Amanda Brock, OpenUK CEO, is back in the sauna with Marc and Darren discussing the impact of AI-generated code on open source software. Licensing, ownership, regulations, challenges with Generative AI, security in private sectors, job displacement worries—it's all in this episode! Join in the conversation at The DEVOPS Conference in Copenhagen and Stockholm and experience a fantastic group of speakers.
Speakers
Darren Richardson
Cloud Security Architect
Darren helps organizations build security into modern software delivery without slowing innovation. As a Cloud Security Architect, he combines deep expertise in cybersecurity, DevSecOps, and IoT with a talent for making complex technical concepts accessible. He helps customers understand security risks, adopt practical approaches, and build more resilient software delivery practices.
Transcript
Amanda (00:06): Who owns it? Is it the creator of the AI or the framer of the question? And is liability going to be the same? So if you own the copyright, are you liable? Marc (00:21): Welcome to DevOps Sauna Season 4, the podcast where technology meets culture and security is the bridge that connects them. This is the DevOps Conference Global post-game podcast. I'm back here with my dear colleague, Darren Richardson. Hi, Darren. Are you recovered from the conference? Darren (00:48): Afternoon, Marc. Yeah, I'm starting to get there. It's always a bit of a long recovery time. Marc (00:53): It's so great that there's so much work that we put into getting into one of these conferences, getting everything ready, getting our fantastic guests ready for the stage. And then when it's actually happening, it's like, oh my gosh, you just have to hold on and enjoy it while it lasts. And the next thing you know, we're post-game. So one of my favorite keynotes from the conference was a regular guest on the DevOps Sauna podcast. I have here Amanda Brock, the CEO of OpenUK. Hello, Amanda. Amanda (01:24): Hello both. Great to be with you again. Marc (01:27): We always enjoy talking with you and you gave a fantastic keynote at the conference and it had a little bit of an interesting title. So will opening AI destroy open source software? Would you like to give us a little bit of an angle on what you talked about and what you're up to? Amanda (01:46): Absolutely. I think there's sort of two or three main themes that ran through it. And the first was looking at the impact that using AI to create code has on open source. And we've seen a great deal of discussion around the licensing and whether licenses carry through and who owns copyright. And there's a piece there that definitely will come from our regulators, our governments, our lawmakers. And then there was a second piece that was more focused on the issue of being a maintainer and receiving code, which is contributed that has been created by AI and how we're going to manage that on already overburdened maintainers. And then I think the third theme, which is probably the biggest one, is that suddenly everybody wants to talk about the words open source. They don't always add software to the end of it, but in the context of AI and what that means and lots of people want to be relevant in that conversation, at least in the experience I've had over the last year, which means that there are many actions going on and many conversations going on around the merits or problems of AI openness. And it will be very interesting for us all to see where that goes in the next period of time, and that period of time is days, weeks, months, and probably a year or maybe slightly more, but it's certainly not years where we see the impact of it. Marc (03:08): Things are moving so fast and open source has been around for quite a while. And I'm so happy that you reminded our audience that what open source really means. Would you like to elegantly put that as you usually do? Amanda (03:22): Elegantly. Let's see if I can be elegant. So open source is a lot of different things depending on who you are and how you've come to it. But at its heart, there is the legal and licensing requirement, which is that the software is not only made open, but it's distributed on a license which complies with the open source definition. And I'm sure you all know that the open source definition is in the custodianship of the open source initiative. And the easiest way to make sure that it complies is to check whether or not the OSI has approved the license. And if they've approved it, then you have the rubber stamp that it complies with the open source definition. And there are, I think off the top of my head, around 80 of those licenses, but half a dozen that we see constantly used. And that's the basic definition of open source software. The reality is if you just stick code on GitHub with an OSI approved license, you are not really creating open source. You're not really getting the value out of it. And the value comes from the ecosystem and that's the contributors, the collaboration, making sure that you've got code that's in good shape, that's documented, et cetera. So it's a much bigger thing than just that legal definition. Marc (04:33): All right. Darren (04:33): And there's actually something kind of interesting here to me because you talked on the stage about how people are starting to maybe try to use the word open out of context with open source to try and generate this sort of, do you think they're trying to generate kind of a fake feeling of open source of openness and transparency? Amanda (04:53): Yeah. And I think there's different, there's a few different things happening there. I think there are people who are being disingenuous and I think there are people who do not know what they mean. And I think there's a good mixture of the two. And unfortunately the term open source has become used in all sorts of different ways. So when we talk about open source software, we mean what I've just defined. And for OpenUK, we've tried to look at the broad range of opens and called it OpenTech. Now it could be just the opens, you know, you could call it whatever you want to call it. But increasingly we see people talking about open source, meaning that whole space and that causes huge confusion. And then we see people who don't really know what either means. So they're actually implying it's open source software, it has all the value of open source software. Yeah, it doesn't. And there are these sort of shades developing or have developed over the last few years, not just in the AI context, we've seen a lot around cloud and we've seen open source companies, you know, we've seen Elastic, we've seen HashiCorp, Redis last week moving away from proper open source licensing to something similar. So it's not just an AI issue. And the easiest thing in the world is to say, Amanda, stop worrying about the definitions. Amanda, this doesn't really matter, but it does. And the reason it does is that at its heart, open source software allows an unrestricted free flow. So within the 10 points of the definition at five and six, it means anyone can use it for any purpose. Now that enables everyone to rely that they don't have to go and check out that they're not on a list of excluded people or categories or using it for something they shouldn't. And that's at the heart of the free flow of open source software and its success. And what we see is restrictions that are often around commercialization. Sometimes they're ethical, you know, sometimes people feel they have a really good moral reason for it, but whatever the justification, any restriction like that stops the software being open source. So if we look at AI, last year we saw Meta take quite a brave step and open up Llama 2. And they did it on something called the Llama Community License. And that has an acceptable use policy and it has a commercial restriction at 7 million users. Now that's important because that's different from an open source license. And actually OpenUK, I think we were the only open organization to support that launch. And it's not a decision, as you probably heard me say, that I made on my own. My whole board agreed that we should support it and we supported it because we felt that as an organization supporting all the opens, it was a positive step in the right direction. I think a week, two weeks ago, we saw Elon Musk open up Grok on an Apache 2 OSI approved proper open source license without those restrictions. And it's a step further. But if Musk wanted to make a point without having had that happen with Llama, I'm not sure that he would have gone as far as he did. So I do think that it has been steps in the right direction to get to that point where we see Grok and also Falcon in the Middle East opened up properly on OSI approved licenses. Darren (08:07): So you feel like without the initial drop from Meta, they would have been less willing to kind of open up so fully. Amanda (08:17): Yeah. It's boundaries, right? And when you push a boundary, you can't really go back from it. And I feel like they pushed the first boundary that sort of, if Elon then wanted to push a boundary, he had to go the full hog. There was no middle ground where you could be disingenuous or confused or whatever you want to call it. And with Meta, just to be clear that in the run up to launch, and if you look at their website, on the Llama 2 website, which has the OpenUK logo on there, it's very clear that the partners have all signed up to support open innovation. It was never described as open source. And it was only, I think, Mark Zuckerberg's Facebook post to launch it. And then, you know, communication since then with him and Yann LeCun, the product director, I can't remember his exact title, but, you know, they talk about it being open source, which is different. And again, I don't know whether that was actually intentional or whether it's just that this is the word or the phrase the market expects to hear is open source. They won't know what I mean if I say open innovation. I think it really comes back to matter when we start to look at how we regulate. Marc (09:21): Well, words matter. And I think that has to have been intentional. How could it not have been intentional? Amanda (09:26): Yeah, I'm not going to say because I honestly don't know. I think sometimes you'd be surprised by people's lack of understanding of things, but I'm not making excuses for it. You know, the community was very annoyed and felt it was open washing. It wasn't on the terms of what had been carefully crafted prior to launch, you know, that I can confirm. Darren (09:46): Yeah, I think you actually bring up this thing about definitions, which is useful because we have this. I was actually talking with another person, a lawyer in tech the other day who was saying how it's quite difficult to engage the extremely technical nerds in things like definitions and things like the defining of these acts and actually pushing them forward. So I do think there's some requirement for the strong definitions there. And it all comes back to this idea of trying to use the word open to try and cover things that it's perhaps not. But do you know, I guess you feel somewhat vindicated in your choice of backing Meta. Amanda (10:24): Yeah, no, totally. I've always felt it was the right thing to do. Even when we were being given a hard time about it, I've always felt that going in that direction was a major step forward. Because you'd seen Llama 1 last March. It was released for research only, I think it was in February. And then by March, it had been leaked. Now, Zuckerberg was dragged across the coals by various governments about how that could happen. No idea how it happened. But what you saw between that sort of March leak and May was advances in AI technology that hadn't been matched by the corporates doing this alone. And it really showed the value of an open collaborative community around innovation. But it also, for me, shows, I suppose that we need to learn from history, right? You know, I'm aged, I have been around tech since the mid-late 90s when I worked in the internet stuff and dotcom boom. And there are lots of things if we had a crystal ball and understood how that was going to play out, we wouldn't have wanted to happen or allowed to happen. We have the benefit now of history and hindsight. And I think it's super important to not have the eight or so companies who've got the money, the staffing and the compute power to do this innovation, to become guarded by a moat effectively. You know, that Google leaked memo, we have no moat, meaning that the IP wouldn't protect them enough and enable enough revenue to match the innovation. Now, we've got to understand that there's a cost to that innovation and that they've invested it and they're going to have to make some money somewhere along the way. And business models and openness, we all know it's tough, it's the Holy Grail fixing that. But the fact that you have so much more innovation and that you need to democratize this next technology that's going to be such a big part of our future really has to be high up the agenda. You know, we have to understand that none of us want that to end up in a few companies or a few individuals' hands and that we do need to democratize it. Now, that comes with a different set of risks. And I'm always banging on about the fact the UK is too risk averse and that risk shouldn't be a bad thing so long as it's managed and that we just need to understand what the components are and make an assessment based on our risk tolerance of what is acceptable. And I think that with AI has to be done on a progressive basis. We understand the AI of today, we might have an idea of where it's going in the next month, six weeks. We don't know where it's going to be in a year. We genuinely don't. So, we need to sort of plan so that we have some mitigation around extreme risk. None of us want Hull taking over the environment that we live in and making our decisions. On the other hand, that's a long way off in real terms. And what we need to do is be looking at the actuality and hard fact and technical understanding. And I'm interested there in what you're saying about the real nerds not wanting to be part of the discussion. There needs to be sort of stepping stones around that, I think, with people who can engage that community and be translators, which is kind of what I view myself as. But then they need to represent the breadth of that community. And one of the problems that we're seeing, not just in AI, but with things like the Cyber Resilience Act, is a lack of representation of SMEs, of developers, folk who really understand A, policy, and B, the issues, who can be a sensible voice into government lawmakers, regulators on what's going on and represent that community. Because most of the people with the skills and the understanding are working in big companies or the foundations, I guess. They have some of them. But what they represent is primarily their own interests. Marc (14:10): Are SMEs, do they even have a chance to maintain certification, or compliance is the right word, to be able to maintain compliance and competitiveness in the landscape that we have ahead of us? Amanda (14:23): I'm really concerned that they won't. And I'm really concerned they won't because of things like the Cyber Resilience Act. In a way, sitting here in the UK, I see it as a moment of opportunity where Europe has always been considered to be a leader from a regulation perspective. And I'm not sure that what the commission is producing, unless there's something I don't understand, which there could well be, is driving forward that reputation and even the ability to build that digital future that they want. I think they're accidentally closing things down. And I think they're closing down innovation. So if you're an individual who wants to create something or build a small business or build a big business, but you have stepping stones or just want to build something and then naturally wants to be able to earn enough of what they've built to eat and do the normal things in life, the fact that you want to earn around your software, that commercialization, whether it's a royalty in a proprietary context or selling services or subscriptions or whatever it is as an open source business, that's going to get you captured by European regulation. And that regulation is going to be really hard to comply with. And I think that the phrase that the governments use is regulatory capture, where they capture the market through regulation because it's too hard for small businesses or individuals to comply with. And it looks like that's where Europe's going at a pace. Darren (15:54): Yeah, I would agree with that, especially with the dawn of the AI Act that they just put into place, which I mean, we look at AI and a lot of us will just equate it with OpenAI and ChatGPT. But most of the AI tools out there are run by smaller and medium sized companies who now they have to deal with this EU AI Act may end up just being crushed under the weight of the new compliance required. Because if you're running a team of 20 people, you can't afford three of them working full time on compliance with a standard. So despite the EU being quite aggressively anti-monopoly, I feel like they are creating conditions for a market monopoly in AI because of this act. And similarly, that they might be running into the same thing with something I think we could discuss more at this point, which is the Cyber Resilience Act. Amanda (16:45): Yeah, I sort of share your sentiments on this. I think they've tried very hard to accommodate open source within what they're doing, but they've driven it at an aggressive pace without full understanding for some reason. And there's a sort of shift going on. And that shift seems to be on the way software is categorized legally, and that they're recategorizing it as a product or a good. So like a tangible thing where it's always legally been categorized as a service. And what that means is this sort of certification type model where you put something on the market and it has to be compliant with your kind of regulation seems to be coming through. And the way that they're dealing with the implementation of the legislation is through standards. And the standards for the Cyber Resilience Act, we're expecting 44 standards. Now, the open source communities will not have a voice in that process. And the pushback to what I've just said is that you can go along as a member of the open source community to a standards meeting as an observer. And what that means is you don't have a vote. You can ask questions, I believe, but you've got to get yourself there. These meetings are frequent, they're meetings that you have to travel to in person really to have any impact. And you would have to be a member of the standards process and body to be able to have a vote. And even if we got one or two organizations representing open source along, you are still looking at a handful at most of organizations versus all the enterprise players in the room. And to me, it's regulation by the back door where big companies with the resources to sit in those standards meetings are going to be able to heavily influence it in their favor. They may also be able to influence it in terms of their patent supplying, but it's not going to be good for small companies. It's not going to be good for individual innovators. And ultimately, I think it's bad for the whole tech ecosystem, including the big tech companies. Because if you think about most of their innovation or a lot of their innovation comes from acquisition. And if you're not able to grow small businesses to a point for fear of being captured by regulation, then you will not have as much. You may still have some, but you won't have as much innovation. And I think it's bad for Europe because if I'm sitting here in the UK and our regulation is much more liberal and the UK government keeps saying again and again, they want to be pro innovation, which is why they're moving slowly on regulation, then you would do something here. And when you release it on GitHub, it's available in theory anywhere in the world. Well, I would just be blocking it going into Europe so that I could continue to innovate. And potentially that is very bad for the European Union. So the most practical, simple solution to me is just 404 error message comes up when you try and download it the same way as when you deal with export control. If you're not allowed to download it in a country, that's how you manage it. So it's quite worrying. And honestly, I cannot believe that it's what they're trying to achieve. Marc (19:52): You talked a lot about the standards meetings and standards bodies. And I understand some of this from my past, but what can the average community member do? Amanda (20:02): I really don't know. Marc (20:04): There's a lot of us out there.
- DevOps
- Sauna Sessions
- AI
Related podcasts
