WEBVTT

00:00.000 --> 00:22.440
So, from circuit it is, and we are about to start a larger block about the Cyber Resilience Act, and we will kick it off, Jimmy will kick it off with the talk on the CRA contribution applications and challenges.

00:22.440 --> 01:26.240
Cool, let's see, yes, this works, that's awesome, that's a great start. So my name is Jimmy Ahlberg, I work as director of open source policy at the Ericsson open source program office. For those of you that are wondering, yes, Ericsson are still around, we don't make mobile phones anymore, but we do make mobile networking infrastructure such as 5G network equipment that we sell to CSPs, making sure that you can stay online at all times. Disclaimer: the views in this presentation, since I am a lawyer, full disclosure, are not necessarily those of my employer, so these are my own views. My job at Ericsson, I said I am director of open source policy, of course, that's a made-up title, right, doesn't mean anything. So what do I do? Well, I am partly a lawyer, I am partly a guardian for Ericsson, in terms of risk, IP, copyright and so forth. I am also a bit of a gardener in the sense that our work is to, oh, I should be here. Cool, I need to curb myself, yes, I am now glued to this spot.
01:26.240 --> 02:45.240
Okay, so a bit of a gardener in the sense that we help grow open source both internally, and a culture of that, but also externally, in the projects we are engaged in. A bit of a translator between engineering, legal and business management, trying to explain these strange things of open source: why does it make sense? Why should we be doing that? Why should we be giving away stuff for free, right? And I am also a little bit of a cultural anthropologist, that is a very hard word, I will take a moment to explain that. A cultural anthropologist is, you know, those brave people that go out to the Amazon, live there for 12 months among the local population, and study how they act and work. I am not quite so adventurous, I will not travel down the Amazon river and live with the natives. Instead, the culture and tribe I study are software developers and, like today, I am dressed as the warrior caste of software developers, the open source people. And I also sort of occasionally need to go back to the human village with the grown-ups at legal departments, that is way less fun. So open source at Ericsson, why is what I talk about relevant, at the scale we do? You think about a mobile communications network, there is something quite closed, there is no open source in there. Well, there is a lot of open source in there and we do use a lot of open source at Ericsson.
02:45.240 --> 04:02.120
So this is the number of new components, top-level components, not including dependencies, new components we introduce each and every year. That might be a new version, but no, components, or something completely new. So we have a lot of new open source components coming in each and every year that we need to manage. And that is of course hyper-relevant from a CRA perspective, one we need to deal with. That is not exactly what I am going to talk about, but I figured I'd give you a reason to listen to me, right? So the CRA awareness curve, how does that look like? How does that look like for any person or organization? And those of you that heard me talk before, I usually use a version of this slide and I'm lazy, so I'm going to reuse it and just rename it, CRA. So at the first stage, you're at the denial stage: we're not going to be impacted by CRA, right? That's some weird legislation. Either we're not going to be impacted because we're not in Europe, or not a European company, or what we sell doesn't have any problems, right? And then anger, like, oh, this is a huge risk for us, we really need to deal with the CRA. And then, I'm going to bring the bargaining stage, like, if we please could just not be impacted by this, if there's someone at the Commission we can talk to, could we not sell stuff in Europe, like how do we get out of this huge compliance and regulatory burden you have just created for us?
04:02.120 --> 05:32.040
A huge depression stage: we are screwed, there's no way around this, right? So hopefully, in the end, you will get to, like, the acceptance stage, the final stage of grief. This is okay, we just need to be smart about it and develop strategies and, most importantly, processes to manage the CRA and CRA implementation. So for those of you who don't know, I made a stupid assumption of thinking I would not be first among the people talking about CRA. So everyone knows what CRA is. Lots of people know what CRA is, even people raising their hands, great. But for those of you who may be joining us on the stream, that don't know about CRA already, this is the very simplified version of what it is. If you don't know about CRA, the clock is ticking, the 36 months have started, so we better start looking at this. And this is a legislation from the European Commission that concerns all products with digital elements. Essentially, it's a CE marking for software. Fundamentally, it's about not shipping software with known vulnerabilities and reporting of vulnerabilities you find. And if you have fixed stuff, you need to fix it upstream as well. And about shipping SBOMs, or at least having them available to ship and provide to the national bodies. And potentially, it's very expensive if you don't comply. That's why you should care about it, at least if you're a company. So a little bit in detail about the CRA.
05:32.040 --> 07:01.240
So let's highlight what's important and what we're going to cover in more detail here. So: where manufacturers have developed a software or hardware modification to address the vulnerability in the component, they shall share the relevant code or documentation with the person or entity manufacturing or maintaining the component. Where appropriate, they should do it in a machine-readable format. So this is, in my view, a really, really big change in the way we need to think about open source and the economic incentives around this whole thing. Because it used to be that, you know, you could take stuff, you could consume them. You didn't necessarily need to contribute back. There's plenty of good reasons why you should, don't get me wrong. But you didn't really have to. So if we run through this scenario that we have an open source component, we like this open source component. We're going to put it in a product, but after a while we discover that this has a vulnerability to it. Okay? What happens then? If we go back to this text, what should we be doing, right? We're going to run this exercise. So open source component into our product, we find a vulnerability. The first question that I would ask is, have you developed a fix for this? Yes or no? Well, if no, then you need to report the vulnerability to the owner.
07:01.240 --> 08:26.720
And I do, I use, that's not the term in the CRA, but it fitted within this box, right? It was easier than manufacturer or open source steward. So let's use the term owner for now. Then it's reported to the owner. And, you know, that might get implemented and addressed in that component going forward. This could, at this point, be a proprietary component or it could be an open source component. We're going to assume that it's an open source component, because that was a bit put up there. Okay? So, assume that this is an open source component, we found a vulnerability, we have actually developed a fix for this as well. So, the next question we need to ask is, is this a permissive license? Is it BSD, is it MIT or something similar? Or is it a copyleft license, like, for, in that case, that leaves us with a number of options. In the case where this is a permissive license, I mean, we can either contribute the fix upstream under that license or a compatible license, upstream to the project and, you know, they can do what they want with it. But the CRA also leaves us, due to the language, the opportunity to contribute this under a proprietary license. There's no requirement to provide it under the same license. However, in the case of a copyleft license, then, of course, in both these cases, it's a derivative work, right?
08:26.720 --> 10:04.040
And we know that under copyleft, derivative works need to be licensed under the same terms and conditions. So, the same license needs to apply. So, for companies, this becomes really, really interesting, because normally, at a large corporation, your open source policy might be that, well, we're not going to contribute to GPL projects, or we don't contribute at all, or we have a long and winding process to contribute into a project, even if it's a small bug fix, because we're really super scared about this open source thing. So, this really changes that, right? Because, like, under a permissive license, these companies that are scared of it, they can still provide under a proprietary license, or provide it in some way, shape, or form, or they can provide it under a permissive license, which may be less scary. But, for copyleft, they really need to do it under the copyleft license. So, yeah, here I talk a little bit about the significance of this, right? And it sort of, for me, the significance here is that it's truly a shift in the voluntary nature of this. This is no longer something you can choose to do, especially not with GPL. You need to contribute this back upstream. Like historically, companies, like it or not, yes, there's everyone, they do what's good for them. They contribute what benefits them, when it benefits them. I have 15 minutes left. So, for me, that poses the question, right?
10:04.040 --> 11:31.160
Building this with the CRA, will this impact what open source companies select? Will they be less likely to select non-permissive licenses with this? Because all of a sudden, they don't have the option, if we go back, they don't have the option to go with a proprietary license and contribute that back in, they don't have the option to contribute under that, they need to contribute upstream under that. Will it impact companies' contribution policies? Will the requirements in the CRA necessitate that companies make it easier, quicker, faster to contribute these bug fixes and fixes? Will it impact the policy of fixing contributions? So, if I'm a company and I'm scared of this thing, or if I for some reason don't want to do this, will my policy be, I'm not going to fix this, I'm just going to report it, and let someone else do it upstream, we're not going to fix it, because we don't want to be contributing upstream to these projects. I think those are important questions to ask. I don't think they necessarily were asked during the CRA process, but I think it's something that should be asked now. Also, CRA for me, it's supposed to be a question. Is it likely, how easy it will be for a company to fulfil its obligations under the CRA, how easy a project makes it for them to do that, will that impact their choices?
11:31.400 --> 13:02.560
So, for example, if I have an old abandoned component, will I now be less likely to select that, due to the fact that if I discover a vulnerability, there's definitely no one upstream that's going to react to my report, and I need to fix it myself, but then I also have the requirement to contribute that back upstream, but if there's no one receiving it, like, have I really fulfilled my obligation then? So will this mean that sort of abandonware will be even less interesting to use? Maybe that's a good thing, and maybe not, right? But I think it's an interesting question to ask, if this forces us to sort of be on more current versions or newer software or active maintainers. For example, if I put on my boring lawyer hat and ask the question, like, okay, so we have developed this fix, we have shipped it, no one is answering us, do we know they have it? Have we fulfilled our obligation? Because I'm going to be a lot happier if that project responds, hey, thank you so much for your contribution, we have received it, your obligation under this theory is fulfilled. That's going to make my life a lot easier, because I can tick the box like we did what we were supposed to. We can cover that a little bit again, and also with software as a service, it's normally, you would think that, okay, we offer this as a service, we don't distribute it, GPL doesn't really impact us in that way.
13:02.560 --> 14:26.240
What I find interesting is that the CRA also contains this language around remote data processing, meaning data processing at a distance for which the software is designed and developed by the manufacturer or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions. If I sell you a product and I remove the data processing, does it do everything I told you it would do when I sold it to you? If we remove that, okay, but in that case, then it's covered under the scope of the CRA, and if this remote data processing then contains a vulnerability, we need to fix it. But if that's a remote vulnerability, due to the copyleft effects it will also impact my fix, meaning that fix needs to be copyleft. All of a sudden normal GPL is a lot closer to AGPL than what it used to be. So in that sense, the CRA shifts GPL to something that is a lot closer to AGPL. I think that's an interesting thing, it's not necessarily a good or a bad thing, but I think it's interesting. So software as a service, that's not necessarily a shield to hide behind any more for these things, which I think should have implications for the compliance work on these things as well, and the homework the companies should do even if they're offering software as a service.
14:26.240 --> 15:53.600
We can look at one more interesting detail here, because this is the text, and it also says "or documentation". About this GPL thing, and it's a couple of things: is it enough that we supply documentation? And documentation doesn't necessarily have to be a derivative work. The documentation could be, well, you know, don't run that function, or remove this, right? Have we satisfied our obligation then, is that sufficient, or are we still impacted by copyleft in that case? Well, maybe, maybe not, I guess we will see, right? I don't think that's the intention of this language necessarily. I think it's probably meant for when there is no, when this is not possible to fix via software, it might be that this is a hardware issue, it might be something else, right? So, I'm not necessarily thinking that this is what they intended, but this might be the result of that. I don't know that that's necessarily something we should be happy with, I think it's probably better if people contribute the actual fix, rather than do the workaround of, like, yeah, we have the fix, but now we're going to rewrite that fix into documentation, and you guys have to implement this. Okay. I think we've gone over most of this, so what I would like to do is talk about some potential issues, right? So, for example, and I will move into Q&A.
15:53.600 --> 17:10.200
All of you guys look like you're really following, so I'm not sure there's going to be any questions, or there's going to be lots of them, we'll see. So, say for example, you're on an exclusivity agreement with one of your customers, and that exclusivity agreement says that everything we develop under this contract for you, that belongs to you, that's your stuff, right? We have to develop it for you, that's very standard. Or you have joint ownership with them of what you develop in an R&D collaboration, like we own everything together, and we all need to agree on what we do with it. Or you have issues of patent ownership, like patent ownership is one thing that could come in. Or other questions that could potentially be issues. If anyone could come up with more of these, let's bring them up during Q&A. I don't know if these are good solutions or not, but I mean, to the issue of if you have exclusivity with your customer, the problem then is, of course, that I have promised you exclusivity with everything I developed, even the things that were derivative works of copyleft software. But now I'm forced to make that available, I'm in breach of my exclusivity towards you, my customer, because the CRA says you need to contribute this, my contract with my customer says I'm not allowed to make the software publicly available, because it's his. But I have developed a fix, and I have it.
17:10.200 --> 18:26.360
I mean, a reasonable solution would be to talk to your customers, say, hey, there is this CRA obligation and this fix is really not that important, but that's, of course, the reasonable thing, and like if people were reasonable, I'm a lawyer, I would be out of a job. So maybe that doesn't work, maybe it's better that you take it into writing, in these agreements, that well, unless it's for CRA purposes, then I'm allowed to fulfil my legal obligation under the CRA and upstream this, right? And of course, most contracts have these, like, abiding-by-applicable-law clauses, but is that sufficient? I don't know, maybe it will be, maybe it won't be, but it definitely can't hurt, at least in terms of your relationship with your customer, to say, hey, this situation might come up. We need to deal with it and do that upfront rather than relying on those clauses, because even if you're allowed to do it, that relationship with the customer will certainly be more sour if they are not being reasonable. And another thing is like, well, this might impede you, but not your customer, if the fix is developed in the US, for example, by your company, but you have the same open source software that's also deployed in Europe, and you know the same vulnerability applies.
18:26.360 --> 19:52.800
Well, then your US customer, it's definitely going to say, well, abiding by applicable laws, I mean, the applicable law here is US law, so I really don't care about the strange CRA thing in Europe, you're not making my software available as source. So the question is, do we need more specific language on CRA? Maybe. And another question is, can you require an NDA to be signed, along with the code being provided upstream? I don't know that there's anything to say preventing it, it might not be a good thing, but that might be a path people take. I'm not sure that's a good thing, but it might also be so that to provide the fix, you would need to show some stuff that is either trade secrets or stuff that you're simply not willing to share, you shouldn't be sharing, like personal data or so, so maybe you need to require signing an NDA sometimes, that might be a solution. And then, back to the question, can you provide documentation? Maybe? Other ideas for how to solve these things? I think with that, we can move into, like, the Q&A part of this. Anyone with a question? Okay, let's start this. And it would be great if the next guys were really far from us, that guy had to run really far.

19:52.800 --> 19:59.960
So, thank you for your presentation, and hello from Sweden.
19:59.960 --> 20:25.240
One question is that we have an issue with software where we discovered a security vulnerability in, and we did a report and also wrote how to reproduce it, and it was very lengthy, and it got the response, nah, it's not a security issue, but we could show them that it's a real issue. How did you do that?

20:25.240 --> 21:25.520
Well, I would say that that's the case where you have done what's upon you, and it would be upon that project. They have no responsibility to implement what you give them, right? Just because you have developed a fix, it doesn't mean it's a good fix. It might be something that's not relevant, or it might be something that's, you know, garbage and trash, and we'll sort of, like, hey, I developed a fix, as soon as you hit run on this, it just shuts down the program. Okay, well, it fixes the security vulnerability, but you introduced a number of other bugs, right? So there's no requirement on the project to actually take your fix, but they have to receive it. And in my view, that's kind of where that obligation ends, right? Then there's other things on the project that they might need to do, but in terms of the relationship between you and the project, that's where it ends. They have received it, now it rests up to them.

21:25.520 --> 21:35.240
Hi, thanks for the talk, it was an interesting insight on, yeah, interesting questions.
21:35.240 --> 22:12.920
Like I thought about, I'm aware that many companies fear using copyleft software if they're, especially if they're based on, like, proprietary business models, but you mentioned several times that these companies might also fear contributing back to some, yeah, copyleft software, so in the first place, why should they contribute back, even if they don't use this software at all in the first place, and even if they would use copyleft software, what's the matter with contributing back? So there's no, I don't see the legal risk here for all the companies.

22:12.920 --> 22:58.460
Okay, so in the first place, I think there's very few people that use absolutely zero GPL code or copyleft code. I think there are companies that may think they don't use it, but I think during the process of CRA, they will become aware. We've seen that time and time again, so it's like, yeah, you're telling me this, but I'm pretty sure that somewhere in your stack there sit a few GPL libraries, so they are using it. And reasons might be, right, that they simply don't understand it, or they don't have, like, in large organizations, there's processes for most things, right? There's no process for this, like, we don't know how to conceptually deal with this, that might be one thing.
22:58.460 --> 23:26.420
Another thing might be that the GPL, at least GPL version 3, contains patent provisions, that they might be seeing as a problem: no, we don't want to contribute it out, because we would expose these patents towards that, because that functionality is not previously introduced into that project, and we have no intention of contributing that. That might be one such reason. Did that somewhat answer your question?

23:26.420 --> 23:56.380
Hey, great talk, thank you. One question that I had was, one of the things that you had on your list that you kind of glossed over was abandoned projects, and I was wondering if you could elaborate a little bit on that, specifically I'm thinking about server-side components that might be part of such types of abandoned projects or abandoned products.

23:56.380 --> 24:29.620
Okay, so I will try, and this might not be a good answer, but essentially my fear here, from, like, again, boring corporate lawyer trying to reduce risk, is if we have one of these components, and it's an abandoned project, maybe even, like, we have the source code, but since the website has shut down, we have no way of contacting the former owner of this. It's pre-GitHub. It was available on something else, or this is an anonymous user on stack.