FOSS for digital sovereignty in the EU
105 points by sjamaan
I'm glad the EU is seriously considering FOSS as a path to reduce US dependency, but while US monopolies are allowed to legally bludgeon any competition to death with the DMCA and similar laws, it's going to be more or less impossible to disentangle EU infrastructure from US megacorps.
The best thinking out there on this issue comes from Cory Doctorow - the EU (and other trading blocs) should reverse IP laws which criminalise the development of interoperability tools.
Every country in the EU should be able to develop and use software which automates the laborious process of migrating data out of Google and Microsoft's monopoly platforms. They should be able to do this without fear of the tech giants cutting off their access on legal pretexts, and without fear of the developers of these tools being tied up in court battles for years.
It's honestly a no-brainer. The only problem is that it requires some nerve and political will - which doesn't seem to be in abundance among our leaders.
but while US monopolies are allowed to legally bludgeon any competition to death with the DMCA and similar laws, it's going to be more or less impossible to disentangle EU infrastructure from US megacorps.
It would be hilarious if the entirety of Europe just stopped enforcing US DMCA on the continent.
It would be hilarious if the entirety of Europe just stopped enforcing US DMCA on the continent.
Ehm, US DMCA is not enforced on the continent? It is US. The EU has similar laws and processes, but DMCA takedowns are for US entities.
The EU laws and processes are not just similar, they are in fact equivalent, and they exist precisely because this was a precondition from the US side regarding trade agreements. With the US no longer honoring those agreements, this is indeed a good moment for the EU and others to stop honoring the US' copyright laws, as they mostly run counter to the EU's economic interests.
Yes, and with a non-popular opinion: a lot of the processes of the DMCA are actually relatively sound (I've been involved in a number of DMCA takedowns in Europe). I oppose the circumvention-of-DRM provisions, but in particular having a takedown process that is reasonably easy to implement and execute even for amateur hosters is useful.
The DMCA/e-commerce directive were built during a period of high collaboration between the EU and the US and I think it's not a good example of the EU doing what the US wants. Yes, it was part of a trade deal negotiation, but in this one, it was the thing the US got; there are quite a few others they didn't.
Also, things go the other way around: the EU takes bolder stances on how to do service in the EU, e.g. the GDPR is being enforced and is a much larger drag on services from the US.
I find the safe harbor agreements way worse, as they definitely don't reflect reality.
Try violating the DMCA in Europe and see how it goes for you. Also look up Kim Dotcom if you want to see what happens when you violate US laws abroad.
There are some countries within Europe that have whole businesses around the fact that they do not process DMCA requests. Good examples of these are the Netherlands and Luxembourg, both of which are hotbeds of private tracker, seedbox, and Usenet activities through companies like Leaseweb.
The biting point of these is usually that they do not process DMCA requests and require a country-specific version. I forget what the name of the Dutch version is, but the historical LowEndTalk gossip was that US corps couldn't be bothered navigating that, so it gave an almost-free pass.
Dotcom was a unique case in that he had settled in a very US-friendly FVEY country (New Zealand), and that he was acting like the Kim Kardashian of piracy at the time.
These are all pretty dated points.
Nowadays I'd say the best way forward is simply to mandate member states employ 1 software engineer (working strictly on public open source software) per 100k inhabitants at 2× local average wage, netting 4500 fully compensated developers across the EU.
It's up to the member states what they tell their developers to work on specifically, if it's "whatever" or maybe have them build some internal software, but since they'd be required to be on the payroll already, I figure things would start to move in the right direction.
Just my tiny Czechia would have to get 109 developers (and some support staff and a building or 3) to comply, which would increase the available state-level in-house development capacity at least 3×. All of eIDAS, the government portal and other critical infrastructure could be brought in-house from Microsoft and their partners with well under 20 people. Other systems that are currently being tendered and often end up being built on the Microsoft stack by their partners could be replaced, one by one, and then maintained and improved indefinitely.
The reason why this did not happen yet is quite simple - corruption.
As you say, there's a lot of corruption. And even if there wasn't, there will still be people who simply prefer Microsoft (or Oracle, or Google, etc) solutions. Some of it due to inertia or expediency (as stuff has to be compatible with what's already there), some of it due to honest preference. It's hard to compete with big tech on UI and features, because of the sheer manpower in these companies. So I don't think my points are dated at all. There's a clear need for the EU to set forth laws to prevent such software from being used. How that is then concretely achieved is a matter of detail.
Look, selling LibreOffice as the flagship of sovereignty is laughable. Most agendas already happen in dedicated systems that are very near to ditching the paper trail completely.
The issue is that the US vendors such as Microsoft have quite a bit of control over those systems. All government orgs here use cloud Active Directory, Exchange and PowerBI. Hell, our national eIDAS endpoint was piloted using libre software and then converted to a Microsoft solution for production. With bugs against the spec that were not fixed for years.
If it were up to me, I'd line up the people responsible and kick them in the balls one by one. Simply because I want them to feel the pain they've inflicted on our country every time Microsoft decides to tug.
But the reality is, they are the majority. The vendors and public servants are locked in too. By the tech stacks, by corruption, by budgetary and tendering constraints imposed via corruption and so on.
If we want to see change, we need to make it extremely easy for well-meaning public servants to procure libre solutions without endangering their careers. That's sufficient to get 30%+ penetration. Then we can talk next steps.
If we want to free desktops, we need to replace ancient proprietary desktop apps that run the agendas. The last time someone tried that via tender here, they lost the ministerial chair. They've been lied to from multiple sides and the project was used as an example of "better make it expensive, proprietary and by a reputable vendor instead of experimenting".
Look, selling LibreOffice as the flagship of sovereignty is laughable.
Agreed. But sticking with Windows and Microsoft Office while claiming we want to migrate to FOSS is just as laughable. It's the yardstick by which all other things are measured. Why does everyone insist on Active Directory? Because they have an entire fleet of Windows desktops to manage. Why Exchange? Because they're using Windows with Outlook shared calendars etc etc.
You have to pull the problem out by the root, and that involves every part of an organization, not just focusing on what runs on the servers, because what is used on the desktops influences what can even run on the servers.
The vendors and public servants are locked in too. By the tech stacks, by corruption, by budgetary and tendering constraints imposed via corruption and so on.
Exactly. That's why the EU needs to set a target date and ruthlessly get rid of proprietary foreign software. It seems to be (slowly) working for the energy transition, so why not for the software transition?
If we want to free desktops, we need to replace ancient proprietary desktop apps that run the agendas.
I think we're in full agreement, actually :)
Sigh. Replacing everything all at once is impossible. You have to start somewhere. Whatever you do, incrementally, must be hard to revert.
Switching office suites and desktop operating systems is not hard to revert. Replacing custom systems is.
If the proverbial shit hits the fan, we can switch desktops in a week for the whole EU. Makeshift, but doable. Office in two days.
Those systems dependent on cloud AD, MSSQL, running on Azure, developed by Microsoft partners? Good luck.
Can you imagine what happens when pensions are delayed by a month? Healthcare payments? Prescriptions? Document notarizations? All at once?
But yeah, I get you. The idea of "Trump decides to pull CrowdStrike using Windows Update in EU" is scary. But not because of desktops in public sector. Because of desktops in companies. That would be a horrible first strike.
Whatever you do, incrementally, must be hard to revert.
Agreed. My point is more that it should be illegal to revert.
But yeah, I get you. The idea of "Trump decides to pull CrowdStrike using Windows Update in EU" is scary. But not because of desktops in public sector. Because of desktops in companies. That would be a horrible first strike.
The CrowdStrike incident actually hit businesses (like airlines and shops) more than the government, so I totally agree. The EU would be severely overstepping if it would make it illegal to use proprietary software in private enterprises, so I'm focusing mostly on public software usage.
However, having the government improve FOSS projects to make them more suitable for big government organizations means it'll also be more suitable to use in large enterprises. Like you said, you have to start somewhere.
And the education angle is important too. Make people aware of the delayed societal impact of choosing proprietary software.
My point is more that it should be illegal to revert.
That's not going to happen without strong, positive experience with libre stacks and everyone getting used to it. Most of the public sector is so hopelessly out of touch they cannot imagine how we work.
The EU would be severely overstepping if it would make it illegal to use proprietary software in private enterprises...
Actually, your country is probably already flagging private companies in energy, water, healthcare, telcos, transportation and other sectors as parts of critical infrastructure and working with them to make sure their core systems are more resilient.
That's where saying they must be able to operate even when external dependencies turn adversarial might actually work. As in: "assume malicious updates from outside-of-EU are likely and re-assess your risk profiles". This might turn a lot of rich companies away from not just Microsoft, but also Red Hat towards SUSE for instance.
but also Red Hat towards SUSE for instance
As an aside, I knew that SUSE still has its main offices in Europe, but I assumed that it is owned by some American conglomerate. However, that doesn't seem to be true anymore:
I am not sure who the private shareholders are, but it's great that they are back to being an independent European company. I hope that they can benefit from the geopolitical situation.
Even though I haven't used SUSE in decades, I still have fond memories of using SUSE as the router/firewall/fileserver of our school's computer lab/library when I was a high school student (~1998-2001). Sadly, the company that took over maintenance ripped out everything good, replacing the Linux server by NT and the NT and Linux workstations by Windows 98.
your country is probably already flagging private companies in energy, water, healthcare, transportation and other sectors as parts of critical infrastructure and working with them to make sure their core systems are more resilient
This effort is orthogonal to the use or non-use of proprietary software.
As a concrete example, if the power distribution system currently runs on top of Windows, it is less effort to harden it compared to completely replacing it with something running on FLOSS and hardening that.
My point is that:
So yeah, not directly tied to FLOSS, but one could e.g. push for fully reproducible builds with fully auditable sources all the way down and it would likely happen. In single digit years. There is social infrastructure for this.
The main problem with this is hiring. I've seen many non-tech companies recruit their first software/IT hire, and the problem is that, ignoring hiring 109 developers, the first hire is the most important, as they will usually hire the other 108. But non-technical people have trouble assessing competency, thus leading to low-performing but well-speaking people getting the jobs; just look at the UK civil service and how it is captured by privately-educated, well-speaking professionals.
Ironically, anti-corruption measures make this much harder, as interview/hiring processes in the civil service are often very standardised and not suited to technical hires. There is a reason start-ups often hire people they know first, because they can vouch for their performance, but in the civil service this is just corruption, even if it might be the good kind.
You are not wrong, but honestly, just post the opening and tick off "contributed non-trivial amount of code to a public open source software and uses open source OS as their primary driver" and you are already getting decent quality people. And there are some national-level organizations that employ a handful of developers already. So it's not like there are zero people and we'd be starting from scratch.
We can argue technicalities, but the amount of economical waste from the tender-induced uncertainty and corruption just here in Czechia is staggering. Look up "Kauza Dozimetr". That's 40 developers per year worth of bribes just from public transportation agency in the capital. So the risks of this not paying off are kinda trivial. Throw in performance reviews from teams across the EU and you've got a decent system to get things rolling.
Nowadays I'd say the best way forward is simply to mandate member states employ 1 software engineer
I will volunteer, I'll donate 30% of my salary to whatever my EU employer says :D
It's impossible, I don't believe you can build FOSS out of communism.
FOSS is alive because people fund it and some companies give back. Look at Linux vs MS: Bill has 100 trillion while Linus only has 100 million. This is the difference. Business and solo engineers drive open source, not states.
Much of the early Linux development was funded by universities (which are typically funded by the state). Everything from Linux itself (started by Linus when he was a student and FTP hosted by the university), KDE (started by Matthias Ettrich at the university of Tübingen), Python (Center for Maths and Informatics in Amsterdam), to early BSD-based code that helped Linux bootstrap in various areas (from UC Berkeley).
I am not denying the impact of business on open source, just saying that much of it was bootstrapped by state-funded academia.
Good argument, cannot deny it.
Does anyone know if universities still do it? Not in my area, for sure.
Not just businesses, also non-profits such as Codeberg, Futo, Wikimedia Foundation, ISC, Blender Foundation... In reality, any organization or solo developer can drive open source and I think we'd be able to find various kinds of organizations doing so.
The reason businesses drive open source more is simply that they employ more software engineers and have more money in general. Likely due to the fact that we live under capitalism.
There is no inherent reason for public sector organizations to be unable to create and publish open source software. The academic sector has been very active, for instance. I know of at least Kramerius, VuFind, DSpace. Or Shibboleth... Have you ever used your library login to get access to IEEE Xplore?
I know specific people who worked or work on open source and were or still are getting paid with my taxes. For working on said open source. As in their organization receives money directly from the national budget.
Increased usage of FOSS is crucial, the EU has been asleep at the wheel for decades.
But what about hardware as well? Much of computing has moved to the Apple/Google duopoly, and is tightly controlled by them. I don't like it but sort of understand it in the US, as they are the home teams. I can't imagine having government, banking, and commerce gated by (primarily) foreign corporations, what a disaster for them. China seems a bit smarter, though perhaps taken things too far.
So the Fairphone/Murena, Starlite tablet, and NovaCustom have debuted important hardware recently, and there are larger companies to serve more traditional markets. Cloud services are important as well, from Hetzner to Proton, Mullvad, perhaps OnlyOffice (some don't like their former ties to Russia).
A friend and I wrote our thoughts on the subject below. It's mostly a superset of digital sovereignty, which we are calling "trustworthy tech": https://aol.codeberg.page/eci/
Absolutely agree. But one fight at a time. This particular request was about software, and hardware is out of scope for my post. I do think that a mindset change is the most important thing to focus on, and will lead (eventually) to people demanding open hardware as well.
Thanks for the link, I will be reading this over the next days/weeks. "Trustworthy tech" is also a term that's been on my mind for a while (see also the previous post on my blog). I think the times are finally changing, more people are becoming fed up with big tech dictating their lives.
Indeed, glad to hear. I started writing with the phrase "ethical computing" but it did not seem to resonate with others as much as I'd hoped. Perhaps too abstract?
"Trusted" unfortunately was shit on by microsoft, and to some extent so was "trustworthy." But I hope we can take the second one back. Or if you can think of a better title in the future I'd love to hear it. (Feel free to join the zulip chat linked at the bottom of the page to keep in touch.)
The reason I am personally focusing on hardware and cloud services is that I feel like local FOSS has "already won." Of course not decisively, but it won't get worse from here. E.g. see the latest TWiT FLOSS Weekly: https://twit.tv/shows/floss-weekly/episodes/761
I have to admit I am getting more and more skeptical of such projects. Open Source (pretty much like everything) tends to be good if it's not a money making machine.
In many situations where some bigger/serious funding happens people that do things primarily for money and/or are good at writing grant applications will be the ones receiving said money.
While that doesn't mean the software will automatically be or become bad, I think the Linux Foundation as well as its subsidiaries, such as the Cloud Native Computing Foundation, at large suffer from this. Much of their output is either some mess or became worse after taking grants, usually going towards Red Hat-style over-engineering, when originally explicitly designed for simplicity.
This varies of course and there are various factors involved, but while it's good to pour money into FOSS for digital sovereignty rather than pouring the same money into some big organization and its (cloud) services, I think one has to be very careful or you might be sovereign on paper, but not really, because bad products/projects will mean that you are still dependent on these companies or services and have potentially reinforced the idea/FUD that this won't work.
We've seen that in the past when various governmental organizations created well-intended but still bad semi forks of Linux distributions.
What I want to say is while it's a good thing, also have some healthy skepticism and don't do that blindly pouring money on things that might seem good and reasonable at first glance.
It feels like governments (and government institutions) lacking expertise is one of the root causes for the lack of sovereignty in the first place. And then you are basically asking the car or insurance salesman if it's a good idea to buy their most expensive product.
While open source software has a hard(er) time completely dying, having an unmaintained or badly maintained, endlessly developing, more-research-than-practical project isn't going to foster sovereignty nor trust in FOSS. And the salesman will have an easy time saying "told you so".
Another thing is that infrastructure is often overlooked. Great if you have your oh so sovereign software if you are at the whim of Azure or AWS.
I think if the EU is able to have an energy network where countries can rely on each other then maybe having redundant, distributed hosting infrastructure should be doable as well. And that's even a sector where FOSS could shine, being distributed yet not completely relying and trusting each other is something that FOSS hackers like to get their hands dirty with. And general networking is something where even big corporations tend to rely on open source.
Just don't have someone dream up things without having a good plan. And don't make this a setup for a money scheme. Utilize the CCC and others instead of a random FOSS consultant or Red Hat. I am sure you will find great people within Red Hat and FOSS consultancies, but I really don't think governments are all that great at detecting those. Writing government grants, knowing what people in committees like to read, is a skill for which some companies do hire. Maybe just looking at whether someone got a PhD isn't the best way to do this. Yeah, they might be good at writing multi-page papers and do amazing research, but it's not the thing that will create digital sovereignty, even though it's so easy to believe.
Please don't make this yet another well-intended money drain. First build up the expertise to know what's reasonable. With the education part I already see various institutions rubbing their hands. This obviously didn't work with the consultancies giving security trainings while selling their virus scanners and firewalls. And after the Blockchain Initiative and the "AI Factory" it feels like saying "Digital Sovereignty" could go a similar road if just done as a "Look, we are modern" stunt. Again, because this has happened before. While it wasn't exactly expensive, pushes to use Linux, OpenOffice, etc. resulted in cementing Microsoft.
Good point regarding the expertise not being there. Unfortunately, I don't think "just git good" is a viable strategy. The public sector is too dispersed and each organization has its own decision makers and tech people. And let's be real, the real talent is typically not going to work for the government as the pay is often not that great. Yes, there will be exceptions (and I personally know a few), but in general you'll be shocked to hear how such organizations often run their shit. "We don't apply security patches" is a surprisingly common attitude. Smart tech people will not want to come within 1km of such organizations.
My wishful thinking is that good people might be interested in doing something more valuable with their lives than optimizing some brain rot activity.
Wishful thinking but in my experience, skill, professionalism and experience don't have strong correlation with salary. That's not just true for computer science fields of course.
I agree though. Government still isn't attractive and "just git good" isn't a strategy.
My comment just meant to say that the challenge isn't just money and that there have previously been attempts to invest in FOSS. The problem was that the implementation led to Microsoft closing long-term deals and FOSS being abandoned.
Doing things half-heartedly or as a publicity stunt might therefore be worse than not doing it at all and doing it later with an actual plan.
But yeah, certainly not claiming I know how best to do it, just saying there are learnings to be had from previous attempts.
And while Europe isn't Taiwan, I've heard they are a good example of gradually moving things onto solid foundations. And that effort was led by a very skilled person.
I agree with all of the points put forward. Now is a good time to try and gain some independence. For example, with how entrenched Microsoft has become by bundling teams onto almost every institutional deal it has, it seems like this will take a lot of time and momentum to break the inertia.
It seems that the fragmented nature of open source and the lack of capital and central organization do not play into its hands when trying to gain more exposure. Most decisions for Microsoft and other large companies are done because they appear safe and "too big to fail", not necessarily because the product is better. So the framing should really focus on the lack of safety (for which there are also examples in the article).
Most decisions for Microsoft and other large companies are done because they appear safe and "too big to fail", not necessarily because the product is better.
Yeah, or the decision is made "on the golf course", where there's a deal struck between two high-ups. A good example is the failed LiMux project, where allegedly the mayor of Munich pulled the plug on a FOSS migration in exchange for MS moving their German headquarters back to Munich. The only way to avoid such obviously corrupt deals is to require institutions to use EU-based FOSS by law. I don't know how you would avoid this kind of thing from happening in the private sector, except by going back to basics and educating people about the impact of tech choices (which I discuss in the article).
So far the EU has not been bold enough to make any hard requirements, but I believe it's the only way forward. Member states are just dragging their feet with the current lackluster "soft preference" for open source. In the Netherlands we've had the "motie Vendrik" (a resolution to use open source where the software is "equally suitable" - you can imagine how optional that really is when you're writing a tender) since 2001, for fuck's sake! Look where that got us: Still very much dependent on Microsoft (see the ICC example).
But as you say, now is a good time. As I write this, I saw a news article about how the Dutch parliament is all upset about the "digid" system (a government-issued eID) possibly ending up in American hands due to a takeover of the company providing the digital infrastructure on which it runs. The ICC is an obvious other example in the Netherlands, which also triggered a debate in parliament. The corrupt system that enables big tech software rollouts can't survive this for much longer, I hope!
Yeah, I absolutely agree, it's really a shame that there is so much corruption going on; it feels like a larger pattern that is not limited to the technology sector. Without a proper lobby I don't know if FOSS will go anywhere (but I assume to some degree this is fortunately already being lobbied, otherwise we probably wouldn't even be aware of those efforts on digital sovereignty).
One argument I've heard is that Microsoft spends more than entire countries GDP on security, so it must be secure.
Workstations for public servants typically run on Windows and use Microsoft Office. Switch these to a proven open operating system like Linux and office suite like LibreOffice.
South Korea announced a similar initiative back in 2019. The Ministry of the Interior and Safety planned to migrate government PCs from Windows to Linux-based “open OS” distributions by 2026, primarily to avoid the costs of upgrading from Windows 7 and reduce vendor lock-in to Microsoft. The plan was to start with internet-facing PCs while keeping internal work systems on Windows. Interestingly, 2026 is now here, but there's been radio silence on how this actually turned out. Given the lack of recent news, it seems plausible that South Korea's effort met a fate similar to Munich's, though perhaps more quietly.
I am not sure about South Korea, but at least in Europe, these 'we will switch to Linux desktops'-threats were often used as a bargaining chip to force Microsoft to reduce licensing prices (and never really serious to begin with).
I hope that the changing global politics will push for real change.
Out of curiosity, what's the current state of things with MS dependence in Korea? When I worked in Seoul (2006-2009) there was a shocking amount of MS and even IE dependence for an average person's everyday life due to digital payments (which at this point was already pervasive) being tied to government-mandated ActiveX plugins and websites in general not testing (and barely ever working) against non-IE browsers.
That was a wild time—ActiveX and IE dependency were indeed massive issues. The smartphone revolution forced significant change: websites had to become cross-browser compatible or lose mobile users entirely. The government officially retired ActiveX-based digital certificates in December 2020, which was a major milestone. Things are much better now, but there's still some lingering Windows dependency compared to Western countries—partly due to legacy systems and partly because government and corporate IT departments tend to be conservative about change. The Linux migration initiative I mentioned was supposed to help address this, but as noted, it seems to have quietly fizzled out.
I agree that this is a good moment and a chance for European open source (OSI or not) to gain some momentum and independence. Probably the best would be a push for financing infrastructure-level open source initiatives (I mean here OS, programming languages, cryptography, the network stack, open source hosting, even something like Typst etc.), before investing in downstream work (online services nowadays). Yet, we must face it, choosing which team to finance is not trivial, as money doesn't guarantee success.
Reason: who owns the infrastructure has sovereignty.
There are a lot of good projects which struggle (FreeBSD with hardware support, non-Debian distributions to gain relevance, real alternatives to project hosting beyond Git{Hub|Lab}) and I'd be happy to see a renaissance in those areas.
Yet, we must face it, choosing which team to finance is not trivial, as money doesn't guarantee success.
There are FLOSS projects that have been around for years or even decades, are successful, and have functioning non-profit structures. Those seem like the best places to start. Everything from Debian to Codeberg to OwnCloud.
Where there is money, there will be grifters, so best to start with known entities.
There are a lot of good projects which struggle (FreeBSD with hardware support, non-Debian distributions to gain relevance, real alternatives to project hosting beyond Git{Hub|Lab}) and I'd be happy to see a renaissance in those areas.
To be honest, and I say this as someone mostly running NixOS and having used NetBSD for years, I hope the EU can avoid fragmenting as much as the FLOSS community. So, to invest money in FreeBSD and fringe distributions seems suboptimal. Decide what an EU server or desktop should look like and invest to achieve that goal as quickly as possible. Spend the money so that already-successful FLOSS projects can close the holes that prevent government organizations/companies from moving off Windows, Office, iOS, Android, etc.
E.g. if the goal is to have an immutable Debian-based desktop (because people yank cords during updates), using Flatpaks and NextCloud: fund one or more Debian developers to work on an official immutable Debian version using bootc, fund the almost-dead Flatpak project, and chip money towards OwnCloud so that they can fix the gaps compared to Google Workspace.
My argument was that there are some good projects which lack industry attention and traction but do not lack technical merit. I don't think that the EU putting even more money in Debian or the Linux Foundation or Mozilla would do anything towards technical sovereignty.