A globally unified governance framework for Open Source
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
Title |
| |
Subtitle |
| |
Title of Series | ||
Number of Parts | 287 | |
Author | ||
License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
Identifiers | 10.5446/56838 (DOI) | |
Publisher | ||
Release Date | ||
Language |
Content Metadata
Subject Area | ||
Genre | ||
Abstract |
|
00:00
Open setOpen sourceInformation securityStationary stateAbstractionVirtual realityJava appletSystem programmingInternet service providerIntegrated development environmentFlow separationPoint (geometry)Enterprise architectureFunction (mathematics)PasswordTask (computing)Normed vector spaceFormal grammarImplementationShape (magazine)Advanced Encryption StandardInformationChainSoftware engineeringDependent and independent variablesHypermediaFlow separationArithmetic meanPoint (geometry)System programmingSoftware bugVulnerability (computing)Focus (optics)Open sourceStationary stateSubsetInternetworkingService (economics)Perspective (visual)Information securitySingle-precision floating-point formatIntegrated development environmentMereologyPower (physics)Multiplication signFunction (mathematics)Process (computing)Enterprise architectureMedical imagingFLOPSFormal grammarSoftware developerDistributive propertyInterpreter (computing)SoftwareNormal (geometry)Different (Kate Ryan album)CuboidGroup actionStandard deviationMathematical singularityProduct (business)Gastropod shellValue-added networkSakokuOperator (mathematics)FamilyUsabilityQuicksortNeuroinformatikOcean currentMathematicsData miningWordGodBlogCodeState of matterCASE <Informatik>Distribution (mathematics)Rational numberBlock (periodic table)Exterior algebraoutputFlow separationType theoryTerm (mathematics)Software frameworkEncryptionSystem administratorShift operatorPasswordFormal verificationRegulator geneInternet service providerDiagramComputer animation
07:06
System programmingImplementationOpen sourceAdvanced Encryption StandardShape (magazine)Point (geometry)Enterprise architectureStationary stateData storage deviceInformation privacyServer (computing)CodeTerm (mathematics)Interpreter (computing)Logical constantChemical equationFluid staticsFormal grammarAerodynamicsLibrary (computing)ConsistencyVector potentialoutputKernel (computing)Flow separationFunction (mathematics)Translation (relic)Data structurePairwise comparisonOpen setDistributive propertyIntegrated development environmentModel theoryMoving averageDerivation (linguistics)DataflowDisintegrationLink (knot theory)PredictabilityDatabase normalizationCodeNormal (geometry)Representation (politics)CASE <Informatik>Exterior algebraChainCondition numberRevision controlData storage deviceSoftware bugTerm (mathematics)Type theoryMathematicsINTEGRALStationary stateProcess (computing)Information privacyEnterprise architectureInterpreter (computing)Different (Kate Ryan album)Dynamical systemSoftware developerDistributive propertyLogical constantConsistencyPerspective (visual)Fluid staticsPhysicalismoutputFunctional (mathematics)Library (computing)Kernel (computing)Flow separationTheory of relativityDistribution (mathematics)System programmingPower (physics)Arithmetic meanData managementState of matterSoftware testingChemical equationOpen sourceStandard deviationDependent and independent variablesInformation securityOperator (mathematics)ImplementationFocus (optics)DataflowMereologyCuboid1 (number)MultiplicationPosition operatorOffice suiteFlow separationMultiplication signForcing (mathematics)Cellular automatonOcean currentPrisoner's dilemmaInsertion lossInternetworkingRecurrence relationExecution unitSign (mathematics)Pairwise comparisonClient (computing)Computer animation
14:01
Open sourceCodeLogical constantMoving averageModel theoryIntegrated development environmentDerivation (linguistics)DisintegrationDataflowSystem programmingWebsiteKernel (computing)Operations researchInformation securityRouter (computing)Enterprise architectureInternet service providerStatisticsMobile WebTable (information)Communications protocolAsynchronous Transfer Mode9K33 OsaOpen setJava appletVirtual realityReal numberImplementationCodeDatabase normalizationDistribution (mathematics)WebsiteDistributive propertyPower (physics)System programmingCASE <Informatik>Term (mathematics)Chemical equationSoftware developerDynamical systemImplementationInformation securityCartesian coordinate systemOpen sourceSoftwareMultiplication signFunction (mathematics)Kernel (computing)Different (Kate Ryan album)InternetworkingCommunications protocolState of matterStandard deviationService (economics)MereologyTorvalds, LinusExploit (computer security)Shared memoryChainOperating systemFile systemInternet service providerMachine codeHexagonLibrary (computing)InformationModel theoryIntegrated development environmentSoftware maintenanceTheoryProcess (computing)Goodness of fitVideo gameCore dumpPairwise comparisonHecke operatorWindowData storage deviceInsertion lossStationary stateForcing (mathematics)Constructor (object-oriented programming)MassWater vaporPoint (geometry)Software development kitWeb 2.0Population densityComplete metric spaceComputer animation
20:56
ImplementationSystem programmingOpen sourceDistributive propertyInformation securityData managementIntegrated development environmentAttribute grammarKernel (computing)CodeSoftware developerKernel (computing)CASE <Informatik>System programmingCryptographyRule of inferenceCodeDistributive propertyMereologyWebsiteDynamical systemImplementationDifferent (Kate Ryan album)Constructor (object-oriented programming)Software developerOpen sourceInformation securityPower (physics)Price indexProduct (business)Software maintenanceTerm (mathematics)Service (economics)Stability theoryIdentifiabilityStationary stateStandard deviationAssociative propertyFacebookOcean currentDistribution (mathematics)Category of beingStatuteSoftware bugEnterprise architectureDatabase normalizationReal numberSoftware frameworkType theoryLocal ringBitLink (knot theory)Context awarenessFrequencyCollaborationismMetreMultiplication signAdditionElectric generatorTournament (medieval)FluidWater vaporCuboidPublic key certificateCellular automatonPlastikkarteMedical imagingSinc functionInsertion lossComputer animation
27:48
Computer animation
Transcript: English(auto-generated)
00:13
Welcome to my lecture, Global Unified Governance Framework for Open Source. My name is Christopher Klortz and I have studied in both the realms of computer and social sciences
00:24
and so I have made a different perspective on several of the current developments and today I want to give you an alternative perspective and also a potential approach that can help us to tackle several issues. We will begin with the problems we have in the international society,
00:41
so the society of sovereign states as of today. Then we will have a look on the open source system, what is it and in the end we will come to the obstruction, the international arbitration and how it can give us possibilities we have not yet used. The security providers of today are of course the sovereign states.
01:02
They are determined by geography, their sovereignty and obviously they are designed for purely social systems. This leads to the question, what if the social environment is replaced by a socio-technical one? What does socio-technical mean? It means blood borders among the technical systems like the internet and the social system.
01:23
There are no longer clear or distinct points of transition. There are persistent reciprocal interactions, influences and impacts and so it is no longer possible to separate or split these two systems. They are persistently interdependent and interacting. So, are sovereign states and their traditional separations of powers
01:44
secure by design in this new environment? What does secure by design mean? It is a concept from software engineering and it shifts the focus from the bugs, the errors, the mistakes we have to the architecture and asks whether these are just symptoms of an architectural flaw
02:01
and so finding the bugs doesn't make a difference. The first issue for us here is we have to avoid single points of failure, abuse and manipulation by architecture. So, in purely social systems we have already separations of powers that can fulfill this purpose. On the other hand, we need a predictable behavior of the system.
02:22
So, we need to ensure intended input to have predictable output. I need to know what I am allowed to do to not get punished. Otherwise, the system cannot offer me security. So, this is a common approach where we have already two single points of failure. The IT operations and the development of the IT systems
02:42
affecting the whole social system at once. So, a very well example is the SolarWinds hack of 2020 where many public agencies, private customers and people were affected because there was a hack in the build processes, in the build environment
03:01
which is the part where the software we can use is created to have finally something usable. We can have a comparable issue in the IT operations. For example, if there is one weak password from one admin which also was the origin of the SolarWinds hack in the IT development environment.
03:20
Another issue here is of course the consolidated fertile IT agencies. Another issue manifest could be the blockchain approach as it is currently used or implemented in Estonia for example where we have many different blockchains to create no single point of failure.
03:43
Of course, affecting one node doesn't make a difference for the remaining but if we have one company that propertarily, without external review develops the technology, the software for all blockchains and if there is one IT agency that does the administration of all we have still the same two points of failure
04:01
and then anticipating these blockchains offering me security can be very dangerous if I then use them to verify everything legislative, judiciary, court systems, police files, healthcare and such which is planned and given the public papers we have, it cannot be excluded that this will be possible. And the absence of full information to everything there
04:22
also makes it hard to determine whether they have considered everything because of the absence of external review. So what you see here is just an illustration, one manifest of an institutional problem because the system, the traditional system is focusing on responsibility and liability. And so it needs one entity that has to take over the responsibility
04:42
and thus this entity also needs to have the means, the full access to possess this responsibility. And so also the public review is something that is still partly seen as a vulnerability on itself and so there remains a focus on security through obscurity
05:01
which consolidates review because external review is also a type of distribution even if I have just one agency for example and the system also anticipates that flaws imply bad work. So good work means we won't have flaws and so everything will be fine and we don't need to consider it. So this can have many manifests
05:21
and if I have multiple agencies that distribute this does not necessarily make a difference if every agency can create full harm. So this is just one example how I can manifest a much deeper institutional problem and we have also to see that security is much more than not getting hacked
05:43
but also offer the services people need. For example currently we have big issues in Germany with the COVID apps that are able to really implement the new regulations in an accessible, suitable amount of time.
06:01
So this approach is generally no integral part of the international society, it's no formal thing. I think that means getting rid of these problems implies getting rid of the international society or a sovereign state. It's an informal thing and it's architectural, yes, it's an architectural flaw but of a subsystem, not of the system as a whole.
06:21
It's an informal problem of the society and the society develops over time. It has integrated passive development where the society adjusts its behavior and its interpretations of the norms and its interpretations of laws when their traditional interpretations are no longer competitive. So this is something that can happen within the system
06:41
and where the society can learn and interact with open source, public drafts, public standardization which leads to distribution and also an ongoing public review. We have already examples like the advanced encryption standard, SHA-3, the security enhanced Linux, where public agencies or publicly strongly influenced agencies
07:03
like the Internet Engineering Task Force or in terms of IAS and SHA-3, the National Institute of Standardization and Technology, strongly interact with open source and possess open source institutions. They have adopted public drafts, public standardization. So we see open source and international society,
07:21
we cannot just say these are two entities, it's the institutions that make up what we are up against and so it's also a blurred thing and you can only see is it open source by institutions and so it's also a blurred thing and there are public agencies and publicly strongly influenced entities
07:41
that are already part of the open source system. And so we have also many implementations already, systems are using open source, supporting it and using publicly reviewed systems, for example Linux, and have also distributed types of operations of review. So once again the graphics is just an illustration,
08:02
multiple possibilities, how I can create distribution but also within an agency, not just among different ones. So the architectural flaw I see in a subsystem is not a general issue and so we can mitigate it by alternative subsystems but it's more than just fighting the bugs and something that means replaceable norms from within.
08:22
How the system tackles its approaches but it's a bigger issue when we come to here. We have in terms of predictable behavior, state one, a customer, he's the customer of a company in state two and this company processes its data in state three but storage is done in state four
08:41
and this leads us indirectly to problems, to bugs, like how to enforce European institutions on Telegram, which is in UAE, a current problem in the European Union but also a very old issue, how to enforce European privacy institutions when data is stored in the United States, which also wants to protect its territorial integrity
09:01
and its own laws. So we can tackle each one of these on its own but finally there is an architectural flaw and it's comparable when we have the GPL, version two, whichever, can be different and interpreted in different states and also within a state that can have different interpretations
09:21
because these are not legal terms and they are so very ambitious and can be interpreted in different ways, my judge, and they are not interpreted in neither state and they are interpreted and derived from the legal constants of the traditional system. They are not prepared for the transnational dynamic socio-technical system
09:41
because this new system has much more dynamics, it's persistently developing and it has not this integrated development of the society, which is passive and so asynchronous developing, if we have a well precedent or a well law on day one, on day two, everything can have changed
10:00
and so the system needs to start again by zero and also in a different case, things can be differently interpreted. So in Germany, I can own something, I can possess something and I can use something but if I use a library, what's the difference to forking code and what's the difference between a static link or a dynamic link of a library?
10:21
So this is heavily probabilistic in terms of a traditional system and so I cannot have security here. And so a question for the lawyers, how stare is the agency of stare diseases, which is representative for what our current system wants to achieve? How stare is it in the socio-technical dynamics of code?
10:42
So only dynamics can balance dynamics and so if I try to seek or to get a static condition on one side, I cannot foresee how it will act when there is a change on the other side so it will be even worse in the situation possibly. So in the current social system,
11:01
we have the interpretation of laws that develops with the society and this gives us a static field, it's a passive process of the society but the code does not develop with these informal dynamics. It's a completely different thing but that's not an issue because the code itself is unbiased, it's maths, it's physics and it has a static dynamics
11:22
because the dynamics can be anticipated how it will develop, we both. We know what we are up against and so this is not an issue. We have the static dynamics of code in this other system that have to be considered as such and that offer us a constant security. And so from the perspective of socio-technical open source system,
11:42
the traditional system, contains inconsistency among interpretations and thus among cases. And so a judge can anticipate, we can anticipate that he knows its law but what is the difference,
12:02
the relation between library and executable for him? He doesn't really know much about it and his law doesn't help him really. So it's very probabilistic again and so we have no reliable consistency or predictable behavior here and thus a lack of security. So if you input data into a system which does not intend it, I have the same thing on a Linux.
12:21
It wouldn't behave different. It's unpredictable behavior. It will be a kernel panic. And so we are talking here about architectural flaws that have to be considered that way and this leads us to the open source system. First in comparison, we have the geographical separations in the dominant sovereign states and we have functional separations in open source.
12:41
So geography is really a secondary thing. It's more about are you a kernel developer? Are you a tester of a distribution? Are you one of the management guys? So it's a functional thing and everything else is secondary and instead of separations of powers which is a type of command economy in itself, we have a distribution of powers which is competition and it captures the dynamics of code,
13:02
the static dynamics of code within this distribution of powers capturing the development. So the interpretation of laws is changing with the society, for example. So it's a balancing itself, balancing thing.
13:21
On the other hand, we have also responsibility and liability focus in a traditional system. We had initially already talked about it and we have an individual focused chain of trust in open source in many cases which is also a very different thing. So the major institutions for open source are forking, redundancy and transparency
13:40
which also link already to Linux law and flow anticipation. So forking means that I can use any code if I disagree with how it develops, how things are done and create something else just by forking using it and create something new and we have a lot of redundancy. So build processes,
14:01
we have many different build processes where the Linux kernel is tested. There is much redundancy in review codes are tested, reviewed and such and this also needs transparency otherwise it doesn't work. And so these are the major institutions where flaws are anticipated and just one problem
14:21
that has to be solved as any other problem. It's nothing where you talk about fault. It's something new in the system because it's actively developing itself not passively. And so we have also within the communities a rough consensus that is driven by merit-based persons. So for example, Linus Torvalds who is more or less deriving the consensus
14:41
of the Linux kernel community. And so this gives a one person a lot of theoretical power where we can have a very efficient development but it's still a very good balanced power because if someone disagrees we have still the possibility of forking through redundancy and transparency and so these people like Linus Torvalds
15:01
are still affected by competition with others. And the constant obviously remains the code. And because of these asynchronous development we have a rolling release model in this technical open source system in the socio-technical open source system. It's no anticipation of a static environment
15:21
because we are doing the development actively and so we are anticipating the development and not seeking something static. Just we are seeking the static behavior of the development of code. We know its dynamics, how they will develop. This already captures the dynamics of the code
15:42
creating competition-based distribution of powers. We have many different communities within with our mouse cases rough consensus driven some in different ways and if you disagree with it you can always create forks which happens from time to time. This does not have to have hostile reasons and forking is usually caused by redundancy and transparency.
16:03
Also in terms of standardization not just in new protocols and such it's not just software development. So is this security critical? The majority of websites are Linux driven given the fact that just 0.3% are not Linux.
16:21
Of those we know you can anticipate that a majority of the unknown sites are also Linux and when it comes to companies who spend money to get security that they can rely on their operating systems 34% rely on Red Hat Linux just one of many different Linux distributions so the Linux market share in general will be much more
16:40
and Cisco and Juniper themselves have 44% in the market of the service providers so the providers of the internet that run the infrastructure where all the traffic of the internet is passed through and their current, their new systems are all based on Linux and there are many more providers
17:01
that are maybe also using Linux but where I couldn't get reliable information and also 70% of the phones people use are Linux driven by a modified kernel and so this is also not just about HEX but about services it's for me today an important part of security to be reachable, to have access to Signal, to be able to buy something on Amazon
17:21
to rely that my system is able to manage the output of the Amazon website so this is all belonging to security as of today and despite opportunities when I can get malware into the Linux kernel there is no exploitation until today so there is a reason for that which does also include a chain of trust of course
17:43
which is also a related institution and despite its dominance the Linux community still does not behave like a dominant market player and this is something we have to consider it has stable competition within and around and there is much more protocol, standardization and software we are using and also libraries and things like WebKit
18:02
are also part of proprietary system for example Safari uses WebKit in its Corus engine and much software and proprietary uses open source libraries so we cannot really foresee how much this is and because of the development which is active unlike the social system where society develops passive
18:21
the development and maintenance have to be considered on themselves in the development in security aspects because it's done actively so this is also something the traditional system is not prepared for this is how it looks we have the development life of the Linux kernel where the open source system is more or less on itself
18:41
next to anarchy doing the work on itself but in most cases of course it's still subordinated to the international society in some cases it even gives security to its communities by managing unseatable precedents or laws of the system so what does technology do in such cases?
19:04
it creates obstruction layers we have running systems we cannot simply replace Windows, Linux, whatever we can create an obstruction layer on top that gives us the possibility to have an application that can be run on everything comparable we have it with Ceph where we needed simplification where it was no longer possible
19:21
that one file system could seat any need we have especially in terms of distribution and so everything out we had an output was too complicated and so we now just use the systems we already have which we are used to that are running everywhere we cannot get replace everywhere just within an hour or so and so we can still use them for what we are doing traditionally
19:43
and just we added another obstruction layer like in another application to add the distribution so obstruction layers can make a big difference and they can also help us to give the judge something the system is intended for but we have to consider the institutions that are important for us not just in this case at another CURD
20:00
as we know it so the big issue here is the convention of New York 5859 this does not introduce international arbitration but just gives an international foundation to enforce arbitration awards more or less globally and so the relevant implementation of the arbitration law
20:23
is always the national one so the law of the arbitration body and it's irrelevant where the parties are placed so we have also much security here and an award can be enforced globally by the state system itself but to give the judge something he knows he's intended for
20:41
he has just to verify the compliance of the arbitration case to the arbitration agreement and of the arbitration agreement to its national law in the case of an arbitration body always the national implementation of the law so this is something he's intended for and we can use it more or less globally because you see in blue the majority of states of the world
21:02
are member states of this convention to enforce an arbitration award two examples you can get into also to have some illustration of what this is all about and so what can we do with the system here what can it be enhanced and how to add this obstruction layer this is what we will have
21:20
an international arbitration obstruction layer for the open source system for create security for both sides and it will be also complementary for the international society because through the international arbitration we help the international society through open source system to also fill the remaining gap with this arbitration concept it is used to, it knows how to handle it
21:42
and so it's a symbiosis more or less we're talking about and in terms of Swiss arbitration just one example we can have also many other states that have suitable laws like UK or such it has two laws but we are free to choose which one we want to apply and so only the highest curd of Switzerland
22:03
this one curd treats cases against arbitration issues other curds are not allowed to do so so we have much specialization experience and knowledge which gives us security and also the public and politics in Switzerland tend to facilitate such implementations socio-technical things in Zug you can already pay public agencies with crypto currencies
22:23
we have the Facebook driven Diem associations or the regulated Libra currency and we have just passed a new law to further facilitate international arbitration and just a little additional incentive partly related to here
22:41
can such a regulated crypto currency which is also possible in Switzerland be complementary because it can give us the possibility for a global stable type of transnational currency which is backed by a stable transnational legal framework which gives us the possibility for linking the source and its exchange which is today of course in most cases a service thing
23:01
which can also drive development because a legal stable framework and a currency and a stable one is also a big issue that can give us access to even more contributors worldwide and some incentives for this arbitration thing what could prove competitive what we have to maybe consider
23:21
instead of just adding a new curd it has to be tailored of course for the rolling needs of this new system which also differs strongly because it is based on community and not on deterrence because you can anticipate in this system that people who are engaging in the socio-technical open source system
23:42
have a very high human development and so it's more competitive to anticipate community rather than crime because the system and its dynamics its efficiency, the flexibility already we know that it automatically gets rid of behaviour that is not competitive for the system
24:01
so it's already very efficient and so here it makes sense to go more towards collaboration because it's just problems we are up against that have to be solved to create security for the future and not punishment which is done by the system already and also by the criminal law
24:21
which is also something that is not part of the arbitration but where the arbitration can also which can be complemented by it another issue that is already widespread in open source self-certification for example for code coverage or for implementing best practices
24:40
you can have rules that just have a shawl which means you don't must but where the self-certification means a company says hey we are implementing this we are making the shawl to a must and so an arbitration would also treat this entity that way when it comes to arbitration and so it's also something that gives us security, flexibility
25:01
for future and so constructs like the Linux kernel development or the ITF are maybe more suitable indication than traditional currents here and we have also to consider the back parts so if we make a global rule we have also to think of what will be the differences in local implementations
25:21
so how does local systems behave to it, how to make local entities aware of what are the differences for you with this new rule so this is something important that has to be considered on itself in terms of intentional property we already know it becomes more and more services rather than products because
25:43
it's hard to implement such a system so it makes sense in such an arbitration to simply assume everything is open and the intentional property protection is not our business but has to be done separately in another traditional current it's important to keep the system transparent, redundant and also forkable
26:02
by statutes and this links also to the question has a lawsuit to be in advance or can it be done just like the development in the system where we have debates for example among arbitrators how they will treat a case if it will happen based upon the rules done possibly by maintainers or so
26:21
because the bureaucracy we want to avoid in a normal system is here not necessary this avoidance because the system already competes towards efficiency in the realms of code anyway we know this so here we can also create or add further security if we keep for sure that there is a distribution given the forkability
26:42
and such and implement the standards the system the open source system and its distribution of powers is used to and of course we have to carefully identify stakeholders maintainers of the rules, arbitrators the users, developers and whatever and of course the question remains how much of this can be really implemented
27:01
in a real arbitration law which also has rules and so what I'm talking here about my incentives are really just implicitly legal and nothing explicit and so a lawyer can come to the conclusion that maybe much is not possible and of course we have to consider that and the transition of the existing licenses is
27:21
also a bit problematic which has to be considered on itself and so always consider architectural flaws and bugs are different things and have to be considered respectively and so now I'm looking forward to your questions and given the very short Q&A period we have now feel free to do some background investigation and add further
27:41
questions on the GitHub site I have set up for this or other comments so looking forward to your comments