Technical, legal and engineering terms used in the manifesto and in the device. Short definitions, with cross-references to the sections of the corpus where each term is argued.
The glossary covers software-domain acronyms (SBOM, AGPL, OCI, CNCF, MSP…), legal and geopolitical notions (eIDAS, FISA 702, Golden Power…) and the contractual mechanisms used by the device (escrow, release-on-trigger…). The cross-references to the manifesto and the about page provide the argumentative context that the glossary does not reproduce.
AGPL (GNU Affero General Public License)
Strong copyleft free-software licence published by the Free Software Foundation in 2007. Extends the obligations of the GPL to software exposed through a network service: any public deployment of a service relying on AGPL code must publish its modifications. Designed to close the “SaaS loophole” that allowed cloud providers to use copyleft code without releasing the resulting changes.
AWG (Außenwirtschaftsgesetz)
German foreign-trade act (Außenwirtschaftsgesetz, AWG) and its implementing regulation (Außenwirtschaftsverordnung, AWV), which together form the legal framework for the screening of foreign investment in Germany. The procedure is run by the Bundesministerium für Wirtschaft und Klimaschutz (BMWK). It provides for the review of foreign equity acquisitions in companies active in sensitive sectors — critical infrastructure, key technologies, cybersecurity, media — and may lead to a prohibition or to the imposition of conditions. German counterpart of the French IEF regime and the Italian Golden Power.
Sources: BMWK — Außenwirtschaftsrecht.
BSL (Business Source License)
Source-code licence published by MariaDB in 2017 and adopted by HashiCorp in 2023 for Terraform, Vault and several other products. It allows use, modification and redistribution for non-commercial or non-competing purposes, and provides for an automatic conversion to a free-software licence (typically MPL or Apache 2.0) after a defined period, generally three to four years. The BSL is not recognised as a free-software licence by the Open Source Initiative, since it restricts competing commercial uses during its active period.
CNCF (Cloud Native Computing Foundation)
Foundation created in 2016, a subsidiary of the Linux Foundation, that hosts and certifies cloud-native infrastructure projects. Its portfolio includes major graduated projects: Kubernetes (orchestration), Prometheus (metrics), etcd (distributed storage), containerd (container engine), Envoy (network proxy) and OpenTelemetry (observability). The CNCF governs these projects through a three-tier maturity model (Sandbox, Incubating, Graduated) and ensures neutrality with respect to its contributing members, which include most of the major cloud providers.
Sources: CNCF.
CRA (Cyber Resilience Act)
European regulation 2024/2847, adopted in October 2024 and applicable progressively from 2027. It imposes cybersecurity requirements on manufacturers and distributors of products with digital elements placed on the European Union market. The obligations include the provision of an SBOM, documented vulnerability management, the notification of incidents to ENISA within 24 hours, and a minimum security-support period of five years. Free-software projects developed without commercial purpose benefit from specific exemptions, the contours of which were clarified during the legislative process.
Sources: Regulation (EU) 2024/2847.
DORA (Digital Operational Resilience Act)
European regulation 2022/2554, applicable since January 2025. It establishes a unified digital operational resilience framework for entities of the European financial sector: banks, insurers, investment firms, clearing houses and their critical IT service providers (third-party ICT providers). DORA imposes ICT risk management requirements, resilience testing (including threat-led penetration testing, TLPT), incident management and reporting, and a framework for direct oversight by the European supervisory authorities (EBA, EIOPA, ESMA) of critical ICT providers, in particular cloud providers of systemic importance.
Sources: Regulation (EU) 2022/2554.
eIDAS (electronic IDentification, Authentication and Trust Services)
European regulation 910/2014, in force since July 2016, which establishes a common legal framework for electronic identification, electronic signatures, electronic seals, time-stamping and archiving services within the European Union. It defines assurance levels (low, substantial, high) and imposes the mutual recognition of notified identification schemes between Member States. A substantial revision, known as eIDAS 2.0, introduces the European Digital Identity Wallet (EUDIW) and extends the scope to qualified identity attributes.
Sources: Regulation (EU) 910/2014.
escrow
Contractual mechanism by which the source code of a piece of software, its technical documentation and the elements required for its operational continuity are deposited with an independent trusted third party. The third party holds these assets under a non-disclosure agreement and releases them to the beneficiary (customer, partner, community) upon the occurrence of triggering events defined in advance: bankruptcy of the publisher, acquisition by a party outside the contractual perimeter, discontinuation of support, change of licence. Software escrow is an established practice in IT contract law, in particular in public procurement and regulated industries; the European tradition relies on notarial or specialised escrow agents, distinct from the corporate escrow arrangements common in US (Delaware) practice. → See also /en/profile/about/#equivalence-conditions-for-proprietary-publishers for the argumentative context.
FISA 702 (Foreign Intelligence Surveillance Act, Section 702)
Provision of the US foreign-intelligence surveillance statute, codified at 50 U.S.C. § 1881a, which authorises US intelligence agencies to collect the communications of foreign persons located outside the United States, including through US digital service providers subject to their jurisdiction. This provision played a central role in the Schrems II ruling of the Court of Justice of the European Union (July 2020), which invalidated the Privacy Shield on the grounds that US law does not guarantee a level of protection equivalent to that of the GDPR for the personal data of European residents transferred to the United States.
fork
Creation of an independent development branch from the source code of an existing project. The fork is a foundational act of free software: every free-software licence guarantees the right to copy, modify and redistribute, which makes a fork always legally possible. In practice, a fork can be technical (development of a variant), governance-driven (divergence in stewardship) or survival-driven (response to a licence change or to abandonment of the original project). The possibility of forking constitutes a structural protection against dependence on a single maintainer or a single publisher, provided the contributor base is sufficient to ensure the viability of the divergent project.
foundation
Non-profit legal entity that hosts a free-software project and holds its common assets: intellectual property, registered trademark, treasury and, sometimes, hosting infrastructure. The foundation separates these assets from any single company, reducing the risk of unilateral changes of governance or licence by a single actor. The main foundations of the cloud ecosystem are the Linux Foundation (and its sub-projects CNCF, OpenSSF), the Apache Software Foundation, the Eclipse Foundation and the OpenJS Foundation. Their ability to guarantee neutrality depends on their bylaws, the composition of their board and the voting rules defined therein.
Golden Power
Italian legal regime for screening foreign investment in strategic sectors, established by law 56/2012 and progressively extended by decree-laws 21/2012, 105/2019 and 23/2020. It allows the Italian government to block acquisitions, impose conditions or exercise special rights (veto, behavioural prescriptions) in transactions affecting activities of strategic importance: defence, national security, energy, transport, communications and, since 2019, technology of high strategic value (5G, artificial intelligence, sensitive data). Italian counterpart of the French IEF and German AWG/AWV regimes.
IEF (Investissements étrangers en France)
French regime for screening foreign investment in strategic activities, governed by articles L. 151-1 et seq. of the Monetary and Financial Code and its implementing decrees. The Direction générale du Trésor (DG Trésor) reviews requests for prior authorisation for transactions liable to harm national interests in defined sectors, including critical infrastructure, dual-use technologies, cybersecurity, energy, water and communications. The scope was extended in 2019 to include activities relating to sensitive personal data. French counterpart of the AWG (Germany) and Golden Power (Italy) regimes.
Sources: DG Trésor — IEF.
maintainer
Person or group responsible for accepting or rejecting the contributions (patches, pull requests) submitted to a free-software project. The role of maintainer is a de facto responsibility, not a legal obligation: it arises from the trust granted by the community or by the publisher who holds the repository. Maintainers may be publicly identified, act under a pseudonym or be distributed across a technical committee. They often constitute a bottleneck for project velocity: their availability, their neutrality and their continuity directly condition the durability of the software. Concentration of the role on a single person represents an operational risk well documented in the engineering of critical systems.
MPL (Mozilla Public License)
File-level copyleft free-software licence published by the Mozilla Foundation in 2012 (version 2.0). The sharing obligations apply file by file: modifications to existing files under MPL must be redistributed under MPL, but a project may combine MPL files with files under proprietary licences in separate directories without the copyleft contaminating the whole. This weak copyleft makes the MPL compatible with commercial environments while preserving the openness of modified code. Used in particular for Firefox, Thunderbird and Terraform (before the move to BSL in 2023).
Sources: Mozilla Public License 2.0.
MSP (Managed Service Provider)
IT service provider that operates infrastructure, applications and digital services on behalf of its clients, typically under a flat-fee or subscription contract. The MSP takes over monitoring, updates, backup, security and support of the relevant environments, transferring the operational load from the client to a specialised third party. The core tools of an MSP are the RMM for remote monitoring and administration, and the PSA for commercial and contractual management. In the SME and local-government segments, MSPs often constitute the main intermediary between software publishers and the user organisations.
multi-vendor neutral
Governance model for a free-software project in which several companies contribute significantly to the code, the documentation and the decisions, with no single one of them holding sole control over the roadmap or the intellectual property. This model is often structured around a neutral foundation that hosts the project. The Linux kernel, Kubernetes and OpenStack are established examples. The plurality of contributors reduces the risk of lock-in to a single publisher and increases the resilience of the project against unilateral decisions — provided the governance rules effectively prevent any single actor from holding a dominant position. → See also /en/profile/about/ for the argumentative context.
NIS2 (Network and Information Security Directive 2)
European directive 2022/2555, in force since January 2023 and to be transposed by Member States by October 2024. It replaces the 2016 NIS directive by significantly broadening its scope to new sectors (public administration, waste management, critical manufacturing, postal services) and by increasing the number of entities concerned, now classified as “essential entities” and “important entities”. The obligations include technical and organisational cyber risk management measures, incident reporting to the competent authorities within 24 hours, and security requirements for software supply chains.
Sources: Directive (EU) 2022/2555.
OCI (Open Container Initiative)
Standardisation initiative founded in 2015 within the Linux Foundation. Defines three open specifications: the container image format (image-spec), the runtime interface (runtime-spec) and the distribution protocol (distribution-spec). These standards guarantee interoperability between registries, runtimes and orchestrators independently of the provider. Docker, containerd, Podman and most cloud platforms comply with the OCI specifications, which makes it possible to build an image once and deploy it across heterogeneous environments without modification.
Sources: Open Container Initiative.
PSA (Professional Services Automation)
Category of software tools dedicated to the operational and commercial management of IT service providers. A PSA centralises incident and service-request ticketing, time tracking, invoicing, contract management and resource scheduling. It is generally integrated with an RMM tool to link technical alerts to contractual commitments and billing records. The leading PSA platforms (ConnectWise Manage, Autotask, HaloPSA) are largely Anglo-American in origin and distributed as SaaS; self-hostable alternatives exist but remain a minority in the MSP ecosystem.
release-on-trigger
Variant of the escrow mechanism in which the depositary third party is mandated to release the source code automatically under a predetermined free-software licence as soon as a contractually defined trigger occurs, without further intervention from the publisher and without a court ruling. Typical triggers include the bankruptcy of the publisher, an acquisition by an entity outside an agreed geographic or legal perimeter, the documented abandonment of the product or the lapse of a maximum delay between two security updates. The mechanism is designed to guarantee operational continuity of the software for the organisations that operate it. → See also /en/profile/about/ for the argumentative context.
RHEL (Red Hat Enterprise Linux)
Commercial Linux distribution published by Red Hat, a subsidiary of IBM since 2019. Built on the sources of the Fedora community, it is commercialised as subscriptions including support, certifications and long-term security updates. Until 2023, Red Hat published the RHEL sources openly, which allowed derivative distributions (CentOS Stream, AlmaLinux, Rocky Linux) to reproduce them freely. Since June 2023, public access to the sources has been restricted to active customers and to partners under agreement — a decision that has changed the conditions of existence of community RHEL-compatible distributions.
RMM (Remote Monitoring and Management)
Category of software tools used by MSPs to monitor and administer their clients’ systems remotely. An RMM continuously collects data on the state of workstations and servers (hardware health, service availability, event logs, security alerts), allows automated patch deployment and script execution, and provides remote access for technicians. The dominant RMM solutions on the market (NinjaRMM, ConnectWise Automate, Datto RMM, N-able) are mostly North American in origin and operate as cloud SaaS, which raises questions of dependence and data sovereignty for European service providers.
SBOM (Software Bill of Materials)
Structured inventory of the software components of a product, including versions, dependencies and licences. Codified by the SPDX and CycloneDX standards. Required by the European Cyber Resilience Act for products placed on the market from 2027.
self-hosted
Architecture in which an organisation operates the software services itself on its own infrastructure, whether that means physical servers, a private virtualised infrastructure or an IaaS cloud whose virtualisation and operating-system layers it controls. As opposed to the cloud SaaS mode managed by the provider, self-hosting gives the organisation full control over data location, deployed versions, the update calendar, security configurations and network access. This control comes with the operational responsibility for updates, backups and availability, generally assumed in-house or delegated to an MSP.
single-vendor
Governance model for a free-software project in which a single publisher controls the roadmap, holds the majority of intellectual property rights and takes the structural decisions on its own (change of licence, repository closure, conditions of access to the code). Contributions from other actors are possible but remain subordinate to the agreement of that publisher. This model facilitates the technical and commercial coherence of the product but exposes its users to a high risk of dependence: in the event of acquisition, change of strategy or liquidation of the publisher, no other entity holds an established legitimacy to ensure the continuity of the project. → See also /en/profile/about/ for the argumentative context.
SSPL (Server Side Public License)
Licence published by MongoDB in 2018 for MongoDB and adopted by several other projects, including Redis (2024). It extends the obligations of the AGPL to managed services: a provider that offers a cloud service based on software under SSPL must publish under SSPL the entirety of the software stack used to operate that service, including the infrastructure components specific to the provider. The Open Source Initiative has not recognised the SSPL as a free-software licence, considering that this requirement reaches beyond the perimeter of the licensed software itself.
upstream
Refers to the source project from which a distribution or a fork derives. A Linux distribution based on Debian has Debian as its upstream; a Docker application image has the official base image as its upstream. By extension, “to contribute upstream” means submitting modifications directly to the source project rather than maintaining them locally on a divergent branch. Contributing upstream reduces long-term maintenance cost (fixes are integrated into subsequent versions) and strengthens the contributor’s legitimacy in the governance of the project. Conversely, accumulating local patches without sending them upstream creates a growing technical debt as the source project releases successive versions.
vendor lock-in
Situation in which an organisation cannot substitute one provider for another without bearing migration costs disproportionate to the value of the transition. Lock-in arises from a combination of factors: proprietary data formats or protocols without standard equivalents, deep integrations with other products of the same ecosystem, contractual clauses limiting portability, absence of documentation allowing a third party to reproduce the service, or dependence on skills specific to the platform. Vendor lock-in reduces the client’s bargaining power at renewal and limits its ability to respond to a unilateral change in pricing, terms of use or service availability.