作者：ROMAN SHAPOSHNIK

翻译：刘天栋 Ted

A few months ago, Tanya Dadasheva and I got invited to the Open Source Congress 2023. The event will be held in Geneva this week (7/27/2023) and is one of those really nice get-together soirees that Linux Foundation graciously hosts to make sure that folks working in different Open Source organizations have a chance to talk to each other. After all, as long as there’s been open source there have been fragmentation concerns of the greater open source community (and with techno-nationalism on the rise it is not like things are trending in the right direction even for Open Source).

Less Council of Elrond; more like a nice academic retreat with an emphasis on cross-disciplinary collaboration. Or it would be like that in any other year, but apparently not in 2023.

Turns out, I wasn’t the only one thinking that. My good friend Mike Dolan and I exchanged notes and the following is a sort of an edited transcript of our exchange. All eloquence in the following is his and all the mistakes are mine.

With the war raging in Europe, US/China rivalry heating up and AI promising to completely redefine our way of life, it is of little surprise that Open Source communities have increasingly heard alarm bells go off. As an overarching community, we've dealt with export controls and are suddenly being told to exclude contributors to projects. We've seen valuable contributors from certain countries excluded simply because of actions their leaders took that they had absolutely no path to influence. Some even fled their country and moved their entire families and lives. We've been asked how to handle contributions of AI-generated code by hundreds of maintainers. We've had to defend and remind people that OSI is the organization that decides what licenses qualify as "open source" (particularly with SDOs). We’ve even had the perpetual “are you dead yet?” argument thrown around.

Even if you consider just the regulatory issues facing open source in 2023 - including the CRA, PLD, AI Act (EU), Securing Open Source Software Act (US) and other examples - it is clear that the least various Open Source organizations can do is to educate the lawmakers on the consequences of their [in]actions and then prepare for the inevitable fallout (if they don’t listen). This includes preparing for things that will, if mandated by law, put an additional burden on all of Open Source organizations:

• 我们将如何应对新的网络安全法规？

How will we address new cybersecurity regulations that could be used to justify just about anything?

• 我们将如何应对/实施数字主权或哪些寻求排他性的出口管制？

How will we respond/implement Digital Sovereignty or export controls that seek to exclude?

• 我们将如何解决多元化、公平性、包容性 (DEI: Diversity, Equity, Inclusion) 问题？

How will we address DEI issues?

• 我们将如何处理人工智能为我们的开源项目带来的贡献?

How will we address AI-generated contributions to our open-source projects

• 以及其他许多

And many others

Geneva congress is really meant to help us start preparing to answer these questions not as individual organizations in a fragmented ecosystem, but rather collectively sharing a common approach and best practices while learning from each other. Or to put it differently: to up-level the open source ecosystem and present a professional, coordinated response to new challenges.

Many of these challenges come from outside our ecosystem - and those actors don't understand us. Presenting a united front doesn’t mean losing our individual voices (more on that later) but rather manifesting “standing together”. And if we're to address issues can we start from a common set of principles we agree on? Our hypothesis is if we can express the core principles we already share in words, we can better articulate our shared principles in the face of new challenges. The goal of the Congress is not to formally consent to a statement document on the day of Congress as much as it is to convene discussions around the ideas within a document, and to use this as a shared foundation upon which we can work together to address present day and future challenges more cohesively. There’s much we as a community already agree on. Recent collaboration on the CRA, shared guidance being drafted on AI generated content, open letters and multi stakeholder actions against patent trolls provide evidence of this. Some of us have already shown we can come together when we are facing mutual challenges. Can we improve on how we're doing that? Can we mobilize sooner than just before a regulation is voted upon? Can we expand the circle to include other organizations? Perhaps there is more that we can do to better coordinate these efforts, and we seek to discuss these ideas in Geneva, and hopefully beyond it.

But remember, Open Source is not a corporation, it isn’t a government it is a community. So don’t expect any kinds of resolutions being ratified and communiques being published. Who could even decide anything for "the community"? We all have communities. The LF is composed of 900+ project communities, each with their own views on any topic. The ASF is composed of close to 400. I know LF can't speak for "the community". I know ASF can’t. And if anybody is suggesting otherwise - they probably have a political agenda or an axe to grind. If anyone thinks the LF, ASF or any other Open Source foundation is conniving enough to somehow get a number smart leaders in a room and "decide for the community" you're overestimating us by a billion miles.

One way to look at this is to focus on “us” at this moment — the members of the community — and our needs. But what makes it surprisingly difficult in 2023 is that some of the voices twisting what is really going on are coming from "inside the house". With all the external pressures mounting, the internal stress (and as a consequence early splintering) is now palpable. Curiously, the shape it seems to take (at least around me) is also very apropos 2023: people who used to be the most staunch rationalists and old school open source hackers are now engaging in paranoia and conspiracy theories like it is Tucker Carlson's show.

There's some garden variety "all Open Source Foundations are nothing but shills for US or Chinese corporations" paranoia on one end of the spectrum, there's "what's happening in EU right now is exactly like the crypto wars of the 90s and we must deal with it the same way" coming from the other end. The one that rubs me the wrong way the most though is this one: "All open source is under siege and the situation is so dire that we must surrender our individual voices in the fear of being misinterpreted or taken out of context as the position of large Open Source organizations".

And this is not coming from some random tech journos either -- these are otherwise very reasonable and respected open-source developers suggesting it. I feel nothing can be more dangerous than giving into this kind of mindset -- after all "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety...."

Take me, Roman Shaposhnik as an example. I volunteer for the Apache Software Foundation as a VP of Legal Affairs. I am not employed by the organization (ASF has extremely few paid positions to begin with) I am an unpaid volunteer. I am also a card-carrying member of the organization. I am one of hundreds of members tho. There's nothing special about my volunteer position. It gives me no authority to speak on behalf of the ASF at public events or enter into kind of agreements with public or private sector actors (that power is only vested into the ASF's board and, to some extent, the office of the President). Yet, I do get invited to events like the Open Source Congress in Geneva. Why? Not because of what my position is called -- I assure you -- but rather because of the kind of experience that position allowed me to have. It just so happens that the opinions of people with exactly this kind of experience are valuable.

Do I share these opinions (solicited or not) while at these types of events? You betcha! Do I say "In my experience volunteering for ASF as VP of Legal Affairs, I found that..." Of course, I do! Does any of that bind the ASF to any kind of position? Of course not! That would be as ridiculous as assuming that talking to somebody whose badge says "Kubernetes" would bind that entire project AND community to anything!

Why, among all the things discussed so far, is this the one that triggers me the most? Because anyone (and I do mean ANYONE -- in any position of authority) who tells you not to share your opinions because of the greater good or even because they may be misconstrued has a hidden powerplay/political agenda and I hate that the most.

Personally, I'm lucky enough, to be at a point in my career where I can tell anybody like that to simply shove it. But not everybody is like me. I get it. And if you remember anything from this post -- remember this. Regardless of where you are at in your open-source career -- don't let anyone silence you. We owe it to each other to have "strong opinions; loosely held" and there's no use in them unless they are articulated clearly every time we get a chance. And to hell with being misconstrued -- haters gonna hate and politicians gonna politique!

So... catch me in Geneva this week if you're around. I'll be the loudmouth guy telling everybody what I really think about CRA, PLD, AI Act, and more! And if you argue well with me — I may even buy you [ridiculously overpriced] beer!

注：

[1]https://newsletter.cote.io/p/waiting-for-the-close-of-open-how

[2]https://fossforce.com/2023/07/bad-news-for-open-source-eu-committee-approves-the-cyber-resilience-act/

[3]https://www.openlogic.com/blog/securing-open-source-software-act

[4]https://www.apache.org/legal/generative-tooling.html

[5]https://zh.wikipedia.org/wiki/%E5%A1%94%E5%85%8B%C2%B7%E5%8D%A1%E6%A3%AE