FLOSS Weekly 756 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

0:00:00 - Doc Searls
This is Floss Weekly. I'm Doc Searls. This week, Simon Phipps and I talked with Luis Villa, who is with Tidelift, a really interesting company which, if you're a maintainer of code, you want to know about because you can get paid if you're not getting paid now. That's one topic, and that's a big one, and one that gets us just started off. We go off into AI, ML, what government's doing with all this. What's happening in government right now, and not just here in the US, where I happen to be at the moment, but in Europe. Even China gets brought in at the end, I think. So there's all kinds of stuff that we're going to be talking about for the next hour and that is coming up next.

0:00:46 - Doc Searls
This is Floss Weekly Episode 756. Recorded Wednesday, November 1st, 2023. We won. Now what? This episode of Floss Weekly is brought to you by Kolide, that's Kolide with a K. Kolide is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps. Visit to book an on-demand demo today. Hi everybody, I'm Doc Searls. This is Floss Weekly, and this week I am joined by Simon Phipps, himself from sunny Southampton. It's beautiful at the moment, there's a light upon you.

0:01:44 - Simon Phipps
We're expecting a storm today, though we have a big storm it's kind of even fairly big by Florida standards. That is due through tomorrow, so we're battening everything down, but at the moment we've got the blue sky and we've got the sunshine, and then everything blows away tomorrow.

0:02:01 - Doc Searls
That's great. Well, we've had very balmy weather here for a while. I'm in Indiana, in Bloomington, Indiana, where nothing is blooming right now. We had a frost so hard this morning that my blue car was covered in white, so that's what's happening here. So we have a guest, Luis Villa, and he is a return guest. We both know him. It turns out in different ways, including the fact that he's been on the show before. So how do you know?

0:02:35 - Simon Phipps
Well, I think I first ran into him at GNOME, but he was on the OSI board for a long time. He's also the guy that wrote the Mozilla Public License version 2. He was also involved in the GPLv3 process and I bumped into him there. He's also now a lawyer and I collect lawyers like people collect badges, so we have many, many points of contact the whole time. So I've known Luis for a very long time, along with his former Ximian pals, who are all doing great things for free software in different places.

0:03:10 - Doc Searls
Ximian, another word we haven't heard in a while, so I'm going to run down to the bio here as quickly as I can. Luis is the co-founder and general counsel at Tidelift, which will be a topic here. He was a top open source lawyer advising clients from Fortune 500 companies, leading startups, on lots of matters. An experienced open source community leader with the Wikimedia organization of Wikimedia, led the Wikimedia Foundation's community engagement team. Before that he was with Mozilla, where he led the revision of the Mozilla Public License and served on the boards of Creative Commons, the Open Source Initiative, and, more a long ago, programmer computer science degree from Duke. And so, Luis, I have to ask you, when were you at Duke? Because I hung out there too. I didn't go there as a student.

0:04:03 - Luis Villa
I was Duke 1996 to 2001.

0:04:08 - Doc Searls
Okay, it was long after my time.

0:04:10 - Luis Villa
I was a political science and computer science double major. At a time when I didn't think those two things were related, it was like, oh yeah, politics is sort of interesting, computers are sort of interesting. Wait, they're the same thing, you know. Brain explode.

0:04:28 - Doc Searls
Did you know Jamie Boyle there?

0:04:31 - Luis Villa
I did not meet Jamie Boyle until the year after I graduated. A friend of mine who was a Red Hat employee for a long time but at that time was at the Duke physics department, shala Flyer for conference on the public domain at the Duke Law School and he's like, hey, you've been looking for an excuse to come back to campus and say hi, like come crash on my couch and it was sort of, I don't know, life changing. I guess, right, like it was one of these because I met Jamie Boyle, who is on the law school faculty and has been a sort of theorist of open for a long time.

0:05:12 - Doc Searls
It was like the public domain, basically, yeah yeah, he kind of owned that topic.

0:05:17 - Luis Villa
Yeah, and that was the meeting where Creative Commons was announced. Right Like Creative Commons have been sort of yeah.

0:05:24 - Speaker 2
Yeah, yeah, yeah.

0:05:25 - Doc Searls
And we were both at the Berkman Center in different capacities at a time when his name was kind of thrown around a lot. So I want to. I want to start just because I promised this gentleman I would mention it and also for our listeners, and it's relevant to you and we don't have to dig far into this. But it is an interesting topic that the list of the well annotated list of episodes for this podcast, which is now having it's like a 750 something episode going back more than 10 years, as an early podcast may not be notable and so it's got. It has a, it has. It has been nominated for deletion and so you'd like to recruit interest in that in Wikimedia, in Wikipedia, in Wikipedia, so so. But you were telling me, telling us earlier, before we started, that citations wasn't even. I had always thought that citations was like the original thing. With having written and edited many, many Wikipedia pages and worked hard to make sure citations are everywhere, I did not know that that was not like from there from the start.

0:06:39 - Luis Villa
Yeah, no citations was sort of baked in in year three or four maybe I think of, and they work differently on every. This is one of the things that I love to tell open source people about Wikipedia, because Wikipedia is, like it's, very open sourcey in a lot of ways, but it's also open source. People who bring their experience and preconceptions to Wikipedia are sometimes sort of surprised, right. So we sometimes sort of colloquially, were like the Linux community, but of course if you talk to a Linux maintainer it's actually like the networking drivers community and the you know, and the storage layer, community, and they like sort of interact a little bit.

And Wikipedia is the same way. English Wikipedia, German Wikipedia, within each of these Wikipedias there are sub communities and it you know, and so there's no, there's actually still no one way to do citations. In English Wikipedia there's like six last time I counted and it's slightly different in German and in Spanish, and that drives external people like if you, they're like what's the API for citations? Like I have bad news for you. It's an IRC channel. And you put a bot in the IRC channel and they're like no, no, you can't be serious, like deadly serious. That's actually been fixed now, but that was the case when I was a Wikipedia about 10 years ago.

0:08:08 - Doc Searls
Yeah, I was doing citations as a bear and I don't do them so often that I remember how to do them every single time, and it's always. I'm just always copy it from somewhere else or I look where somebody else has done it. It looks okay and just paste it and then cop, strip out the other stuff and put in my stuff. But is the, you know one? Of the types in the right place and is the space? Go here and stuff like that.

0:08:34 - Luis Villa
There's a. There's a GUI editor now in Wikipedia, and has been for seven or eight years now, but it's not on by default. For for people who've had accounts for a long time, like you and me and like mostly it's like you're like oh look, wikitext is fine. What do I need a visual editor for? The reason you need a GUI editor is because its citation mode is awesome, really.

0:08:59 - Doc Searls
Okay, yeah, it's got a. You can go down like to the command line version of it, right, so that's. But that's the basically HTML.

0:09:07 - Luis Villa
And that's it, yeah, and that's the and that's the default, and it's fine for like, if you're just, you know, doing a little copy editing or whatever, great, but the in one of these awesome examples of the power of open source. Have you ever heard of Zotero? Yes, yeah. So Zotero is like. For those not familiar with it, is an academic tool that helps researchers collect and store their citations. So Wikipedia now runs a copy of Zotero in server mode and in the visual editor. You can give it a URL and it will attempt to pull out author, publication date, all the stuff that you want in a citation and put it into a properly formatted citation. Wow. And then, through the magic of collaboration between Zotero and a programming team, Wikitext is a like deeply, how you say, horrific, in terms of a programming doc. Before the show started.

0:10:10 - Simon Phipps
We're talking about standards.

0:10:11 - Luis Villa
There's no standard for Wikitext. The standard was the PHP implementation. So this like heroic team reverse engineered Wikitext from the PHP implementation into a specification reimplemented in JavaScript so they could do the visual editor. It's one of those things that, like, you're like how hard could a, how hard could a WYSIWYG editor be? And the answer is like many years of some of the smartest programmers you know, but you would never know that behind the scenes, right?

0:10:43 - Doc Searls
Well, well listeners, if you take an interest in this you know, take a look at what, what this little controversy is. We'll put it in the show notes.

0:10:52 - Luis Villa
You know, and let me actually say this might be a good transition to for those who are wondering what I do at Tidelift and my things are these days.

0:11:00 - Doc Searls
Yeah, I was going to jump over to that, so go for it. Tell us about that.

0:11:03 - Luis Villa
So one of the ways in which open source and Wikipedia are very parallel, these are long lived things now, right, like this article is like a decade, a decade and a half old, something like that the my Biography article, which maybe should be deleted, or, if listeners want to update it with some of the stuff you learned in the beginning of this episode, you're also welcome to go do that. But it is you know my articles. You know 15 years old, 20 years old maybe, and and we have to think about how does that get maintained over time? Right, because people's interest waxes and wanes, you know people's, I mean, it sounds like this article is very well maintained, which is awesome, but not all articles are. For example, the person who started my Wikipedia article now has three kids and doesn't add a Wikipedia anymore, and so it's less maintained, and I don't want to maintain it myself. That would be a conflict of interest.

So what Tidelift is is a way of thinking about this maintenance problem over the long term for open source. So we observe that many. Our average customer has about 4000 packages at Tidelift, and so they have. When, Doc, when you and I started, Simon, when we all started, you could count all your packages on one hand right so you could establish a relationship with these communities by dropping them an email. Now, if you've got 4000 packages as part of your production, your production setup, you can't build human relationships with them. So how do you know that they're going to still be there tomorrow, day after tomorrow, you know, 10 years from now? The answer is you got to think creatively and that's where we at Tidelift come in. We build relationships between our enterprise customers and the folks.

For those of you who have seen the XKCD comic, I think in this audience, that's probably safe. The person in Nebraska who's maintaining the one little stick right we build relationships with them to encourage them and pay them out of our customers money to keep doing what they do because they are deeply underappreciated. That person in Nebraska is is a small cog in a big machine and the way open source works these days, they often get a lot of requests and not a lot of love, and so we bring in paying them to help make those pieces more durable and more. For those not familiar, there's also a variant on this that I put together, which is all modern slide decks about digital infrastructure are maintained by a comic that Randall has been maintaining thanklessly since whenever it came out, like five, six years ago. Because it turns out we actually had to tell speakers at our last conference. We're like you can't use the slot, you can't use the XKCD, because otherwise all of you will use the XKCD and that would be a little awkward.

0:14:16 - Simon Phipps
So so, Luis, tell me some more about Tidelift, because it fascinates me. You're building relationships with communities. I know there are countless millions of communities you mentioned earlier about how it was layers and layers and layers. There's communities of communities, that communities don't have any ontology, so the relationships between them are all entirely random. And then over here you're taking some money from one of Tidelift's customers and you're somehow going to send it to the right people over here. How does that all work? It blows my mind. I think you might even attempt it.

0:14:57 - Luis Villa
Well, I mean, some days it blows my mind that we attempted to, but so you're not alone there. So a couple things. The basic model you can almost think of as Spotify. We measure what our customers are using in order to identify what packages we need to reach out to. First, and to some extent, of course, they're all using some things like Kubernetes, for example. We don't. The amount of support we can offer to something like Kubernetes that is already supported by a bunch of the biggest companies in the world very directly and by a flourishing commercial ecosystem is relatively very small. So that's not what our customers need and not what we focus on.

Instead, it turns out as soon as you get start going down that long tail, you get to packages with one or two maintainers Very, very quickly.

So some of the biggest packages in the world, like libcurl or a bunch of the JavaScript ecosystem, basically relies on one person, and so we identify those packages where you as a customer get a lot of maintenance bang for the buck by saying, hey, you're using you and all of our other customers are using this JavaScript framework. We're going to go find that person and give them, and we have several of our top maintainers making six figures from us. Now, right, lots are making smaller amounts. I don't want to like say that every listener who has any kind of package should run and sign up. You can check our web page does allow you to check if you're a maintainer or a package. But that's really where the sweet spot is is those large packages widely used, but with a small, usually one or two maintainers, and we really we think we can make a big difference there in the long term sustainability and viability of those projects.

0:16:56 - Simon Phipps
Right. And so what is that onboarding process, you know? So I don't have anything I'm responsible for maintaining anymore. But you know, pretend I am maintaining some package. What should I go check, you know, will you give me money?

0:17:10 - Luis Villa
Yeah, yeah.

0:17:12 - Simon Phipps
How would I find out? How do I get it? You know, oh, I wish I had this.

0:17:16 - Luis Villa
I should have this URL like tattooed on my forehead for every time I go to a conference. I just came back from a conference and I don't it's what it's washed off, but you can go to our website and there's a link that says something like for maintainers, you can click there, you can search your package and we'll show, like you know, hey, substantial number of our customers. They're using you. We expect that you could make up to this much money if you, if you joined up, and when you do that well one, we contact you. Obviously it's a pretty hands on kind of process, but then we also what we do is we start walking you through essentially what are the kinds of things that an enterprise wants to think about that aren't fun for you. You can sort of think of us as like trying to incentivize the things that big businesses care about, like licensing. It's a little weird that lawyer is a co-founder and that's because licensing is something that actually businesses care a lot about and maintainers mostly like they just want to copy a license to its t file and never think about it again. So we help bridge the gap right. So like if a scanner, if our scanner, says actually it looks like you've got two or three licenses in here. Is that a surprise to you and you say that's totally surprising? I thought I had only one license. We help you bridge that gap right. We help you get to that point. You know what our customers are paying for is helping to to get there right.

Similarly, a thing we're doing a lot of these days, some of you in the audience may have heard of the OpenSSF Scorecard. That's the Open Source Security Foundation, Open Software Security Foundation. I always forget what the first S is, but that's a Linux Foundation project and they publish a large scorecard which is essentially like 10 metrics, that they believe that if your project hits these 10 metrics, your project is going to be more secure in the long run. We find that the average package only scores like a three and a half four somewhere around there on those 10 metrics. So we help you, as part of the onboarding process, identify what are the gaps between scoring a four and a 10.

Might not be possible for technical reasons or depending which framework you're, you know might not be possible to get to 10. But we can help you get from four to eight pretty quickly and that benefits our customers and also helps benefit your project in the long run. But like, honestly, it's all sort of boring stuff. It's probably not what you would want to do on your weekend, Simon. Right, like you've got other things to do on your weekends and you know you wouldn't want to be doing a scorecard on your weekend unless somebody like us paid you for it.

0:19:57 - Simon Phipps
Yeah, yeah.

0:20:00 - Luis Villa
And so you know and we can show we've got some reports on our website that show that change over time. Right, like, where does the scorecard once people start getting paid? You can see the graph going up up into the right, which you know. Correlation and causation are a little complex here, but we think that that really helps, over time, make your code base more maintainable. Right, there's no magic bullet. We can't prevent a Log4j, right, but we can make sure that a greater number of maintainers are around for the long run so that when those kinds of things come up, they are more you know, we can respond to them more quickly. Hopefully they're more minor in severity because the maintainers are around and active, which includes, to be clear, the Log4j maintainers, who we do support.

0:20:51 - Simon Phipps
Right, and you mentioned just then a very large sum of money that someone is earning. So how are you doing? I mean, how many, how many clients have you got? What's your? You know it. May I ask, what is your turnover at the moment?

0:21:05 - Luis Villa
I, you, you may not ask.

I don't think we make that public, or you can ask you can ask whatever you want, but we are, we're growing, you know. I think it might be helpful or interesting to your customers, might, might help and make sense. A lot of our customers are banks, insurance, increasingly governments, which maybe is a good transition for another topic of our conversation. Increasingly, governments are thinking about. Governments are more concerned than the average organization with the long term. So when you tell them like hey, you've built your castles on sand, they actually respond to that. They're like, oh, especially in this very current moment. Right, like I mean, simon, both, both, both of you, we've all been doing this a long time. The idea that the White House would be having meetings about open source would have seemed extremely farfetched to younger us. Right, absolutely.

0:22:01 - Simon Phipps
It could only happen after the legalization of cannabis. Really, that sort of, that sort of supposition, I can't imagine it happening any other way.

0:22:10 - Luis Villa
Right. I mean, yeah, some people had to get very creative, which may have involved things even stronger than cannabis, but it happened, right, we had White House meetings about this stuff and and that like is. I mean, this is a two-edged sword, right, and I think maybe this is an interesting it's a very active week in this space for this. Actually there's, as Simon well knows and maybe, Simon, you want to lay some groundwork here but governments are starting to think about open source, which is cool. They're bringing a lot of resources to bear. It's a sign that I I I considered at one point launching a podcast called we won.

Now what? Because in many ways, open source has won. Right, we're like the defaults in the industry. We're sort of you have to argue against open source in a lot of ways, but yet also it's like okay, now we're the backbone of the entire world economy. That means governments are going to pay attention to us, that means we're going to be regulated and that is a. That is a sea change that I think we haven't fully. You know, we as a broad community have not really fully internalized yet. Right.

0:23:29 - Doc Searls
Well I want us to get to. There's so many. There's a long list of things that we have to talk about, and AI and ML and that stuff which is now required, I think is a topic for every podcast. But first we have to take a break, and I let everybody know that this episode of Floss Weekly is brought to you by Kolide. Kolide is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps. If you work in security or IT and your company has Okta, this message is for you.

Have you noticed that for the past few years, the majority of data breaches and hacks you read about have something in common? It's employees. Sometimes an employee's device gets hacked because of unpatched software. Sometimes an employee leaves sensitive data in an unsecured place, and it seems like every day a hacker breaks in using credentials they phished from an employee. The problem here isn't your end users. It's the solutions that are supposed to prevent these breaches. But it doesn't have to be this way. Imagine a world where only secure devices can access your cloud apps. In this world, phished credentials are useless to hackers and you can manage every OS, including Linux, from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for your IT team. The good news is you don't have to imagine this world. You can just start using Kolide. Visit to begin on-demand demo today and see how it works for yourself. That's K-O-L-I-D-E dot com slash floss. So Luis, AI, ML, all of it, whatever we thought about it this morning, is already a little bit obsolete. So it's like our heads spinning fast enough. It's beyond interesting and absorbing.

I've spent much of the last week playing with various visual things which are interesting. I'll put one to you. I wanted to show a radio tower collapsing in the forest because I'm ready to get peace about how radio, as we knew it is kind of going away To get them to do. An AM radio tower, which generally has nothing hanging off the side, is impossible. DALL-E, Stable Diffusion, they all want to show a radio tower encrusted with dishes and gizmos, but of course it's going by what I guess the large image model shows. That's two of the things that look a different way, even telling it.

I did another one about printing presses, because we have an idea for a kind of WordPress thing called DatePress, which is for calendars. I wanted to show a kind of printing press, but not an ancient one printing calendar. The only thing you can imagine are ancient printing presses and people in turn of the last century gear operating them. It's kind of weird and interesting. So what do you got on that Boy? I mean this is open, right. I mean we're in an open-vill, but there's a lot of stuff that gets through the door that you may not want in the door.

0:27:11 - Luis Villa
Well, or that maybe you need in the door, right? I mean, it turns out that to train these things to avoid racism and sexism, you have to show them racism and sexism so that they know what they are. The problem is, these things know what we put into them. What we put into them is mostly what's on the internet, and so if the internet only has FM towers, then good luck getting an AM tower out of it, right, yeah, it's.

0:27:52 - Doc Searls
I remember one of the earliest onion headlines, like back in 1995, said the headline was error found on internet and it's kind of like there's almost nothing but that Right.

0:28:07 - Luis Villa
Well, and what is the? That's such a great example of bias, right, because we like to talk about biases in AI. It's really important. In my opinion, a much more interesting and important issue than is this stuff going to turn into the terminator. Is this stuff going to be biased in a whole bunch of ways? And it turns out. One of the more innocuous ways it can be biased is things like age or geography, right? Well, again, just simply because at this point there probably are many more FM towers certainly pictures of cell phone crusted towers than AM radio towers on the internet, just because of age and time. That's what the AI is going to know about, right? Until we make deliberate steps to de-bias it by, for example, showing it a bunch of AM radio towers, it's just going to know what it knows and those biases are very real, very present already, and that's a really interesting conversation for everybody to have. All of society needs to be thinking about that question.

But it's also a really interesting example for open and how open has to or can deal with this kind of stuff, right, because we're not used to. We're sort of used to like we write a piece of software, we hand it out to the world like you break it, you buy it right, like if it doesn't work for you, run a test suite, fix it yourself. These opaque blobs of model. They're open in the sense that anybody can poke at the numbers and in fact in some ways it's easier to modify than traditional source code.

But if you don't know about AM versus FM radio towers, you would never think to look for that kind of bias. You would never know about that kind of bias. You might look for other, maybe more high profile forms of bias, but you're never going to catch all of them. And so how do you? So, even if it's open, whose responsibility is that? We don't know? Right Government is saying I mean this week literally very actively, both in Washington DC and in Brussels, where the EU is headquartered. Both of them are actively working on regulating AI to fix that and how that's going to work for open. They're worried about Terminator.

0:30:49 - Doc Searls
That's the big one. But the I mean interesting when, since you mentioned cells here in the US there are lots of cell towers, but in Europe there are mostly cell sites. You don't see many towers, depends on the country, but in many they hide them perfectly. They're in church steeples, they're buried in the side of buildings made to look like bricks. So yeah, it's interesting because we, as Greg Kroah-Hartman pointed out when we brought this topic up with him a few weeks ago. He said it's all pattern matching and it's just nothing but pattern matching. We're matching patterns and patterns are in the world and we are human beings and we make machines to do the same thing. We look for patterns. There they are. I know that's a light bulb, I know that's a clock that looks like a wall. We're going to give him more of that right and so the machines are going to do similar things.

0:31:38 - Luis Villa
Yeah, and to be clear, I mean I do want to pause for a second and say that's miraculous, man. We taught our computers to recognize clocks and to know the difference between a watch and a grandfather clock, and like that's amazing, and I do think sometimes. I mean I sat on my coffee shop. I live in San Francisco. I sat on my coffee shop this morning and watched a car with no human being in it negotiate a turn with somebody crossing a crosswalk and like, again, that's like science fiction, it's wild and we should, I think. I think it's very easy in this moment in time to be like, well, okay, but what happens if the car accidentally nudges the pedestrian? And it's really important to think about that. Right, we should not lose sight of these. Things are going to have such huge impact in the world.

I've written on my ML blog. Actually, Doc, you were talking about printing presses. I think the lower bound of the impact here is sort of on the level of cell phone and the web and the upper bound is like societal change at the level of the printing press and we are all creatures. I mean you've got a bookshelf behind you. I've got a giant bookshelf behind me, Simon's off camera right now. But I assume, Simon, you do read, are you? You know no books for Simon? Yeah, off camera, sure.

0:33:11 - Speaker 2
My bookshelf is that yeah, that's what they all say.

0:33:14 - Luis Villa
Yeah, the books are don't trust Simon. If you don't have a book in the background, don't trust him. I have so much in there, we're all creatures of the book and none of us would go back. The printing press did also lead to 100 years of bloody warfare in Europe. Right, and there's so much that we take for granted about the printing press that is really hard for us to unwind that, and I think it's going to be the same with ML.

0:33:42 - Simon Phipps
I think you know there's the other end of that process that we've all been talking about deployment and effects of AI. The other end and the same thing happened with the printing press was the question about the origin end of the knowledge. So, you know, one of the really big questions is should AIs be allowed to be trained on open source software without the express permission of the authors? And I don't know what the answer to that is. Quite honestly, I wonder what's Tidelift's position there. Would you act as a conduit for people to get permission from maintainers to use their code to train AI? Is that something you're doing?

0:34:23 - Luis Villa
You know that is something we're looking at because there is some research that suggests that focusing on higher quality code can lead to higher quality outcomes, right? So, for example, for those of you who are familiar with the lingo, there's a process called fine tuning, which is essentially like you take the general purpose model and then you tweak it based on a smaller set of data, and that's often used for things like I would like my image model to be more anime-like, so I'll feed it a little bit of anime and we'll make it produce anime more easily. One thing you can do in coding is you can feed it higher quality code and you can tune it to produce higher quality code. So we're monitoring that because we think there might be a. We think there might be some market there, for, you know, are the folks who contract with us because they are small maintainers doing really high-end code some of the most widely downloaded projects on the planet. Their code quality, we have some reason to believe, is higher quality than average, right? So there may be a market there, but at the same time that's a there's a tension, right. Among other things, many tensions here we could talk all day about this, but a couple really relevant ones there.

Open has succeeded in part by reducing friction and increasing people's ease of use. So anytime you put licensing fees in there, you have to be really careful that you're not sort of killing the golden goose by demanding another layer of stuff. And you know, I mean more generally as Simon, as I think you know, I spent a lot of years working on the Oracle versus Google case for Google and a key question there was fair use of APIs. And you know, again, fair use has really benefited the software industry as a whole and open source in specific and so anything that anytime you run around saying that's not fair use, you have to really think about what the side effects are right, and that is. I've done a couple podcasts on that. I have a newsletter. It's a side project, it's called openml.fyi. That is a lot about the intersection of open and machine learning might be of interest to some of you.

And I've talked about that fair use question quite a bit because I don't know. You know, by the way, this is the kind of thing that you know, Simon, as I was saying, and I know you know this right, we could talk about that all day, absolutely. Traditionally, I mean, I think the key thing for any listener to take away. Traditionally, governments actually react to technological changes. Like the history of the US Copyright Act is, in part, driven by oh, we invented player pianos, which was the first recorded form of music commercially viable form of music. We got an entirely new copyright act out of player pianos because musicians were like this is gonna put us out of business, this is stealing our stuff right, which is very similar to the moment we're in right now in a lot of like emotional ways for musicians and I think that's the you know that's the distinction when it comes to fair use, because Google's use of the Java API was totally fair use because it made everyone's lives better.

0:38:08 - Simon Phipps
And AI, sucking the juices out of open source software and making the people who work on it redundant, doesn't sound like it makes everyone's lives better in quite the same way. Boy, I could literally like Much more a player piano kind of situation than it is a Google Android API issue, I would assume I could literally copy and paste the sucking the blood out of like Oracle used exactly those words to talk about how Android is killing the Java ecosystem.

0:38:39 - Luis Villa
That's the thing every generation of fair use argument boils down to. But the prior generations of fair use arguments those people were right, but I am different and like that's a very slippery you know. I mean the Free Software Foundation used to talk very openly about how one of their goals was a world in which there was no copyright in software whatsoever. And weird now that they're on the receiving end of that.

Now, suddenly it's complicated right and I get why I don't wanna dismiss, I mean, those emotional reactions to the things that we create are very real and I think, you know, I think the unfortunate thing, Simon, is that, as you know, ideally you'd have a sort of democratic process to like balance these things and unfortunately, at least in the US, it seems likely it will be the courts that decide this and that is a, I think, not the optimal way to be making really society wide. Like I don't want a judge, picked someone at random, to be the one. I mean you might be right, right, Like maybe this is not fair use because it's societally bad, but I don't want a single judge deciding that Like one way or the other. I would really much rather Congress figure that out. But that assumes a level of functionality that, for people who don't follow US politics, Congress not very functional right now. So-.

0:40:14 - Simon Phipps
Yeah, it assumes that a Congress other than the current Congress is going to do that, because they might actually take the topic. Seriously, I'm not last to put example. Sorry doc, take it away.

0:40:23 - Doc Searls
Yeah, I want to tease with that because everything so legislative body that doesn't actually legislate. But we want to get to this, but first we need a brief break. Okay, so let's dig a little deeper into government and regulation. I mean, you were saying, Luis, that we don't want courts to decide this, but we maybe don't want. I mean, I tried reading through the US thing. They came out of the White House and all I could think of was it's way too early for this. This is no fun. This is gonna take away a lot of fun. There are real threats, yeah, but do we want, I mean, do we need, bureaucracy right away on this thing? And I'm kind of coming from the libertarian spirit that actually does animate Silicon Valley and most of the open source world, I would say. I mean, it's a lot of individuals scratching their own itch, having fun doing cool things. Do you want to throw sand in those tires?

0:41:27 - Luis Villa
I a little bit. I mean, this is a super, super complicated and fraught topic. I think part of this is generational, right, I mean, there was a if you tell a computer science grad coming out of, who graduated from a comp sci degree in 2023, that when I graduated, the most pressing ethical issue in software was Bill Gates. Yeah, yeah, they, that was true. That was a genuine Bill Gates' control of the industry. Like it still makes me steaming mad when people are like, oh, Bill Gates, you know, patron of the arts and like dude, stole all that money, period. And so, yeah, it's great that now this like guy who committed monopolistic violations to make all that money is now giving some of it back to the world that he stole it from. Terrific, great thanks, Lex Luthor.

But like, so that was like a real I think still is a real ethical issue, but like that is not the leading ethical issue in software anymore. Right, and to try to tell that with a straight face to somebody who's, like you know, surveillance cameras are my, we can now legitimately ask the question are my surveillance cameras racist? Because, like, the technology can literally embed racism in a like very real, as you were saying earlier, pattern matching kind of way. And so to tell this new generation of open source developers that the most important ethical issue that you can tackle is like Microsoft's power in the industry, they're like no, no, no, no, no, that's like 10th on my list of ethical issues with software. So I think the libertarian, the libertarian vision is real, the concerns are real, they are just not top of mind. To say that that's the dominant vision in open source, I think, is no longer. At least, that's a very complicated place to be right now, cause so many people in open source do not resonate with our old libertarian issues.

It just doesn't rank for them, and it probably shouldn't.

0:43:58 - Simon Phipps
Yeah, and you know I go deeper than that as well. So we watched the web being a wild west for 20 years, and then finally it comes time for the European Union and for California to do some legislation about it. So the European Union makes GDPR. GDPR is a steaming mess that really benefits nobody, because the way the web works is now so much a part of people's economic lives that you can't fundamentally disrupt it in the way that you would have done if you had started legislating much sooner and let the legislation evolve in the places where it turned out to not be quite right. And so I'm really pleased to see both the US and Europe legislating around AI.

I'm actually quite pleased at the Cyber Resilience Act that that is happening, that they're legislating for the protection of users of devices, because you know they're not going to get it right now. They are legislating early in the life cycle. But that will mean that there is a legislative framework that we can tell them is wrong, rather than just letting everybody go invent new ways of stealing money from the general public and then in 15 years someone come along and meekly say, oh, we really ought to be legislating some of this. So you know, I'm quite pleased to see it here. Having said that, I'm not very pleased about the CRA and the way that it actually looks.

0:45:26 - Speaker 2
But we are going to get- we're gonna get the details.

0:45:30 - Luis Villa
There's no point.

0:45:32 - Simon Phipps

0:45:33 - Luis Villa
Yeah, I know, I mean, look as an American, I mean, you know, talk to your point about libertarianism and like, and I think one of the like good questions that our techno libertarianism raises is are these folks like competent to be legislating this right? And the cookie pop-ups drive me bonkers because, as Simon says, the like privacy legislation, good, getting permission for every cookie on the internet, like what? Even that was obviously a terrible idea 15 years ago and the fact that it's still going on is like, just yeah, you know, it's a triumph of like, it's a triumph of words token is there, it's, it's yeah, yeah, yeah.

0:46:24 - Simon Phipps
The legislation was being negotiated at a point when it was not possible to do the real thing that needed doing, which was to regulate surveillance capitalism, and instead what happened was it all got reduced down to an argument over cook down cookies, and so the token is that the token thing that everybody could agree did the least harm to everybody's business models was to was cookie pop-ups. And it's not there because it does anybody any good. It's there because it's the, the, the avatar for doing the least harm to everybody else who wants to carry on surveilling the general public and stealing their identity and information in order to make money, which unfortunately, no one could let us say to help.

0:47:08 - Luis Villa
Yeah, I mean, it is like that. We're still having that discussion about cookies. She was later, is not? I mean, look, I'm a, I'm a democratic optimist. I would say, right, like small d democracy optimist. But boy, yeah, every time I see a cookie pop up I cringe at the thought of and now they're gonna figure out large language models.

0:47:30 - Speaker 2
But the thing is, somebody's gonna was it?

0:47:33 - Luis Villa
Yeah, no, it's not gonna work very well, but but we? But the alternative of I mean, as you say, starting earlier, I think Simon is not ideal, but I think this, it's just too central to the economy, right, we can't pretend there's some amazing. One of my favorite books about the law is called The Accidental Republic and it's about how the US came to regulate railroads. Because railroads went from this thing that the law analogized to horse driven carriages and so there was very little liability on them. Because how much damage could a horse driven carriage really do? To at its peak, all the major railroad systems had their own hospital systems throughout the US. Because they maimed and killed so many people every year, like Civil War levels of carnage from railroad accidents and like at that.

And at some point they, the US government, was like, oh, maybe we need to. I mean, they sort of invented modern regulation in order to regulate the railways and it's because they were so central and so huge and so powerful. And tech is the same way, right, software tech is the same way. The question is not are we gonna be regulated. The question is, how are we gonna be regulated and do we engage with that in a healthy way. So we're the least that way.

0:49:00 - Doc Searls
So I said two, two problems here. One is every new law has it in a way, especially around tech, kind of protects yesterday from last Thursday, and I think what the GDPR did is it protected 2015 from the 2012 and became enforceable in 2018, after which enforcement couldn't possibly keep up with a massive business that developed in GDPR compliance. Look up GDPR compliance, you'll get hundreds of millions of results and all of them all of them are for how to obey the rate, how to obey the letter and screw the spirit of the GDPR, which is what gives us all the cookie pop-up, pop-ups, but on the. The other problem is that, as a former FCC chairman said to a small group of us once I may have mentioned this on a show before about net neutrality, this has been a years ago actually, and as several FCC chairmen ago, but he said I've spoken every member of Congress at one point or another and I could tell you almost to a person there are two things they don't understand. One is technology and the other is economics. Go for, go for it, you know. So I think it's better now because I think more people are actually using technology, more people coming out of technology. But we're also at the end of what Jeff Jarvis calls and we talked about it earlier the Gutenberg Parenthesis, where all of our framing was in the print world, like the railroad world you just mentioned, as was framed in the horse world. And you know, and you know McLuhan said, every, every technology changes us utterly, it extends us and then it changes us. I mean, when I mean we, we associate Plains Native Americans with horses. Well, those came from the Spanish and that changed their cultures utterly, I know, to a horse culture. That was a way they were extended and changed. We are in the middle of that right now.

And you know one of the things that bothers me and I want to get back to sort of the, it's not the Libra, I mean. When I say a libertarian, I'm talking about where you know, all the so many ideas come from one person scratching their itch. You know that person in Nebraska there's thanklessly working on a thing right, and you don't want to stifle that, and it's it's that. It's that that spirit of originating something that actually works is the thing we don't want to crush, and that's what got missed with with the GDPR, the.

The GDPR actually thinks of us as data subjects and not as human beings. They say everybody's a natural person. But we're just data subjects and other only other parties can be controllers or processors and of their own data, and so we're sort of relegated to mere users, which is a conventional term used only by the computer industry and by drugs and so and I'm kind of going afield here, but if we're staying inside the government involvement part of this they invite stakeholders to come. You and I are not the stakeholders they get, they get invited right, it's, it's the captains of industry.

0:52:05 - Luis Villa
I think, I think a change in the open space. Right now is it's time, and I actually are, as as part of a large You're doing it, you're doing the work. We are actually now stakeholders, you guys.

0:52:17 - Simon Phipps
You know I mean Brussels. Next week I've got an invite to go see some people from the Commission that the truth about the current Registrate legislation at the European Commission is it is actually being written and reviewed by people who understand it. So the people who wrote the product liability directive change, which is gonna extend product liability to software. The people who wrote that know what they're talking about. They are actually subject experts in software and in software law and the people who've reviewed it in Parliament are actually people who have worked in the technology industry. So, for example, there's an MEP in the Czech Republic who used to be an engineering manager at Red Hat before going into politics and he's one of the people who's reviewing the PLD. So the old situation from 20 years ago where there was nobody in Washington or Brussels or London who understood what the legislation did. It's not like that anymore. The people who are writing this stuff in Brussels. They know what they're talking about. Their work is being reviewed by people that know what they're talking about and that last problem is now slowly getting fixed. They are beginning to invite Luis and me and you know, folk from the Linux Foundation and people from Debian and people from Apache are now beginning to get invited to go and advise on things.

So I think that I'm very worried about the AI regulation because I don't think anybody understands that stuff and so there is nobody with the knowledge to regulate it at the moment. It including you, including me, and I don't speak for you, Luis. Maybe you know how to legislate it. I have no clue how to write regulations about AI, apart from being very worried about people's taking the works of others and deriving value from it without compensating them, and people applying the derived knowledge in the models to do bad things. Those are the two things that worry me. How I legislated, I don't know. So I think we're kind of partly fixed there, Doc. I think that the people you know we're talking with people who know what they're talking about, and cyber security is mature enough for the legislation to be meaningful. It has defects deep in the details, and that's why we're engaging is we're trying to help them fix the defects, and so so, Luis, you know you're representing a whole load of developers plausibly at Tidelift. Is that why Tidelift has got you intervening in these, these activities?

0:54:48 - Luis Villa
Yes, yes, absolutely. I mean we are very concerned with the impact on. I mean we think overall I mean younger me can't believe I'm so like capitalist, red in tooth and claw here, but like we think at the end of the day that injecting some more money into the system is a net good thing. And one of our concerns about the Cyber Resilience Act is that it tends to want a sort of a very binary either you are a pure as the driven snow lovely volunteer, scratching, Doc, as you say, scratching our itches, or you're like a tool of American capitalism and you should be regulated to like within an inch of your life. And so part of our position has been to try to like say, actually there are a lot of people who are like doing small bits, they're consulting here and there, they're using Tidelift, they're using Open Collective and, and that we should have, that we should be careful not to accidentally stomp all over those folks, right, and we are similarly we're submitting next week to the White House. They have a cyber security request for information out that I know Open Collective is doing a response to. We are doing our response to.

I think Linux Foundation is, I know Open Source Initiative through their Open Policy Alliance. By the way, Simon can't or shouldn't make this pitch here, but I'm going to. Open Source Initiative is doing great work right now, including around policy issues. This is a good time to become an individual member and support that organization, because they're doing awesome stuff and you should support them. No longer a board member, no conflict of interest here, I'm just a guy. You should go join the. And. Sorry, I got slightly distracted because my team back home is asking how did it go?

0:56:42 - Simon Phipps
And the answer is it's been so awesome that I'm still going.

0:56:46 - Luis Villa
So yeah, I mean, I think, and so anyway, this request for information that we're going to publish soon and we're going to submit to the US federal government talks about this question of how do we make sure that we don't crush the motivations of individual maintainers, because they are, in many ways, they're not the high visibility. Like there's no conference. There should be a conference for individual maintainers. There's what we do, something called upstream at Tidelift, which is very cool. It's all online and it focuses on these solo maintainers because they are the upstream of so much of our value, but there's not a lot of focus on that, even though so much value is there. So part of our role is very much to go to Brussels, to go to DC and say, hey, we're trying to speak for these solo maintainers. That's certainly why I I mean, I definitely don't get engaged in policy discussions, because they're fun, because they're sort of like nails on a chalkboard constantly, but they're really important.

0:57:46 - Doc Searls
So we're getting close to the end of the show, as your team just lets you know they're a little off. We're still at less than an hour, but we have to take one last break and we'll have a question after that. Right now, I would say that pretty much most of the world is obeying the GDPR one way or another, and, to a lesser degree, the CCPA and a number of other things, the CRA and other things that come along, and Europe has been taking a lead on this. What about China, you know? Is this going to split the internet apart? More and more regulation coming down from the West, as some are like to say. What would you think of that?

0:58:32 - Luis Villa
I think perhaps, especially in AI, it might. For a lot of cultural reasons, that split has already happened between China and the rest of the world for sort of non-legal I mean political maybe great firewall, different patterns, yeah, but also different patterns of adoption, different patterns, I mean, you know, china has all these super apps that are just, despite Mr Musk's best efforts, are not going to become a thing in the West for various sort of historical adoption reasons, right, so that split was already, I think, on a lot of issues was already happening On AI. That's going to be a more interesting question, right? I think one of the really fascinating questions about regulation of AI right now is whether or not sharing models and things like that. Is that going to be something more like MP3s, where we have a lot of legal options but we don't? We haven't, for example, mandated DRM as a legal matter. We haven't mandated DRM yet, we don't as a digital rights management? Yeah, digital rights management, yeah, speaking of issues that we used to care a lot about and now have the importance of those has changed.

But you know, but for MP3s the government could be a lot more aggressive than it is and instead it's sort of like a certain low level of MP3s is fine For what's called CSAM, which is a the government acronym for essentially child pornography, zero tolerance. A government will come and swoop down and arrest you in your home, so pretty much across the Western world, and we don't know whether AI regulation is going to look more like MP3s or it's going to look more like CSAM. We don't know. I mean, there's talk in this White House executive order of an international treaty treating it almost like nukes or biological weapons. Is that going to happen? Is China going to get on board? Like that's where, I think, for the privacy stuff, you already sort of have two internets for AI. We don't know what that looks like, right, and we don't know.

You know, Doc, I think one of the things that where our intuitions as open source folks can lead us a little bit astray with AI is that the amount of hardware needed makes this sort of a powerful company's game. Right now, open isn't involved. In the same way, there's a lot of open. I mean, Facebook calls their stuff open. It's not not in the sense that any of us would recognize it, but they can sort of get away with that because they have a lot of hardware and so they can train good stuff, and so some of those intuitions that we have. You know, maybe this is like in the good old days when open source is open source. This is like in the good old days when open source had to be bootstrapped by Solaris and AIX and we'll get our Linux kernel and it'll become cheap and easy to do AI, or maybe it won't, we don't know yet. To Simon's point, it feels very early, so writing good regulation now is going to be hard.

1:01:52 - Doc Searls
Well, this is, this has been a fast hour and you're one of the cases where we say we have to have you back, and then we did have you back. Here we are and we'll have to.

1:02:02 - Luis Villa
No, we'll have to wait as long next time.

1:02:04 - Doc Searls
We'll wait as long.

1:02:08 - Luis Villa
You know what? Sign me up for this era in tech. We'll do like a historical. We'll do player piano. We'll do a series on player pianos. We'll do a series on trains.

1:02:20 - Doc Searls
That's a really interesting one to me, that and it wasn't just player pianos, it was Victor Herbert hearing his songs being played in a bar that resulted in composers getting compensated and the performers never keeping up with it, which is why the RIAA, and not something else, is involved in advocating performers why radio is different copyright regime than podcasts do, why podcasts don't. There's no podcast for music that that's like really good high quality music, because you have to clear rights for everything. I mean all that stuff is really weird and interesting. I'd love to go into that at some point. So so quickly, because we really are, I think, at a time now, because we always ask this and in exchange for you, what are your favorite text editor in scripting language.

1:03:13 - Luis Villa
I mean my favorite. Let's be honest, my IDE is Word.

1:03:20 - Doc Searls
Like that's sad, but that is my main IDE, so you can mark this.

1:03:25 - Simon Phipps
Yeah, we're going to be sending the LibreOffice people round, just so you know.

1:03:30 - Luis Villa
And, though, and, and, and, yeah, and my scripting language is Markdown and anything that will manipulate Markdown these days. Right, that's a. Though shout out to my Mozilla folks, JavaScript will always be in my heart.

1:03:45 - Doc Searls
Yeah, it's too many bases to cover. So thanks, Luis, it's been great having you on the show and we will have you back to talk about eras next time. Remind us of that.

1:03:55 - Luis Villa
Sounds great, all right, been a lot of fun. Thank you both. Indeed.

1:04:02 - Doc Searls
Since Simon, both of us were so eager to cover topics that we did. We text each other in the background here, like I, but you guys are colleagues really on on this. I mean, when we talk about stakeholders, you, you are the guys holding the stakes, is it?

1:04:20 - Simon Phipps
Yeah, I'm more peripheral to it than Simon has been, but but yeah we're trying to hard to get those stakes into the right vampires as well.

1:04:30 - Doc Searls
That's what I was thinking.

1:04:31 - Simon Phipps
You know, it's the responsibility of the stakeholders to get the stake into the right vampire. So there is a there's certainly a sense too in which we're colleagues and Luis, you know, helps with OSI activities around licensing, which is still. You know, we used to be so central to everything that we talked about in open source and it still is. It's still fundamental.

It's a forever topic. The reason it seems so unremarkable is because I think we've, we've, you know, Paris thought largely got it right, and people do feel that they have the confidence to proceed with other matters than how to pick a license. These days and that's not universally true there's still a whole load of activity in that area. So so, yeah, we're, we're, we're kind of working on those things. I think that the Tidelift was a fascinating and timely activity and I'm fascinated to hear how it's going and what's going on there, the fact that Tidelift is a substantially enough part of our ecosystem in open source to get invited, for Luis to get invited to the White House to give us a little bit of a talk.

I think that for Luis to get invited to the White House to give advice on open source software topics, I think is an indication that we've moved from where we were the Rebels on the frontier we're now. We're past the town planning stage and we're now a community of people who are the community that is running all the things the world is using. It's the people that you and I and Luis know that are running the messaging services, that are running the compute services, that are implementing the government engagement services. So yeah, in many ways we're colleagues. We're also gamekeeper and poacher to a certain degree as well.

1:06:25 - Doc Searls
That's great. I like that metaphor.

1:06:32 - Simon Phipps
So what did you think, Doc? I mean so do you feel that we're betraying the libertarian roots of oh no, not at all.

1:06:41 - Doc Searls
Not at all. Those roots are never going to end. It's just basically individuals being able to have the freedom and liberty to contribute in one way or another, and there's always a. It's not a tug of war, there's just a tug between interests and needs, and governance is an important thing, whatever that is, and you guys are on top of it and we're really way late at this point. So give us your plugs, Simon.

1:07:10 - Simon Phipps
If you have one, yeah, so plugs if you are anywhere within reach of the north end of Italy, so you're in Germany, Austria, Switzerland, Italy or adjacent states. There is a fantastic conference called SFSCon happening on November the 10th, where I will be the opening keynote speaker and there is a tremendous lineup of very smart people, because I'm just there to compère. Really, all the smart people come after me, come along to that conference. There's no charge for admission. It is in one of the most beautiful places in Europe, in Bolzano, and you can sign up for it by going to sfscon.it and sign up and register and get a ticket and I will see you there. Really, if you're around in the evening, we can drink some wine together and find out what you think about open source and free software.

1:08:06 - Doc Searls
sfscon.it, very good. And I have to tell people, surprise, I actually know the guest next week. Sorry, the VAC channels, I got to catch you on that one. It's Philip Griffiths. He's with OpenZiti Z-I-T-I dot I-O OpenZiti. So that is next week and we will see you then.

1:08:28 - Jonathan Bennett
Hey, we should talk Linux, the operating system that runs the internet, bunch of game consoles, cell phones and maybe even the machine on your desk. But you already knew all that. What you may not know is that TWiT now has a show dedicated to it, the Untitled Linux Show. Whether you're a Linux pro, a burgeoning sysadmin or just curious what the big deal is, you should join us on the Club TWiT Discord every Saturday afternoon for news analysis and tips to sharpen your Linux skills and then make sure you subscribe to the Club TWiT exclusive Untitled Linux Show. Wait, you're not a Club TWiT member yet. We'll go to and sign up. Hope to see you there.
