<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Max Mehl (Presentation)</title>
    <link>https://mehl.mx/categories/presentation/</link>
    <description>Recent content in Presentation on Max Mehl</description>
    <generator>Hugo</generator>
    <language>en-GB</language>
    <lastBuildDate>Tue, 17 Mar 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://mehl.mx/categories/presentation/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Getting Real with the Supply Chain: From SBOM Data to Action</title>
      <link>https://mehl.mx/blog/2026/getting-real-with-the-supply-chain-from-sbom-data-to-action/</link>
      <pubDate>Tue, 17 Mar 2026 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2026/getting-real-with-the-supply-chain-from-sbom-data-to-action/</guid>
      <description>&lt;p&gt;At DB, we handle 100,000+ SBOMs per day. For our small, virtual Open Source Program Office (OSPO), the challenge is not to get lost in the data, but to cut through the jungle and identify real risks. Together with my OSPO colleague Cornelius Schumacher, I presented this challenge at the FOSS Backstage conference in Berlin. We explained how we gather data, generate insights, and take action.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At DB, we handle 100,000+ SBOMs per day. For our small, virtual Open Source Program Office (OSPO), the challenge is not to get lost in the data, but to cut through the jungle and identify real risks. Together with my OSPO colleague Cornelius Schumacher, I presented this challenge at the FOSS Backstage conference in Berlin. We explained how we gather data, generate insights, and take action.&lt;/p&gt;&#xA;&lt;p&gt;This talk was partly inspired by my earlier FOSDEM talks (&lt;a href=&#34;https://mehl.mx/blog/2026/software-supply-chain-strategy-at-deutsche-bahn/&#34;&gt;here&lt;/a&gt; and &lt;a href=&#34;https://mehl.mx/blog/2026/deutsche-bahns-approach-to-large-scale-sbom-collection-and-use/&#34;&gt;there&lt;/a&gt;), where I focused on DB&amp;rsquo;s SBOM program and its tools. In this presentation, however, we highlighted what can be learned from it for professional Open Source management.&lt;/p&gt;&#xA;&lt;p&gt;One topic stood out throughout the presentation: the need for an OSPO to balance between people, value, and risk. None of these should dominate, even though governance functions often tend to focus on risk. Instead, Cornelius and I advocated for a risk-based approach to managing Open Source.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Deutsche Bahn&#39;s Approach to Large-Scale SBOM Collection and Use</title>
      <link>https://mehl.mx/blog/2026/deutsche-bahns-approach-to-large-scale-sbom-collection-and-use/</link>
      <pubDate>Sun, 01 Feb 2026 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2026/deutsche-bahns-approach-to-large-scale-sbom-collection-and-use/</guid>
      <description>&lt;p&gt;At FOSDEM 2026, I presented Deutsche Bahn&amp;rsquo;s journey from operational need to concrete implementation of large-scale SBOM collection and use. The scale is staggering: approximately 500,000 SBOMs across our software supply chain expected, covering 7,000+ IT applications, 100,000+ Open Source components, and diverse sourcing streams from software we build ourselves to what we buy and operate. The talk focused on how we moved from understanding that “we need to know, in real-time, which exact component is used where and how” to actually making this happen in an organization with 220,000+ employees and hundreds of subsidiaries.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At FOSDEM 2026, I presented Deutsche Bahn&amp;rsquo;s journey from operational need to concrete implementation of large-scale SBOM collection and use. The scale is staggering: approximately 500,000 SBOMs across our software supply chain expected, covering 7,000+ IT applications, 100,000+ Open Source components, and diverse sourcing streams from software we build ourselves to what we buy and operate. The talk focused on how we moved from understanding that “we need to know, in real-time, which exact component is used where and how” to actually making this happen in an organization with 220,000+ employees and hundreds of subsidiaries.&lt;/p&gt;&#xA;&lt;p&gt;I explained our approach to treating SBOMs as shared infrastructure rather than a goal in itself. SBOMs support multiple use cases: Open Source license compliance, security vulnerability checking, understanding component distribution, assessing quality, satisfying governance requirements, and supporting strategic decisions about ecosystem engagement. We heavily rely on FOSS tools enriched with our own logic to fit DB&amp;rsquo;s enterprise architecture. A key insight was the integration of VEX (Vulnerability Exploitability eXchange) with SBOMs – allowing us to track vulnerability status throughout processes and enabling manufacturers to communicate their assessments to us directly.&lt;/p&gt;&#xA;&lt;p&gt;The presentation detailed our SBOM strategy and architecture built from scratch: starting with a small interdisciplinary volunteer group, iterating quickly with continuous feedback, focusing on existing organizational needs rather than abstract best practices, and documenting everything publicly. Our technical principles emphasized modularity, open standards, central SBOM storage with decentral sourcing and analysis. The SBOM Blueprint serves as our guiding star, implemented through prioritized increments. 
We started by focusing on Source/Build SBOMs for in-house developed software, creating low-threshold drop-in solutions for CI pipelines. But as I emphasized throughout: tools and clever ideas aren&amp;rsquo;t enough – we need people to integrate them, continuous quality monitoring, cooperation from related service operators, and support from governance stakeholders.&lt;/p&gt;&#xA;&lt;p&gt;This presentation was a follow-up to my talk the day before on &lt;a href=&#34;https://mehl.mx/blog/2026/software-supply-chain-strategy-at-deutsche-bahn/&#34;&gt;Deutsche Bahn&amp;rsquo;s overall software supply chain strategy in the context of the EU Cyber Resilience Act (CRA)&lt;/a&gt; – while that talk focused on the strategic rationale and high-level approach, this one dove into the technical architecture and practical lessons learned from our initial implementation. Together, they provided a comprehensive overview of how Deutsche Bahn is approaching software supply chain strategy in the context of CRA and beyond.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Software Supply Chain Strategy at Deutsche Bahn</title>
      <link>https://mehl.mx/blog/2026/software-supply-chain-strategy-at-deutsche-bahn/</link>
      <pubDate>Sat, 31 Jan 2026 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2026/software-supply-chain-strategy-at-deutsche-bahn/</guid>
      <description>&lt;p&gt;At FOSDEM 2026, I presented Deutsche Bahn&amp;rsquo;s software supply chain strategy in the context of the EU Cyber Resilience Act (CRA), but made clear from the start that CRA was the context, not the trigger. We didn&amp;rsquo;t adopt SBOMs because of regulation – regulation validated the direction we were already taking based on operational needs. The presentation positioned our work at the intersection of CRA compliance requirements, IT operation best practices, and the practical realities of running IT infrastructure for an organization with 220,000+ employees, 7,000+ IT applications, and 100,000+ Open Source components.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At FOSDEM 2026, I presented Deutsche Bahn&amp;rsquo;s software supply chain strategy in the context of the EU Cyber Resilience Act (CRA), but made clear from the start that CRA was the context, not the trigger. We didn&amp;rsquo;t adopt SBOMs because of regulation – regulation validated the direction we were already taking based on operational needs. The presentation positioned our work at the intersection of CRA compliance requirements, IT operation best practices, and the practical realities of running IT infrastructure for an organization with 220,000+ employees, 7,000+ IT applications, and 100,000+ Open Source components.&lt;/p&gt;&#xA;&lt;p&gt;I outlined how we understand CRA as consisting of four activity areas: general principles of secure software (which we already do), professional handling of vulnerabilities (also already doing), transparency of software supply chains with SBOMs (the new challenge and focus of this talk), and information to users plus conformity assessments (out of scope but interesting). Deutsche Bahn&amp;rsquo;s challenge is particularly complex because we take on different roles – customer, manufacturer, and indirectly even steward – across our diverse operations. We build software for ourselves and external customers (ranging from operating systems in train displays to mobile apps), we buy software (local, on-premise, SaaS, bundled in hardware like trains), and we operate everything across multiple environments (on-premise, cloud, edge/embedded).&lt;/p&gt;&#xA;&lt;p&gt;The strategy presentation emphasized how we created an SBOM architecture from scratch to handle this complexity. Working with a small interdisciplinary volunteer group, we focused on iterating quickly, gathering continuous feedback, and thinking in capabilities rather than specific tools. 
Our technical principles centered on modularity, open standards and interfaces, central SBOM storage with decentral sourcing and analysis – providing the flexibility needed to adapt to varying stakeholder needs and evolving regulations. The key message was that at DB&amp;rsquo;s scale and diversity, you cannot implement a one-size-fits-all solution overnight. Instead, we prioritize based on identified risks and external requirements, document everything publicly, and connect the concrete CRA compliance requirements with our broader effort to bring transparency to software supply chains. This transparency forms the basis not just for regulatory compliance, but for security processes, license compliance, and proactively shaping the Open Source ecosystems we depend on.&lt;/p&gt;&#xA;&lt;p&gt;The day after, I gave a &lt;a href=&#34;https://mehl.mx/blog/2026/deutsche-bahns-approach-to-large-scale-sbom-collection-and-use/&#34;&gt;follow-up presentation on our large-scale SBOM collection and use&lt;/a&gt;, which dove deeper into the technical architecture and practical lessons learned from our initial implementation. The two talks together provided a comprehensive overview of how Deutsche Bahn is approaching software supply chain strategy in the context of CRA and beyond.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>OSPOs as Sovereignty Engines</title>
      <link>https://mehl.mx/blog/2026/ospos-as-sovereignty-engines/</link>
      <pubDate>Fri, 30 Jan 2026 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2026/ospos-as-sovereignty-engines/</guid>
      <description>At the EU Open Source Policy Summit 2026, I participated in a panel discussion on how Open Source Programme Offices (OSPOs) can serve as engines of digital sovereignty for large organizations. Alongside experts from the European Commission, RTE, IKEA Group, and Research Institutes of Sweden, we explored how OSPOs can build institutional capability for open collaboration and governance, and how EU policy can accelerate this transformation across critical sectors.</description>
      <content:encoded>&lt;p&gt;Delivering digital sovereignty requires more than regulation and investment &amp;ndash; it depends on institutional capability. I&amp;rsquo;ve been invited to join a panel at the EU Open Source Policy Summit focusing on how large organisations, both public and private, are building the structures needed to adopt and sustain open approaches. We discussed the role of Open Source Programme Offices (OSPOs) as engines of institutional learning, collaboration, and governance, and the potential for an EU policy to accelerate this transformation. Drawing on examples from critical sectors &amp;ndash; including energy, transport, and public administration &amp;ndash; the discussion explored how organisational capacity can strengthen Europe’s digital resilience and enable openness at scale.&lt;/p&gt;&#xA;&lt;p&gt;My main arguments were:&lt;/p&gt;&#xA;&lt;ol&gt;&#xA;&lt;li&gt;OSPOs are more than just a team for managing Open Source software &amp;ndash; they are a strategic function that can drive cultural change, cross-functional collaboration, and ecosystem engagement across an organisation. They act as vertical and horizontal enablers.&lt;/li&gt;&#xA;&lt;li&gt;In the debate around Digital Sovereignty, Open Source is a highly relevant option on the table, and goes far beyond “Buy European”. OSPOs can help organisations navigate the complex landscape of Open Source, build internal expertise, and foster partnerships that enhance sovereignty through openness.&lt;/li&gt;&#xA;&lt;li&gt;OSPOs cannot drive this change alone. External support in the form of strategy, incentives and regulation is needed, especially for organizations under high regulatory pressure or with limited resources. 
This needs to be coherent vertically across the EU and horizontally across sectors.&lt;/li&gt;&#xA;&lt;/ol&gt;&#xA;&lt;p&gt;It was a pleasure to elaborate on this with my co-panelists Manuel Mateo Goyet (Acting Head of Unit CNECT.E.2, European Commission), Lucian Balea (Deputy Director of R&amp;amp;D and Open Source Director, RTE), Supriya Chitale (Open Source Program Office Manager, IKEA Group) and moderator Johan Linåker (Senior Researcher, Research Institutes of Sweden).&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>OpenRail Day 2025 Moderation</title>
      <link>https://mehl.mx/blog/2025/openrail-day-2025-moderation/</link>
      <pubDate>Wed, 17 Dec 2025 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2025/openrail-day-2025-moderation/</guid>
      <description>I had the pleasure to moderate the OpenRail Day 2025 in Paris, organised by the OpenRail Association to share knowledge and experiences about Open Source software in the railway industry. This event brought together railway operators, digital experts, and Open Source communities from across Europe for a day dedicated to showcasing concrete Open Source projects already at work in the railway sector.</description>
      <content:encoded>&lt;p&gt;I had the pleasure to moderate the OpenRail Day 2025 in Paris, organised by the &lt;a href=&#34;https://openrailassociation.org&#34;&gt;OpenRail Association&lt;/a&gt; to share knowledge and experiences about Open Source software in the railway industry. This event brought together railway operators, digital experts, and Open Source communities from across Europe for a day dedicated to showcasing concrete Open Source projects already at work in the railway sector. The conference featured demonstrations, presentations, and workshops around projects like OSRD (Open Source Railway Designer), RCM OSS, LibLRS, and the Netzgrafik-Editor, all hosted by the OpenRail Association.&lt;/p&gt;&#xA;&lt;p&gt;The event created a space for dialogue between technical, institutional, and industrial stakeholders around key topics such as interoperability, open standards, and international collaboration. Speakers included leaders from major European railway companies like SBB, SNCF, Infrabel, and ONCF, as well as representatives from the European Commission&amp;rsquo;s Open Source Programme Office. This first edition laid the foundation for a format designed to evolve and establish itself over time, in service of a more open and collaborative digital railway ecosystem.&lt;/p&gt;&#xA;&lt;p&gt;All session recordings, presentations, and photos are available in the &lt;a href=&#34;https://day.openrailassociation.org&#34;&gt;event replay section&lt;/a&gt;.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>The Burden of Knowledge: Dealing With Open Source Risks</title>
      <link>https://mehl.mx/blog/2025/the-burden-of-knowledge-dealing-with-open-source-risks/</link>
      <pubDate>Mon, 10 Mar 2025 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2025/the-burden-of-knowledge-dealing-with-open-source-risks/</guid>
      <description>&lt;p&gt;At FOSS Backstage 2025 in Berlin, I explored a critical challenge facing OSPOs and development teams: as we increase analysis of our software supply chains, tools and scorecards reveal potential risks in Open Source projects like low maintenance, lack of community, or poor security practices. But this data alone doesn&amp;rsquo;t help if it merely points out potential problems without offering solutions. The question is: how should we handle this burden of knowledge? Through manual reviews? Questionnaires? Funding? Or should we look away?&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At FOSS Backstage 2025 in Berlin, I explored a critical challenge facing OSPOs and development teams: as we increase analysis of our software supply chains, tools and scorecards reveal potential risks in Open Source projects like low maintenance, lack of community, or poor security practices. But this data alone doesn&amp;rsquo;t help if it merely points out potential problems without offering solutions. The question is: how should we handle this burden of knowledge? Through manual reviews? Questionnaires? Funding? Or should we look away?&lt;/p&gt;&#xA;&lt;p&gt;In this session, I focused on the strategic decisions organizations need to make when assessing risk in Open Source dependencies. Drawing from my experience at an organization using a six-digit number of Open Source packages, I explored the options between the extremes of “Let&amp;rsquo;s measure everything”, “Let&amp;rsquo;s avoid all risky Open Source”, and “Let&amp;rsquo;s not look at the data because it might scare off management”. I discussed how to decide whether to use a project, invest resources to support it, or move away from a dependency, and when it makes sense to actively engage with or withdraw from an Open Source project.&lt;/p&gt;&#xA;&lt;p&gt;This talk provided an overview of feasible options and the foundation for a more informed discussion on managing Open Source risks strategically – without ignorance or fear.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Who are these Open Source maintainers, actually?</title>
      <link>https://mehl.mx/blog/2024/who-are-these-open-source-maintainers-actually/</link>
      <pubDate>Tue, 14 May 2024 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2024/who-are-these-open-source-maintainers-actually/</guid>
      <description>&lt;p&gt;At Siemens Open Source 2024, I presented a narrative journey through the life of an Open Source maintainer, structured as a five-act drama with a happy ending. Through the story of “Alex”, a fictional developer, I explored what really drives maintainers, what they actually do beyond writing code, and the challenges they face when interacting with corporate structures. The talk moved from the initial motivation of creating a new tool driven by passion and intrinsic needs, through the growth into respected maintainership with community building responsibilities, to the eventual transition of passing on the role to ensure project sustainability.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At Siemens Open Source 2024, I presented a narrative journey through the life of an Open Source maintainer, structured as a five-act drama with a happy ending. Through the story of “Alex”, a fictional developer, I explored what really drives maintainers, what they actually do beyond writing code, and the challenges they face when interacting with corporate structures. The talk moved from the initial motivation of creating a new tool driven by passion and intrinsic needs, through the growth into respected maintainership with community building responsibilities, to the eventual transition of passing on the role to ensure project sustainability.&lt;/p&gt;&#xA;&lt;p&gt;The presentation highlighted the often-overlooked aspects of maintainership: responding to issues and pull requests, moderating discussions, ensuring code of conduct compliance, mentoring newcomers, designing roadmaps, and making strategic decisions. I also addressed the cultural and process differences between companies and Open Source communities – from hierarchical versus peer production models to the different resource availability and commitment structures. The key message: maintainers are not bosses but servants of their communities, and the true capital of an Open Source project lies not in the code, but in the people and community that keep it alive.&lt;/p&gt;&#xA;&lt;p&gt;This talk emphasized that while maintainers differ in motivation, funding models, and governance structures, they share core characteristics: a high sense of responsibility, autonomous action, balance of interests, and servant leadership.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>SBOMs – A Short Introduction</title>
      <link>https://mehl.mx/blog/2023/sboms-a-short-introduction/</link>
      <pubDate>Tue, 10 Oct 2023 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2023/sboms-a-short-introduction/</guid>
      <description>&lt;p&gt;At OSPOlogy Live Frankfurt in October 2023, I gave an introduction to Software Bills of Materials (SBOMs) for the OSPO community. Everyone had heard of SBOMs by then – they seemed ubiquitous, with shiny tools sprouting up everywhere. But what were they actually all about? What were the real use cases? And what often caused practical applications to fail? This talk aimed to provide a common understanding without the marketing-speak.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At OSPOlogy Live Frankfurt in October 2023, I gave an introduction to Software Bills of Materials (SBOMs) for the OSPO community. Everyone had heard of SBOMs by then – they seemed ubiquitous, with shiny tools sprouting up everywhere. But what were they actually all about? What were the real use cases? And what often caused practical applications to fail? This talk aimed to provide a common understanding without the marketing-speak.&lt;/p&gt;&#xA;&lt;p&gt;The session covered the fundamental concepts of SBOMs, explored concrete use cases where they add value, and discussed the challenges organizations face when trying to implement them in practice. Drawing from my experience working with software supply chain transparency at Deutsche Bahn, I highlighted common pitfalls and offered practical insights for OSPOs looking to make sense of the SBOM landscape.&lt;/p&gt;&#xA;&lt;p&gt;This was part of a two-day event hosted by SAP&amp;rsquo;s OSPO and co-organized with TODO Group, InnerSource Commons, LF Energy, OpenChain, SPDX, CHAOSS, and OpenSSF projects.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>What Do Open Source Maintainers Actually Do?</title>
      <link>https://mehl.mx/blog/2023/was-machen-eigentlich-open-source-maintainer/</link>
      <pubDate>Wed, 27 Sep 2023 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2023/was-machen-eigentlich-open-source-maintainer/</guid>
      <description>&lt;p&gt;At the 9th Bitkom Forum Open Source in Erfurt, Cornelius Schumacher and I presented a narrative about the life of Open Source maintainers, structured as a drama with a happy ending. Through the story of “Alex”, a fictional developer, we examined what really drives maintainers, what they do beyond programming, and which challenges they have to face. The talk led from the initial motivation of creating a new tool out of passion and personal need, through the growth into a respected maintainer with community-building responsibility, to the handover of the role for the sake of the sustainability of the project.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At the 9th Bitkom Forum Open Source in Erfurt, Cornelius Schumacher and I presented a narrative about the life of Open Source maintainers, structured as a drama with a happy ending. Through the story of “Alex”, a fictional developer, we examined what really drives maintainers, what they do beyond programming, and which challenges they have to face. The talk led from the initial motivation of creating a new tool out of passion and personal need, through the growth into a respected maintainer with community-building responsibility, to the handover of the role for the sake of the sustainability of the project.&lt;/p&gt;&#xA;&lt;p&gt;The presentation highlighted the often-overlooked aspects of maintainership: responding to issues and pull requests, moderating discussions, ensuring compliance with the code of conduct, mentoring newcomers, shaping roadmaps, and making strategic decisions. We also addressed the cultural and process differences between companies and Open Source communities – from hierarchical versus peer production models to differing resource availability and commitment structures. The key message: maintainers are not bosses but servants of their communities, and the true capital of an Open Source project lies not in the code, but in the people and the community that keep it alive.&lt;/p&gt;&#xA;&lt;p&gt;The talk emphasized that while maintainers differ in motivation, funding models, and governance structures, they share core characteristics: a high sense of responsibility, autonomous action, balancing of interests, and servant leadership.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Hardware Bills of Material with Deutsche Bahn</title>
      <link>https://mehl.mx/blog/2023/hardware-bills-of-material-with-deutsche-bahn/</link>
      <pubDate>Wed, 07 Jun 2023 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2023/hardware-bills-of-material-with-deutsche-bahn/</guid>
      <description>&lt;p&gt;At Upstream 2023, I participated in a fireside chat with Luis Villa (Tidelift) and my colleague Erik Schaufuss exploring the fascinating intersection between Software Bills of Materials (SBOMs) and Hardware Bills of Materials (HBOMs) within Deutsche Bahn&amp;rsquo;s complex supply chain. As Germany&amp;rsquo;s national railway company with hundreds of federated subsidiaries, we face unique challenges in managing both rolling stock hardware and the increasingly software-driven assets within trains. The discussion centered on how learnings from the software supply chain transparency movement – particularly around standards like CycloneDX – can inform and improve hardware supply chain management.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At Upstream 2023, I participated in a fireside chat with Luis Villa (Tidelift) and my colleague Erik Schaufuss exploring the fascinating intersection between Software Bills of Materials (SBOMs) and Hardware Bills of Materials (HBOMs) within Deutsche Bahn&amp;rsquo;s complex supply chain. As Germany&amp;rsquo;s national railway company with hundreds of federated subsidiaries, we face unique challenges in managing both rolling stock hardware and the increasingly software-driven assets within trains. The discussion centered on how learnings from the software supply chain transparency movement – particularly around standards like CycloneDX – can inform and improve hardware supply chain management.&lt;/p&gt;&#xA;&lt;p&gt;The conversation explored Deutsche Bahn&amp;rsquo;s federated corporate structure and how this complexity makes supply chain management particularly challenging yet critical. We discussed the need for standards to communicate information across organizational boundaries, the clash between traditional hardware procurement and modern software practices, and how tracking components in both domains presents parallel challenges. The fireside chat highlighted practical experiences in bridging the gap between software and hardware supply chain transparency, and the importance of ISO standards and industry collaboration in this evolving space.&lt;/p&gt;&#xA;&lt;p&gt;This session demonstrated that whether dealing with software packages or physical train components, the fundamental challenges of transparency, traceability, and security have more in common than one might initially expect.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Panel: Hot Topics - Organizers of the Legal &amp; Policy DevRoom</title>
      <link>https://mehl.mx/blog/2022/panel-hot-topics-organizers-of-the-legal-policy-devroom/</link>
      <pubDate>Sat, 05 Feb 2022 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2022/panel-hot-topics-organizers-of-the-legal-policy-devroom/</guid>
      <description>&lt;p&gt;At FOSDEM 2022, I again joined my fellow organizers of the Legal &amp;amp; Policy DevRoom for a panel discussion on the hot topics we observed over the past year in Free and Open Source Software. Together with Bradley Kuhn, Karen Sandler and Alexander Sander, we reflected on the presentations from the day&amp;rsquo;s track and looked forward to the future of FOSS policy. This panel provided an opportunity to discuss the pressing issues facing the FOSS community from legal and policy perspectives.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At FOSDEM 2022, I again joined my fellow organizers of the Legal &amp;amp; Policy DevRoom for a panel discussion on the hot topics we observed over the past year in Free and Open Source Software. Together with Bradley Kuhn, Karen Sandler and Alexander Sander, we reflected on the presentations from the day&amp;rsquo;s track and looked forward to the future of FOSS policy. This panel provided an opportunity to discuss the pressing issues facing the FOSS community from legal and policy perspectives.&lt;/p&gt;&#xA;&lt;p&gt;The discussion touched on the lessons learned from the various presentations throughout the DevRoom, considering how legal and policy challenges were evolving as FOSS became increasingly central to digital infrastructure worldwide. As organizers, we shared our perspectives on emerging trends, regulatory developments, and the ongoing work needed to protect software freedom while ensuring compliance and sustainable community practices.&lt;/p&gt;&#xA;&lt;p&gt;This panel was part of FOSDEM&amp;rsquo;s Legal and Policy Issues devroom, which continues to serve as an important forum for addressing the intersection of law, policy, and Free Software.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>REUSE - Gold standard for Free Software licensing</title>
      <link>https://mehl.mx/blog/2021/reuse-gold-standard-for-free-software-licensing/</link>
      <pubDate>Fri, 12 Nov 2021 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2021/reuse-gold-standard-for-free-software-licensing/</guid>
      <description>&lt;p&gt;At SFScon 2021 in Bolzano (Italy), I presented REUSE as a gold standard approach for Free and Open Source Software licensing. The REUSE initiative, launched by the Free Software Foundation Europe, provides best practices and tools that make licensing Free Software projects straightforward and unambiguous. By following three simple steps – providing license and copyright information in every file, including license texts, and confirming REUSE compliance with the tool – projects can achieve clarity that benefits both developers and users.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At SFScon 2021 in Bolzano (Italy), I presented REUSE as a gold standard approach for Free and Open Source Software licensing. The REUSE initiative, launched by the Free Software Foundation Europe, provides best practices and tools that make licensing Free Software projects straightforward and unambiguous. By following three simple steps – providing license and copyright information in every file, including license texts, and confirming REUSE compliance with the tool – projects can achieve clarity that benefits both developers and users.&lt;/p&gt;&#xA;&lt;p&gt;The talk demonstrated how REUSE addresses common licensing challenges in Free Software development: unclear provenance, missing copyright information, and ambiguous licensing terms. I showed practical examples of how projects can adopt REUSE incrementally, explained the supporting tools available (including the REUSE helper tool and API), and discussed how REUSE is being adopted by major projects and organizations. The approach helps projects be compliant with requirements like the FSFE&amp;rsquo;s “Public Money, Public Code” campaign and prepares them for emerging regulations.&lt;/p&gt;&#xA;&lt;p&gt;REUSE has become increasingly recognized as a best practice standard, with adoption by major organizations and integration into compliance toolchains. The talk highlighted how this simple yet effective approach removes friction from Open Source licensing.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Simplify Licensing Code with REUSE</title>
      <link>https://mehl.mx/blog/2021/simplify-licensing-code-with-reuse/</link>
      <pubDate>Fri, 17 Sep 2021 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2021/simplify-licensing-code-with-reuse/</guid>
      <description>&lt;p&gt;At EuroBSDCon 2021, I introduced the REUSE initiative to the OpenBSD community, demonstrating how this approach can simplify licensing practices for Free and Open Source Software communities like theirs. The talk focused on the practical challenges developers face when trying to properly license their code and how REUSE&amp;rsquo;s three simple rules can solve these problems. This presentation was particularly relevant for the OpenBSD ecosystem, where licensing clarity and permissive licenses play a central role in the community&amp;rsquo;s values.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At EuroBSDCon 2021, I introduced the REUSE initiative to the OpenBSD community, demonstrating how this approach can simplify licensing practices for Free and Open Source Software communities like theirs. The talk focused on the practical challenges developers face when trying to properly license their code and how REUSE&amp;rsquo;s three simple rules can solve these problems. This presentation was particularly relevant for the OpenBSD ecosystem, where licensing clarity and permissive licenses play a central role in the community&amp;rsquo;s values.&lt;/p&gt;&#xA;&lt;p&gt;I walked through real-world examples of licensing ambiguity and its consequences, then showed how REUSE&amp;rsquo;s straightforward approach – adding licensing information to each file, including license texts in a standard location, and confirming full adoption – removes these pain points. The talk covered the REUSE helper tool, which automates much of the compliance work, and demonstrated how projects can adopt REUSE gradually without disrupting their existing workflows.&lt;/p&gt;&#xA;&lt;p&gt;The OpenBSD community&amp;rsquo;s focus on permissive licensing and clear legal status made this an ideal audience for REUSE principles. The discussion highlighted how REUSE complements OpenBSD&amp;rsquo;s licensing philosophy by making it easier for developers to properly attribute work and maintain clear licensing information throughout long lifecycles.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>REUSE - Make licensing easy for everyone</title>
      <link>https://mehl.mx/blog/2021/reuse-make-licensing-easy-for-everyone/</link>
      <pubDate>Wed, 23 Jun 2021 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2021/reuse-make-licensing-easy-for-everyone/</guid>
      <description>&lt;p&gt;At OW2con 2021, I presented REUSE to an audience deeply involved in Open Source infrastructure projects and close to public authorities and French businesses. The talk emphasized how REUSE makes Free Software licensing accessible and manageable for everyone – from individual developers to large organizations managing complex codebases. This was particularly relevant for the OW2 community, where projects often involve multiple contributors, dependencies, and licensing considerations across international boundaries.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At OW2con 2021, I presented REUSE to an audience deeply involved in Open Source infrastructure projects and close to public authorities and French businesses. The talk emphasized how REUSE makes Free Software licensing accessible and manageable for everyone – from individual developers to large organizations managing complex codebases. This was particularly relevant for the OW2 community, where projects often involve multiple contributors, dependencies, and licensing considerations across international boundaries.&lt;/p&gt;&#xA;&lt;p&gt;The presentation walked through the core REUSE principles and showed how they address common licensing pain points: unclear copyright holders, ambiguous license terms, and missing attribution. I demonstrated the REUSE tools and workflow, showing how projects can verify their compliance status and incrementally improve their licensing documentation. The talk also covered how REUSE integrates with continuous integration systems and can become part of a project&amp;rsquo;s regular quality assurance process.&lt;/p&gt;&#xA;&lt;p&gt;For the OW2 community, known for its focus on collaborative Open Source development and professional-grade software, REUSE offered a pragmatic path to licensing clarity that reduces legal uncertainty while maintaining development velocity. The discussion highlighted how proper licensing documentation becomes even more critical as projects scale and are used in production environments.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Digital Sovereignty in Europe - Free and Open Source Software as the Key</title>
      <link>https://mehl.mx/blog/2021/digitale-souver%C3%A4nit%C3%A4t-in-europa-freie-und-open-source-software-als-schl%C3%BCssel/</link>
      <pubDate>Thu, 15 Apr 2021 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2021/digitale-souver%C3%A4nit%C3%A4t-in-europa-freie-und-open-source-software-als-schl%C3%BCssel/</guid>
      <description>&lt;p&gt;At Europe Direct Dortmund, I gave a talk on digital sovereignty in Europe and the central role that Free and Open Source Software plays in it. The talk examined how dependent Europe has become on proprietary software solutions and what risks this dependency poses for democratic institutions, economic competitiveness, and technological self-determination. I argued that real digital sovereignty can only be achieved through the strategic use and promotion of Free Software.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At Europe Direct Dortmund, I gave a talk on digital sovereignty in Europe and the central role that Free and Open Source Software plays in it. The talk examined how dependent Europe has become on proprietary software solutions and what risks this dependency poses for democratic institutions, economic competitiveness, and technological self-determination. I argued that real digital sovereignty can only be achieved through the strategic use and promotion of Free Software.&lt;/p&gt;&#xA;&lt;p&gt;The presentation showed concrete examples of how Free Software can give Europe more control over its digital infrastructure – from public administrations and educational institutions to critical infrastructure. I discussed the significance of open standards, the importance of transparency and verifiability in software, and how the principles of “Public Money, Public Code” can help build a sustainable and sovereign digital future for Europe.&lt;/p&gt;&#xA;&lt;p&gt;The talk emphasised that digital sovereignty does not mean sealing Europe off from the world, but rather developing the ability to make its own technological decisions and to take part in open, international development models on an equal footing.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>REUSE: Best practices for declaring copyright and licenses</title>
      <link>https://mehl.mx/blog/2021/reuse-best-practices-for-declaring-copyright-and-licenses/</link>
      <pubDate>Sun, 21 Mar 2021 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2021/reuse-best-practices-for-declaring-copyright-and-licenses/</guid>
      <description>&lt;p&gt;At LibrePlanet 2021, I presented the REUSE initiative as a set of best practices for declaring copyright and licenses in Free Software projects. LibrePlanet is the Free Software Foundation&amp;rsquo;s annual conference celebrating software freedom, making it an ideal venue to discuss how REUSE helps uphold the principles that the community values most. The talk focused on how clear licensing and copyright information benefits both developers and users of Free Software.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At LibrePlanet 2021, I presented the REUSE initiative as a set of best practices for declaring copyright and licenses in Free Software projects. LibrePlanet is the Free Software Foundation&amp;rsquo;s annual conference celebrating software freedom, making it an ideal venue to discuss how REUSE helps uphold the principles that the community values most. The talk focused on how clear licensing and copyright information benefits both developers and users of Free Software.&lt;/p&gt;&#xA;&lt;p&gt;I explained the three core REUSE rules: including copyright and licensing information in each file, providing full license texts, and confirming full REUSE adoption by running an easy check. The presentation showed practical examples of how projects can implement these practices incrementally, demonstrated the REUSE helper tool for automated compliance checking, and discussed how REUSE aligns with Free Software philosophy by ensuring that software freedom is clearly documented and easily verifiable.&lt;/p&gt;&#xA;&lt;p&gt;The talk resonated especially well with the LibrePlanet audience, as many attendees work on software freedom advocacy and understand first-hand how licensing ambiguity can undermine the goals of Free Software.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Panel: Hot Topics - Organizers of the Legal &amp; Policy DevRoom</title>
      <link>https://mehl.mx/blog/2021/panel-hot-topics-organizers-of-the-legal-policy-devroom/</link>
      <pubDate>Sun, 07 Feb 2021 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2021/panel-hot-topics-organizers-of-the-legal-policy-devroom/</guid>
      <description>&lt;p&gt;At FOSDEM 2021, I participated in the annual panel of Legal &amp;amp; Policy DevRoom organizers where we discussed the hot topics from the track&amp;rsquo;s presentations that year. This panel tradition brings together the organizers to reflect on the most pressing legal and policy issues facing Free and Open Source Software, based on the talks and discussions throughout the day. It provided an opportunity to synthesize the diverse perspectives presented in the DevRoom and look ahead to emerging challenges.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At FOSDEM 2021, I participated in the annual panel of Legal &amp;amp; Policy DevRoom organizers where we discussed the hot topics from the track&amp;rsquo;s presentations that year. This panel tradition brings together the organizers to reflect on the most pressing legal and policy issues facing Free and Open Source Software, based on the talks and discussions throughout the day. It provided an opportunity to synthesize the diverse perspectives presented in the DevRoom and look ahead to emerging challenges.&lt;/p&gt;&#xA;&lt;p&gt;As one of the organizers, I joined my co-organizers Bradley Kuhn, Karen Sandler, Richard Fontana, and Alexander Sander to discuss topics ranging from licensing compliance and governance models to emerging regulatory frameworks affecting FOSS. The panel format allowed us to draw connections between different presentations, highlight recurring themes, and engage with questions from the community about how legal and policy matters would evolve in the coming year.&lt;/p&gt;&#xA;&lt;p&gt;This type of meta-discussion is valuable because it helps the FOSS community understand not just individual legal or policy issues, but how these challenges interconnect and what broader trends we should be watching. The Legal &amp;amp; Policy Devroom continues to be a crucial space for these conversations at FOSDEM.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>REUSE: Best practices for declaring copyright and licenses</title>
      <link>https://mehl.mx/blog/2021/reuse-best-practices-for-declaring-copyright-and-licenses/</link>
      <pubDate>Sat, 06 Feb 2021 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2021/reuse-best-practices-for-declaring-copyright-and-licenses/</guid>
      <description>&lt;p&gt;At FOSDEM 2021, I delivered a presentation on REUSE best practices for declaring copyright and licenses in Free and Open Source Software projects. The talk was part of FOSDEM&amp;rsquo;s OpenChain track, where developers and legal professionals gather to discuss these critical topics. I focused on how REUSE provides a practical, standardized approach to one of the most common yet frustrating problems in FOSS development: maintaining clear licensing information.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At FOSDEM 2021, I delivered a presentation on REUSE best practices for declaring copyright and licenses in Free and Open Source Software projects. The talk was part of FOSDEM&amp;rsquo;s OpenChain track, where developers and legal professionals gather to discuss these critical topics. I focused on how REUSE provides a practical, standardized approach to one of the most common yet frustrating problems in FOSS development: maintaining clear licensing information.&lt;/p&gt;&#xA;&lt;p&gt;The presentation walked through the three simple steps that comprise REUSE: adding copyright and licensing information to each file, providing full license texts in a standard location, and confirming complete REUSE adoption. I demonstrated the REUSE helper tool which automates compliance checking and can be integrated into CI/CD pipelines. Real-world examples showed how projects of various sizes have successfully adopted REUSE, and I addressed common questions about legacy codebases, third-party dependencies, and multi-license projects.&lt;/p&gt;&#xA;&lt;p&gt;The timing was significant as more organizations were recognizing the importance of licensing clarity for compliance, security auditing, and supply chain management. REUSE provides a solution that&amp;rsquo;s both developer-friendly and meets the requirements of legal and compliance teams, making it increasingly relevant as FOSS becomes critical infrastructure.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>No IT security without Free Software</title>
      <link>https://mehl.mx/blog/2020/keine-it-sicherheit-ohne-freie-software/</link>
      <pubDate>Sat, 22 Feb 2020 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2020/keine-it-sicherheit-ohne-freie-software/</guid>
      <description>&lt;p&gt;At the Winterkongress of Digitale Gesellschaft Schweiz, I gave a talk on the fundamental connection between IT security and Free Software/Open Source. The core thesis was worded provocatively but technically grounded: real IT security is not possible without Free Software. At a time when cybersecurity was increasingly perceived as a critical issue for society, the economy, and the state, I argued that proprietary software brings structural security problems that cannot simply be solved by better practices.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At the Winterkongress of Digitale Gesellschaft Schweiz, I gave a talk on the fundamental connection between IT security and Free Software/Open Source. The core thesis was worded provocatively but technically grounded: real IT security is not possible without Free Software. At a time when cybersecurity was increasingly perceived as a critical issue for society, the economy, and the state, I argued that proprietary software brings structural security problems that cannot simply be solved by better practices.&lt;/p&gt;&#xA;&lt;p&gt;The talk examined several dimensions of this argument: transparency as a prerequisite for trust, the need for independent security reviews, the problem of backdoors and undisclosed vulnerabilities in closed-source software, and the importance of vendor independence for long-term security updates. For the audience at the Winterkongress, which campaigns for digital civil rights and a democratic digital society, this connection between freedom and security was particularly relevant. The talk showed that there is no contradiction in advocating for software freedom and for security at the same time. Quite the opposite: one presupposes the other.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Go REUSE to license your code</title>
      <link>https://mehl.mx/blog/2020/go-reuse-to-license-your-code/</link>
      <pubDate>Sun, 02 Feb 2020 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2020/go-reuse-to-license-your-code/</guid>
      <description>&lt;p&gt;At FOSDEM 2020, I presented “Go REUSE to license your code” in the Legal and Policy Issues Devroom. This talk marked an important milestone in the REUSE initiative&amp;rsquo;s evolution, as we were seeing increasing adoption across diverse projects and growing recognition of licensing clarity as a critical aspect of software quality. The presentation encouraged developers to adopt REUSE practices for their own projects, showing that proper licensing doesn&amp;rsquo;t have to be complicated or time-consuming.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At FOSDEM 2020, I presented “Go REUSE to license your code” in the Legal and Policy Issues Devroom. This talk marked an important milestone in the REUSE initiative&amp;rsquo;s evolution, as we were seeing increasing adoption across diverse projects and growing recognition of licensing clarity as a critical aspect of software quality. The presentation encouraged developers to adopt REUSE practices for their own projects, showing that proper licensing doesn&amp;rsquo;t have to be complicated or time-consuming.&lt;/p&gt;&#xA;&lt;p&gt;The talk walked through the three simple REUSE rules and demonstrated hands-on how developers could implement them in their projects. I showcased the REUSE helper tool which automates compliance checking, the REUSE API for displaying compliance badges, and showed real examples from projects that had successfully adopted REUSE. A key message was that REUSE is not only about legal compliance but respect for maintainers, clarity for users, and building a sustainable Free Software ecosystem where licensing information is always clear and accessible.&lt;/p&gt;&#xA;&lt;p&gt;The discussion after the talk focused on practical questions about edge cases, integration with existing workflows, and how to gradually improve licensing in legacy codebases. This was exactly the kind of community-driven conversation that helps initiatives like REUSE evolve to meet real-world needs.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>REUSE: Make licensing easy for everyone</title>
      <link>https://mehl.mx/blog/2019/reuse-make-licensing-easy-for-everyone/</link>
      <pubDate>Mon, 28 Oct 2019 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2019/reuse-make-licensing-easy-for-everyone/</guid>
      <description>&lt;p&gt;At the Open Source Summit Europe 2019 in Lyon, I presented REUSE to an audience of enterprise Open Source professionals, developers, and decision-makers. The Open Source Summit, organized by the Linux Foundation, brings together the commercial and community sides of Open Source, making it an ideal venue to discuss how REUSE addresses licensing challenges that affect both worlds. The talk emphasized how REUSE makes licensing straightforward for everyone: from individual contributors to large organizations managing complex Open Source portfolios.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At the Open Source Summit Europe 2019 in Lyon, I presented REUSE to an audience of enterprise Open Source professionals, developers, and decision-makers. The Open Source Summit, organized by the Linux Foundation, brings together the commercial and community sides of Open Source, making it an ideal venue to discuss how REUSE addresses licensing challenges that affect both worlds. The talk emphasized how REUSE makes licensing straightforward for everyone: from individual contributors to large organizations managing complex Open Source portfolios.&lt;/p&gt;&#xA;&lt;p&gt;The presentation focused on the practical solutions to typical problems with licensing information: unclear licensing and copyright of individual files, conflicting best practices, and loss of such information during use and re-use of files and components. I explained the three core REUSE rules and showed how the tooling integrates with existing development workflows and CI/CD pipelines. For the enterprise-focused audience, I highlighted how REUSE helps organizations that both consume and contribute to Open Source software, providing clear documentation that satisfies legal teams while remaining developer-friendly.&lt;/p&gt;&#xA;&lt;p&gt;The discussion revealed strong interest from companies dealing with complex multi-license scenarios and those seeking to improve their Open Source practices. REUSE offered a solution that bridges the gap between legal requirements and development realities &amp;ndash; exactly what many organizations were looking for as Open Source became increasingly central to their technology stacks.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>No IT security without Free Software</title>
      <link>https://mehl.mx/blog/2019/no-it-security-without-free-software/</link>
      <pubDate>Sat, 14 Sep 2019 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2019/no-it-security-without-free-software/</guid>
      <description>&lt;p&gt;At BalCCon 2019 in Novi Sad, Serbia, I delivered a talk arguing that real IT security is fundamentally impossible without Free and Open Source Software. BalCCon (Balkan Computer Congress) brings together security researchers, hackers, and technology enthusiasts from across the Balkans and beyond, making it a perfect audience for examining the deep connections between software freedom and security. The talk challenged the common assumption that security and openness are somehow in tension, arguing instead that transparency is a prerequisite for trustworthy security.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At BalCCon 2019 in Novi Sad, Serbia, I delivered a talk arguing that real IT security is fundamentally impossible without Free and Open Source Software. BalCCon (Balkan Computer Congress) brings together security researchers, hackers, and technology enthusiasts from across the Balkans and beyond, making it a perfect audience for examining the deep connections between software freedom and security. The talk challenged the common assumption that security and openness are somehow in tension, arguing instead that transparency is a prerequisite for trustworthy security.&lt;/p&gt;&#xA;&lt;p&gt;The presentation examined multiple dimensions of this argument: the security benefits of source code transparency, the danger of security through obscurity in proprietary systems, the importance of independent security audits, the problem of backdoors and undisclosed vulnerabilities, and the critical role of user control over their computing environment. I showed concrete examples where Open Source can resolve an ongoing tension between economic incentives and security needs without sacrificing either.&lt;/p&gt;&#xA;&lt;p&gt;For the BalCCon audience, many of whom work directly in information security, this argument resonated strongly. The discussion explored how Open Source principles align with security best practices like defense in depth, least privilege, and verifiable trust. The talk reinforced that advocating for Free Software isn&amp;rsquo;t just about philosophy or licensing &amp;ndash; it&amp;rsquo;s about building secure systems in a fundamentally insecure world.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>No IT security without Free Software</title>
      <link>https://mehl.mx/blog/2019/no-it-security-without-free-software/</link>
      <pubDate>Wed, 03 Jul 2019 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2019/no-it-security-without-free-software/</guid>
      <description>&lt;p&gt;At Pass the SALT 2019 in Lille, France, I presented on the essential connection between IT security and Free Software. Pass the SALT (Security And Libre Talks) is a security conference with a specific focus on Free and Open Source Software security tools and practices, making it the ideal venue for this topic. The conference brings together security professionals who both develop and use Free Software security tools, and understand the value of transparency in security work.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At Pass the SALT 2019 in Lille, France, I presented on the essential connection between IT security and Free Software. Pass the SALT (Security And Libre Talks) is a security conference with a specific focus on Free and Open Source Software security tools and practices, making it the ideal venue for this topic. The conference brings together security professionals who both develop and use Free Software security tools, and understand the value of transparency in security work.&lt;/p&gt;&#xA;&lt;p&gt;The talk examined why proprietary software creates fundamental security problems that cannot be solved through patches or better practices alone. Without access to source code, security researchers cannot fully audit systems, users cannot verify what their software actually does, and the community cannot collaborate on security improvements. I presented case studies of security issues that persisted in proprietary systems precisely because of their closed nature, contrasted with Free Software projects where transparency enabled rapid community response to vulnerabilities.&lt;/p&gt;&#xA;&lt;p&gt;The presentation also addressed common misconceptions: that disclosure of source code helps attackers (when research shows the opposite), that commercial vendors provide better security than community projects (when evidence suggests otherwise), and that security and usability require proprietary approaches (when Free Software demonstrates both are achievable). For the Pass the SALT audience, this reinforced their work developing and promoting Free Software security tools as not just technically sound, but philosophically necessary for genuine security.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>IT security? Free Software!</title>
      <link>https://mehl.mx/blog/2019/it-sicherheit-freie-software/</link>
      <pubDate>Sat, 27 Apr 2019 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2019/it-sicherheit-freie-software/</guid>
      <description>&lt;p&gt;At the Grazer Linuxtage 2019, I gave the keynote on the connection between IT security and Free Software. The Grazer Linuxtage are one of the most important German-language events for GNU/Linux and Free Software, and the keynote offered the opportunity to explain to the entire audience &amp;ndash; from beginners to experienced developers &amp;ndash; why Free and Open Source Software is not an option but a prerequisite for real IT security.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At the Grazer Linuxtage 2019, I gave the keynote on the connection between IT security and Free Software. The Grazer Linuxtage are one of the most important German-language events for GNU/Linux and Free Software, and the keynote offered the opportunity to explain to the entire audience &amp;ndash; from beginners to experienced developers &amp;ndash; why Free and Open Source Software is not an option but a prerequisite for real IT security.&lt;/p&gt;&#xA;&lt;p&gt;The talk examined why proprietary software brings structural security problems: a lack of transparency prevents independent security analyses, users have no control over what their software actually does, and vendor lock-in means that security updates depend on business interests rather than on actual threats. In contrast, Free Software enables verifiability and community-driven security research, and ensures that users retain sovereignty over their IT systems.&lt;/p&gt;&#xA;&lt;p&gt;As a keynote, the talk was deliberately broad in scope in order to cover various aspects of the topic: from concrete technical security benefits and the importance of open standards to societal questions of digital sovereignty. The message was clear: anyone who takes IT security seriously cannot get around Free Software.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Public Code with Free Software: Modernising Public Digital Infrastructure</title>
      <link>https://mehl.mx/blog/2018/public-code-with-free-software-modernising-public-digital-infrastructure/</link>
      <pubDate>Sat, 15 Sep 2018 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2018/public-code-with-free-software-modernising-public-digital-infrastructure/</guid>
      <description>&lt;p&gt;At BalCCon 2018 in Novi Sad (Serbia), I presented the FSFE&amp;rsquo;s “Public Money, Public Code” campaign and its vision for modernising public digital infrastructure through Free Software. This was during the early, energetic phase of the campaign when we were building momentum across Europe for the principle that software developed with taxpayer money should be made available as Free Software. BalCCon&amp;rsquo;s technically sophisticated audience with a focus on IT security was an interesting context to discuss how public code can enhance security, transparency, and local technological capacity.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At BalCCon 2018 in Novi Sad (Serbia), I presented the FSFE&amp;rsquo;s “Public Money, Public Code” campaign and its vision for modernising public digital infrastructure through Free Software. This was during the early, energetic phase of the campaign when we were building momentum across Europe for the principle that software developed with taxpayer money should be made available as Free Software. BalCCon&amp;rsquo;s technically sophisticated audience with a focus on IT security was an interesting context to discuss how public code can enhance security, transparency, and local technological capacity.&lt;/p&gt;&#xA;&lt;p&gt;The talk explained why public administrations&amp;rsquo; current approach &amp;ndash; paying for proprietary software development and then paying again for licenses to use it, while no one else can benefit from the investment &amp;ndash; makes no sense. I outlined how Free Software enables code reuse across municipalities and countries, reduces vendor lock-in, improves security through transparency, and turns software from a cost center into a shared resource. The presentation showcased early successes of public code initiatives and addressed common objections about support, security, and feasibility.&lt;/p&gt;&#xA;&lt;p&gt;For the BalCCon audience, many of whom work with technology in contexts across the Balkans, the message was particularly relevant. The region faces challenges of limited IT budgets, dependency on foreign vendors, and the need to build local technological capacity – all problems that “Public Money, Public Code” directly addresses. The discussion explored how these principles could be adapted to different political and economic contexts while maintaining their core benefits.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Public Code with Free Software: Modernising Digital Public Infrastructure</title>
      <link>https://mehl.mx/blog/2018/public-code-with-free-software-modernising-digital-public-infrastructure/</link>
      <pubDate>Tue, 11 Sep 2018 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2018/public-code-with-free-software-modernising-digital-public-infrastructure/</guid>
      <description>&lt;p&gt;At DrupalEurope 2018 in Darmstadt, I presented the “Public Money, Public Code” initiative to an audience of Drupal developers, site builders, and digital agencies. This was a particularly relevant venue because Drupal itself is Free Software, and many in the audience work on public sector projects where the principles of Public Code directly apply. The talk connected the FSFE&amp;rsquo;s campaign to the practical realities of building public digital infrastructure with content management systems like Drupal.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At DrupalEurope 2018 in Darmstadt, I presented the “Public Money, Public Code” initiative to an audience of Drupal developers, site builders, and digital agencies. This was a particularly relevant venue because Drupal itself is Free Software, and many in the audience work on public sector projects where the principles of Public Code directly apply. The talk connected the FSFE&amp;rsquo;s campaign to the practical realities of building public digital infrastructure with content management systems like Drupal.&lt;/p&gt;&#xA;&lt;p&gt;The presentation explained why software developed for public administrations with taxpayer money should be released as Free Software. I outlined the benefits: code reuse across different public bodies, reduced vendor lock-in, improved security through transparency, and the ability to customize solutions to local needs. For the Drupal community, which already embraces Open Source principles, the message resonated strongly – many attendees had experienced first-hand the frustration of proprietary systems or custom Drupal modules that couldn&amp;rsquo;t be shared because of licensing restrictions.&lt;/p&gt;&#xA;&lt;p&gt;The discussion explored how Drupal agencies could advocate for Public Code principles in their client relationships, how public administrations could structure procurement to require Free Software, and what role the Drupal community could play in building shared public infrastructure. This talk helped connect the broader political campaign to concrete technical communities already working in the public sector.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Public Money? Public Code! - Modernising Digital Public Infrastructure</title>
      <link>https://mehl.mx/blog/2018/public-money-public-code-modernising-digital-public-infrastructure/</link>
      <pubDate>Sat, 07 Jul 2018 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2018/public-money-public-code-modernising-digital-public-infrastructure/</guid>
      <description>&lt;p&gt;At RMLL/Libre Software Meeting 2018 in Strasbourg, I presented the “Public Money, Public Code” campaign to one of Europe&amp;rsquo;s longest-running Free Software conferences. The RMLL/LSM brings together activists, developers, and public sector stakeholders who have been advocating for Free Software since the late 1990s, making it an ideal audience for discussing how to systematically transform public digital infrastructure. The talk built on decades of Free Software advocacy to argue for a new policy paradigm.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At RMLL/Libre Software Meeting 2018 in Strasbourg, I presented the “Public Money, Public Code” campaign to one of Europe&amp;rsquo;s longest-running Free Software conferences. The RMLL/LSM brings together activists, developers, and public sector stakeholders who have been advocating for Free Software since the late 1990s, making it an ideal audience for discussing how to systematically transform public digital infrastructure. The talk built on decades of Free Software advocacy to argue for a new policy paradigm.&lt;/p&gt;&#xA;&lt;p&gt;The presentation made the case that when public money pays for software development, the resulting code should be publicly available as Free Software. This isn&amp;rsquo;t just good principle – it&amp;rsquo;s good economics and good governance. I showed how current practices lead to wasteful redundancy, with multiple public bodies independently funding development of similar solutions while being unable to share code. The talk outlined concrete policy changes needed at European, national, and municipal levels to make Public Code the default for publicly funded software development.&lt;/p&gt;&#xA;&lt;p&gt;For the RMLL audience, being strong FOSS advocates, the Public Money, Public Code campaign provided a rallying point and policy framework for their efforts. The discussion explored successful examples of public code initiatives, strategies for changing procurement regulations, and how to build coalitions between technical communities and policy makers to drive systemic change.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Sovereignty through Free Software (Bundeswehr)</title>
      <link>https://mehl.mx/blog/2018/souver%C3%A4nit%C3%A4t-durch-freie-software-bundeswehr/</link>
      <pubDate>Tue, 03 Jul 2018 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2018/souver%C3%A4nit%C3%A4t-durch-freie-software-bundeswehr/</guid>
      <description>&lt;p&gt;In an internal talk for the German Bundeswehr, I spoke about digital sovereignty through Free Software. This unusual context – a presentation to military personnel – offered the opportunity to examine the importance of software freedom from the perspective of IT security, strategic independence, and operational control. For organisations that work with highly sensitive data and have to take national security interests into account, questions of sovereignty and control over their own IT infrastructure are particularly pressing.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;In an internal talk for the German Bundeswehr, I spoke about digital sovereignty through Free Software. This unusual context – a presentation to military personnel – offered the opportunity to examine the importance of software freedom from the perspective of IT security, strategic independence, and operational control. For organisations that work with highly sensitive data and have to take national security interests into account, questions of sovereignty and control over their own IT infrastructure are particularly pressing.&lt;/p&gt;&#xA;&lt;p&gt;The talk emphasised how dependence on proprietary software creates strategic risks: dependence on foreign suppliers for critical infrastructure, no way to check for backdoors or vulnerabilities, and a lack of control over updates and functional changes. Free Software, by contrast, makes it possible to audit code, fix security vulnerabilities oneself, and build long-term support structures independently of commercial vendors. These arguments apply not only to military organisations, but to all areas of public administration and critical infrastructure.&lt;/p&gt;&#xA;&lt;p&gt;The discussion showed that awareness of these issues certainly existed within the Bundeswehr, but that practical hurdles – from procurement structures to a lack of expertise – often made the switch to Free Software difficult. The talk helped to underline the strategic importance of these decisions and to provide arguments for why software sovereignty is a long-term investment in security and independence.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Keynote: Public Code with Free Software - Modernising Public Digital Infrastructure</title>
      <link>https://mehl.mx/blog/2018/keynote-public-code-with-free-software-modernising-public-digital-infrastructure/</link>
      <pubDate>Thu, 07 Jun 2018 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2018/keynote-public-code-with-free-software-modernising-public-digital-infrastructure/</guid>
      <description>&lt;p&gt;I delivered the opening keynote at OW2con 2018 in Paris, presenting the “Public Money, Public Code” vision to a conference focused on Open Source middleware and enterprise solutions. OW2 is a European association fostering Open Source infrastructure software, with strong connections to both industry and public sector organizations. The keynote position reflected the growing recognition that making publicly funded code freely available isn&amp;rsquo;t just an activist demand &amp;ndash; it&amp;rsquo;s a pragmatic approach to building better public digital infrastructure.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;I delivered the opening keynote at OW2con 2018 in Paris, presenting the “Public Money, Public Code” vision to a conference focused on Open Source middleware and enterprise solutions. OW2 is a European association fostering Open Source infrastructure software, with strong connections to both industry and public sector organizations. The keynote position reflected the growing recognition that making publicly funded code freely available isn&amp;rsquo;t just an activist demand &amp;ndash; it&amp;rsquo;s a pragmatic approach to building better public digital infrastructure.&lt;/p&gt;&#xA;&lt;p&gt;The keynote argued that the current model, where public administrations pay vendors to develop software but then cannot share it with other public bodies, is economically inefficient and technologically counterproductive. I presented the FSFE&amp;rsquo;s “Public Money, Public Code” campaign as a policy framework to address this: require that code developed with public funds be released as Free Software. The benefits extend beyond cost savings to include improved security (through transparency and auditability), reduced vendor lock-in, and the ability to build on each other&amp;rsquo;s work rather than repeatedly reinventing similar solutions.&lt;/p&gt;&#xA;&lt;p&gt;For the OW2 community, which works on exactly the kind of collaborative Open Source development that Public Code envisions at scale, the message resonated strongly. The discussion explored how policy changes could accelerate adoption of Open Source infrastructure, how public procurement could be restructured to favor Free Software, and what role organizations like OW2 could play in providing professional-grade Open Source alternatives to proprietary public sector software.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>EU Radio Equipment Directive: Extensive Device Lockdown</title>
      <link>https://mehl.mx/blog/2017/eu-radio-equipment-directive-extensive-device-lockdown/</link>
      <pubDate>Thu, 27 Apr 2017 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2017/eu-radio-equipment-directive-extensive-device-lockdown/</guid>
      <description>&lt;p&gt;At the exclusive Legal and Licensing Workshop 2017, I presented on the EU Radio Equipment Directive and its potential for extensive device lockdown. The Legal and Licensing Workshop brings together legal professionals, compliance officers, and policy experts working on Free Software issues, making it the right audience for a detailed legal and technical analysis of this directive&amp;rsquo;s implications. The talk warned about how seemingly well-intentioned radio equipment regulations could be implemented in ways that fundamentally threaten software freedom on radio-capable devices.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At the exclusive Legal and Licensing Workshop 2017, I presented on the EU Radio Equipment Directive and its potential for extensive device lockdown. The Legal and Licensing Workshop brings together legal professionals, compliance officers, and policy experts working on Free Software issues, making it the right audience for a detailed legal and technical analysis of this directive&amp;rsquo;s implications. The talk warned about how seemingly well-intentioned radio equipment regulations could be implemented in ways that fundamentally threaten software freedom on radio-capable devices.&lt;/p&gt;&#xA;&lt;p&gt;The Radio Equipment Directive (RED) aimed to ensure that radio equipment doesn&amp;rsquo;t interfere with networks or use spectrum inappropriately. However, the way manufacturers could implement compliance – by locking down devices to prevent any software modifications – posed serious threats. I explained how this could affect everything from WiFi routers to smartphones, preventing users from installing alternative operating systems or modifying software on devices they own. The presentation detailed the legal framework, showed how different implementation approaches would affect Free Software, and discussed what the Free Software community needed to advocate for.&lt;/p&gt;&#xA;&lt;p&gt;The workshop audience&amp;rsquo;s legal expertise was crucial for developing strategies to address this issue. The discussion explored how to engage with regulators to ensure compliance mechanisms that preserve software freedom and what legal arguments could be made for user rights to modify their own devices.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Radio Lockdown - Our Devices in Danger</title>
      <link>https://mehl.mx/blog/2017/funkabschottung-unsere-ger%C3%A4te-in-gefahr/</link>
      <pubDate>Sat, 11 Mar 2017 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2017/funkabschottung-unsere-ger%C3%A4te-in-gefahr/</guid>
      <description>&lt;p&gt;At Chemnitzer Linuxtage 2017, I warned about the EU Radio Lockdown Directive and its effects on the freedom of our devices. Chemnitzer Linuxtage attracts a technically savvy audience that often uses alternative operating systems, configures routers itself, and values control over its own hardware – exactly the practices that were put at risk by this directive. The talk made clear that seemingly abstract EU regulation can have very concrete effects on everyday technical freedoms.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At Chemnitzer Linuxtage 2017, I warned about the EU Radio Lockdown Directive and its effects on the freedom of our devices. Chemnitzer Linuxtage attracts a technically savvy audience that often uses alternative operating systems, configures routers itself, and values control over its own hardware – exactly the practices that were put at risk by this directive. The talk made clear that seemingly abstract EU regulation can have very concrete effects on everyday technical freedoms.&lt;/p&gt;&#xA;&lt;p&gt;I explained how the Radio Equipment Directive (RED) could be used, under the pretext of spectrum regulation, to lock down devices completely. That would mean: no more alternative router firmware, no custom ROMs on smartphones, no modification of software on anything that uses WiFi or mobile networks. The presentation showed technical details of how such lockdowns could be implemented, which devices would be affected, and why the arguments for these restrictions were not convincing – real compliance could also be achieved without a complete device lock.&lt;/p&gt;&#xA;&lt;p&gt;The audience reacted with justified concern, as many of those present use exactly the freedoms that were under threat. The discussion focused on concrete steps: how to get politically involved, what role manufacturers could play, and which technical countermeasures would be possible. The talk was part of a broader FSFE campaign to raise awareness of this threat and build political pressure.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Radio Lockdown Directive - Major Threat for Free Software on Radio Devices</title>
      <link>https://mehl.mx/blog/2017/radio-lockdown-directive-major-threat-for-free-software-on-radio-devices/</link>
      <pubDate>Sat, 04 Feb 2017 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2017/radio-lockdown-directive-major-threat-for-free-software-on-radio-devices/</guid>
      <description>&lt;p&gt;At FOSDEM 2017, I presented on the EU Radio Equipment Directive and its potential to become a major threat for Free Software on radio-capable devices. This talk was part of raising awareness in the Free Software community about an emerging regulatory threat that could fundamentally undermine software freedom on billions of devices. The Radio Equipment Directive (RED), ostensibly designed to ensure radio equipment compliance, contained provisions that could be interpreted to require device lockdown preventing any software modifications.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At FOSDEM 2017, I presented on the EU Radio Equipment Directive and its potential to become a major threat for Free Software on radio-capable devices. This talk was part of raising awareness in the Free Software community about an emerging regulatory threat that could fundamentally undermine software freedom on billions of devices. The Radio Equipment Directive (RED), ostensibly designed to ensure radio equipment compliance, contained provisions that could be interpreted to require device lockdown preventing any software modifications.&lt;/p&gt;&#xA;&lt;p&gt;The presentation explained the technical and legal mechanisms by which this directive could be used to lock down devices containing radio hardware – essentially everything from smartphones to laptops to IoT devices. I detailed how manufacturers might interpret compliance requirements as necessitating complete software control, preventing users from installing alternative operating systems, modifying firmware, or running Free Software they choose. The talk outlined the threat not just to hobbyists and tinkerers, but to the entire Free Software ecosystem that depends on users&amp;rsquo; ability to control their computing devices.&lt;/p&gt;&#xA;&lt;p&gt;The FOSDEM audience, as one of the largest gatherings of Free Software developers in Europe, was a critical venue for this message. The discussions after the presentation in particular focused on strategies for engaging with EU regulators, building coalitions with other affected communities (security researchers, hardware hackers, consumer rights advocates), and ensuring that compliance mechanisms preserve rather than eliminate software freedom. This talk was part of a sustained FSFE campaign that ran for more than 10 years.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Compulsory Routers and Radio Lockdown - What Activists Can Learn from Them</title>
      <link>https://mehl.mx/blog/2016/routerzwang-und-funkabschottung-was-aktivisten-daraus-lernen-k%C3%B6nnen/</link>
      <pubDate>Tue, 27 Dec 2016 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2016/routerzwang-und-funkabschottung-was-aktivisten-daraus-lernen-k%C3%B6nnen/</guid>
      <description>At the 33rd Chaos Communication Congress (33c3) in Hamburg, I presented two successful activism campaigns and what others can learn from them: the fight against compulsory routers in Germany and the ongoing campaign against the EU Radio Lockdown Directive. The CCC brings together thousands of hackers, activists, and technically skilled people – exactly the target group that is both affected by these issues and has the skills to take effective action against these and similar grievances.</description>
      <content:encoded>&lt;p&gt;At the 33rd Chaos Communication Congress (33c3) in Hamburg, I presented two successful activism campaigns and what others can learn from them: the fight against compulsory routers in Germany and the ongoing campaign against the EU Radio Lockdown Directive. The CCC brings together thousands of hackers, activists, and technically skilled people – exactly the target group that is both affected by these issues and has the skills to take effective action against these and similar grievances.&lt;/p&gt;&#xA;&lt;p&gt;The talk first told the success story of Router Freedom: how the FSFE and its allies managed, against massive lobbying efforts by telecommunications providers, to push through a law that guarantees customers the free choice of their router. I analysed which strategies worked &amp;ndash; broad coalitions, technical expertise meeting politics, public pressure &amp;ndash; and what was less successful. I then applied these lessons to the currently looming radio lockdown through the EU Radio Equipment Directive: an even greater threat, but one that could be tackled with similar tactics.&lt;/p&gt;&#xA;&lt;p&gt;The talk was deliberately designed as an activism workshop. The discussion focused on how technical communities can use their expertise to influence political processes, how to form effective coalitions, and why it is important not only to protest but to develop constructive proposals for solutions. For the CCC audience, which is often sceptical of “politics”, the talk showed that technical influence on regulation is possible and necessary.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Compulsory Routers and Radio Lockdown - What Activists Can Learn from Them</title>
      <link>https://mehl.mx/blog/2016/routerzwang-und-funkabschottung-was-aktivisten-daraus-lernen-k%C3%B6nnen/</link>
      <pubDate>Sat, 20 Aug 2016 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2016/routerzwang-und-funkabschottung-was-aktivisten-daraus-lernen-k%C3%B6nnen/</guid>
      <description>&lt;p&gt;At FrOSCon 2016 in Sankt Augustin, I presented two case studies of digital activism: the successful fight against compulsory routers in Germany and the ongoing campaign against the EU Radio Lockdown Directive. FrOSCon (Free and Open Source Software Conference) brings together predominantly German-speaking Free Software enthusiasts who are both technically skilled and interested in the political framework conditions for Free Software.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At FrOSCon 2016 in Sankt Augustin, I presented two case studies of digital activism: the successful fight against compulsory routers in Germany and the ongoing campaign against the EU Radio Lockdown Directive. FrOSCon (Free and Open Source Software Conference) brings together predominantly German-speaking Free Software enthusiasts who are both technically skilled and interested in the political framework conditions for Free Software.&lt;/p&gt;&#xA;&lt;p&gt;The talk analysed the success of the Router Freedom campaign: despite massive resistance from the telecommunications industry, a law had been pushed through that guarantees consumers the free choice of their router. I showed which strategies were successful – from mobilising broad support and working with consumer protection advocates to supplying technical expertise to political decision-makers. I then applied these lessons to the looming radio lockdown: an EU directive that, under the pretext of spectrum regulation, could lead to a lockdown of all radio-capable devices.&lt;/p&gt;&#xA;&lt;p&gt;The presentation was designed as an activism guide: it pointed out not only problems but also concrete ways in which technical communities can exert political influence. The discussion revolved around practical questions: How do you find allies outside the tech scene? How do you communicate technical topics to politicians? How do you build pressure without getting stuck in pure protest? For the FrOSCon audience, this was encouragement that technical activism can have an effect.&lt;/p&gt;&#xA;</content:encoded>
    </item>
    <item>
      <title>Compulsory Routers and What Activists Can Learn from Them</title>
      <link>https://mehl.mx/blog/2016/routerzwang-und-was-aktivisten-daraus-lernen-k%C3%B6nnen/</link>
      <pubDate>Sat, 19 Mar 2016 00:00:00 +0000</pubDate>
      <guid>https://mehl.mx/blog/2016/routerzwang-und-was-aktivisten-daraus-lernen-k%C3%B6nnen/</guid>
      <description>&lt;p&gt;At Chemnitzer Linuxtage 2016, I gave a talk about the compulsory routers campaign and the lessons activists can draw from it. At that time, the fight for router freedom in Germany was still in full swing but looked promising – a good moment to report both on the course of events so far and on the strategies that had proven successful. Chemnitzer Linuxtage attracts a technically savvy audience that is often frustrated with political processes but also has the potential to influence them.&lt;/p&gt;</description>
      <content:encoded>&lt;p&gt;At Chemnitzer Linuxtage 2016, I gave a talk about the compulsory routers campaign and the lessons activists can draw from it. At that time, the fight for router freedom in Germany was still in full swing but looked promising – a good moment to report both on the course of events so far and on the strategies that had proven successful. Chemnitzer Linuxtage attracts a technically savvy audience that is often frustrated with political processes but also has the potential to influence them.&lt;/p&gt;&#xA;&lt;p&gt;The talk first explained the problem: telecommunications providers forced customers to use the providers&amp;rsquo; routers, which meant technical restrictions, security risks, and lock-in. I then showed how the FSFE and partners managed to put this issue on the political agenda: through technical documentation of the problems, mobilisation of affected users, cooperation with consumer protection organisations, and direct work with legislators. A particularly important insight was that one must not only protest but also deliver concrete proposals for solutions and legislative texts.&lt;/p&gt;&#xA;&lt;p&gt;The presentation served as encouragement for technical communities to get involved politically. The discussion concentrated on practical questions: How do you find time for activism alongside work and family? How do you work with politicians who do not understand the technical details? How do you build coalitions with non-tech organisations? The talk showed that effective tech activism is possible if you proceed strategically and find the right allies.&lt;/p&gt;&#xA;</content:encoded>
    </item>
  </channel>
</rss>
