All Things Open 2023 Presented at All Things Open 2023 Presented by Deb Bryant - Open Source Initiative, Patrick Masson - Apereo Foundation, Stephen Jacobs - Rochester Institute of Technology, Ruth Suehle - SAS, & Greg Wallace - FreeBSD Foundation Title: Open Source and Public Policy Abstract: New regulations in the software industry and adjacent areas such as AI, open science, open data, and open education are on the rise around the world. Cyber Security, societal impact of AI, data and privacy are paramount issues for legislators globally. At the same time, the COVID-19 pandemic drove collaborative development to unprecedented levels and took Open Source software, open research, open content and data from mainstream to main stage, creating tension between public benefit and citizen safety and security as legislators struggle to find a balance between open collaboration and protecting citizens. Historically, the open source software community and foundations supporting its work have not engaged in policy discussions. Moving forward, thoughtful development of these important public policies whilst not harming our complex ecosystems requires an understanding of how our ecosystem operates. Ensuring stakeholders without historic benefit of representation in those discussions becomes paramount to that end. Please join our open discussion with open policy stakeholders working constructively on current open policy topics. Our panelists will provide a view into how oss foundations and other open domain allies are now rising to this new challenge as well as seizing the opportunity to influence positive changes to the public’s benefit. Topics: Public Policy, Open Science, Open Education, current legislation in the US and EU, US interest in OSS sustainability, intro to the Open Policy Alliance Find more info about All Things Open: On the web: https://www.allthingsopen.org/ Twitter: https://twitter.com/AllThingsOpen LinkedIn: https://www.linkedin.com/company/all-things-open/ Instagram: https://www.instagram.com/allthingsopen/ Facebook: https://www.facebook.com/AllThingsOpen Mastodon: https://mastodon.social/@allthingsopen Threads: https://www.threads.net/@allthingsopen 2023 conference: https://2023.allthingsopen.org/

1. Open Source &
Public Policy
Let’s open all the things.

2. Today’s public policy panelists
Deb Bryant
Open Source Initiative
Board Member Emeritus
OSI Policy Director - US
Former State of Oregon
Deputy CIO
Greg Wallace
Director of Partnerships
and Research,
FreeBSD Foundation
Ruth Suehle
Executive Vice-President,
Apache Software
Foundation &
Director of Open Source,
SAS
Patrick Masson
Apereo Foundation
Executive Director
Formerly…
General Manager, OSI
CTO, University of
Massachusetts
CIO, State University
of New York
Stephen Jacobs
Director
Open@RIT
2024

3. The Open Policy Alliance is a new
initiative (2023) born out of request
from non-profit community
members to join together to better
understand the changing landscape
of public policy where it effects open
source stakeholders and to provide
a platform from which to
constructively contribute to the
public dialog.
Its members are non-profit
organizations with a stake in open
domains and intersectional interests
in open source software.
The Alliance focuses on
● The need to educate public
policy-makers on open source
to inform their development
and deliberation of new policy
concepts.
● Assist in the development of
good public policy, and to help
avoid under-informed policy
with unintended consequences
due to a lack of understanding
of how open collaboration
works in practice.

4. Open@RIT
Open@RIT https://openr.it
Open Programs Office and Research Center for the Rochester Institute of Technology.
Co-creator of Open Work Definition (https://openworkdefinition.com) with Karsten Wade and other contributors.
Funded by Alfred P. Sloan Foundation to support Academic Open Work of All kinds.
Ran Summit on Open Work in Academia Summit.
Founding member Open 3D Engine foundation and International Game Developers Association Open Source SIG.
Policy interests include internal policies to academia, science and research civic and federal government and do work in
and across those silos.
FOSS and Open Work policies have been growing in influence in these spaces. The most recent example of this is the
effort to crowd source federal policy for science and research by the Foundation of American Scientists, the Center for
Open Science and the Wilson Center.
Help shape the next decade of open science

5. Apache Software Foundation

6. Cyber Resilience Act
“In order not to hamper innovation or research, free and open-source
software developed or supplied outside the course of a commercial activity
should not be covered by this Regulation. This is in particular the case for
software, including its source code and modified versions, that is openly
shared and freely accessible, usable, modifiable and redistributable. In the
context of software, a commercial activity might be characterized not only
by charging a price for a product, but also by charging a price for technical
support services, by providing a software platform through which the
manufacturer monetises other services, or by the use of personal data for
reasons other than exclusively for improving the security, compatibility or
interoperability of the software.”

7. The Source for Open Source in Higher Education…
Founded in 2012, with roots dating back to 1999
Fiscal sponsor of 20 open source edtech solutions including:
Central Authentication Service (CAS) Bedework enterprise calendar system
Opencast video capture, editing, & management Sakai learning management system
uPortal enterprise portal framework Xerte content authoring & publishing
300+ participating academic institutions
2500+ contributors: developers, system administrators, faculty, instructional designers, deans,
department heads, campus administrators, students, commercial affiliates…

8. Open Source Policy and Practice Impacting Academic Institutions
Higher education technology is extremely distributed.
Requirements in public grants for outputs to be “open.”
Increased interest and investment in cross-discipline, multi-resourced, “open initiatives.”
Open source adoption on campuses tends to be bottom-up.
Regulating bodies don’t see universities as digital businesses that use and develop open source.
All of the above means many “campus decision makers” are unaware of policy and impacts.

9. Open Source Policy and Practice: What Apereo is Doing…
Contracting with dedicated policy analyst/advisor.
Engaging membership: universities, consortia, projects, commercial affiliates, etc.
Partnering with subject matter experts: Eclipse, OW2, OSPO.Alliance, OSPO++, etc.
Reaching out to higher education organizations, e.g., AXIES, EDUCAUSE, ESUP Portail, German U15.

10. www.FreeBSDFoundation.org
The FreeBSD
Foundation is
dedicated to
supporting the
FreeBSD Project, its
development, and
its community
FreeBSD is a
complete open
source Unix-like
operating system.
The FreeBSD Project is a welcoming open source
community with hundreds of committers and
thousands of contributors around the world
Descended from UC Berkeley,
FreeBSD powers much of the
technology we all use daily to stay
connected, informed, and
entertained

11. Policy areas
● Sonotype found OSS n 96% of ALL
scanned codebases
● This means that virtually every
company bidding for govt digital
contracts relies on open source
● Can govt. agencies use procurement
power to favor software companies
that support the open source they
use?
www.FreeBSDFoundation.org
Government procurement Security by design
a few areas that every software
company should investigate. First, …
The Capability Hardware Enhanced
RISC Instructions (CHERI) … gives
memory unsafe languages like C and
C++ protection against many widely
exploited vulnerabilities.
https://www.cisa.gov/news-events/news/urgent-need-memory-safety-software-products
The Urgent Need for Memory
Safety in Software Products

12. Rust & CHERI
The One-Two punch for memory safety protection
www.FreeBSDFoundation.org
● Millions of
applications are
written in C / C++
● Leaving users at
risk of memory
safety
vulnerabilities
● With minimal mods,
port C/C++ apps to
CHERI
● And users are
protected against
nearly 70% of
memory safety
vulnerabilities
THE PROBLEM
● Rust for NEW
systems apps
● BUT what about
all the millions of
existing apps
written in C / C++?
RUST FOR NEW APPS CHERI SECURES EXISTING APPS

13. Resources
★ Open Policy Alliance announcement and membership application
★ US Office of the National Cyber Director (ONCD) RFI on OSS sustainability
★ EU Cyber Resilience Act and references
★ OpenWork
★ Apero Foundation
★ FreeBSD Foundation
★ Apache Software Foundation

14. Thanks!
Questions?