Open Source Is Not a Licence, It's a Political Act

I spent last week at the UN in New York for Open Source Week — four days of sessions covering AI, Digital Public Infrastructure, OSPOs, community-led open-source work, and a hackathon. I work for amazee.io, which sits at the intersection of open-source hosting and AI infrastructure, so I had skin in the game. We have clients that are squarely in the middle of this conversation. What I heard at the UN was not a typical technology conference. It was a conversation about power and who holds it.

Who owns the systems the world runs on? Who owns the intelligence those systems produce? And what happens to everyone who has no say in either question?

Here is what stood out.

Open source is sovereignty or it's nothing

The word "sovereignty" came up so often across the week that it risked becoming wallpaper. But strip away the repetition, and the argument is real.

Tanzania's Minister of Technology put it plainly: 90% of her government's systems are now on open source. The savings from eliminating expensive proprietary licences have been reinvested in people. The workforce now owns the systems it builds. She framed this not as a technical achievement but as a political one: Tanzania is no longer a passive consumer of technology. It's an active creator. She approached me on community day and gave me her card so we can be in touch.

Estonia's Minister of Justice made a similar point from a different angle. Open source is the default. The e-voting system is open source, audited by independent international auditors. X-Road — the interoperability architecture Estonia built and has now shared with 140 countries — is the infrastructure that makes it possible to connect 300 government databases without creating a super-database that becomes a single point of failure and a single point of control.

Morocco is training 100,000 people a year in digital skills, building a 1 GW data centre, and adapting AI models into local languages. The Minister framed it as a "third digital path" — not the Silicon Valley model and not closed state-controlled systems. It represents international openness with local values. Open source becomes an instrument of sovereignty.

The contrast with how most Western enterprises talk about open source is striking. In most corporate conversations, open source is framed as a cost play or a developer preference. At the UN, it's framed as the difference between a country that controls its own future and one that doesn't.

I find the latter framing more compelling.

The infrastructure argument, and why it's incomplete

Several speakers made the roads-and-bridges comparison: open source is like physical infrastructure; we wouldn't expect volunteers to maintain the motorway network. I asked one panel directly — if governments and companies increasingly depend on open source as critical infrastructure, how do we make the case that they have an obligation to fund its long-term maintenance, and what does that model actually look like?

The answer was sobering. Awareness is still the first obstacle. Most people in most member states do not understand how software is created or sustained. The public instruments to fund open-source infrastructure as a public good don't yet exist; they need to be invented. Unlike roads, the benefit of open source isn't immediately visible to the people who need to fund it.

Adriana Groh from Germany's Sovereign Tech Agency put it well: we have built something extraordinary over twenty years, and we are reaching a point where losing it is possible. The value isn't just financial. It's the entire mode of collaboration that has developed. Governments are starting to understand this, but we are not there yet. I'm wondering how organisations like the Drupal Association, the Linux Foundation, and Typo3 can get into the "room" to make the case. Can you imagine the endowment that could be created if the governments and companies of the world leveraging these tools just donated a tiny fraction of 1% of their tech budgets to the communities building the code they rely upon?

Jim Zemlin from the Linux Foundation added a harder edge: the mean time to exploit a vulnerability is now down to seven days. In 2020 it was sixty. We are patching slower than attackers are moving, and roughly $50 billion a year is being overspent on proprietary models that open-weight alternatives would replace at a fraction of the cost. If we exercise the collective will to address the technical debt sitting across millions of open-source projects, we can restore the security equilibrium. If we don't, we lose something that took decades to build.

The infrastructure argument is correct. It's just that making it stick requires work that hasn't been done yet.

Digital Public Infrastructure: the governance problem people keep misidentifying as a technology problem

The DPI day was the most practically grounded part of the week. Country after country laid out where they are: Sierra Leone building towards 90% 5G coverage and 80% digital ID coverage; Jamaica spending $100 million to connect underserved regions; Morocco deploying 5G across 1,400 regions and building shared identity infrastructure. The ambition and the progress is real.

But the consistent theme, said in different ways by different speakers, was this: DPI is not an infrastructure problem. It's a governance problem.

Ethiopia's DPI assessment illustrated this exactly. 98% of the population have an ID. 92% have a payment wallet. And yet fewer than 5% can access the protections that ID is supposed to unlock, nearly half of payment transactions fail, and 32% have experienced fraud. The technical systems exist. The governance doesn't. People don't know what protections they have. Fraud goes unreported because people don't know who to report to and don't trust that anything will happen if they do. The systems were designed for the system, not for the people using it.

Siobhan Green from Fenix Digital described what she's seen across multiple countries: the majority of costs come after the pilot stage, but funding is structured around strategy and pilots. USAID cuts have left data centres without anyone to pay the electricity bill. Zambia has a mere 25% birth certificate coverage and rampant fraud, and verification is expensive. The development community has been running fragmented pilots for years and calling it progress.

Her recommendation was blunt: don't build it if you can't support it. When pilots end, real people who depended on those systems are left stranded.

The piece that stuck with me most was on migrant women and remittances. The data from Fundación Capital showed that even women with digital wallets frequently can't send money across borders. Onboarding processes that require documentation many migrants don't have. Exchange rates that aren't disclosed until after the transaction. Systems that work fine domestically and fail at every boundary. The observation: "DPI must connect identity and payment. When it fails, it's usually because it wasn't designed with the most likely users in mind."

That's the governance problem. Not missing technology. Missing design intent.

The verification problem is more important than the model problem

The most technically sharp session of the week was on verifiable AI, and it reframed something I've been thinking about for a while.

Tricia Wang at the AI day made the argument that we live in a claims-based AI world and need to move to a verification-based one. The technology exists. We just haven't built the institutional and policy frameworks to use it. Her framing: every time you board a plane, you trust an agent. Pilots, air traffic controllers, the flight management system. We know how to govern this. We have liability frameworks, certification requirements, black boxes, independent investigation bodies. We haven't applied any of that to AI yet.

The verifiable AI panel pushed this further. Zero-day exploit windows have collapsed from a year to 40 seconds. Agents are non-deterministic by design, which means traditional deterministic security models don't transfer. At 70 million events a minute, you cannot have a human or even an AI review everything — it would cost about a billion dollars a day.

Stan Byers made the point I think matters most: end-user liability is coming. If your agent does something damaging, it will come down on companies or individuals. That's not a threat, it's an observation about how accountability systems historically develop. The question is whether we build the governance frameworks proactively or reactively, after the first major incident that can't be explained away.

Mostafa Elkordy's frame was "mutual distrust". Start from the assumption that nothing is trusted, build verification in from the ground up, log everything, and make the logs immutable. For an AI system to be trusted, it needs to be open source. Closed systems can claim anything. Only open systems can be interrogated.

I asked during the data governance session whether we're heading toward a place where AI answers in regulated domains could be 100% accurate. The honest answer is: that's the wrong question. The right question is whether we can build verification systems robust enough that we know when an answer is wrong before it does damage. That's tractable and what open verification is trying to create.

The questions nobody is funding

I asked two questions across the week that I want to flag here, because the answers were incomplete and I think deliberately so.

At the data governance session, I introduced myself as a late-diagnosed autistic person with ADHD and dyslexia who has spent a decade in neurodiversity advocacy. University-educated autistic people are unemployed at roughly 20 times the rate of neurotypical people. The panel had just said "nothing about us without us" should apply to data governance, that transparency and inclusion are essential, that community stewardship matters. So I asked: how do we avoid creating consultation processes where only well-funded organisations can participate, while the communities most affected are effectively excluded?

The honest answer is: we haven't solved this. Meaningful participation takes time, expertise, and money. The communities most affected by bad data governance are often the least resourced to engage in the processes that shape it. That tension doesn't resolve by declaring it important.

At the OSPOs session, I asked about the obligation to fund open-source maintenance. I got the awareness/instruments/impact framework I mentioned earlier. Useful, but also a recognition that we're at the start of this conversation, not anywhere near the end.

Both questions expose the same gap: the people doing the most interesting work on these problems are not the people with the money or the institutional weight to implement solutions at scale. The people with the money and the institutional weight are often not in the room, or are in the room and consuming without contributing.

What I'm taking back to work

I work for amazee.io. We host open-source projects and we're building AI infrastructure on open foundations. The week confirmed some things I already thought and surfaced a few I hadn't fully articulated.

The hosting question matters more than it sounds. When Bernardo Mariano Junior from UN-OICT said "imagine if you're using proprietary — one person can choose to turn on or off the systems you use," he was describing something real. Sovereign, open infrastructure isn't just a procurement preference. It's a resilience decision. Project Tapestry, the open frontier model training initiative from The AI Alliance, raised the question of whether open hosting infrastructure could serve the ecosystem those models need. That's worth exploring.

The harness argument from Brian Behlendorf and Sara Hooker is correct and underappreciated: people talk about AI as if it's the model. It isn't. The model is one layer. The harness — how you orchestrate models, constrain them, route information, log outputs, build verification in — is where the work happens. The harness layer is where open source has the most to offer, and where vendor lock-in is most dangerous. Keep in mind, I've been making the argument that Drupal has been transformed into the most flexible and powerful AI harness available.

The governance observation from the DPI day applies more broadly than DPI: open source doesn't automatically mean equitable, adopted, or sustainable. Openness is a necessary condition, not a sufficient one. The ecosystems around the tools — the training, the policy frameworks, the maintenance funding, the trust architecture — are what determine whether technology actually improves people's lives. That's where focus is needed.

The week could have been dispiriting. The problems are large, the funding is inadequate, the timeline is urgent, and a lot of the people who most need these solutions to work aren't in these rooms. But it wasn't dispiriting. The Estonia minister said something I keep coming back to: trust leads to innovation. Not the other way around. Build the trust first. The innovation follows.

That's the argument for open source in two sentences.