EU Commission to open source software (europa.eu)
284 points by sofixa on Dec 10, 2021 | hide | past | favorite | 56 comments



This is fantastic news at two levels:

* the actual code that will be made public (in particular enabling all sorts of things to be built on top of the Commission's policy / legal know-how and rules)

* the signalling, encouragement and precedent that this provides to other public sector instances that may have been sitting on the fence, unsure or even oblivious to open source


Keep in mind that the open source projects being mentioned as examples on this press release only tend to affect people established as residents in the European Union.

For example, from the press release:

> “An example of the benefits of open sourcing is eSignature, a set of free standards, tools and services that help public administrations and businesses accelerate the creation and verification of electronic signatures that are legally valid in all EU Member States.”

In order to use an eSignature, you need to have an eID (electronic ID) card from an EU member state, which is placed in a smart card reader. Some people in the EU do not have eID cards yet. Yes, some countries have apps that allow you to use an eSignature, but generally speaking, your eID is your best bet. Typically, your eID provides the highest authentication level, in terms of security, when dealing with EU or national (country) level services.


> In order to use an eSignature, you need to have an eID (electronic ID) card from an EU member state. Some people in the EU do not have them.

This is false. eIDs are a common way of doing it, since they obviously already have a process for verifying identity and are smartcards matching the required security level, but they are not required; you can just get a generic matching smartcard loaded with the cert.


In practice, countries recognize only eID cards they produced and signed themselves (well, ordered from Gemalto, Giesecke and Devrient or IDEMIA).

Now, once the use of eID cards expands, all these use cases will require software. So far, countries do it on their own. Belgium writes its own software, Estonia as well. The point is that most of that software could be reused.

So far, only open source parts are reused, like opensc.


The Estonian e-signature software is fairly well written, open source and easily extensible to other countries' eIDs. Latvian and Lithuanian are already supported.


>Typically, your eID provides the highest authentication level, in terms of security, when dealing with EU or national (country) level services.

Not really, at least in here (Poland). "Qualified electronic signature", which you can buy from several approved suppliers, provides the highest authentication; you can access all government services with it, and it is legally equivalent to a paper signature. Meanwhile, the "personal signature" you get on the government-issued electronic ID is not eIDAS-compliant, isn't equivalent to a paper signature, and some government services are not available (like those VAT tax forms using Adobe Reader plugins, ugh).


However, if there's part of the software that is useful outside the EU, there would be the option of reusing just that part.


> The Commission will make its software available as open source in one single repository

Let's hope this is not a git monorepo...

I wonder where they will release it? Github would be the easy choice. They could self-host a forge or just a web frontend, publish tarballs, etc.

An interesting choice would be to use SourceHut, which is now based in the Netherlands with ddevault. (edit: well, maybe it's still incorporated in Delaware).


A self-hosted Gitlab instance would make the most sense, IMO.


Well, given the resource requirements to host GitLab and the number of potential visitors, I think this is unlikely.

Moreover, I wouldn't be surprised if they just opened the code, not the development process. And old, frozen projects with no contributing directions are most likely what we'll get at first.

However, hosting OSS code like this is a public service. It would be nice to see the EU commission competing against GitHub for Open Source hosting, but that's probably a pipe dream for now.

The really promising part is what this will enable going forward:

> The dissemination of software under an open source licence will no longer require a Commission Decision.

> The Commission now allows its software developers to contribute to open source projects with improvements that they developed as part of their work.

So it might become at the team's discretion. The code will probably end up being developed on GitHub or somewhere else, with a mirror of sorts on the EU commission's "repository" website.


> It would be nice to see the EU commission competing against GitHub for Open Source hosting

Why would you want them to get into that? It doesn't seem like it's something appropriate for a government to get into.


While 'competing' may not be a good word for it, there's an argument to be made that some software belongs in the commons. This sort of signature/certificate infrastructure is a good example. So why not have it hosted by a public entity? Maybe entrust a couple large libraries with operating and cross-mirroring repositories?


The European institutions run the Atlassian suite internally so if they self-host anything, which they most likely will, it will be Bitbucket because that's what their IT is experienced with.


That explains the sluggishness... thanks for the insight ;)


There is a large, popular GitLab instance in Europe already, but of course the EC is free to host its own: https://framagit.org/


An existing Gitea instance for FOSS only is a nice option. Codeberg is hosted in Germany and contributes to the wholly community-driven Gitea project: https://codeberg.org


Maybe they first start a 5-year project to create an appropriate VCS infrastructure...


On a mainframe


This should be the norm for software developed as work for hire for all kinds of governments, everywhere, if only for the reason that it would save a lot of redundant development of software used by governments. There are obvious exceptions for weapons technology. But the presumption should be that governments must look to existing open source software before they contract for software development, and they should contribute newly developed software to the pool.


Absolutely agreed. Public money, public code. So much software can be shared between various governments that it's not even funny how much money was wasted on useless huge vendors like Accenture and IBM.


> Public money, public code.

That's the slogan of https://publiccode.eu


I like the sentiment, but have struggled with the mechanism. Basically, we need to incentivize creating & running good OSS projects: the more direct the incentives, the harder it is for non-maintainers to game the system.

I suspect the current proposal tilts the bias even further toward consulting companies, who would explicitly rather compete on butts in seats writing code, vs. OSS product teams wanting to build quality code that minimizes servicing needs. On any individual contract, the product team would be more expensive and thus less competitive, and would no longer have a proprietary advantage built up over time to defend against that: the services team can hack the same code.

My observation is 100% as a product person who sees these bids go out and contractors take either most or all of a contract because of this dilemma. If we open sourced even more, we'd get even less interest, despite writing measurably better code.

Instead, I've been thinking something like "X% budget / yr should be grants to SMB OSS project maintainers" based on a few flavors (gov use, commercial use, ...). Incentivize creating popularly used OSS, vs more services. Like take the SBIR budget and make a 20% match to SMB OSS. Maybe a DAO that'd actually help :)


5M EUR wasted on an open source editor for writing legislation:

https://ec.europa.eu/isa2/actions/open-source-software-editi...

Git and Markdown would do a better job, XML is insane.


XML is not insane, actually it’s an open standard for writing legal documents: https://en.m.wikipedia.org/wiki/Akoma_Ntoso

Legal text is not prose, it does have structure and metadata attached to it.


The workflow is not trivial though: (assuming the relevant systems are critical) you must also have a number of security experts monitoring the code full time, delaying the in-production stage accordingly...

Interestingly, the fault tolerance is increased, as less care from some project beneficiaries will be compensated by the extra care of others (instead of the former being just liabilities).


This is great. I've long thought that every line of code developed with govt. money should be open sourced, and that a country that got serious about this would likely get a lot more people interested in working for them.


Next step: make sure EU-government-paid contractors release source code per the LGPL: https://github.com/OpenSC/OpenSC/issues/2462


Someone almost made the Bulgarian government do that a few years ago. I think it went nowhere though.


Hopefully there can be EU-supported remedies for GPL violations. It's kind of absurd. The Estonian eSignature software (FOSS) could fairly easily automatically support many countries' eSig, IF the drivers are added to OpenSC...


Sorry for the highly editorialised title; the original one is very bad and marketingy, and also far too long for HN.


This is definitely a good move, but I was hoping the EU would also announce investment into current open source projects. Maybe a program for people to present their OS project and get funding.


Pretty sure they already fund some open source projects.


The EU runs bug bounty programs for open-source software. But I'm not sure if the EU directly funds open-source projects.

https://ec.europa.eu/info/news/eu-fossa-bug-bounties-full-fo...


The EU also funded FOSS research and security audits, but no idea whether that was one-off or regular.

https://joinup.ec.europa.eu/collection/open-source-observato...

https://www.zdnet.com/article/eu-to-fund-bug-bounty-programs...

And they fund lots of projects, SMEs, NGO work, etc.

https://protonmail.com/blog/eu-funding/

https://www.ngi.eu/ngi-projects/ngi-zero/

And they do lots of policy stuff in the space, e.g. an annual policy conference:

https://opensource.com/article/21/3/linux-powers-internet


Source?


They already do that. Check out https://nlnet.nl/ and other NGI programs.


Any idea what license(s) they'll use?


A good guess would be the EUPL, which is written to work within the European copyright framework: https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-1...

It works much in the same way as the AGPL.

Edit:

As per the decision at https://ec.europa.eu/transparency/documents-register/detail?...

> the open source licence granted by the Commission shall be the EUPL, except in the cases listed in points (b) and (c);


> It works much in the same way as AGPL

I'm not 100% knowledgeable on the topic, but wasn't the issue with the (A)GPL that even linking libraries at runtime into your project would mean that your project can't be proprietary?

With EUPL this doesn't seem to be the case:

From https://joinup.ec.europa.eu/collection/eupl/news/eupl-and-pr... :

> This makes no obstacle for linking Code A with another software component (Code B) that could be proprietary. There is no kind of “viral effect” resulting from the EUPL licence, in so far linking is done for interoperability. The portions of Code A that are strictly necessary for interoperability may be reproduced in Code B without copyright infringement. The resulting “A-B solution”, which could be commercial, will include the two modules under their relevant licences. This is resulting from interpreting European law and case law[1].


So the EUPL is to the AGPL what the LGPL is to the GPL?

To paraphrase, the EUPL would be the LGPL of the AGPL? An LGPL where "distribution" also means "distributing the output through a webpage".

One of the major advantages of the LGPL is that users can link their own modified libraries, so that analogy doesn't hold all the way, but linking is permitted and non-viral.


I'd concur, but be careful with the wording.

Distribution requires user interaction, not pregenerated output from an internal tool.

".. or providing access to its essential functionalities at the disposal of any other natural or legal person."


Scanning the EUPL quickly, it seems to me that it's actually much closer to weak copyleft (EPL/MPL/LGPL-like), especially because one of the clauses actually lets you distribute the work solely under the terms of those licenses.


Yeah, the sibling comment by j_san is likely more correct than what I wrote above.


There is the possibility that the GPL's viral nature is not actually fully possible in the EU and that the EUPL is "the most" you can get copyleft-wise there. There are two articles about it on the EC's site:

https://joinup.ec.europa.eu/collection/eupl/news/why-viral-l...

=== (relevant snippet)

As a conclusion, it looks that in most cases, linking two programs or linking an existing software with your own work does not – at least in Europe – produce a derivative or extends the coverage of the linked software licence to your own work.

Such interfacing or linking escapes to the copyleft provision of any licence, open source (like the GPL) or proprietary. The technical way of linking for interoperability (static or dynamic, permanent or temporary reproduction of the needed code) should not make any difference.

Because of this, and in so far linking (even statically) is done for interoperability, does not prejudices the legitimate interests of the rightholder and does not conflict with a normal exploitation of the covered program, it seems that the differentiation between strong and weak copyleft has few legal reality. In applying all relevant licences, the copyleft effect should target the copies and real derivative works, where a significant portion of the functional covered code has been copied, modified, extended etc. At the contrary and in most cases, it seems that in European law the fact of linking two programs and the technology used for it does not by itself produce a derivative work: viral licensing is just a ghost. It does not exist.

===

This article (from the same author) also goes into virality in the EU:

https://joinup.ec.europa.eu/collection/eupl/news/copyleft-or...

=== (relevant snippets)

Although often highlighted by some free software lawyers, this notion of “strong copyleft” has never been recognized by case law. On 2 May 2012, the Court of Justice of the European Union ruled that a software licence cannot prohibit the legitimate licensee from reproducing the portions of covered code (for example, the APIs or data structures) that are necessary for interoperability and for linking the covered work with others that could be licensed differently. This was ruled in application of the Directive 91/250 EEC on the legal protection of computer programs.

[...]

At the contrary and in all cases, it seems that in European law the fact of linking two programs and the technology used for it (i.e. dynamic or static) does not by itself produce a derivative work. This is the reason why it was considered that adding copyleft licences like the LGPL or the MPL to the EUPL compatibility list was not more problematic than adding the GPLv3 or the AGPL.

===

It should be noted, however, that this hasn't been explicitly tested in court with open source software (the software case mentioned in the second article was between proprietary software developers).

Also, in practice most projects aren't released in just the EU, so the GPL's strong copyleft still holds true in the US, for example, even for work done in the EU. But this isn't a concern for the European Commission, since the EUPL was made for EU use.


> It works much in the same way as AGPL

Interesting. Is this because of how distribution is defined to include "any act of providing access to [the Work's] essential functionalities at the disposal of any other natural or legal person"?


Yeah, I think the meat of it is how they define distribution:

  ‘Distribution’ or ‘Communication’: any act of selling, giving, lending,
  renting, distributing, communicating, transmitting, or otherwise making
  available, online or offline, copies of the Work or providing access to its
  essential functionalities at the disposal of any other natural or legal
  person.


>It works much in the same way as AGPL

Interesting. Why don't current AGPL products adopt the EUPL?


The article says: "The recent Commission study on the impact of Open Source Software and Hardware on technological independence, competitiveness and innovation in the EU economy showed that investment in open source leads on average to four times higher returns."

Four times higher returns ... compared to what?

It's like an advertisement that says our product contains 30% less fat. 30% less than what? Than other leading brands? Than your previous formulation (and if so, how do we know you didn't artificially increase the amount of fat in said formulation, so it'd be easy to reduce)?


The author of the study, Knut Blind of Fraunhofer, is a hardent proponent of software patents. If you read the study, you will find these nonsense things related to patents:

"Table 5.16: Impact of OSS Commits on patents on computer-implemented inventions (FE)"

"the number of national contributors to OSS has a positive influence on the development of patents on CII as an innovation indicator of the IT sector."


"a hardent"? Do you mean "an ardent", or "a hardened", or a bit of both?


[flagged]


Untypically nice comment.


"EU Commission not satisfied with paying its developers below market rate, but instead would like them to work for free"


That's a weird interpretation of what is being said here...

From the rules[0] that are mentioned in the article:

> On 21 October 2020, the Commission adopted a new strategy on open source software, encouraging the use of open source software by the Commission, the Commission's contribution to third-party open source projects and the sharing of Commission software as open source. In that Communication, it was stated that, wherever possible and appropriate, the Commission would share the source code for any computer programs where it holds the intellectual property rights on behalf of the Union.

But:

> This Decision should not create any obligation for Commission services to share Commission software under an open source licence nor any right for third parties to require Commission software to be made available under an open source licence. The Commission should remain free to decide whether to share Commission software or to license it under a proprietary licence.

[0] https://ec.europa.eu/transparency/documents-register/detail?...


Rather, that the Commission does not want to pay consultancy companies time and time again for the same code.


Oh, well, this is the opposite of how the European Commission works:

Managers climb higher in the hierarchy and get salary increases according to how high the budget they manage is.

There is therefore a consistent effort in all the units of all the Directorates-General to ask for budget for new projects, and to find a plausible excuse for why an existing solution cannot be used and a new solution needs to be built from scratch.

Then, once this is built, it is common practice to initiate a new project to throw away the solution and redo it from scratch, again using an excuse like adapting to more modern technology or providing better performance.

P.S. The European Commission is composed of 33 Directorates-General (DGs), each of them responsible for a specific topic. One Directorate-General, called DIGIT, is in charge of providing IT solutions to all the others. However, each Directorate-General has its own IT department (called a 'Unit'), developing solutions on its own, rather than using what is commonly available at DIGIT or already created in other DGs' IT units.


Well, the EU Commission hires Indians via TCS or Infosys.



