 --> 12:53.960
Okay.

12:53.960 --> 12:55.960
Moving to Salve.

12:55.960 --> 12:57.960
Yeah, many open source ecosystems

12:58.960 --> 13:01.960
like yours, don't have a single vendor foundation

13:01.960 --> 13:06.960
or huge legal department that handles the legal aspects.

13:06.960 --> 13:09.960
In a CRA world, what does stewardship

13:09.960 --> 13:12.960
realistically look like for communities like yours

13:12.960 --> 13:15.960
that are decentralized very much volunteer driven

13:15.960 --> 13:18.960
and also resource constrained?

13:18.960 --> 13:19.960
Yeah.

13:19.960 --> 13:22.960
I've been struggling a lot with that question.

13:23.960 --> 13:26.960
The Perl communities, in a sense,

13:26.960 --> 13:29.960
an example of the classic open source community

13:29.960 --> 13:32.960
where everybody is working just on the things that

13:32.960 --> 13:35.960
gives them something that is found

13:35.960 --> 13:37.960
or interesting as they come learned from it.

13:37.960 --> 13:43.960
And that basis of motivation is throughout everything.

13:43.960 --> 13:47.960
All the systems and service and projects and components

13:47.960 --> 13:50.960
and the relationships are tooling is based

13:50.960 --> 13:53.960
on the foundation of volunteerism.

13:53.960 --> 13:57.960
And finding people who want to care about policy

13:57.960 --> 14:00.960
and compliance and stuff is like

14:00.960 --> 14:03.960
who is how long on a software developer

14:03.960 --> 14:06.960
gets care of and strange people like me.

14:06.960 --> 14:10.960
There are a handful of us.

14:10.960 --> 14:13.960
But we still can't have to do something.

14:13.960 --> 14:17.960
So we have a Perl Foundation,

14:17.960 --> 14:19.960
which has a few things.

14:19.960 --> 14:21.960
But it doesn't have the capacity

14:21.960 --> 14:24.960
or competence or speaking the willingness

14:24.960 --> 14:26.960
to approach this problem.

14:26.960 --> 14:28.960
So we have a luxury in the sense

14:28.960 --> 14:31.960
that we can look at this whole new thing

14:31.960 --> 14:34.960
with the cybersecurity sector from our first principles perspective.

14:34.960 --> 14:38.960
Like what does a steward look like for us

14:38.960 --> 14:42.960
like this ecosystem with its shape

14:42.960 --> 14:44.960
and requirements?

14:44.960 --> 14:49.960
And look at what we need to make it work.

14:49.960 --> 14:52.960
And that's a fantastic journey to figure out.

14:52.960 --> 14:55.960
And I think I don't know how much I would love to go

14:55.960 --> 14:56.960
into that of course.

14:56.960 --> 15:02.960
But the core of it is protecting the culture we have

15:02.960 --> 15:05.960
and the volunteerism is actually number one.

15:05.960 --> 15:07.960
It's the maintainers and their projects.

15:07.960 --> 15:10.960
And secondly,

15:11.960 --> 15:15.960
it has to also be the communities that support them

15:15.960 --> 15:16.960
and not rather.

15:16.960 --> 15:19.960
And in third comes the downstream usage

15:19.960 --> 15:22.960
because in the manufacturers that are required

15:22.960 --> 15:26.960
the cooperation of these communities and these maintainers.

15:26.960 --> 15:29.960
And it has to be like that

15:29.960 --> 15:34.960
given the fact that we are operating without any resources.

15:34.960 --> 15:36.960
If we have more resources,

15:36.960 --> 15:40.960
something we hope to look at as a consequence of the introducing

15:40.960 --> 15:42.960
the CRA, then things like change.

15:42.960 --> 15:45.960
We can do the extra work like organizing

15:45.960 --> 15:48.960
the things that make a community proper community.

15:48.960 --> 15:51.960
Like for example, we have something called the Perl Mongers,

15:51.960 --> 15:53.960
a meetup community or global,

15:53.960 --> 15:55.960
where we are organized a lot for beer

15:55.960 --> 15:58.960
and talk about the interesting things.

15:58.960 --> 16:01.960
And it's been around since 2000, I think,

16:01.960 --> 16:02.960
or 2001.

16:02.960 --> 16:05.960
And it's a fantastic set of communities

16:05.960 --> 16:08.960
that this is also beginning of the conferences that are

16:08.960 --> 16:11.960
in this where people can share their projects

16:11.960 --> 16:14.960
and create the open source community that we have are.

16:14.960 --> 16:17.960
And so in a sense,

16:17.960 --> 16:21.960
if we're going to help secure the maintainers

16:21.960 --> 16:22.960
software,

16:22.960 --> 16:26.960
we have to also keep making sure that the foundations

16:26.960 --> 16:30.960
that are necessary to make this actually work

16:30.960 --> 16:32.960
are protected and supported.

16:32.960 --> 16:34.960
And so it's not only about the maintainers,

16:34.960 --> 16:36.960
they are the core,

16:36.960 --> 16:39.960
but it also needs to be the rest.

16:39.960 --> 16:42.960
And most manufacturers and businesses out there

16:42.960 --> 16:44.960
it's too much for them.

16:44.960 --> 16:45.960
So in a sense,

16:45.960 --> 16:47.960
supporting organization,

16:47.960 --> 16:50.960
if it's a separate steward or a foundation,

16:50.960 --> 16:53.960
the things about these things and make that happen,

16:53.960 --> 16:55.960
I think is key for making this work.

16:55.960 --> 16:57.960
Thank you very much.

16:57.960 --> 16:59.960
Would you like to add something?

16:59.960 --> 17:00.960
Okay.

17:01.960 --> 17:05.960
I would have liked to keep the mic at Salve

17:05.960 --> 17:10.960
because I introduced or started to talk about manufacturers

17:10.960 --> 17:14.960
and this kind of collaboration between manufacturers,

17:14.960 --> 17:16.960
communities,

17:16.960 --> 17:19.960
ecosystems in the end.

17:19.960 --> 17:20.960
From your perspective,

17:20.960 --> 17:22.960
from your huge experience,

17:22.960 --> 17:25.960
where does that collaboration work well

17:25.960 --> 17:27.960
and where does it break,

17:27.960 --> 17:29.960
especially from cybersecurity perspective?

17:30.960 --> 17:33.960
It's always been an opt-in thing.

17:33.960 --> 17:35.960
People who wish to do something,

17:35.960 --> 17:37.960
they do so.

17:37.960 --> 17:38.960
It's like,

17:38.960 --> 17:40.960
I think it's called do-ocracy,

17:40.960 --> 17:42.960
or democracy or something like that.

17:42.960 --> 17:45.960
Those who step up and do the work they get to decide.

17:45.960 --> 17:48.960
And that goes both from the businesses that

17:48.960 --> 17:52.960
decide to hire people that can know this technology,

17:52.960 --> 17:54.960
to use those technologies

17:54.960 --> 17:57.960
and whether or not they support it by sponsoring events,

17:57.960 --> 18:02.960
for example, or allowing their engineers

18:02.960 --> 18:04.960
to spend time on open-source things.

18:04.960 --> 18:06.960
And on the community side,

18:06.960 --> 18:09.960
it's always been about what is done,

18:09.960 --> 18:11.960
strictly speaking,

18:11.960 --> 18:12.960
and interesting.

18:12.960 --> 18:15.960
And one core insight,

18:15.960 --> 18:17.960
I've learned,

18:17.960 --> 18:18.960
after being like,

18:18.960 --> 18:20.960
one of the community guys

18:20.960 --> 18:21.960
in the Perl,

18:21.960 --> 18:23.960
community in Europe,

18:23.960 --> 18:25.960
helping do this stuff is that

18:26.960 --> 18:29.960
having open-source projects

18:29.960 --> 18:33.960
that multiple people care about the same thing,

18:33.960 --> 18:35.960
and do that over time,

18:35.960 --> 18:39.960
that's fertile ground for creating friendships.

18:39.960 --> 18:42.960
And most people who come into the Perl community,

18:42.960 --> 18:45.960
they stay there because it's awesome people.

18:45.960 --> 18:47.960
And they go to places like FOSDEM,

18:47.960 --> 18:50.960
because we get to meet those awesome people again,

18:50.960 --> 18:52.960
and again, they go what would be there.

18:52.960 --> 18:56.960
That's part of the culture that we want to protect.

18:56.960 --> 18:59.960
And it's also basis for making things work,

18:59.960 --> 19:01.960
and figuring out how to help each other,

19:01.960 --> 19:03.960
and well where the problems are,

19:03.960 --> 19:07.960
and we would love to have more of our structures in on this game,

19:07.960 --> 19:09.960
but they have to kind of decide for themselves.

19:09.960 --> 19:12.960
They have to opt into the open-source community

19:12.960 --> 19:13.960
that they depend on.

19:13.960 --> 19:15.960
We can't force them as the same way,

19:15.960 --> 19:18.960
strictly speaking, they can't force the maintainers

19:18.960 --> 19:20.960
to play along in the needs they have.

19:20.960 --> 19:23.960
So this is a choice of goodwill.

19:23.960 --> 19:25.960
And if everybody has goodwill,

19:25.960 --> 19:27.960
I think we can make this work.

19:27.960 --> 19:29.960
I think this can be awesome, actually.

19:29.960 --> 19:30.960
Okay.

19:30.960 --> 19:33.960
You mentioned that you were multiple hats.

19:33.960 --> 19:35.960
Here you are representative of Zephyr,

19:35.960 --> 19:37.960
but you're involved also in SPDX,

19:37.960 --> 19:39.960
you're involved in open SSF,

19:39.960 --> 19:41.960
and in many other communities.

19:41.960 --> 19:43.960
And from your perspective,

19:43.960 --> 19:46.960
where does this collaboration work very well

19:46.960 --> 19:48.960
and where does this breakdown?

19:48.960 --> 19:53.960
And how do you see that the improvements are needed?

19:53.960 --> 19:56.960
Okay, so the one area I'm worrying about personally

19:56.960 --> 19:59.960
is the communities may have volunteers.

19:59.960 --> 20:03.960
Some of those volunteers work for manufacturers,

20:03.960 --> 20:08.960
and there's various penalties on manufacturers

20:08.960 --> 20:10.960
for notification.

20:10.960 --> 20:13.960
And so what I don't want to see

20:13.960 --> 20:17.960
is manufacturers pulling their staff off of the security teams

20:17.960 --> 20:19.960
because of this penalty.

20:19.960 --> 20:21.960
So I really want to make sure that it gets clarified

20:21.960 --> 20:23.960
that if you've got working with an open source project

20:23.960 --> 20:25.960
to volunteer hat on,

20:25.960 --> 20:28.960
that doesn't count against your company.

20:28.960 --> 20:29.960
Okay.

20:29.960 --> 20:31.960
Who's paying your salary to some extent,

20:31.960 --> 20:32.960
from some cases.

20:32.960 --> 20:35.960
So this is the area I'm worried about

20:35.960 --> 20:38.960
personally between on the implementation side.

20:38.960 --> 20:41.960
But I think we've got a lot of,

20:41.960 --> 20:43.960
a lot of tooling.

20:43.960 --> 20:44.960
There's a lot of things that have been emerging

20:44.960 --> 20:45.960
over the last five years,

20:45.960 --> 20:48.960
and how they're playing into this like the SBOM world.

20:48.960 --> 20:50.960
You know, we're being asked for SBOMs if you generated

20:50.960 --> 20:53.960
the projects we're starting to generate them now automatically.

20:53.960 --> 20:56.960
And so some of these pieces of metadata

20:56.960 --> 20:59.960
that's going to be necessary, that's all emerging.

20:59.960 --> 21:02.960
So I think we're seeing maturity emerge

21:02.960 --> 21:04.960
that we can actually take in leverage.

21:04.960 --> 21:08.960
However, I do worry about the interactions

21:08.960 --> 21:10.960
between manufacturers of manufacturer obligations

21:10.960 --> 21:13.960
and how that's going to work with the projects.

21:13.960 --> 21:15.960
Which probably leads me right to you.

21:15.960 --> 21:16.960
Exactly.

21:16.960 --> 21:18.960
Or I think at you, why would you like to add

21:18.960 --> 21:20.960
to this question?

21:20.960 --> 21:22.960
Because sometimes you're a manufacturer,

21:22.960 --> 21:23.960
you're a steward.

21:23.960 --> 21:25.960
But I imagine that you are still

21:25.960 --> 21:28.960
contributing directly to the code upstream.

21:28.960 --> 21:32.960
Well, for the support,

21:32.960 --> 21:36.960
and so I've already mentioned that the critical thing I see

21:36.960 --> 21:38.960
is some organizational background,

21:38.960 --> 21:40.960
meaning, you know,

21:41.960 --> 21:44.960
voluntary groups, foundations,

21:44.960 --> 21:45.960
working groups.

21:45.960 --> 21:48.960
We are all members of many of them,

21:48.960 --> 21:52.960
and that's something what I see as one

21:52.960 --> 21:54.960
of the key success factors,

21:54.960 --> 21:57.960
because we then know each other

21:57.960 --> 21:59.960
we meet on many occasions,

21:59.960 --> 22:02.960
and eventually when we are part of,

22:02.960 --> 22:04.960
let's say, standardization committees,

22:04.960 --> 22:08.960
we can influence it, which is a critical part for us.

22:09.960 --> 22:11.960
Where does it fall apart?

22:11.960 --> 22:13.960
If there is no clear ownership,

22:13.960 --> 22:16.960
and that's my problem, it's closer to my heart,

22:16.960 --> 22:18.960
as you know, managing programs,

22:18.960 --> 22:21.960
that you need to have a clean ownership of everything,

22:21.960 --> 22:23.960
otherwise you won't get results.

22:23.960 --> 22:26.960
It doesn't touch just open source,

22:26.960 --> 22:27.960
it's everything.

22:27.960 --> 22:32.960
So, I would say that the critical part is that

22:32.960 --> 22:33.960
collaboration,

22:33.960 --> 22:38.960
I especially, I would like to appreciate,

22:38.960 --> 22:40.960
you know, the volunteers,

22:40.960 --> 22:42.960
and these organizations,

22:42.960 --> 22:44.960
foundations or working groups,

22:44.960 --> 22:47.960
which are organized by bigger entities,

22:47.960 --> 22:49.960
which invest to this,

22:49.960 --> 22:51.960
with currently,

22:51.960 --> 22:54.960
if I take it to the business,

22:54.960 --> 22:56.960
we have no idea what will be ROI,

22:56.960 --> 22:59.960
but we still do this today, and that's the key.

22:59.960 --> 23:01.960
That's great.

23:01.960 --> 23:04.960
Yeah, time flies when we are having fun,

23:04.960 --> 23:08.960
and such and such as some amazing guys,

23:08.960 --> 23:11.960
we still have only two or three minutes,

23:11.960 --> 23:13.960
if I'm not mistaken.

23:13.960 --> 23:16.960
Let's move viewers,

23:16.960 --> 23:20.960
and we fast forward a few years, as I said,

23:20.960 --> 23:22.960
and the CRA has generally improved

23:22.960 --> 23:24.960
upon subsequent, let's imagine that.

23:24.960 --> 23:26.960
Let's do this kind of exercise.

23:26.960 --> 23:28.960
What criteria would you say that an ideal

23:28.960 --> 23:30.960
steward must meet,

23:30.960 --> 23:32.960
especially in a decentralized market-driven

23:32.960 --> 23:33.960
voluntary ecosystem,

23:33.960 --> 23:35.960
and what is the greatest challenge

23:35.960 --> 23:38.960
on the path towards this future?

23:38.960 --> 23:40.960
Pavel, if that's done?

23:40.960 --> 23:42.960
So, I would say,

23:42.960 --> 23:44.960
I see the CRA as a great opportunity,

23:44.960 --> 23:46.960
especially for the big companies,

23:46.960 --> 23:49.960
to stick more to the upstream and clear.

23:49.960 --> 23:50.960
And with that,

23:50.960 --> 23:53.960
if I imagine CRA or

23:53.960 --> 23:56.960
the industry in 2030,

23:56.960 --> 23:57.960
I would say,

23:57.960 --> 24:01.960
I'd like to see the steward as an invisible middleman.

24:01.960 --> 24:04.960
Just something that's there,

24:04.960 --> 24:06.960
that naturally helps

24:06.960 --> 24:09.960
the community with everything,

24:09.960 --> 24:12.960
all these hidden investments,

24:12.960 --> 24:13.960
like tooling,

24:13.960 --> 24:16.960
and, I don't know, compliance support,

24:16.960 --> 24:18.960
let's call it compliance as a service,

24:18.960 --> 24:19.960
if you will.

24:19.960 --> 24:21.960
And with that,

24:21.960 --> 24:25.960
I believe that if stewards aren't mentioned

24:25.960 --> 24:28.960
that much in 2030 or in five years,

24:28.960 --> 24:30.960
that will be the success.

24:30.960 --> 24:34.960
And the challenge on this path?

24:34.960 --> 24:36.960
Legal,

24:36.960 --> 24:38.960
I would say,

24:38.960 --> 24:39.960
pardon my French,

24:39.960 --> 24:41.960
but this is something,

24:41.960 --> 24:45.960
that we face day to day with the CRA,

24:45.960 --> 24:47.960
and we need to get,

24:47.960 --> 24:48.960
we need to get unified,

24:48.960 --> 24:51.960
because I know that in all these working groups,

24:51.960 --> 24:53.960
we all have our say,

24:54.960 --> 24:56.960
and the standardization committees,

24:56.960 --> 24:59.960
resolving all the comments is a long-term run.

24:59.960 --> 25:01.960
And of course,

25:01.960 --> 25:02.960
nations,

25:02.960 --> 25:04.960
push their interests,

25:04.960 --> 25:05.960
companies,

25:05.960 --> 25:06.960
push their interests.

25:06.960 --> 25:09.960
So this is just something where we need to,

25:09.960 --> 25:10.960
we need to grab it,

25:10.960 --> 25:11.960
and as I said,

25:11.960 --> 25:12.960
as I see the CRA,

25:12.960 --> 25:14.960
the opportunity for the big companies,

25:14.960 --> 25:16.960
especially now representing the big company,

25:16.960 --> 25:18.960
this is the way to go,

25:18.960 --> 25:21.960
and the big companies would see that opportunity as well.

25:21.960 --> 25:24.960
I believe this is the challenge we could

25:24.960 --> 25:25.960
overpass.

25:25.960 --> 25:26.960
Thank you.

25:26.960 --> 25:27.960
Kate,

25:27.960 --> 25:28.960
from your perspective,

25:28.960 --> 25:30.960
how an ideal storage for the new client?

25:30.960 --> 25:31.960
In an ideal situation,

25:31.960 --> 25:33.960
we've increased the quality of the code,

25:33.960 --> 25:34.960
the open source code.

25:34.960 --> 25:37.960
We've got more resources coming in from the manufacturers

25:37.960 --> 25:39.960
to get things right upstream,

25:39.960 --> 25:42.960
and we improve our technologies for getting things right.

25:42.960 --> 25:44.960
If we do this,

25:44.960 --> 25:45.960
you know,

25:45.960 --> 25:48.960
we have projects out there that everyone's using,

25:49.960 --> 25:52.960
where the backports are one per hour.

25:52.960 --> 25:53.960
Okay.

25:53.960 --> 25:57.960
Getting the quality up in these open source projects,

25:57.960 --> 25:59.960
so that the security improves.

25:59.960 --> 26:01.960
If we've done this right,

26:01.960 --> 26:03.960
there are motivations to make this happen.

26:03.960 --> 26:05.960
As far as I'm concerned.

26:05.960 --> 26:09.960
And the challenge is,

26:09.960 --> 26:11.960
is actually making it happen.

26:11.960 --> 26:12.960
Yeah.

26:12.960 --> 26:14.960
Southern, from your perspective.

26:14.960 --> 26:15.960
Okay.

26:15.960 --> 26:16.960
Ideal.

26:16.960 --> 26:18.960
How does it look like?

26:18.960 --> 26:21.960
I'm a little bit agreeing that it's true,

26:21.960 --> 26:22.960
or in session,

26:22.960 --> 26:23.960
if it's invisible,

26:23.960 --> 26:24.960
that would be fine.

26:24.960 --> 26:26.960
But I think that's not possible.

26:26.960 --> 26:30.960
I think it has a role to play.

26:30.960 --> 26:34.960
It is a facilitator in solving real problems.

26:34.960 --> 26:36.960
And in identifying them,

26:36.960 --> 26:38.960
the needs of the manufacturers,

26:38.960 --> 26:40.960
and connecting those to the relevant projects.

26:40.960 --> 26:43.960
And making that a smooth experience,

26:43.960 --> 26:46.960
and making sure that it is funded.

26:46.960 --> 26:50.960
Because the work we're talking about here,

26:50.960 --> 26:53.960
is mind-numbingly boring.

26:53.960 --> 26:57.960
It's really, really not fun at all.

26:57.960 --> 27:00.960
And asking a volunteer to do that,

27:00.960 --> 27:03.960
is actually not a friendly thing at all.

27:03.960 --> 27:06.960
And we should try to make sure that they get the resources

27:06.960 --> 27:08.960
that they need to be able to take part,

27:08.960 --> 27:12.960
because we have to include the maintainers in one way.

27:12.960 --> 27:17.960
The alternatives, almost all of them, are much more expensive.

27:17.960 --> 27:20.960
In solving the open source projects, as they are now,

27:20.960 --> 27:22.960
that is the cheap option.

27:22.960 --> 27:24.960
It will not be as free as it used to be,

27:24.960 --> 27:28.960
but it's definitely not as expensive as trying to go

27:28.960 --> 27:30.960
in a proprietary direction,

27:30.960 --> 27:33.960
or in-housing, or the other options.

27:33.960 --> 27:37.960
Thank you very much.

27:37.960 --> 27:40.960
Yeah, I have to bad guys here,

27:40.960 --> 27:45.960
thank you so much for everything that you have said here.

27:45.960 --> 27:47.960
That was an amazing part.

27:47.960 --> 27:49.960
Thank you so much.

27:49.960 --> 27:52.960
Okay, thank you very much.

