New EU laws are coming that will affect Open Source. Should we worry?
One is the NIS2 directive, which cares about the state of computer and software security in sectors that work on critical infrastructure. Another is the Computer Resilience Act, which tries to improve the security landscape around network-connected devices.
Depending on how these two directives are implemented, and how companies and communities react, this may either lead to increased funding for badly needed efforts in resource-starved Open Source communities — or — motivate affected businesses to move in the direction of software mono-cultures and away from the culture of permission-less innovation that Open Source software developers have practiced for decades.
Of course, these laws aren’t finished yet. NIS2 has to be implemented in local law, and the CRA is (as of this writing) still a work in progress. While the situation may still change, I believe there are a couple things Open Source communities can do to prepare already now.
Ensure supply-chain security procedures are in place and all issues resolved.
Create easy-to-find-and-use documentation directed at business managers that are forced to be introduced to their new Open Source colleagues.
Clarify project adoption and takeover procedures so the ones with a bus-factor of zero get a chance to be revived.
I’ve summarized some of my thoughts on this in the presentation I gave at the Perl Toolchain Summit 2023 in Lyon, France, on April 27th 2023, embedded below.
In this conversation, we explored these laws (and others) both from a legal, security and Open Source perspective. The panel consisted of Simon Phipps (Director of EU Policy at the Open Source Initiative), Kaspar Rosager Ludvigsen (Lawyer and PhD candidate, working on the Cyber Resilience Act), Hans-Petter Fjeld (Senior Security Analyst at Defendable), and myself (Community activist and organizer in the Perl and Raku communities).
Things seldom happen by themselves, but when they do, there is luck, help and sweat involved. â€” Unknown
If you ever find yourself at the Chaos Communication Congress, you may eventually snap out of your awestruck haze to realise you probably want a memento to bring home. This happened to me at last year’s event, and while I usually go for a t-shirt or a hoodie, this time I found something unexpected and much, much better!
The PTS is a gathering of key contributors to the CPAN and Perl ecosystems. These people spend a long weekend extra every year on building, improving and fixing many important parts of infrastructure most Perl developers and their companies use to do business.
This time we were in Oslo! 10 years ago the very first one was also organised in Oslo (then called the Perl QA Hackathon), so we had good reasons to come back. Together, we spent our time on hacking, breaking, fixing, arguing, deciding and much more. We had lots of fun and were quite productive.
The first real movements towards PTS in Oslo were done in October and November 2017; Reserving dates for the venue and contacting the first few “Core” invitees to the PTS to determine which dates are the most convenient.
The “Core” is a group of roughly 10 leaders of well-established, best-practice and/or important toolchain projects: MetaCPAN, PAUSE, Test2, CPAN Testers, ExtUtils::MakeMaker, major CPAN clients, Devel::Cover, Dist::Zilla, Carton, Test::Smoke etc. This list (and the people behind them) change over the years, but they form the base of invitees. This group helps the organisers select the others that are invited – people that are making meaningful contributions to the CPAN ecosystems.
Much of the local activity was about planning, budgeting, finding a summit hotel, coordinating with the venue, sort out decisions around printing & hoodies, and making sure we have the resources to pull everything off. Much of this would be a lot more more difficult if it weren’t for the help we got underways; Stig Palmquist for handling all things related to food; Oslo Perl Mongers for letting us use some of their banking resources; The French Perl Mongers for handling invoicing.
Our venue was Teknologihuset in Oslo; They’ve been incredibly supportive throughout the preparations and during the event. I can’t say enough good things about the support they’ve given us.
Thanks to them, we had plenty of rooms, workspaces and areas to work and discuss. The network worked spotlessly, access to the building was exactly what we need. All this within a budget that allowed us to pull off a PTS in one of the most expensive cities in the world. We decided it was appropriate to declare Teknologihuset as a Venue Partner, for the first time in PTS/QAH history.
But when we mention Teknologihuset, we should also mention Macsimum for being a fantastic partner. These two organisations are joined at the hip, and supported us also with graphic design resources, helped us with printing hoodies and creating posters and roll-ups.
Breakfast & lunches
As for food, we focused on having coffee, snacks, fruits and vegetables available at all times, and offer at least breakfast and lunch for everyone at the venue. Three of the days we also organised supper, and all meals except for the anniversary dinner were in-house so everyone could quickly get back to work. We even got (quite well-received) lasagna lunch thanks to a generous donation from FastMail.
With 10 years since the first QA Hackathon (now PTS), we felt it appropriate to organise a better dinner at a local restaurant, Sofies Mat og Vinhus. We had a three course dinner with drinks, and a very pleasant opportunity for several of the attendees to give both prepared and impromptu speeches. Salve chose to tell a classic Norwegian folk tale about conflict resolution and stubbornness.
One important thing we were aiming for was creating a positive atmosphere with “Strong opinions, Weakly held”. The Perl Toolchain summit is a place for working and good relationships, and while productivity is the main focus, we also paid attention to make the social aspects of the event as frictionless as we could. Good food and drink, a few social gatherings in the evenings, and some friendly reminders of giving someone a hug are all part of this.
One major goal of ours was to make sure everyone had reasons to stay at the venue and hack until they felt “finished for the day” and still have enough tuits left for socialising. On-site food, plenty of snacks (much due to our snacks sponsor, Oetiker+Partner), and coffee and tea – all this gave people extra reasons to stay at the venue and continue working.
The Sponsors and Partners
Finding new sponsors and partners is always a difficult task, and because of this we are always happy to hear it when long-standing supporters chose to continue sponsoring us. This year we changed the offer too, by adding a “Diamond” level partnership because of the incredible level of support we got from the NUUG Foundation (local partner) and from Teknologihuset (venue partner). They made it possible to organise this summit in one of the most expensive countries in Europe.
Still, the most important support we get are from the companies that actually use Perl in their daily business – those who see the long-term value of the Perl Toolchain Summit – First among those are Booking.com, cPanel, FastMail, Elastic, ZipRecruiter and MaxMind. Without them, we wouldn’t be able to invite many of the volunteers our businesses and communities so much depend on. Their continuing support is invaluable.
For me, the Perl Toolchain Summit is a fantastic event which embodies many of the best qualities of the Perl community.
We manage to improve important and useful tools, while spending appropriate amounts of attention on ensuring old code still keeps running with minimal change.
We may have heated discussions and still demonstrate to everyone that we’re actually on the same team and that we can show both grace and humility.
That we’re an Open Source community that involves businesses that depend on us, without becoming tied to just one company.
That the successes of Perl Toolchain Summit and other events like this give clear indication on how neutral grounds for developing our tools are beneficial for everyone.
That we’re far from done with both Perl 5 and Perl 6, and that improvements will continue to happen as long as we have people who care.
The Perl community has people who care a lot – enough to take a week out of their busy schedules just to improve the foundations the rest of us use to create value in our companies.
We can all can benefit from this work if we make sure to support these people as much as we can. Open Source projects like Perl depend on the interaction with our community, and anyone who is determined to work with the community is welcome to take part.
I hope you agree, and choose to help us make Perl better.
Every year we bring together the lead developers of the Perl and CPAN toolchain! This event was previously known as the QA Hackathon, but in 2016 it became the Perl Toolchain Summit (PTS) to more accurately reflect the scope and purpose.
This is an event where pressing issues around Perl’s toolchain, CPAN, testing infrastructure and much more are hacked on, fixed and improved, and where important issues are discussed and decided on. The focus is the continued support and development of the tools used every day by individuals, organisations, and companies that rely on Perl in Production.
Many improvements in the CPAN ecosystem can trace their roots to this event, including Test2 improvements, the «River of CPAN» analogy, numerous MetaCPAN additions, improvements to the Perl Authors Upload Server (PAUSE), policies on how to handle CPAN distribution adoption and takeover, work on the CPAN Testers service, several consensus documents and much, much, much, more!
This year’s summit will be in Oslo, Norway running from Thursday 19th April 2018 through Sunday 22nd April. Attendees be staying at the Smarthotel Oslo, with the event itself at Teknologihuset, a short tram-ride away.
The old Nemo project, which had it’s humble beginnings at Yes Interactive in Ski, is no more. That’s where I had my blog, mail services and DNS for 15-some years. It was a good run, but times have changed and we have moved on.
The blog is now hosted at Hackeriet, an awesome little hackerspace in Oslo, and hopefully this means I’ll spend some more time updating it! 🙂