OSI board AMA at All Things Open

13 min read Original article ↗

Members of the Open Source Initiative (OSI) board sat down for a 45-minute "Ask Me Anything" (AMA) session at All Things Open in Raleigh, NC on October 29. Though the floor was open to any topic the audience might want to ask of the OSI board, many of the questions were focused on the Open Source AI Definition (OSAID), which was announced the day before. The new definition has been somewhat controversial, and the board spent a lot of time addressing concerns about it during the session, as well as questions on open washing, and a need for more education about open source in general.

[OSI board members left to right: Tracy Hinds, Sayeed Choudhury, Anne-Marie Scott]

The session was held in one of the smaller rooms at the venue, with about 30 people in attendance (not counting OSI board members or staff). The session kicked off with some ground rules from the moderator, Mer Joyce, who had also worked as a facilitator for the OSAID drafting process. The first order of business was introducing the board members in attendance; OSI vice-secretary Anne-Marie Scott, vice chair Thierry Carrez, Gaël Blondelle, Pamela Chestek, Sayeed Choudhury, and Tracy Hinds.

Deborah Bryant, a former board member who currently works with the OSI as its US policy director, got the ball rolling with a question about the most interesting challenge the board expected to face in the next year.

Scott answered that the recent effort to create the OSAID had broadened the OSI's community, which was good but also "problematic". She said that the organization had encouraged a group of people to participate in the OSAID process who "may not have always affiliated themselves with open source" but were "incredibly valuable to the work we have done". Now, the OSI needed to work on keeping them engaged and to make connections to the existing community.

$ sudo subscribe today

Subscribe today and elevate your LWN privileges. You’ll have access to all of LWN’s high-quality articles as soon as they’re published, and help support LWN in the process. Act now and you can start with a free trial subscription.

Choudhury agreed, adding that it had been an active year, and that the OSI now needed to get back to core things the organization had focused on in the past with the legal and developer communities. He also drew attention to the policy work the OSI had done, particularly with regard to the EU with the Cyber Resilience Act (CRA). "We've been doing that work, but I think we need to focus on it a lot more."

Bespoke licenses

The first audience question was about the trend of "bespoke" licenses, such as the CockroachDB License, that claimed to be open-source licenses but had restrictions such as "a certain number of users, or under a certain amount of revenue per year". He wanted to know how to navigate those "because right now we have to evaluate every single one of them".

Chestek was the first to respond to the question. Bespoke licenses, she said, defeat the purpose of the Open Source Definition (OSD). The idea behind the OSD was to make adopting open-source software frictionless because users know immediately that they have all the freedoms that they need:

These [bespoke] licenses are not designed to build community, they're designed to extract value out of software by free-riding on the concept of open source. But they're not open source.

What the OSI does, she said, is to occasionally talk about those licenses and point out that there's a reason that open source works, "and that is frictionless adoption". Without that, there is no chance of building community, so what is the point of the license "other than to maybe look like you're a good citizen", without being willing to make the real commitment to an open-source development model.

Carrez said that these new licenses focus on a single benefit of open source, which is the availability of code. As an organization, he said, OSI needed to do more to educate the public that there are additional benefits in terms of innovation and sustainability. He added that developers now take for granted a lot of the benefits of open source.

I can tell you that developing today is very different than developing then. I don't want us to go back to the dark ages of the '90s where you had to basically look at [the license of] every piece of code in order to use it.

How to move forward

The next question was from Nithya Ruff, head of the open-source program office (OSPO) at AWS. She said that "not everyone agrees with the new Open Source AI Definition". There were some points of disagreement, she said, but "a lot of places where we agree". She wanted to know how the community could work together to move forward.

[OSI board members left to right: Thierry Carrez, Pamela Chestek, Gaël Blondelle]

Scott said that the simple answer was to keep talking. Some people felt the OSAID was too open, others felt it was too closed, "and then we've got everything in the middle". That is driven, she said, by the kinds of organizations that people work for, as well as the values that they hold. She went on to say that there were more conversations to be had, some in the open and some under the Chatham House Rule, for the "next phase of engagement". Ruff was right, she said, "there's more agreement than there is difference, but on the points of difference, they are strongly held".

Carrez responded that the board didn't have a strong position one way or the other when it started the OSAID process, and that he was "very sympathetic" to the dissenting voices that were heard during the process. However, he said that he realized "the ultimate goal is really to replicate the success we've seen in open-source software to AI" and not to simply translate the OSD to AI.

Some of the tension we've seen is in people that haven't made that mind shift to the wider picture and are just trying to apply what they are very familiar with, that they're experts at, and that made it more difficult.

"Nobody disagrees about the principles [behind the OSAID], where we see disagreement is implementation", Chestek said. The OSI had gone further than others in trying to define a fully open implementation, and tried to put a stake in the ground that defined what it considered open right now. That implementation, she said, is "the piece of it that we know is going to change" but not the principles. Maybe when the industry was more stable, "then I do hope we'll really come to a unified place". She added that it was a "wild experience" to do the OSAID work at the peak of a hype cycle while an industry was being regulated.

Education

The next question came from Carson Shaar, who introduced himself as the co-founder of a company in the open-source space, Zero-True, and a recent college graduate. He said that he'd observed "quite a lack of education" around open source. Universities were doing a lot of teaching around entrepreneurship and building products, "but not a lot of work around contributing to open source and working in open source". He wanted to know what work the OSI was doing to educate and involve students.

Choudhury, who is director of the OSPO at Carnegie Mellon Libraries and director of an Alfred P. Sloan Foundation grant for coordination of University OSPOs, began by saying "I feel your pain". At least in the US, he said, education about open source is "deeply lacking" and fails to help students understand open source beyond the computer-science perspective. The Sloan Foundation is "providing support to the domestic movement" around open source to help university OSPOs give students, faculty, and technology staff a better understanding of the broader open-source ecosystem. "How to navigate in that from a technical perspective, legal perspective, community perspective" as part of the actual educational experience and not just something "on the side". It is, however, early days. "I'm not going to pretend we solve[d] this problem."

Left behind

I asked the next, somewhat long-winded, question. After introducing myself, I noted that I had observed many comments and responses that expressed a feeling that the OSI had chased a "shiny ball nobody asked it to chase", as well as disappointment with the OSAID process and final definition. There seemed to be a loss of trust in the OSI as a result, by the community that put the OSI where it is today. What was the plan to deal with that?

Hinds said that the board recognized that community members were upset, and felt they were not heard. However, "this [definition] was something that was being, I would say, asked and even demanded. We had people saying, 'we need this yesterday'." There was, she said, an underlying assumption that there could be a "translation from OSD to open-source AI" and that the OSI was being trusted to take the process seriously and try to facilitate it.

Choudhury said that the OSI was spurred on by pending regulation. He quoted Mike Milinkovich, executive director of the Eclipse Foundation, as saying that "we just have to get used to the fact that software is about to be regulated" in the context of the CRA. There were clear signals that regulation was about to start, including the use of the term "open-source AI" without defining it. What other group, he asked, is really better positioned to define it? But that meant reaching out to new sectors involved in regulating AI, "which was always going to be messy".

Carrez replied that the OSI "may not have done a great job promoting" the work that it has done to "have the back of developers" in the face of regulation such as the CRA. The regulatory landscape, he said, would be very different without the work done by the OSI and others, that would have put open source at risk.

There is also the fact that the OSI had to work with a lot of stakeholders, and that people from the OSI's traditional constituency were some of the voices heard from during the process, just not the only voices. That, he said, caused some frustration.

Blondelle argued that the OSI was not chasing a shiny ball, but trying to protect the original definition. The OSI had seen vendors using the term open source for things that were clearly not open source, "so I think we had to define open source AI because otherwise we would have lost some ground" on the OSD.

Hinds replied again that she wanted to make it clear that the OSI board had "felt that letdown". It would be spending energy on "reinforcing the value we provide to legal and developer communities, because we feel the pain of them feeling let down and need to do that repair" while making sure to include newer communities to figure out how they can all work together when needed.

"Stable, but not permanent"

The next question came from an attendee who said he was acting deputy chief AI officer for the Cybersecurity and Infrastructure Security Agency (CISA). He said that CISA leads the effort to manage risk in cyber and physical infrastructure, and said that the OSD serves as "a sort of risk tolerance and risk statement" about the acquisition and security risks of software. He said that helps him to advocate for open-source software in government as the best solution that will give the best outcomes to mitigate risk. However, risk was not one of the things that was mentioned about the OSAID, he said, and he wanted to know how CISA could help "sort of drive towards definitions that are equivalent risk-management postures" that would help him with security decisions and recommendations for AI systems.

Carrez said that was an interesting question, and that the OSI was staying ready to evolve the definition. One of the questions, he said, is what is the best way to patch and run AI systems? Comparing pure software to AI systems is difficult, for example the economic cost of generating the AI system's models. "The reality is that if only a handful of companies and a handful of governments have the resources" to rebuild models, it is not a practical goal for open-source AI. There is more and more evolution, he said, on the ways that models are fine-tuned or patched in a less costly way. It was important, though, to "put a stake in the ground" with the OSAID to have something to work from to have the discussions.

Choudhury also noted that the OSAID was the start of a journey and "a stable definition, but it's not permanent".

Open washing

The final question was about combating open washing, and how the OSI, government, and developer communities should be trying to prevent bad actors or others from misrepresenting software or AI systems as open if they are not.

Chestek said that this was not a new thing for open-source software and had probably been going on as long as it had existed. The OSI relies a lot on the community to do communal shaming, which is "probably the most powerful" way to combat open washing. When a company misrepresents its software, the OSI usually finds out about the situation from the community. Then the OSI would say something publicly, if it was appropriate to do so. That, she said, would probably carry over to the OSAID as well and she hoped "we can all converge at least on the principles of it". For example, if a system has a commercial limitation on it, "that's just not open source, and we don't even need to get into the weeds about whether or not you provided all the information about the data".

"Can I fork it?" asked Hinds. From a practical standpoint, she said, the right to fork translates to AI, and that is what the OSI is going for. "Can I look at this model? Can I work with this? Can I do something with it? I think that's really easy to resonate with our existing communities" as well as new ones coming into the open-source space.

The board also had an opportunity to give parting thoughts to the audience, which Carrez used to thank attendees and encouraged people to join the OSI and run for the board if they were interested in helping to make open source better.

[ Thanks to the Linux Foundation, LWN's travel sponsor, for supporting our travel to this event. ]


Index entries for this article
ConferenceAll Things Open/2024