Open source organisations weigh in on age attestation

  • grahamperrin wrote (last edited by grahamperrin) #1

    https://opensource.org/blog/open-source-organizations-weigh-in-on-age-attestation

    https://mastodon.social/@FreeBSDFoundation/116676767603367392

    The FreeBSD Foundation has joined the Open Source Initiative (OSI), the Apereo Foundation, and the Open Source Technology Improvement Fund (OSTIF) in issuing a joint statement on age-attestation requirements for operating systems.

    Cross-posted to Reddit.

    Home pages of the four signatories:

    • Apereo Foundation
    • FreeBSD Foundation
    • Open Source Initiative – The steward of the Open Source Definition, setting the foundation for the Open Source Software ecosystem.
    • OSTIF.org – Securing Open Source for the World

    The Apereo Foundation presents the statement as HTML, alongside a link to the PDF. Quoted below.

      grahamperrin wrote (last edited by grahamperrin) #2

      Open Source Organizations Weigh in on Age Attestation

      Operating systems are fundamental to the technology we use everyday — from personal computers to smart phones and tablets. Most people know the major operating system providers: Microsoft (Windows), Apple (iOS/macOS), and Google (Android/Chrome). But there are many other operating systems that make up a robust ecosystem of Open Source technology. They are community projects, broadly adopted, and often maintained by volunteers or a small team of developers, that make the code for the operating system available under an Open Source Initiative (OSI)-approved license so that anyone can use, study, modify, and share it. Open Source operating system projects include distributions of the Linux kernel (Ubuntu, Fedora, Debian, Mint, etc.) and many others including FreeBSD, FreeDOS, and GNU Hurd.

      Open Source operating system projects have been crucial to ensuring consumer choice, innovation, and competitiveness in the marketplace. These operating systems lower barriers to entry and enable users to customize the software for their needs without being locked into a specific vendor. They offer enormous flexibility and benefit to everyday technology users.

      Recent policy proposals meant to improve online safety for minors seek to require the collection of age information at the operating system level, regardless of if the code is Open Source or proprietary. In practice, this would mandate that any operating system provider must include a feature for the user to enter their age information and then provide a “signal” to application providers or browsers. These policy proposals risk shutting down smaller Open Source projects that exist for the benefit of all by creating a legal and technical environment that is so complex that only the large, proprietary vendors with significant resources can participate. And because Open Source code is present in 98% of codebases, policies that make it harder for these projects to operate will have ripple effects throughout technology that are not well understood.

      We recognize that some of the age verification and attestation bills being considered in the United States may not take into account the many Open Source operating systems that make their code available for public benefit. We appreciate the engagement thus far from some lawmakers and encourage others to work with the Open Source community to better understand how these projects operate and the impact of proposed age laws on these public resources.

      Contact: Katie Steen-James, Open Source Initiative (katie@opensource.org)

      Signed,
      Apereo Foundation
      FreeBSD Foundation
      Open Source Initiative (OSI)
      Open Source Technology Improvement Fund (OSTIF)

      Signed May 27, 2026

        grahamperrin wrote (last edited by grahamperrin) #3

        Linked from the statement:

        2026 OSSRA Report: Open Source Security & Risk Analysis

        … The 2026 “Open Source Security and Risk Analysis” (OSSRA) report reveals the biggest increase yet in open source security, licensing, and operational risk. With the amount of AI-generated code increasing faster than teams can govern it, risk is accelerating across security, legal, and compliance. …

        There's a form to download the report, and answers to frequently asked questions.

        Annoyingly, the Black Duck page:

        • is useless in Firefox Reader – there's nothing about the report
        • allows only one answer at a time for the FAQ.

        I'll add a reader-friendly view of the answers …

          grahamperrin wrote (last edited by grahamperrin) #4

          Above, I altered only two things:

          1. the missing link to https://opensource.org/licenses (present in the PDF but not Apereo's HTML)
          2. the other link within the PDF, for the Black Duck Software, Inc. page.

          Originally:

          • https://www.blackduck.com/resources/analyst-reports/open-source-security-risk-analysis.html?utm_source=google&utm_medium=cpc&utm_term=open_source&utm_campaign=G_S_OSSRA_BMM_BD&cmp=ps-G_S_OSSRA_BMM_BD&gad_source=1&gad_campaignid=21540262704&gbraid=0AAAAADtffnW5h5IwmiIzfAFm_unVE0qZm&gclid=CjwKCAjwgb_CBhBMEiwA0p3oODXP0kNdh9vv_jLk30kmEh4ne7jwD6Z0WOdKna9ecews-_0zO_Op1BoClsYQAvD_BwE

          Cleaned by Firefox:

          • https://www.blackduck.com/resources/analyst-reports/open-source-security-risk-analysis.html?cmp=ps-G_S_OSSRA_BMM_BD&gad_source=1&gad_campaignid=21540262704

          Canonical (used by me):

          • https://www.blackduck.com/resources/analyst-reports/open-source-security-risk-analysis.html
            grahamperrin wrote #5

            I'll add a reader-friendly view of the answers …

            What is the OSSRA report?

            The "Open Source Security and Risk Analysis" (OSSRA) report analyzes open source security trends, vulnerabilities, and compliance issues found in real-world codebases. Now in its tenth edition, the 2025 OSSRA report examines over 900 codebases across 17 industries to help security, legal, risk, and development teams better understand and manage open source risk in their software supply chains.

            What does OSSRA stand for?

            OSSRA stands for Open Source Security and Risk Analysis. The OSSRA report analyzes security vulnerabilities and license compliance risks associated with open source software usage.

            Who publishes the OSSRA report?

            The OSSRA report is published annually by Black Duck, a leader in software composition analysis and open source security solutions.

            What does the OSSRA report cover?

            The OSSRA report provides comprehensive insights into

            • Prevalent vulnerability types in open source software
            • Current licensing and compliance challenges
            • Best practices for securing your software supply chain
            • The role of software composition analysis tools in generating accurate Software Bills of Materials
            • Industry-specific trends across sectors

            Who should read the OSSRA report?

            The OSSRA report is designed for security teams, legal departments, risk management professionals, and development teams that need to understand and manage open source security and license compliance in their organizations. It's particularly valuable for anyone responsible for software supply chain security, application security, or open source governance.

            How often is the OSSRA report published?

            The OSSRA report is published annually. The 2026 edition represents the eleventh consecutive year of the report, demonstrating more than a decade of tracking open source security and risk trends.

            Is the OSSRA report free to download?

            Yes, the OSSRA report is available as a free download from Black Duck. You can access the full report by completing a download form on the OSSRA landing page.

            How many codebases does the OSSRA report analyze?

            The 2026 OSSRA report examines vulnerabilities and license conflicts found in more than 900 real-world codebases spanning 17 industries, providing a comprehensive view of open source usage patterns, security risks, and compliance challenges across diverse sectors.

            What industries are covered in the OSSRA report?

            The 2026 OSSRA report covers eight vertical industries (Financial, FinTech, ISV, Tech, Healthcare, IoT, Cloud, and Insurance), providing industry-specific insights into open source security and risk trends. This multi-industry analysis helps organizations benchmark their open source practices against sector-specific patterns and identify industry-relevant risks.

            What is the latest OSSRA report?

            The latest OSSRA report is the "2026 Open Source Security and Risk Analysis" report, which represents the eleventh edition of this annual study. It provides the most current insights into open source security vulnerabilities, license compliance issues, and software supply chain risks.

            Why should I download the OSSRA report?

            Download the OSSRA report to learn

            • Data-driven insights from analysis of real codebases
            • Industry benchmarks to compare your organization's open source practices
            • Identification of the most prevalent vulnerability types affecting open source software
            • Guidance on licensing and compliance challenges
            • Best practices for implementing software composition analysis tools
            • Recommendations for creating accurate Software Bills of Materials
            • Strategies for proactive open source risk management

            What is software composition analysis and why is it mentioned in the OSSRA report?

            Software composition analysis (SCA) is a methodology for identifying open source components in applications and analyzing their security, license, and quality risks. The OSSRA report emphasizes SCA tools because they are essential for generating accurate Software Bills of Materials and maintaining visibility into open source components—a critical requirement for securing the software supply chain and managing the risks documented throughout the report.

            What's new in the 2026 OSSRA report?

            The 2026 OSSRA report marks the eleventh edition of this annual study, representing over a decade of tracking open source security trends. This edition analyzes over 900 codebases across 17 industries, providing the latest data on vulnerability trends, license compliance challenges, and software supply chain security risks in the era of AI-driven development.

            How can the OSSRA report help my organization?

            The OSSRA report helps organizations by providing evidence-based insights into open source risk patterns, enabling teams to

            • Proactively identify and address common vulnerabilities in their open source dependencies
            • Understand industry-specific license compliance challenges
            • Implement stronger security and compliance practices
            • Make informed decisions about open source governance and software composition analysis tools
            • Benchmark their practices against real-world data from hundreds of codebases