Josh has a chat with Gabriele Columbro, Executive Director of the Fintech Open Source Foundation and General Manager of Linux Foundation Europe. We of course discuss the Cyber Resilience Act (CRA), the evolving landscape of open source regulation, and the collaborative efforts of major foundations. Open source is everywhere, but there’s also a ton of work to do now. Gabriele has really good insight into where things are today and where they are heading in the future for open source and regulation.
Episode Links
This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Episode Transcript
Josh Bressers (00:00) Today, Open Source Security is talking to Gabriele Columbro, the Executive Director of the Fintech Open Source Foundation and General Manager of Linux Foundation Europe. That’s quite the mouthful, Gab. So I want to thank you for coming on the show. I am so excited to have you.
Gabriele Columbro (00:15) Thanks for inviting me, Josh. And between my Italian names and the length of my title, I really appreciate the effort.
Josh Bressers (00:22) Fantastic. So I asked Gab to come on here because he’s part of Linux Foundation Europe and the CRA, the Cyber Resilience Act, is kind of a huge topic right now for obvious reasons. And I think how we kind of got to where we are today is a really interesting story, as well as some of kind of what comes next. And so Gab here is the perfect person. So, Gab, I’m just going to give you the floor. Kind of tell us who you are, tell us what’s going on, you know, and you can start telling your story about kind of how we got to where we are today. Because I know when the CRA was first drafted, it was pretty scary for open source.
Gabriele Columbro (01:00) Yeah, thank you, Josh. Well, the story starts for me in, I would say, mid 2022. I was going about my day running the Fintech Open Source Foundation, admittedly building quite an experience at the crossroads of sort of regulated industries and software, having all of these large financial institutions collaborating on open source. And I had just taken the job of Linux Foundation Europe, probably for my thick Italian accent, hopefully some other qualities there, but we had just launched our Brussels-based entity at the Linux Foundation, partly to facilitate global collaboration, but also to better interact with Europe and European policymakers, regulators, the local community, the specifics of a country, a continent made of 27 different countries, but with a sort of supranational IP framework, sort of legal framework, which is represented by the EU.

And so, yeah, I thought I was going to, you know, work on bringing new projects to the Linux Foundation, help the growth of our existing projects in that region. Turns out most of my time for the last couple of years has been spent working on the crossroads of policy, regulation and software, especially starting with the CRA. That was the big topic du jour as soon as I took the job. And so, yes, you’re absolutely correct. At the beginning, the first versions of the CRA were pretty scary for the open source community, both in terms of the impacts on individual maintainers, the amount of liability it would create, as well as effectively on foundations. It was basically, in a way, lumping in the liability requirements put on manufacturers of software, so potentially very large industry players and tech companies who have plenty of budget to comply. And it was basically putting foundations and, I would say, intermediaries in there too. Like, think about central repositories; if you think about the whole sort of supply chain, there are so many sort of intermediaries there that compose, that participate in sort of the final product.

I think the first reaction has been one of trying to really collaborate with the other players in the open source space. You know, as much as the Linux Foundation is by far sort of the largest foundation out there, in no way is there a single entity that can speak for open source. Besides multiple foundations, the long tail of the millions of projects that exist on GitHub, there is no single voice. And I think that was the first complexity in this conversation. Policymakers did not have a counterpart to speak to. Again, if you compare how they work with sort of industries, there are generally public policy people, there are generally, you know, lobbies. Neither foundations nor, let alone, the long tail of open source is a lobbying organization or has lobbyists that can influence the regulation. And so the first thing, I think, has been, at that time, collaborating with other foundations and sort of making sure that, through a series of blogs, open letters, we sort of really positioned the need for the European Union to work with us.
Josh Bressers (05:35) Well, and I’d say you were successful because you’ve gotten a lot of this done. And we should say, when you talk about other foundations, and correct me if I’m wrong, but my understanding is the big foundations that kind of sat down, you had the Linux Foundation, obviously Linux Foundation Europe, specifically you. And then there was the Eclipse Foundation and the Apache Foundation were also involved. I mean,
Gabriele Columbro (05:55) Yep. Yep.
Josh Bressers (05:58) Not that I’ve ever thought of the foundations as competitive necessarily, but I also can’t think of another instance where they’ve all kind of come together with like a single unified message and purpose.
Gabriele Columbro (06:09) Yeah, I think it’s interesting because in the last three years we’ve hosted in turn something called the Open Source Congress, which is actually a meeting amongst foundations, primarily code hosting foundations, but obviously you also have sort of national foundations that advocate for open source, especially with the purpose of finding these common areas where we should be working together. And absolutely policy is one where, again, we have the same, I think, objective to make sure that the open source community at large, not just us as foundations, nonprofit entities, but again, the community doesn’t get sort of unduly impacted by some of these regulations. Other areas are obviously, you know, sustainability. Over the last two or three years, you know, Alpha-Omega, one of the projects of the Linux Foundation, has been funding other foundations, including Eclipse, including OpenJS, including, I think, most recently Rust as well, to really increase their security posture and sort of reduce the risk of maintainer burnout, the whole sort of big conversation around sustainability that has been sort of ensuing.
Josh Bressers (07:32) In fact, I just talked to Mikael Barbero not long ago from the Eclipse Foundation and he talked about Alpha-Omega, you know, helping them fund some of their SBOM efforts, which is fantastic.
Gabriele Columbro (07:41) Yeah. Yeah. So there are certainly areas, to your point, where as nonprofits we’re definitely less competitive, but certainly we have different projects, and ultimately I think the risk is when any one of us sort of portrays itself as the open source. I mean, that’s not viable. And I think to an extent, going back to the CRA, certainly working together helped. But again, there is a, I would say, professional way to work with regulators. And I don’t think any one of us at that time had sort of that professionalism. Again, we are not lobbying organizations. So also from a charter standpoint, we have limitations as to what we can do when interacting with policymakers.

But we found that, you know, sort of working together put us more, you know, on the radar of the EU regulators. I think in principle we were already late in the game when we first started interacting. I mean, the early drafts of the CRA had already been discussed for over a year. And I think we are now in a much better place where, you know, each of the foundations has, you know, people in Brussels, at least to be able to intake and understand upcoming regulations at the right time and make sure that we provide feedback. Secondly, the CRA itself has introduced for the first time the role of stewards in a law. And therefore now there is effectively a recognized role for stewards, both in the CRA and in the standardization process that is now following the CRA, as the actual standards that we have to comply with are being developed within ETSI and CEN-CENELEC and the other European standardization organizations. And again, this has meant also that you see a lot more interaction, proactive interaction, from policymakers with open source communities. You see constant presence from the European Commission at FOSDEM, something that probably a couple of years ago you wouldn’t have had. They feel like they have to engage open source maintainers as an important constituency of regulations that impact open source.
Josh Bressers (10:23) Yeah, yeah, for sure. And I’ve heard the FOSDEM policy room was jamming last year, so it should be exciting this year. Now, here’s the question I have, and this is really kind of the reason I wanted you here: when you sat down with the regulators, kind of for the first time, what were you working with? Like, did they have any concept of open source? Was it like a completely blank slate? Did they think they knew and didn’t? Like, I’m really curious to understand where they were coming from in this discussion.
Gabriele Columbro (10:36) Yeah. It’s a very good question. You know, obviously, I won’t say there is a one-size-fits-all answer to the question. It depends, obviously. We are talking to the European, you know, the European Union itself has three different branches, you know, Council, Commission, Parliament; within those there are committees and so on and so forth. So it is certainly a very multifactorial, it’s a full-time job. Let’s put it that way.

I would say that they had actually quite a good understanding of, you know, the general, I would say the general constructs in open source. They had a decent understanding of the role of foundations, albeit I think our work, not just the Linux Foundation, again, with the other foundations, has really helped solidify it into sort of the role of stewards.

There were certainly some misconceptions at the beginning. I think one area where we as foundations and certainly commercial open source companies are very familiar, and it’s an area where I think a more sort of widespread and sort of clear understanding is still being developed in the regulatory community, not just in Europe, really in the US as well, is sort of the notion of commercial open source and the notion of the ecosystem around an open source project. What makes it sustainable? How does a project go from, you know, project to product to, you know, potentially profit, which then sort of gets reinvested back into the community, creating this, again, commercial ecosystem that is so vital to some of the largest projects that we’ve seen. Kubernetes, obviously, is a great project, but without the sort of vast, I would say, market that has been created around it, both by VC investments, but also in terms of adoption from large organizations and therefore sort of the need for upstreaming and contributing back.

You know, I think that’s an area where we as foundations can do a better job at explaining how the value flows across, you know, from projects, again, to the actual end users. There’s sometimes, I think, a little bit more of a simplistic view of open source as this, you know, beautiful collection of free stuff that delivers value directly to the users, but the reality is, especially if you think about Europe, there is a huge market of small and medium businesses who actually service open source and sort of build products or services and deliver them to the customers. And so I think that was an area where at that time, I think, there was some, I guess, lack of full understanding, and to be fair, even right now we as open source communities haven’t done a great job at sort of explaining this circular nature of sustainable open source communities.
Josh Bressers (14:41) I mean, the topic of sustainability is definitely dicey right now. And so, I mean, one of the things, this is just, I don’t know, I’d be interested in your thoughts on this. So I talk to a lot of people on this show, right? I reach out to, my intent is to find some of the unsung heroes of open source and really ask them what’s going on. And it was pointed out to me, it’s been a couple of weeks now, that a huge number of the, like, I will say, individual contributors to open source that have notable projects and are kind of making a difference, most of them are Europeans. It feels like there are a huge number of very individual, like, European contributors, versus in the U.S. it feels very much like if you’re doing a lot of open source work, you’re probably being paid to do a lot of open source work. It’s a very, I don’t know, it’s a strange dynamic. Do you feel like that’s a thing, or is this maybe just, you know, survivor bias of who manages to get on the show?
Gabriele Columbro (15:41) Look, I… This is a topic that I have been very much going sort of deeper and deeper into over the last year or so, especially sort of the regional aspects of open source, both in terms of maintainers and in terms of sort of value capture out of open source, as it indeed plays a critical role if you’ve been following Europe over the last year. It might or might not be related to the change in political climate, but certainly digital sovereignty has been one of the most relevant topics out there. And so, yeah, I was looking at some of the stats, the most recent stats, again, it might slightly vary, but if you look at even just GitHub stats, yes, Europe actually has more open source contributors than America.

But then if you flip the script, and we recently published our first State of Commercial Open Source report as the Linux Foundation together with the European VC Serena, it is pretty clear that in terms of funding, in terms of exits, in terms of basically every step of the commercial journey of a startup that builds on open source, the US has a lot more, has probably twice as much if not more. And so basically capturing value out of open source. So I think you’re right. Generally, directionally, US maintainers are more often paid than European maintainers.

But I wouldn’t, you know, it’s not a black or white situation, because yes, if you go and think about big tech, yes, they generally have, you know, either it’s an eye time, you know, the day dedicated to the work on open source, or yes, they are paid as open source maintainers, and really it reflects the corporate maturity in terms of understanding the strategic value of open source. It’s not just cost savings, it’s not just, you know, those techies in the corner who are consuming software. It’s, you know, creating markets, it’s commoditizing competitors. It’s truly a strategic play for some of these organizations, and that reflects in the way they assign the resources. You know, just looking at my own and thinking about FINOS, yes, we made a lot of progress over the last seven years in getting banks to fund open source, to contribute upstream, but even in some of my most, you know, my platinum members, the largest investment banks in the world, we have tens of thousands of developers. Yeah, they are the maintainers of my projects. Are they fully 100% paid to work on it? Not really, if you correlate when the commits come in, and, you know, our LFX platform gives us a little bit of insight on that. Yeah, they’re after hours. They’re in the middle of the night.

And so, you know, I guess, long story short, yes, I do think that generally the US has more paid maintainers, and they also pay better. But I think it’s more generally a question of Europe not having invested as much in the whole commercial ecosystem around open source. And that means that, yeah, maintainers are probably struggling more. You know, at the recent Open Source Summit in Europe we had Daniel Stenberg, the creator and maintainer of curl, and, you know, he is one of the most renowned and, you know, one of the top, I don’t know, five European maintainers. He did it in a very ironic way, but it was a very interesting call, to say, look, now between requirements imposed by the CRA and all these manufacturers asking me to answer random questions, you know, please pay me to answer this. You know, I don’t do compliance as a service as part of my day maintainer job, between AI slop and the amount of bugs that now have to be triaged and so on and so forth. Yeah, sustainability is still a pretty complex topic. I’m excited to see a few initiatives, both private and public sector, happy to go deeper there. It’s certainly top of my…
Josh Bressers (21:03) Yeah, yeah, for sure. Well, and Europe has a Sovereign Tech Agency based out of Germany, which I love the work they’re doing, and I feel like it’s working. It’s having the effect that I think we hoped it would have, which is very exciting.
Gabriele Columbro (21:18) We are very obviously fond of the Sovereign Tech Agency, and, you know, kudos honestly to Adriana and Fiona and the whole team and what they’ve done over the years. In fact, most recently GitHub has spearheaded, together with OpenForum Europe, the open source think tank in Brussels, and with the support of many in the open source ecosystem, including Linux Foundation Europe, a proposal for a European-level sovereign tech fund, the EU-STF, it has been dubbed. As you probably know, the EU is going through sort of this what’s called MFF, multi-year financial framework. It’s planning for the next seven years of budget. You know, talk about waterfall. But, you know, they’re trying to influence a, you know, 250 million dollars, euros, sorry about that, Euro dollars, like my wife would say, investment from the EU to really sort of up-level this from a national level to EU level, you know, with the primary angle of, you know, security, you know, well, EU security, sovereignty and obviously critical infrastructure sort of protection from attackers. Again, there are one slash two wars going on around Europe. So this is a pretty tense time in that region.

But if you think about it, that’s a drop in the pond. It’s still a drop in the pond compared to, you know, the sort of the overall EU security budget, and the potential outsized impact that even 250 million could have. I mean, you can probably name better than I can the massive amount of vulnerabilities that we have seen and had to deal with over the last three, five years that have impacted critical infrastructure. So we’re certainly excited to see this type of effort, but I sort of go back to that notion of ecosystem. I think it’s important to have public sector funding and understand that open source is critical infrastructure and you need to defend it and sustain it and maintain it like you do for a nuclear plant, like you do for your roads, like your trains.

But I think the long-term sustainability, and at the Linux Foundation we have the luck of seeing a lot of these ecosystems flourishing, comes from, you know, the private sector having that sort of clear understanding of what’s at stake, that they are depending on this. You know, I have a lot of these conversations with the banks that I work with on FINOS, and look, you don’t have to sell risk management to a bank. You know, I had them at hello. The question is fitting the conversation of open source into that sort of risk management posture. Going all the way back to the CRA, actually there are some really positive aspects in there. If you think about it, there are some requirements for upstreaming security patches. It’s something that, as Greg Kroah-Hartman would say, you should have done in the first place, but now, you know, there is a regulation that makes it either mandatory or absolutely more efficient for you to, if you find a bug, follow the responsible disclosure process and upstream it, and everyone’s gonna.
Josh Bressers (25:23) Yeah, yeah, for sure, for sure. And I think your comment about the banks, right, being, we’ll say, risk is what they do. And I think in the open source world, there was, I mean, prior to, I feel like, maybe 2024, but certainly 2025, I feel like open source was just like this faucet of free stuff no one thought about. And like, there’s definitely a changing attitude everywhere, right? Banks, automakers, governments.
Gabriele Columbro (25:32) Yes.
Josh Bressers (25:52) Like literally every industry I talk to is starting to pay attention to this.
Gabriele Columbro (25:57) I, yeah, I mean, I… I see it for stand-ups, I’m a little biased as I run a vertical foundation, but I do think that besides the, you know, if you think about the Linux Foundation ecosystem, obviously we have a foundation full of critical projects in every layer. I mean, if you think about the sort of level of security that the kernel or Kubernetes or, you know, Node or PyTorch have to have, because, you know, from nuclear plants to the Mars rover, they run on this, like we can’t afford to provide anything less to our downstream users.

I’m certainly very excited to see the sort of flourishing of these vertical foundations where, you know, FINOS, we have the financial services industry basically creating a shortcut between their needs and their sort of pain points to how sort of open source solves those pain points, but also how they can invest to sustain open source that is already part of some of their critical infrastructure. We have LF Energy, who is bringing some of the, actually primarily European, large energy distribution, national distributors and sort of the whole supply chain of energy. Again, as all these industries undergo digital transformation, they’re starting to realize that it’s not just about cloud, it’s not just about AI. Open source is sort of this third pillar that permeates from 80 to 90 to 95% of their sort of software real estate. Telco with LF Networking. AgStack on the agricultural side of things. Margo on the manufacturing side, Automotive Grade Linux. You know, I don’t want to do a commercial here, but certainly I see this construct of a vertical foundation being able to, again, raise, again, shortcut the understanding that open source is critical to these industries.
Josh Bressers (28:20) Yeah, yeah, for sure. 100%. Okay, we’re coming to the end. So I want you to fill us in on what you see is coming next. This is just like from a foundation perspective, from a CRA perspective, from a European perspective, whatever you want. Like the floor is yours, predict the future and I promise not to hold you to it. So.
Gabriele Columbro (28:45) With the flourishing now of these prediction platforms here in the US, I feel like I should bet on it. Look, I think on the European side, I will touch on two topics. The CRA is coming into effect now. We have slightly less than one year, which is still a good amount of time. Standards are still being developed. I think the interest is still very high. You know, as I mentioned, we ran our annual events, our member summit last week in Brussels, our first road show in Ghent. The CRA track was packed, jam-packed, from developers to industry manufacturers to other foundations. There is still a lot of uncertainty about how to implement the CRA. That’s what our report from the Linux Foundation sort of showed us earlier in the year. And so OpenSSF really has amped up the support for the communities, both in terms of content, education, we have training, we have the Baseline that helps us harmonize across different regulations, regulatory regimes in different regions.

So I think as far as the CRA goes, the EU is finalizing the standards, but my call here is everyone should get to action. Foundations and projects are getting structured to support as best as possible their downstream users, but ultimately the big, big requirements are on the manufacturers. And so, you know, if you’re listening to this and you don’t know what the CRA is and you ship software in Europe, it’s time, it’s really time for you to get on top of it.
Josh Bressers (30:52) Not just if you ship software in Europe, it’s going to be if you have customers that are shipping software to Europe, or if you’re customers of customers, you know what I mean? Like, it’s CRA all the way down.
Gabriele Columbro (31:02) It’s transitive. Yep, yep. I used to be a Maven guy in my previous life, and so I’m so familiar with transitive dependencies. I don’t know that everyone is. Very, very good call-out there. And then I think I sort of touched upon it. I think the most interesting conversation, we can leave a final cameo for AI because we went the whole podcast without talking about AI. I’m sort of proud of myself. But I think digital sovereignty is the talk du jour right now in Europe. And I think it is our role to make sure that some of these pushes for sovereignty, which again is not just European, every region is sort of looking at the geopolitical value of technology and therefore of open source as a way to reduce the dependency. As open source people, we’ve always sold the vendor lock-in prevention qualities of the open source world. Now digital sovereignty brings it sort of to the next level, where you’re actually trying to prevent dependency on foreign actors and foreign forces that might be friendly right now, but maybe not later.

And so I think the biggest conversation is going to be on how we make sure that open source remains this amazing global engine of innovation that we’ve all come to know, love, use, appreciate, sort of take for granted. Because a lot of these conversations are starting to sort of sound increasingly protectionist, increasingly sort of, you know, leading towards a Balkanization of open source. If we start talking about US open source versus China open source versus European open source, that is going to be something not good for the open source community, but also not good for each of the regions involved. And so I think that’s something that we are definitely laser-focused on at the Linux Foundation.
Josh Bressers (33:45) Awesome. Well, we’re going to have to wait to see. So thank you, Gab. This was an awesome conversation. I truly appreciate the time.
Gabriele Columbro (33:50) And let’s go. I appreciate you giving me the time to chat, and thanks again for having us here.