5 MIN READ
Sovereign Tech Fund invests EUR 875,000 in the OpenJS Foundation to improve open source infrastructure and security
Cailean Osborne | 10 May 2023
Governments across the globe are increasingly recognising that open source software (OSS) represents critical digital infrastructure and the need to do more to sustainably fund its development, maintenance, and security. While the private sector has historically been the largest financial supporter of OSS, government interest in funding OSS has increased in recent years due to concerns about digital sovereignty and software security.
The Sovereign Tech Fund (STF) in Germany is a noteworthy example. Established in October 2022, it aims to sustainably strengthen the infrastructure and security of critical open source ecosystems. On 2 May 2023, it invested EUR 875,000 in the OpenJS Foundation, the largest one-time government support investment ever in a Linux Foundation project. As one of the first governmental funds dedicated to OSS, the STF is spearheading a critical shift in how governments invest in the long-term viability of OSS and digital public goods.
Strides in Government Funding for Open Source
In the last few years, OSS has become increasingly recognised as digital infrastructure by governments across the globe. An often cited statistic is that 70-90% of any software “stack” consists of OSS. In fact, Synopsys’s latest analysis (2023) finds that 96% of codebases contain OSS.
The discovery of the Log4Shell vulnerability in Apache Log4J in November 2021 was a crucial moment that mobilised many governments to think more strategically about OSS, particularly from the perspective of the security of software supply chains. This moment shed light on the consequences of under-investment in the maintenance and security of OSS, which act as critical digital infrastructure that public administrations and the global digital economy at large depend on.
Indeed, there is an increasing recognition that more must be done to support the people behind the code, and one way to do so is to support the developer communities that maintain and secure OSS. We have made this argument before at Linux Foundation Europe: Organisations from various sectors should work together to fund the open source communities building and maintaining our digital infrastructure in a sustainable manner. Similarly, the OpenSSF has outlined a 10-point OSS Security Mobilization Plan that sets out the need for USD 150 million of funding over the next two years to rapidly advance well-vetted solutions to the ten major problems in software security.
Others are also calling for long-term funding interventions to sustain OSS projects. The Atlantic Council's Cyber Statecraft Initiative recently compared OSS to three types of infrastructure and proposed setting up an OSS Trust Fund for sustainable and long-lasting investments in OSS. Similarly, Paul Keller from OpenFuture EU has proposed setting up a European Public Digital Infrastructure Fund, while Katja Bego has proposed the establishment of a Public Technology Fund at the EU level dedicated to OSS development and maintenance.
To date, the private sector and philanthropies have been the largest funders of OSS, from sponsorship of projects (e.g., via FOSS Funds) to investing financial and technical resources into open source projects. A European Commission study estimated that companies located in the EU invested around EUR 1 billion in OSS in 2018, with an estimated positive impact of EUR 65-95 billion contributed to the EU economy that year.
Meanwhile, the public sector has been lagging behind. However, there have been a number of promising developments, including the US government’s Open Technology Fund (2012), the European Commission’s Next Generation Internet initiative (2018), and Germany’s STF (2022).
SPOTLIGHT: STF invests EUR 875,000 in OpenJS Foundation
The STF was established in October 2022 with the goal of sustainably strengthening open source ecosystems that the government recognises as “critical digital infrastructures.” The STF argues that no digital sovereignty can exist without a robust open source ecosystem.According to the STF, funding open source matters because “the open source ecosystem, while incredibly successful, is also increasingly fragile. Many more people are using the software than contributing to it. It is time to invest in digital commons, volunteer communities, and the open source ecosystem to build the digital world we want to see.”
The STF is funded by the German Ministry for Economic Affairs and Climate Action and is currently incubated at SPRIND GmbH, the federal agency for disruptive innovation. It has a budget of EUR 11.5 million for the year 2023 alone and it is already sponsoring a number of projects, from curl to OpenBLAS.
“We hope that this will start to build a JavaScript ecosystem that will continue to flourish not only in Germany, but around the globe. It’s encouraging to see the German government taking this initiative to improve the lives of citizens by investing in the critical open source infrastructure that powers the web.”
– Robin Ginn, Executive Director of the OpenJS Foundation
With the investment, the OpenJS Foundation will deliver infrastructure updates across their project portfolio, implement a responsible sunset program for inactive projects, as well as develop and deliver state-of-the-art security and maintenance policies and practices for critical projects. Crucially, this investment will support the JavaScript ecosystem to flourish not only in Germany, but around the globe, benefitting all stakeholders that use JavaScript libraries.
Where do we go from here?
We commend the German government’s leadership in establishing its STF and taking concrete steps to financially support critical OSS projects that governments–not just the German government–and the wider global digital economy depend on.We hear time and time again that it is difficult for open source champions within public administrations to mobilise their management or political leaders to invest in open source. While the private sector optimises for profit, the public sector optimises for public value creation and the public value that comes from funding OSS can be hard to measure. For good reason, governments have frameworks for how public money can be spent, and the absence of quantitative measures is often a major obstacle for public servants that seek to fund OSS projects.
While these are still early days, the STF can set a precedent and act as a model for other governments in Europe and elsewhere, which also seek to support the sustainability of open source digital infrastructure that powers and benefits diverse stakeholders across sectors and countries. This is an important cultural shift in how governments invest in the long-term viability of OSS and digital public goods, and we hope to see more of this in the future.
Beyond funding open source digital infrastructure, we applaud the STF’s funding-based approach to improving the security of critical open source projects. As policymakers across the EU and beyond weigh up policy options about how to ensure greater cybersecurity, the STF is striking an appropriate balance between, on the one hand, seeking to improve (open source) software security and, on the other hand, understanding open source development cultures and practices. We see this as a positive step towards sustaining and securing OSS in the long run.