Open Source: A global commons to enable digital sovereignty

Favorite

In a world increasingly run by software, countries around the world are waking up to their dependency on foreign services and products. Geopolitical shifts drive digital sovereignty to the top of the political agenda in Europe and other regions. How can we ensure that regulations protecting our citizens actually apply? How do we guarantee continuity of operations in a potentially fragmenting world? How do we ensure access to critical services is not held hostage in future international trade negotiations?

Building resilience against those undesirable scenarios calls for more locally run critical infrastructure and services. Open Source software has a key role to play there, for three reasons. First, it is made available to everyone and can be used for any purpose, which means that we can build on top of the existing commons, rather than start from scratch. Second, its transparency allows us to trust the software does what it says it does and is compliant with local regulations. And last but not least, Open Source enables a community-based development model that allows multiple organizations to work together toward the same, interoperable software stack. This open collaboration enables regions like Europe, where we have a vibrant ecosystem of smaller companies rather than tech giants, to catch up and compete with the US or China.

Some in Europe, combining those two desires (local providers of technology and Open Source) take a shortcut and call for “open source controlled by Europe,” or even “European Open Source.” But there is no such thing as “European” Open Source. There is only “Open Source.” Open Source is software released under an OSI-approved license, and those licenses guarantee everyone can use the software for any purpose, with no discrimination against persons or groups, and no discrimination against fields of endeavor. Downstream of an Open Source project, it is, by its very definition, a global commons. Nobody controls it; it is available to all.

So when someone calls for “European Open Source,” what they really mean is Open Source software that is designed and written entirely by European companies, upstream of the software releases. But that is ignoring how software is actually built today. Code is not written in isolation: it integrates lots of Open Source libraries and dependencies. That’s why even proprietary codebases today are mostly made of Open Source code. The global commons on which software is built was estimated by a recent Harvard Business School study at over $8.8 trillion. Sure, you could recreate that from scratch to only run code designed and written by European companies, but that sounds like a costly and rather useless endeavor.

And how would that even work in practice? People pushing for the regionalization of Open Source are usually local single-vendor Open Source companies hoping for regulatory capture of a short-term market. But instead of pushing for proprietary, single-vendor development of Open Source software, we should push for an upstream commons, software developed by a global open collaboration between multiple organizations. This is how our vibrant ecosystem of smaller EU companies can compete with a US or China tech giant: by working together rather in isolation. This approach has an additional benefit: it also protects us from unexpected change in direction in any given organization. If you build your sovereign infrastructure on code written by a single company (even a local one), it’s not really resilient or sovereign, as that company can change direction or even be acquired by a foreign company. Openly-developed Open Source is the only way.

So what should we actually push for? What do we need in practice? Taking a step back, what digital sovereignty is really about is building resilience against unexpected changes, in an increasingly uncertain world. We want day 0 integrity, ensuring the critical services we run our countries on are not subject to extraterritorial laws that prevent our own laws from applying. We want day 1 resilience, making sure the software we run does not have a kill switch in the hands of a country or company that could use it against us. And we want day 2 continuity, ensuring that in the event of global fragmentation, we can continue working long-term with the software we currently run.

In practice, in Europe we need to:

Leverage Open Source to catch up. We need to build a lot of local capability to reduce our dependency. This is a massive endeavor, but luckily, we are not starting from scratch. The incredible success of Open Source gives us a global commons on which we can build our infrastructure and services. Passing on that opportunity by mandating only “European-written” software is about the worst choice we could make at this juncture.

Create a strong European Open Source ecosystem. Consuming Open Source from Git is not for everyone. We need a whole ecosystem of local companies creating downstream products based on the global Open Source commons, selling local support services, and building local infrastructure providers to actually run those workloads. This can be kick-started by EU-level procurement directives enforcing EU-based service providers.

Train the next generation of local Open Source talent. US-based hyperscalers have convinced a generation that you no longer need to learn about lower-level details or infrastructure, because they will take care of it for you. If we want to build local capabilities, we’ll need to re-learn those skills. We also need to put Open Source front and center in computer science curricula, rather than teach our students how to better depend on foreign-controlled proprietary ecosystems.

Engage in the global commons. We need Europe to increase its participation in openly developed Open Source communities. We don’t need Europe to control and write every line of code Europe runs. For day-2 continuity, we just need to gain enough familiarity with the code and enough experience with the software development process to be able to fork the project and continue it, should a disaster happen. Good news, those projects are open to all, so it’s just a matter of joining and participating!

Open Source is a great asset for catching up and finally paying our software dependency technical debt. We should double down on it, rather than fragment and break it.

Click Here to View Original Source (opensource.org)