EPISODE · Dec 30, 2025 · 37 MIN
How to keep Open Source open without leaving our communities open to threats (39c3)
from Chaos Computer Club - recent events feed (high quality) · host Quintessence
The Four Freedoms (defined ~40 years ago) and the Four Opens (~15 years ago) for Open Source provided canonical definitions for what are the cornerstones of Open Source Software communities today. While the ethos still applies today, the cultural norms that blossomed to put it into practice are from an era with different challenges. To build a better world, we need to both keep and protect the value system of the Four Freedoms and Four Opens. To do that, we need to re-assess our risk and threat models to balance that allows beautiful minds to flourish as well as introduce responsible friction to prevent harm from coming to them. The state of the internet, c 1990: * Limited, opt-in connectivity: people had to both have access to a computer and that computer had to have access to the internet. * Tooling required some in-industry knowledge to be able to run and use, not only for development but also for communication. * Open source was a young movement. The "common source" was proprietary. The state of the internet, c 2025: * Always online, might-not-even-be-to-opt-out connectivity: devices are almost always collecting and transmitting data, including audio/visual, in some cases even if "turned off". * Easy to use tooling has made it easier for everyone to come together. The pervasiveness of technology also means that most people, of any background, can easily access other people in the thousands or even millions. * Open source is common, accessible, and matured. A $9 **_trillion_** resource. Yes, **_trillion_**. These three significant changes drastically change the threat model for OSS communities. In the beginning, someone had to have both knowledge and resources to harm or otherwise compromise a community of developers. Now, anyone with a grudge can make a bot army with seamless integrations and gracious freemium tiers for AI/LLMs. Likewise, when open source was small, the "who" who would be motivated to harm and otherwise disrupt those communities was limited. Now there is both massive social and economic benefit to harm and disrupt. This means that risks and threats now still include the motivated and resourced **_with the addition of_** those who are scarce in both. We need to come together to build new organizational threat models that account for how this consequence has posed new risks to our communities. With care and attention to detail, we can introduce responsible friction that will protect our communication infrastructure, the lifeblood of what allows open source to grow. There will also be a workshop with this presentation, with the outcome of creating an ongoing working group dedicated to helping OSS Foundations of all sizes protect their communities. There will be a workshop about the same topic on 12.30, Day 4: [https://events.ccc.de/congress/2025/hub/de/event/detail/how-to-keep-open-source-open-without-leaving-our-c](https://events.ccc.de/congress/2025/hub/de/event/detail/how-to-keep-open-source-open-without-leaving-our-c) Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/how-to-keep-open-source-open-without-leaving-our-communities-open-to-threats
What this episode covers
The Four Freedoms (defined ~40 years ago) and the Four Opens (~15 years ago) for Open Source provided canonical definitions for what are the cornerstones of Open Source Software communities today. While the ethos still applies today, the cultural norms that blossomed to put it into practice are from an era with different challenges. To build a better world, we need to both keep and protect the value system of the Four Freedoms and Four Opens. To do that, we need to re-assess our risk and threat models to balance that allows beautiful minds to flourish as well as introduce responsible friction to prevent harm from coming to them. The state of the internet, c 1990: * Limited, opt-in connectivity: people had to both have access to a computer and that computer had to have access to the internet. * Tooling required some in-industry knowledge to be able to run and use, not only for development but also for communication. * Open source was a young movement. The "common source" was proprietary. The state of the internet, c 2025: * Always online, might-not-even-be-to-opt-out connectivity: devices are almost always collecting and transmitting data, including audio/visual, in some cases even if "turned off". * Easy to use tooling has made it easier for everyone to come together. The pervasiveness of technology also means that most people, of any background, can easily access other people in the thousands or even millions. * Open source is common, accessible, and matured. A $9 **_trillion_** resource. Yes, **_trillion_**. These three significant changes drastically change the threat model for OSS communities. In the beginning, someone had to have both knowledge and resources to harm or otherwise compromise a community of developers. Now, anyone with a grudge can make a bot army with seamless integrations and gracious freemium tiers for AI/LLMs. Likewise, when open source was small, the "who" who would be motivated to harm and otherwise disrupt those communities was limited. Now there is both massive social and economic benefit to harm and disrupt. This means that risks and threats now still include the motivated and resourced **_with the addition of_** those who are scarce in both. We need to come together to build new organizational threat models that account for how this consequence has posed new risks to our communities. With care and attention to detail, we can introduce responsible friction that will protect our communication infrastructure, the lifeblood of what allows open source to grow. There will also be a workshop with this presentation, with the outcome of creating an ongoing working group dedicated to helping OSS Foundations of all sizes protect their communities. There will be a workshop about the same topic on 12.30, Day 4: [https://events.ccc.de/congress/2025/hub/de/event/detail/how-to-keep-open-source-open-without-leaving-our-c](https://events.ccc.de/congress/2025/hub/de/event/detail/how-to-keep-open-source-open-without-leaving-our-c) Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/how-to-keep-open-source-open-without-leaving-our-communities-open-to-threats
NOW PLAYING
How to keep Open Source open without leaving our communities open to threats (39c3)
No transcript for this episode yet
Similar Episodes
No similar episodes found.