10th BITKOM Forum Open Source discusses the future of the open-source world – fairness, regulations, and AI are key topics

PAC attended the 10th Forum Open Source held by the German IT association BITKOM. In mid-September 2024, in Erfurt (Germany), around 200 open-source enthusiasts attending the highly interactive event discussed the current hot topics of the open-source world. In addition to many small companies, big vendors like Siemens, PwC, Accenture, Red Hat, and SAP were present, contributing their perspectives in different sessions. It was an excellent event; we would like to see more big German/European IT service providers getting involved. One thing became very clear at the event: it is not only the German business model but also the foundations of open source that are under pressure these days. In this blog post, we will explain why this is the case and structure the text around the three key topics of the event – fairness, regulations, and AI.

More fairness – many IT vendors are abusing the open-source world

Fairness has always been the basis of open-source communities, as they make code available to everybody for free inspection, use, and modification. This is a reaction to the dominant role of big vendors like Microsoft, whose aim is to heavily monetize their market power. Open source provides an effective way to circumvent the monopolistic behavior of dominant market players in the software industry. Today, though, open source is certainly more than the altruistic effort of some nerds battling big tech vendors. Its economic impact on the IT world is huge. A paper by Harvard Business School tried to calculate the value of open-source software and estimated it at $8.8 trillion. The report says that companies would need to spend 3.5 times more on software than they currently do if open source did not exist, and that some commercial software consists of up to 99.9% freely available open-source software. On the other hand, 96% of that value is created by only 5% of open-source developers. Because of this enormous imbalance, some vendors at the event complained about the unfair behavior of many IT providers in the market. In fact, some companies that contribute to open source feel they are being abused by other vendors and are considering stopping their investment in developing and maintaining open-source software. They consider open source a failed market that does not allow fair contributors to survive. This is an interesting finding, given that open source was never meant to be a market. There can be no doubt, though, that open source has become a very relevant market with dedicated business models around software maintenance and hosting services. An interesting discussion took place at the event between two contrary positions. One side advocated achieving more fairness in the market by sanctioning abusers and/or giving fair contributors an advantage (for example, preference in public tenders). The other side called for new business models that allow fair contributors to adequately monetize their investments. The discussion ran out of time without a conclusion; we definitely need more debate about this topic.

New regulations – the Cyber Resilience Act becomes a GDPR 2.0 project

With the Cyber Resilience Act (CRA) planned to come into effect in 2027, the software industry in Europe will become a regulated market. Although we often hear companies complain about the constantly growing burden of regulation, we observed overall support for the CRA at the event. Everybody confirmed that the CRA would be relevant to protecting companies and people in Europe against cyber attacks. The CRA will be especially relevant for all mobile and IoT-connected devices (beyond cars and medical devices, which are regulated already). Open-source software is under direct attack from cyber terrorists who try to position themselves as contributors and use this position to install back doors in widely used open-source software tools. This has the potential to destroy trust in open-source software. However, providers of commercial software face the same challenge, as attackers from Asia are trying to infiltrate their developer teams, too. This illustrates very well how political tensions can have a major impact on software development. We need better control structures to address this issue. Under the CRA, software providers will have to create detailed bills of materials for their software packages (so-called SBOMs) to be compliant. As mentioned above, commercial software often contains a large number of open-source components, and companies will have to report all components of their commercial software products. Companies like Siemens confirmed they were using thousands, if not tens of thousands, of open-source software tools. Creating SBOMs for all their offerings will be quite a challenge. Several speakers warned companies not to underestimate the effort required to become CRA-compliant by 2027. Some compared the effort to the German data privacy initiative (GDPR); others expected it to be even greater. Companies discussed at the event how they could reduce the effort involved in becoming CRA-compliant. This included tools that create transparency about all the open-source software they use in their commercial products and automate the creation of SBOMs, as well as ways to consolidate the number of open-source software tools they use. Overall, the CRA discussion at the event revealed quite a few challenges: on the one hand, there is pressure to get ready in time; on the other hand, not all details about the CRA have been released yet (further details are expected to be published at the end of 2024/beginning of 2025).
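To make the "transparency and consolidation" point above concrete, here is an added example that is not part of the original post or of any vendor's tooling: a small Python script that reads CycloneDX-style SBOMs for several products, builds a portfolio-wide component inventory, and reports two things a CRA preparation team typically looks for first, namely libraries shipped in several different versions (consolidation candidates) and components with no license information (reporting gaps). The two SBOM documents, the product names and the component names and versions are constructed for this example; only the top-level CycloneDX field names (bomFormat, specVersion, components, licenses) follow the real format.

```python
import json
from collections import defaultdict

# Constructed, minimal CycloneDX-style SBOMs for two hypothetical products.
# Component names/versions are made up; field names follow CycloneDX JSON.
SBOMS = {
    "inventory-service": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "libfoo", "version": "1.2.0",
             "licenses": [{"license": {"id": "MIT"}}]},
            {"type": "library", "name": "libbar", "version": "3.0.1",
             "licenses": [{"license": {"id": "Apache-2.0"}}]},
            # No license block at all: a reporting gap that must be resolved.
            {"type": "library", "name": "libbaz", "version": "0.9.0"},
        ],
    }),
    "billing-service": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "libfoo", "version": "1.4.2",
             "licenses": [{"license": {"id": "MIT"}}]},
            {"type": "library", "name": "libbar", "version": "3.0.1",
             "licenses": [{"license": {"id": "Apache-2.0"}}]},
        ],
    }),
}


def parse_components(sbom_json: str) -> list[dict]:
    """Return name, version and license identifiers for each component of one SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    result = []
    for comp in doc.get("components", []):
        ids = []
        for entry in comp.get("licenses", []):
            # CycloneDX allows {"license": {"id"|"name": ...}} or {"expression": ...}.
            lic = entry.get("license", {})
            ident = lic.get("id") or lic.get("name") or entry.get("expression")
            if ident:
                ids.append(ident)
        result.append({"name": comp["name"],
                       "version": comp.get("version", ""),
                       "licenses": ids})
    return result


def build_inventory(sboms: dict[str, str]) -> dict[str, dict[str, set[str]]]:
    """Portfolio inventory: component name -> version -> products shipping it."""
    inventory = defaultdict(lambda: defaultdict(set))
    for product, sbom_json in sboms.items():
        for comp in parse_components(sbom_json):
            inventory[comp["name"]][comp["version"]].add(product)
    return inventory


def consolidation_candidates(inventory) -> dict[str, list[str]]:
    """Components that appear in more than one version across the portfolio."""
    return {name: sorted(versions)
            for name, versions in inventory.items() if len(versions) > 1}


def unlicensed_components(sboms: dict[str, str]) -> list[tuple[str, str]]:
    """(product, component) pairs whose SBOM entry carries no license information."""
    gaps = []
    for product, sbom_json in sboms.items():
        for comp in parse_components(sbom_json):
            if not comp["licenses"]:
                gaps.append((product, comp["name"]))
    return sorted(gaps)


if __name__ == "__main__":
    inv = build_inventory(SBOMS)
    print(f"{len(inv)} distinct components across {len(SBOMS)} products")
    print("multiple versions in use:", consolidation_candidates(inv))
    print("missing license data:", unlicensed_components(SBOMS))
```

In practice the input documents would come from an SBOM generator run in the build pipeline rather than from inline strings; the inventory step is what turns thousands of per-product SBOMs into a single list that can be reviewed, de-duplicated and kept current.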

Next-level intelligence – will GenAI-generated code replace open source in the future?

Finally, I would like to briefly mention the topic of GenAI. There was an interesting discussion about the use of GenAI in the open-source context. As described above, the CRA and the large share of open-source software within many commercial software products raise the question of whether GenAI-based code development can replace or reduce the use of open-source software. Basically, there would be no need to use open-source software in the future if you could generate new code according to your needs simply by asking a GenAI-based copilot to program the required code automatically. A key aspect of this idea is that computer-generated code is not protectable (only code written by humans can be protected). However, nobody uses GenAI-generated code without human optimization today. Still, who knows how fast this could become a reality, i.e., using GenAI to create functions and maintain them without human intervention. This topic is very interesting, and companies should keep an eye on it.
