In the rapidly evolving world of open source software, staying ahead of regulatory requirements is becoming increasingly critical. The Eclipse Foundation, one of the largest open source foundations globally, is taking proactive steps to address these challenges with the launch of its Open Regulatory Compliance Working Group. At the helm of this initiative is Mike Milinkovich, Executive Director of the Eclipse Foundation.
In this exclusive VMblog Q&A, Milinkovich dives into the mission of the new working group, its initial focus on the European Cyber Resilience Act, and how it aims to bridge the gap between regulatory bodies and the open source community. With major tech players and open source organizations already on board, the Eclipse Foundation is positioned to play a key role in shaping the future of open source compliance.
VMblog: Before we jump into the news, give us a bit of background on the Eclipse Foundation.
Mike Milinkovich: The Eclipse Foundation is a Brussels-based open source software foundation and one of the largest open source foundations in the world. While we're perhaps best known for the Eclipse IDE, used by millions of developers, for Jakarta EE, the open source successor to Java EE, or Adoptium, one of the most widely used OpenJDK Java distributions, our scope extends far beyond that. We currently host over 420 open source projects across diverse technology domains, including runtimes, tools, specifications, and frameworks for cloud and edge applications, AI, automotive, IoT, systems engineering, open processor designs, and many others.
VMblog: What exactly did you all announce?
Milinkovich: We're formally launching the Open Regulatory Compliance Working Group, a new initiative hosted at the Eclipse Foundation. Its mission is to help open source participants navigate and comply with governmental regulations, ensuring the continued use and advancement of open source throughout the software supply chain.
The Open Regulatory Compliance Working Group bridges a critical gap between regulatory authorities and the open source ecosystem. By collaborating with relevant authorities and standards organizations, the working group aims to formalize industry best practices so they can be properly referenced in legislation and support the authorities in understanding the nuances of the open source ecosystem. This ensures that all open source participants can meet regulatory requirements across jurisdictions and improve software quality and security.
While the working group is focused on general open source compliance, its immediate priority is the European Cyber Resilience Act (CRA), which is rapidly approaching implementation.
VMblog: Which organizations are participating in this working group?
Milinkovich: We're thrilled to have a diverse and influential set of participants, including major global tech leaders like Bosch, Mercedes-Benz, Nokia, and Siemens, alongside smaller companies like Lunatech, Obeo, and Payara Services. Additionally, we have the support of numerous open source foundations, including the Apache Software Foundation, Blender Foundation, CodeDay, The Document Foundation, FreeBSD Foundation, iJUG, Matrix.org Foundation, NLnet Labs, Open Elements, OpenForum Europe, OpenInfra Foundation, Open Source Initiative (OSI), Open Source Robotics Foundation (OSRF), OWASP, The PHP Foundation, Python Software Foundation, Rust Foundation, SCANOSS, and Software Heritage. We anticipate more organizations will join as the working group expands its focus.
VMblog: Why focus on the Cyber Resilience Act first?
Milinkovich: Primarily because of the urgent need to get organizations the tools and processes they need as soon as possible. The CRA will come into force very soon, followed by a three-year transition period for ironing out implementation details. The European Commission's agenda for standardization is particularly tight. A draft request for harmonized standards was issued on April 17, with the goal of making them available a year in advance, giving the industry time to prepare. This gives us limited time to ensure the specific needs of the open source community are well understood and properly addressed.
VMblog: What other tech policy areas does this group plan on addressing?
Milinkovich: If there is a government regulation that impacts the open source community, we're willing to tackle it. As your readers likely know, many potential regulations are being considered globally, particularly in the EU. We'll be focusing on important areas like AI, data sovereignty, and the software supply chain. Just as importantly, all organizations are welcome to participate. You can learn more about joining the Open Regulatory Compliance Working Group on the group's participation page here: https://orcwg.org/participate/.
Mike Milinkovich has been involved in the software industry for over thirty years, doing everything from software engineering to product management to IP licensing. He has been the Executive Director of the Eclipse Foundation since 2004. In that role he is responsible for supporting both the Eclipse open-source community and its commercial ecosystem. Prior to joining Eclipse, Mike was a vice president in Oracle's development group. Other stops along the way include WebGain, The Object People, IBM, Object Technology International (OTI), and Nortel.