Bitkom Forum Open Source 2024 in Erfurt

Triggered by a provocative announcement for their The Cuckoo in the Tendering Process: When the vendor loses to itself panel discussion by Peer Heinlein (Heinlein Support) and Johannes Loxen (Sernet) on LinkedIn, I attended the 10th Bitkom Open Source Forum in Erfurt. This free one-day conference on open source in a business context has become a highly informative event - that is well worth attending. This year's motto of The future of open source - fair, regulated, intelligent was exactly what I needed at the moment, and I spent the whole day in the Open Source - regulated track.

Cockoo or What Is My Business Model?

The panel discussion was about the challenges Peer faces in marketing OpenTalk, the open source videoconferencing software that Heinlein Support has developed over the last few years. Competitors seem to be offering OpenTalk hosting packages in public tenders, even though they don't contribute to the code or fix bugs. In the end, Peer cannot compete with their low prices and feels squeezed out of his own business. Johannes, on the other hand, has managed to build a functioning business around selling enterprise distributions (Samba Plus) of the open source Samba server. In the discussion that followed, it was suggested that perhaps the problem is the business model, not open source itself. My view is that good open source software will win out in the end, but companies without a good business model may struggle.

Cyber Resilience Act

The Cyber Resilience Act (CRA) is of course the main topic, and it was looked at from different perspectives, to name just a few examples:

Dr. Hendrik Schöttle (Osborne Clarke) gave a very concise but thorough overview of the CRA and how and when it applies to software - and specifically to open source specifically. My personal key take-away is that a "product" needs to have an "online component" to fall under the CRA, and luckily my Relax-and-Recover open source project for bare metal Linux restore / disaster recovery doesn't really have an online component 😁 So it seems we don't have to deal with the CRA as a project.

Lars Francke (Stackable) gave an insight into the struggles of an open source software distributor to comply with the CRA, specifically how to "stick a CE logo" on an open source software distribution. Stackable is a small startup that specialises in providing open source software for data lakes and other data-related topics, packaged to run on Kubernetes. As such, they naturally have to take upon themselves the full responsibility of a software distributor under the CRA. I'm really impressed with how much effort they're putting into this open source compliance issue!

I'd urge everyone to check out the presentations at bitkom.org/bfoss24 (it may take a while for them to be available).

All in all it was a good day, time well spent, catching up with old friends and making new ones. I'm looking forward to next year's event, again in September.

Are you interested in learning more about the topic of NIS2, DORA, CRA or Open Source in your company, or with Linux disaster recovery & bare metal restore? Together with my colleagues from Tektit Consulting I'll be happy to support you!

Location: Erfurt, Germany

Comments

Post a Comment

Like this content? You could send me something from my Amazon Wishlist. Need commercial support? Contact me for Consulting Services.

Popular posts from this blog

Overriding / Patching Linux System Serial Number

Image
I'm a big fan of test driven development  (TDD) for infrastructure components. I'm currently working on a hardware-related topic where we also use the system serial number as identifier. To create a proper integration test, we need to be able to start a system and set the serial number to a known value. This can easily be done with the help of virtual machines like in VMware or VirtualBox , but I couldn't find a way for changing the system serial number on hardware boxes, cloud VMs (e.g. on Alibaba Cloud) or other Linux system. Problem Analysis I was thinking: Linux is the operating system where I can potentially do everything . So how hard can this be? After some digging around I found out that there are those main sources for the serial number on Linux: /sys/firmware/dmi/tables/DMI contains a binary blob of Desktop Management Interface data provided by the kernel and the dmidecode utility is commonly used to decode
Read more

A Login Security Architecture Without Passwords

Image
Following up on Lifting the Curse of Static Credentials and Eliminating the Password of Shared Accounts , I have many discussions about why we would benefit from removing password prompts for website logins. Let's dig deeper into the details and show why removing password prompts leads to a  safer security architecture . Update 11.03.2022: Added more details about business vs. consumer websites and additional security suggestions surrounding WebAuthn Problem Space For context, imagine a website that needs to identify online users via their email address. We assume that the website in question is not the primary email system of a user but some other website, e.g. an e-commerce shop system or a collaborative productivity tool. As a User As a user of that website I want to easily sign up for an account have an easy way to login into the account be sure that my account is protected from others or attacks be able to easily recover access to my account i
Read more

Mission Impossible: Complete Disaster Recovery for Google Workspace

Image
I'm a frequent user of Google Workspace and even accept the switch from free to paid for my family domain . One topic has always been on my to-do list: Proper backups to support disaster recovery after a major problem. It turns out that Google Workspace has a significant flaw: It is technically impossible to create a full backup of all data and to restore that! Google simply doesn't offer any API for that. As a result, all backup vendors are forced to work with the regular APIs. As a result, not everything in Google Workspace can be stored in a backup, e.g. Google Sites (new, not classic). Some content, like Google Drawings and others, can only be backed up as a static file (e.g. PDF) and not restored into a new Google Drawing. Google itself doesn't offer much on backup and disaster recovery: Recover deleted files and folders for Drive users Restore deleted shared drives or their files How to mitigate ra
Read more