SUSE: The European alternative


5 things to take away:

  • SUSE is the European alternative
  • You should know about object measurement score
  • Objective scaling
  • How you can improve your score
  • There should be a Belgian representative in the EU space

The story

You cannot be sovereign without Open Source.

DOSBA

DOSBA is the Dutch Open Source Business Association, and they are the voice of open source in the Netherlands.

They brought together 4 open source enthusiasts, who decided they needed European representation in the open source space: a lobbyist who could represent the interests of open source in the EU. This group now pays for that lobbyist.

They work together with APELL.

The speaker called for a Belgian representative in the EU space, maybe a BOSBA?

SUSE

What does SUSE do?

Influence standards, policy and regulation

About 2000 people work for SUSE, which was founded in 1992 in Nuremberg, Germany.

Working with:

  • The Linux Foundation
  • OpenSSF
  • Contributions to the Linux kernel

Digital Sovereignty

The SUSE definition:

Digital Sovereignty refers to the ability of a nation, organization, or individual to have control over their digital infrastructure, data, and technology.

There’s a misconception that you can never have total sovereignty. The limit is always seen at the hardware level. Some alternatives exist: RISC-V, OpenCHIP.

To be sovereign you need:

  • To know where your data is and where your software comes from
  • To not have black boxes in your stack
  • Open hardware (RISC-V is maturing)
  • To know who has the key (to your data, to your software, to your hardware)
  • To know what jurisdictions define the rules for your vendors

EU Cloud Sovereignty Framework

Six pages of EU Commission documentation.

8 objectives (with a weighting factor):

  • Strategic (15%)
    • Strategic partnerships
    • Kangaroot, Drupal, SUSE, OVH Cloud, OpenCloud, NextCloud, ODOO, …
  • Legal (10%)
    • Protection from Legal claims
    • CLOUD Act: Clarifying Lawful Overseas Use of Data Act.
      • US law that allows US authorities to access data stored by US companies, even if the data is stored outside the US.
    • Since 2018 there are cloud guidelines for EU governments: you cannot handle personal data of EU citizens with a non-EU provider
  • Data and AI (10%)
    • Know who has control over your data
    • AI is an amplifier for an existing movement; it highlights the need for a framework like this
  • Operational (15%)
    • Running independently without foreign control
    • SUSE provides full technical documentation and source code, which are the primary contributing factors for long-term autonomy
  • Supply Chain (20%)
    • EU Control over critical components
    • Common Criteria Evaluation - Supply Chain verification
    • This already existed for food, but now it’s also needed for software
  • Technical (15%)
    • Open standards and Open Source software
  • Security and Compliance (10%)
    • EU Controlled security and audit independence
  • Environmental Sustainability (5%)
    • Long-term resilience regarding resource usage
    • Power is a dependency, so you should have control over it and be able to have redundancy

You can calculate your SEAL score and see how you are doing on the different objectives. The score goes from 0 to 4, with 4 being “full control”. There is no official certification, but you can use a self-assessment tool. Doing this for your entire org is probably too much, but you can do it for specific projects or products.

It is not just EU companies using this, but also companies in Canada, India, Japan, …, proving that this is a global movement.