It was about ten years ago that "free" software sold its soul to the "devil", when Big Tech started marketing its own so-called "free" software. Today, they largely control the ecosystem. (Photo: Shutterstock)

It was about ten years ago that "free" software sold its soul to the "devil", when Big Tech started marketing its own so-called "free" software. Today, they largely control the ecosystem. (Photo: Shutterstock)

Open source is a colossus with feet of clay: if, in its infancy, it praised the noble ambition of freeing creativity, Big Tech understood with the internet, and then with the launch of their own products, that it was not in their interest to let free software develop. Today, they have financial and human control over all the major players. Even the EU has to extricate itself from the mess it got itself into.

(To our readers: this article was updated at 10 p.m. The German fund does not receive financial support from the European Commission.)

The promise is magnificent. After a "very successful first edition of the Open Source conference in combination with the LibreOffice conference", "open source software, together with data sovereignty, is the basis for achieving digital sovereignty as an inclusive effort where all participants cooperate to create the tools we need to protect our data while sharing the technologies that improve everyone's digital life", assures the website of the conference, which was held last week in Belval, in the presence of, among others, the Minister for Research, Higher Education and Digitalisation, , or the "State's Mr Cybersecurity", François Thill.

In itself, free software poses no problem as long as nobody associates sovereignty with it. Because behind the banner of free software, the promise of sovereignty that Europeans are running after, the financial flows tell a different story. Today's open source has little to do with the militant utopia of the 1980s. The era of Richard Stallman and the GNU project, when people dreamt of emancipating users from the control of proprietary giants, has given way to a highly industrialised structure. Let's take a look back at how it all went wrong: in 1999, IBM invested 1 billion dollars in Linux for its own benefit, marking the start of a collaboration that was to become even more pronounced with the Internet boom. Google, Amazon, Facebook and later Microsoft Azure all wanted to build their future on open source... and recruited the engineers who would go on to make the success we know today. In the mid-2010s, they even went so far as to sell software labelled "free" or "open source" themselves, in a fantastic marketing success.

Large foundations such as the Linux Foundation, the Apache Software Foundation, Eclipse and Mozilla manage hundreds of open source projects and attract the budgets of private companies. In 2023, the Linux Foundation had revenues of more than 260 million dollars, mainly from contributions from Google, Microsoft, Amazon, Meta, IBM and Huawei (the Americans have opened up certain sites and projects to other players, mainly Chinese, for a veneer of neutrality). At the Apache Foundation, a 'Platinum' sponsor pays $125,000 a year, while Mozilla lives off the hundreds of millions it receives from Google to keep its default search engine on Firefox. Open source has gained in power, but it has lost its financial independence.

In fact, almost all the building blocks that run the internet and the cloud are funded by these players. The Linux kernel, Kubernetes, Node.js, PyTorch or TensorFlow - all hosted by the Linux Foundation or its branches - are projects born in the laboratories of Big Tech before being "offered" to the community. There is nothing disinterested about this generosity: it enables these companies to define standards, control development cycles and attract thousands of developers to their ecosystem.

The German Sovereign Tech Fund, a model to follow

In Luxembourg, local players naturally use these tools and, let's be clear, there's nothing to criticise them for, unless they were to demand the emergence of sovereign solutions. The Passbolt password manager is based on Docker and Kubernetes environments. Circl, Luxembourg's security incident response centre, uses solutions integrated with the Linux Foundation and the OpenSSF project. The Luxembourg Institute of Science and Technology is developing frameworks running on cloud-native platforms. Even the public services, through Restena or NSI, operate on infrastructures built on technologies from these foundations. Without always putting it like that, a whole section of Luxembourg's digital ecosystem therefore depends on an architecture governed by organisations and sponsors from outside Europe.

Faced with this situation, Europe has not remained idle. It is trying to curb the imbalance through public initiatives that are expected to take shape soon. The Sovereign Tech Fund, financed by the German government, now invests more than €30 million per year to support critical open-source infrastructure projects such as curl, OpenSSH, WireGuard, OpenPGP.js, OpenBGPd, and Bundler/RubyGems. These are fundamental components, present in all IT systems, but historically maintained by small teams with no industrial support. The aim of the fund is to fill this gap and ensure that they are maintained outside the commercial sphere.

The European Commission, for its part, has launched its Open Source Programme Office to coordinate its internal strategy, after funding the EU-FOSSA project, which aimed to audit the open source software used in the European institutions. The question remains as to who is responsible for the tool used to audit open source software? Once again, the Linux Foundation. The Cyber Resilience Act, adopted in 2024, marks another step forward: it imposes security obligations on publishers, including for open source components, thus recognising their crucial role in the digital economy.

But despite these advances, the balance of power remains unbalanced. Where Brussels and Berlin commit tens of millions, American foundations spend hundreds. And most of the engineers who develop and maintain the most widely used open source tools are employed by Google, Microsoft or Amazon. In other words, even what is presented as "open" remains shaped, paced and often decided elsewhere.

This is the paradox revealed by the Belval conference. Luxembourg is promoting a digital model based on collaboration, transparency and mastery of its tools. But the very basis of this ambition - code, standards, infrastructure - remains dominated by global players who do not necessarily share the same vision of sovereignty. Europe is certainly making progress, but it is still moving forward on foundations that others have built.

And in a world where digital sovereignty is as much about data as code, open source is not yet a guarantee of independence: it is a battleground.