Ukraine is not part of NATO. Should they wish to do so, they are a sovereign state and should be free to apply, entirely irrespective of the feelings of anyone in Moscow.
Until the day of their full admission to NATO, they cannot be held liable, punished or even criticized for any of the actions of NATO. Specifically, starting a full illegal invasion against them has nothing to do with NATO.
OpenSanctions | Data Platform Engineer | Full-time | REMOTE (EU) / HYBRID Berlin | https://opensanctions.org
We help to keep people and companies accountable for their political and economic actions. OpenSanctions builds an open source database that tracks a wide range of entities in the public interest: sanctioned companies, politicians, fraudsters and criminals. Originally built to support anti-corruption journalists, OpenSanctions has also become a powerful tool used for customer screening, legal compliance and in-depth investigative analysis.
We’re hiring a mid-career or senior engineer who will assume co-ownership of our data infrastructure. Our value proposition is to produce reliable, high-quality data, so you should share that passion and take pride in making an excellent, open source technology product.
OpenSanctions | Data engineer | Full-time | Remote CET +/- 3hrs or Onsite Berlin, Germany
OpenSanctions helps to keep people and companies accountable for their political and economic actions. We build a database that tracks sanctioned companies, politicians, fraudsters and criminals. Originally built to support anti-corruption journalists, OpenSanctions has also become a powerful tool used for sanctions screening, legal compliance and in-depth investigative analysis.
We're looking for a third engineer to help us add more data sources, work with our customers to integrate our data into their solutions, and improve our open source data processing framework. Python stack, simple but solid tech.
I think the days when you could just set up a company in some random country and run it from Germany are pretty over, the Finanzamt will just treat it as a domestic entity unless you can prove you've gone full nomad.
You have to cleanly separate personal and company taxes. If the managing director makes significant decisions (as in forming the will, not as in executing) while on German soil, the company is taxed like any other German capital company.
Btw. despite the myth, just being 182 days outside of Germany doesn't get you out of German personal taxes. It just stops taxation of foreign-derived income.
If you're talking about income taxation of individuals and would otherwise be dual resident in Germany and another country with which Germany has a typical set of tax treaty residency tiebreakers, then the top criterion in the list is where you have a permanent home available to you. If you have a permanent home available to you in the other country but not in Germany, you are by treaty a tax non-resident of Germany regardless of days in Germany or center of life.
That does raise the question of what does it mean to have a permanent home available to you. And that's a much harder conversation as applied to the edge cases. But one can certainly construct viable enough scenarios where it would not be a close call even if one spends more than half the year in Germany, and then arrange one's reality to genuinely match the constructed scenario. Explaining to the Finanzamt (tax office) might need a Steuerberater (tax advisor) to argue with them, of course.
I worry that Lukas is about to find out about the business end of the Umwandlungssteuergesetz: converting an Einzelunternehmen to a GmbH is a surprising amount of faff, and once you've done it you (normally) end up with a company you can't easily sell for 7 years without paying some pretty hard-core taxes. I got to do this whole dance early this year, and it took a big bite of momentum out of the little bootstrap I was trying to pull.
As weird as it sounds: German founders, consider just biting the bullet and doing a GmbH straight away. Conversion is no fun. And even worse, UGs are hated by everyone with a law degree for absolutely no reason, but they will try to make your life as difficult as they can just to show who is boss.
If you are planning on VC-like returns by selling your company, you should start with a holding GmbH and an operative GmbH below (or crazier structures like a Holding GmbH & Co. KG). But: This way you have the maximum administrative costs and complexity in the beginning...
I think starting as an Einzelunternehmer makes sense in certain situations. I'm not a tax lawyer, but I'm a lawyer in a firm that advises startups and I have seen a lot of "Starts as Einzelunternehmer -> Does asset sale to own GmbH" type deals... "Normal" lawyers / tax advisors will never recommend this, because it is not a "simple check the box" exercise, and "sophisticated" lawyers are incredibly expensive.
Author here. I appreciate your points. I started the business as a learning experience without any thought of the end game. Now that I am wiser and with some money a GmbH is the way to go for the next business.
While bootstrapping, you do not know whether you would ever want to go full GmbH. So biting the bullet is a little bit like betting on the future. You have considerably higher cost and hassle from day one on and would need a tax consultant for doing your yearly balances. Of course all the cool kids have GmbHs but do you really need it? Its main advantage is that you can sell it at once or in pieces if you need financing, but even that is manageable with an Einzelunternehmen.
With regard to risk, the CEO of a GmbH is still personally liable for a lot of risks and liabilities including the social insurance payments of employees.
Also, all risks you can get insurance for you should get insurance for regardless of the form of the enterprise.
Agree that the UG is the worst choice since you are basically announcing you have zero savings behind and can generally not be trusted.
If you want to get more serious with your Einzelunternehmen, you could also consider becoming an „e.K.“ (eingetragener Kaufmann). Same tax rules but full HGB (Handelsgesetzbuch, special law that governs interactions between companies) applies.
Realistically, it's entirely possible to bootstrap without going full GmbH right away as long as you can do it quickly. There's a grace period where you can retroactively designate stuff to fall under the GmbH you created later and if you are smart about it, you can move your software project into the GmbH if it's plausible that it was created during that period.
In other words: you don't need a GmbH to build a prototype but it's probably a good idea to have the GmbH in place before you're production ready. Also people are way too squeamish about UGs (micro-GmbHs): they're actually fairly normal in the startup space and end users don't care about that distinction and larger companies are more interested in knowing you have sufficient capital/insurance to cover any liability claims rather than what it says on your letterhead - a full GmbH isn't worth anything to them either because they know you can literally buy and repurpose a shell GmbH for cheap.
I agree that a GmbH is not necessary if you don't consider VC investment an early/eventual goal for your product. If you can bootstrap and build a sustainable product, the biggest advantage is that having a GmbH (or UG) makes it easier to appear as a serious business but as you say, often e.K. is another viable route for that. And as you say, the managing director of a GmbH is still personally liable for anything that could be considered a neglect of their legal duties. Plus the way most people found GmbHs, the owner(s) are usually €12.5k in debt to the company as you only need to transfer €12.5k of the €25k initial capital directly to the company's bank account.
That said, things get messy if you're in GbR territory, i.e. if you have a co-founder who is a co-owner. You can approximate something of a worker cooperative by having everyone individually be an Einzelunternehmen but then you'll have to structure your business in such a way to still split profits fairly while also avoiding running afoul of Scheinselbstständigkeit (fake self-employment) - there's a good example in the Premium Kollektiv[0] (and plenty of literature and research articles have been written about their approach) but this is more of a case of "bending the law" and not something the law was written to explicitly support. A GmbH has the advantage of being structured in such a way you can precisely define split ownership but the disadvantage is that by default this will mean your co-founder can just decide to quit and still retain their ownership because the ownership and the job are legally distinct concepts.
Lastly an often overlooked caveat of GmbHs (although this in part also goes for all self-employment) is that German laws are written with the idea that "business owners" have access to generational wealth and are thus exempt from many aspects of the welfare state and this is even reflected in times of crisis: there were for example COVID relief programmes for solo-entrepreneurs (including solo GmbH owners with no employees) as well as COVID relief measures to allow downscaling employee hours (and thus costs) but if you were a small GmbH with more than one owner, most programmes were not available to you. Things also get nasty if you're a woman who wants to have children while owning (or co-owning) a GmbH: legally the best option for heterosexual couples looking to start a business is still for the woman to be an employee (no, not a managing director either) and own zero shares in the company and even then the German IRS may decide that the woman has a controlling influence and retroactively reclassify her as a co-owner. In short: if you're an entrepreneur in Germany, either don't be a woman or plan to abandon your company in favor of dependent employment if you try to get pregnant.
Do you have any further information / links / legal references regarding the IP transfer grace period? As ideally this is what I'd like to do with my current ideas.
Basically work on a bunch of opensource components that would complement a commercial product that I offer / develop under a future GmbH (which I spin up basically as soon as I have an interested party in the hypothetical product).
Trying to reduce the amount of legal and finanzamt shenanigans where possible.
I'm not an accountant or lawyer and I'm not your accountant or lawyer. You should speak to an accountant or lawyer familiar with IP law or software companies.
All I can say is that it's de facto possible to create a GmbH after you already have started building something that will be owned by the GmbH without requiring a formal transfer of the assets. To do so in a way that is legally safe and sound you should speak to a legal expert.
As I understand it, it's less that there's a legally defined period, it's more about the limits of what you can rationalize or to what degree history can be redefined. If all the code you've written is sitting on machines under your control, who's to say that the code you wrote before the company was founded is the same as the code the company ends up owning? Especially when it was just a draft prototype you definitely threw away anyway. If sale of the company or investment ever comes up, they'll do the due diligence to make sure the documented history is up to par anyway.
If any of this was too subtle: legally, history consists of what everyone agrees history is. Founders can be expected to bring in their prior knowledge when founding a company, so any software produced by them for the company while employed by that company is owned by that company, even if it happens to be indistinguishable from software they wrote prior to founding the company, as long as there are no third-party claims to that previous software (which would create liability for the founder anyway). If you're the only person who knows what color your bytes are, well...
Thanks for sharing, now the last paragraph really got my attention: What exactly is the problem with (co-)owning as a woman with children, no eligibility for parental leave?
The least direct one that may still be fairly consequential is that if you own a controlling share in a company and are in the public health insurance, fluctuations in income can become an existential threat because while salaried employees have their rates adjusted on a monthly basis and Einzelkaufleute can use their income tax advances (which can be adjusted on fairly short notice based on projected annual revenue) to adjust their rates, you don't pay an income tax advance (because your company instead pays corporate tax advances) but you also aren't considered salaried so public health insurers are legally required to use your most recent income tax return as the basis for your rate even if your salary changes. This can mean up to 2 years of delay between what your insurance rate is based on and what you actually make. Keep in mind that upon submitting a new income tax return, any difference is owed immediately. So if you decide to reduce your salary because you reduce your number of hours or take time off for your kids, you continue having to pay the same monthly rate to your health insurance (although of course the difference will be refunded eventually) and if after doing this for a while you decide to go back to full-time employment you basically have to find out what your rate should be and set the difference aside so you can pay it back when the rate eventually catches up.
Another example with self-employment is that if you give birth, you are banned from working for a set period around the due date and this ban even applies if you're self-employed but because you are self-employed this also translates to zero income (or at least zero billable hours). Contrary to what some accountants might tell you, you can absolutely apply for Elternzeit though and the money you receive will be based on your salary, so there's that - but keep in mind what I said about public health insurance still applies even here.
Another fun fact about public health insurance is that as a mother giving birth, you receive compensation for the days around delivery via the health insurance. But this is tied to the "Krankentagegeld" and this is a "feature" you explicitly have to opt in to. So if at any point you switched health insurance companies you need to make sure you ticked the box - it's absurd that this is optional given that omitting it only saves you a few Euros per month but especially early on many solo entrepreneurs try to cut costs wherever they can. Keep in mind that there is not only a maximum insurance rate but also a minimum and many early entrepreneurs pay this disproportionate minimum while making barely any money - this is something private insurance companies prey on. Private health insurance is always a numbers game and not something that should be taken lightly even if public health insurance may seem extremely awkward and expensive. It's also much more difficult to go back to public once you've been in private (the usual hack is to register as unemployed for a couple of months to lose eligibility for private health insurance and automatically roll back into public insurance).
I don't recall the exact problem we ran into but the short version is that a lot of services Germans think of as "public" because they're publicly funded or paid by the government are actually tied to salaried employment or unemployment and "do you own at least 50% of a GmbH" appears on a surprising number of forms (as well as "does your GmbH employ more than one person including its owners").
Oh, and another thing worth mentioning: if your work is at all creative (somehow "building software products" doesn't tick that box, yet) or editorial, you may be subject to the Künstlersozialkasse. This is a social insurance that anyone hiring creative or editorial labor for commercial use has to pay into directly (i.e. it's not part of the invoice but the amount is based on the invoice). If you hire this labor via a GmbH, you don't have to pay this but the GmbH does. This means if you have a GmbH that provides creative or editorial labor (e.g. you do any design work), the amount owed to the Künstlersozialkasse will be based on the salary of the person that holds ultimate editorial control. If in doubt, this will be one of the owning managing directors, i.e. you. This can be a bit of a shock but if you are in the public health insurance this also means you can join the Künstlersozialkasse as a member, pay into public health insurance (via the KSK) the exact same way a salaried employee would (i.e. none of that "wait 2 years to adjust your rate after salary changes" nonsense) and not only does the money your company has to pay to the KSK go towards your own social security but through the magic of arcane accounting laws, they effectively contribute twice the amount you would if you paid directly (which for self-employed people is voluntary and largely pointless) - in other words you end up in a situation where you are legally self-employed but still benefit from public health insurance and the public retirement fund as if you were a regular salaried employee. I can't overstate how useful this is, especially if you are able to do this early on:
If you want to be self-employed in any creative field subject to the Künstlersozialkasse: JOIN THEM ASAP. You massively cut down on the headaches of self-employment and someone will have to pay into them for your work anyway so you might as well benefit from that.
Unfortunately, the "Rapid Application Development" thing also seems to apply to the library itself: you get a new release every other week, and stuff breaks in somewhat unpredictable places. So it's easy to prototype something with Textual, but hard to maintain it afterwards.
I get that this can be annoying (as someone who maintains code written using Textual, I very much get it), but while we're still 0.x we are making the most of being able to steer in slightly different directions if a more beneficial approach becomes obvious in some area.
We also try really hard to highlight breaking changes when a new release is made.
And, of course, if anything particular is tricky to work around or get working again anyone is welcome to seek some help in GitHub issues, discussions or even on Discord if that's your thing.
OpenSanctions helps to keep people and companies accountable for their political and economic actions. We build a database that tracks a wide range of entities in the public interest: sanctioned companies, politicians, fraudsters and criminals. Originally built to support anti-corruption journalists, OpenSanctions has also become a powerful tool used for customer screening, legal compliance and in-depth investigative analysis.
We take pride in providing a high quality dataset to the public and to our subscribers. Based on an open source data pipeline and providing public search for everybody, we bring transparency and a (relative) lack of bullshit to the compliance/sanctions world.
You will build and maintain a data pipeline that consolidates information from public sources into a high-quality dataset; improve our techniques for record linkage, tracking changes and data lineage; think up and implement advanced data quality assurance mechanisms and build additional crawlers for relevant data sources.
You will work with customers to help them adopt our product for their use cases and answer technical questions about the product.
After reading this I’m fully confused by how they define dark matter. Stuff that doesn’t come from the distro package manager? Everything installed via other mechanisms? Assets copied into the container as part of the build mechanism?
Wouldn’t it make more sense to define dark matter as all the stuff that is installed in a container but never activated (unless exploited?)
That's their explicit definition: "Software dark matter refers to files that are not tracked by operating system (OS) package managers (like `apt` or `apk`), which renders these files and the packages they represent invisible—or at least complicated to find—to software composition analysis and security scanning tools."
That seems to specifically exclude software installed by, say, language-specific package managers (Cargo, Rubygems, npm and derivatives) -- which on the whole seems pretty perverse. Dealing with those does indeed complicate SBOM maintenance -- but people use them anyway for very good reasons (which sometimes include getting more secure versions of the packaged code!), and having tools that work in the real world requires dealing with that complexity, not wishing it away.
Different meaning of "tracked." This is about static-analysis systems that seek to understand the "provenance" of the files that go into the container-image, so that they can alert you to vulnerabilities in the container's dependencies.
"Dark matter" here is anything these tools can't see / notice vulnerabilities in.
So any DB container would by definition have a massively high percentage just because the DB app itself is a few tens of MB but the database data is tens of gigabytes?
Seems like a really useless metric for containers.
I can get it for OSes (some packages there do manage DB data, and even have an option to remove it when removing the package) but for containers it does seem a bit pointless.
No...? Again, we're talking about container images, not containers. Specifically, public container images sitting in registries like Docker Hub. People aren't burning their Postgres data into a container image and then pushing it, public-readable, to an image registry.
(But also, even ignoring that, I believe the metric used by the article is number-of-files, not byte-size. A DB might be large in byte-size, but is usually relatively negligible in number-of-files, usually holding individual table chunk files of 1GB or larger.)
As the container is the result of a build process, unless the tools are the build tools themselves, the whole container should be treated as dark matter and just rebuilt. It's process, not state.
It's the build process for the container-image (i.e. the Dockerfile or equivalent) that the tooling being discussed here is analyzing; not the resultant container image, nor containers spawned from said image.
The goal is, presumably, to figure out when a given docker image was created in such a way that it burns in a vulnerable version of some library; so that the author can be alerted that they need to (update their Dockerfile and) rebuild their image.
"Dark matter", under this definition, is anything that gets injected during the build process of the image, that is not itself traceable to some other versioned package management system with vulnerable-version deprecation. Without such information, an automated agent like the one described in the article cannot then propagate deprecations from consumed package-versions to produced image-tags.
A good example of such "dark matter" would be a static binary built outside the Dockerfile using a CI system, where the CI then creates a docker image by running a Dockerfile that simply injects the expected prebuilt binary into an image with an ADD stanza. Does that binary contain vulnerable versions of embedded static libraries? Who knows?
Not sure it is that easy. The Docker API provides introspection for those as well, and there is also no Light Matter just because the example project is no longer using an ADD stanza but the Dockerfile context is from a tarball created by that project as a reproducible build artefact.
This is basically the definition we used. It's practically important because scanners really do miss software copied in via other mechanisms, and most of them give zero indication about it. For a few basic examples, try running your favorite scanner on the wordpress, node, or busybox images on DockerHub and see what the scanner finds.
For Wordpress, most scanners will miss that PHP or Wordpress are even installed in the image. The scanners spit out lots of data, but it's only about what they can find, offering the illusion of completeness or transparency.
Well then I guess scanners need to improve... I mean, the current version of Wordpress (and other software) is being made available as a Docker image because this is faster and more convenient than making it available via the package system, so it kinda makes sense that they are not available (or available much later) via apt/apk/whatever. Calling all other methods of distribution (pulling software from Github or via the various language-specific package managers) "dark matter" expresses the desire of not wanting to deal with that stuff, but surely won't make the "problem" go away.
I guess the point is you could have an open source program in the package manager, that then downloads a closed source binary blob component, that could be doing something undesirable.
I have the exact same confusions and questions as you. I think maybe they consider "dark matter" to be anything for which the source is not publicly available and so cannot be analyzed by security tools that don't have access to the private sources.
I also agree with your "wouldn't it make more sense" definition. From the perspective of a developer concerned about the security and robustness of their own deployment, "dark matter" would be anything that ends up in my container that I don't actually need to run the app in the container.
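As an added example (not code from the article or from any commenter), here is a small Python scanner that applies the definition quoted above: it walks an unpacked image root filesystem, collects every path claimed by dpkg (`var/lib/dpkg/info/*.list`) or apk (`lib/apk/db/installed`), and reports the files nobody claims, using the number-of-files metric mentioned earlier in the thread. The rootfs it scans is a constructed fixture built in a temp directory; the package names, versions and paths in it are invented.

```python
import os
import tempfile
from pathlib import Path

# Skipped when counting: kernel pseudo-filesystems and the package databases
# themselves, which are metadata rather than shipped software.
IGNORE_PREFIXES = ("proc", "sys", "dev", "var/lib/dpkg", "lib/apk/db")

def dpkg_tracked(root: Path) -> set:
    """Paths claimed by dpkg: one absolute path per line in each info/*.list."""
    tracked = set()
    info = root / "var/lib/dpkg/info"
    if info.is_dir():
        for lst in info.glob("*.list"):
            for line in lst.read_text().splitlines():
                line = line.strip()
                if line and line != "/.":
                    tracked.add(line.lstrip("/"))
    return tracked

def apk_tracked(root: Path) -> set:
    """Paths claimed by apk: in lib/apk/db/installed an 'F:' line names a
    directory and each following 'R:' line a file inside it."""
    tracked = set()
    db = root / "lib/apk/db/installed"
    if db.is_file():
        cur_dir = ""
        for line in db.read_text().splitlines():
            if line.startswith("F:"):
                cur_dir = line[2:]
                tracked.add(cur_dir)
            elif line.startswith("R:") and cur_dir:
                tracked.add(cur_dir + "/" + line[2:])
    return tracked

def find_dark_matter(root: Path) -> dict:
    """Report the files under root that no package manager claims (file count)."""
    tracked = dpkg_tracked(root) | apk_tracked(root)
    untracked, total = [], 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            if any(rel == p or rel.startswith(p + "/") for p in IGNORE_PREFIXES):
                continue
            total += 1
            if rel not in tracked:
                untracked.append(rel)
    ratio = len(untracked) / total if total else 0.0
    return {"total": total, "untracked": sorted(untracked), "ratio": ratio}

# Constructed fixture: one dpkg package, one apk package, and three files that
# arrived via COPY/ADD or a CI build, which is exactly what scanners miss.
SAMPLE_ROOTFS = {
    "var/lib/dpkg/info/curl.list": "/.\n/usr\n/usr/bin\n/usr/bin/curl\n",
    "usr/bin/curl": "",
    "lib/apk/db/installed": "P:busybox\nV:1.0-r0\nF:bin\nR:busybox\n\n",
    "bin/busybox": "",
    "usr/local/bin/php": "",
    "var/www/html/wp-config.php": "",
    "app/server": "",
}

def write_sample_rootfs(root: Path) -> None:
    """Materialise the constructed fixture on disk."""
    for rel, content in SAMPLE_ROOTFS.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)

def demo() -> dict:
    """Build the fixture in a temp dir and scan it; returns the report dict."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_rootfs(root)
        return find_dark_matter(root)
```

Pointing `find_dark_matter` at a real rootfs (for example the output of `docker export` untarred into a directory) gives the same report for an actual image; `demo()` returns 3 of 5 files untracked for the fixture.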
When you say "might" - you're aware Tornado was actually used for these things to the tune of at least half a billion dollars?
Basically, the case you're making is: they might have actively aided and abetted nuclear proliferation - but they're technologists, so their actions are sacrosanct and cannot be subject to the usual penalties because we've been ultra smart and managed to create an industry where free speech and money laundering can be switched out at will like in a shell game.
I am saying the rights of my sisters and brothers, friends and colleagues are far more important to me than clamping down on North Korean hackers. I would much rather live in a world where we are free to use Tornado Cash and maintain our privacy in these networks, than live in a world where code can be made illegal overnight, everyone's accounts historically associated with that code blacklisted, and the developers then sit in jail for a month with 0 charges against them.
The large majority of users of Tornado weren't criminals. Tornado devs had worked on compliance tools to aid governments; doesn't matter, they get locked up anyway. The Treasury has historically only sanctioned people; doesn't matter, apparently they can make themselves new powers and sanction the use of code too.