The state of Schleswig-Holstein is consistently relying on open source (heise.de)
573 points by doener 23 hours ago | 271 comments




I hate when switches like these get advertised first and foremost as some huge cost-cutting measure, further solidifying the open source ecosystem as some cheap knock-offs of their commercial alternatives.

How about instead you donate the same amount of money you would've paid to Microsoft anyways to fund open source projects you rely on? At least for one year, then drop it down to some arbitrary chosen percentage of that cost. That way you can still advertise it as a cost-cutting measure, and everyone would benefit.


You're not wrong, but this is actually what they're pursuing; the article just leaves it out.

> The goal is not only to save costs, but above all to gain digital sovereignty.

> [It's true] that open source is not necessarily cheaper, [..] it requires investment. But the money flows into internal infrastructure, into the further development of Nextcloud, LibreOffice, and other similar systems, instead of proprietary ones.

> Schleswig-Holstein pursues an "upstream-only strategy," meaning that developments flow directly back into international projects. The state does not want to maintain its own forks, but rather contribute all improvements directly to the main projects, thereby contributing to development for the benefit of the general public.[1]

On a side note, the real key to the project's success is that it's supported by a coalition of the conservative and green parties. They actually value digital sovereignty and long-term cost savings. Contrast that with Bavaria, where the MS lobbyist managed to get them to sign a long-term Office 365 contract…

[1] https://www-heise-de.translate.goog/hintergrund/Interview-Wi...


Thank you for providing this valuable context. I am hoping to advocate for OSS transition in my workplace and these examples go a long way to help make my case.

I am thinking about opening my own shop, distinguished by digitally sovereign offerings, for instance, Stormshield over Cisco, Proxmox over VMware, Matrix/Element over Microsoft Teams, Nextcloud over SharePoint...

I've been doing m365 and azure for more than three years by now and I just feel terrible. Especially regarding some of our customers, which are small gGmbH (kind of NGO). Instead of making a secure, privacy focused offering we just sell them the usual m365 package. We basically push them into the data industrial complex just to get some collab tools and mail.


> Stormshield over Cisco

Stormshield is a very good product but it's mainly designed for industrial scenarios and lacks some features that are essential for an enterprise NGFW (i.e. the protocol inspection covers very few protocols compared to PA/Checkpoint/etc). Unfortunately the enterprise NGFW scenario is dominated by US or Israeli companies, even if some niche brands like Stormshield for OT and Clavister for telcos are European.


Stormshield firewalls offer a plethora of IPS protections and signatures, not just OT related ones. There are different licenses, offering varying protections and signatures.

Stormshield firewalls can certainly be used in enterprise settings. OT environments are an added bonus where Stormshield firewalls can be used as a protective layer.

Stormshield's IPS is its major strength, being very well integrated in the overall firewall design. The whole firewall rulebase is designed in terms of its IPS; I am not aware of any firewall on the market that has such a nicely integrated IPS.

Also, at the point where one runs out of IPS options to configure, whereby I'm not referring to signatures in the general sense of the term, and one also has adapted all of Stormshield's available signatures to the needs of the particular environment, the real fun of creating new custom IPS signatures begins.

Stormshield's roots date back to 1998's NETASQ, and so I would say they are of a similar pedigree as Check Point, in terms of their history.

Disclaimer: I'm a Stormshield Platinum Partner and hold a CSNTS.


TBH there will likely be a _huge_ demand for "digital sovereignty consulting" over the next while, especially in the EU (and maybe also Canada).

Here in Denmark, the previously unthinkable is happening: because of Schleswig-Holstein's leadership in moving to OSS, the Danes are now seeking to learn from the Germans (or at least, that particular set of Germans) about digitalisation! That trend, plus the Danish government's all-in-on-vendors/consultants approach to digitalisation, will likely open a sizeable market - and the traditional vendors like Netcompany have taken a large beating in public opinion themselves, so it's a good time to start something in this direction.

And at the Digital Tech Summit in Copenhagen this year, digital sovereignty (and the lack thereof) was a very prominent theme across both public and private sector talks. As was the comparative advantage the EU has in _trust_, and how that helps e.g. businesses around cybersecurity, privacy-oriented SaaS, and data management expand even outside the EU - which makes it extra infuriating to see continued political interest in things like Chat Control and cracking down on GrapheneOS. This trust is IMHO pretty much the only advantage the EU has in the global tech marketplace, and we're busy throwing it away.


What makes StormShield "digitally sovereign"? The other names you mention are open source- but from what I can tell, StormShield is not?

StormShield are a French company, and a subsidiary of Airbus.

So I guess "digitally sovereign" in the European Union could mean using a combination of GPL style free, open source (BSD and other similar licences), proprietary European "homegrown" products.

I guess Genua is another good contender in this market.


Check out "Europe as a Software Colony" [1], it's an excellent documentary including about the Munich case specifically.

Then watch the Scale 22x talk of the former Mexican CTO, because those stories are so close to industrial espionage it's absurd what kind of influence Microsoft has over diplomats and ambassadors. [2]

[1] https://youtube.com/watch?v=duaYLW7LQvg

[2] https://youtube.com/watch?v=kLSHtx3Wi_M


Let's not forget that since Snowden we know former German Chancellor Angela Merkel was spied on by the NSA.

German govt has been a bit embarrassed by this.


I wonder if there is some particular MBA/managerial jargon (in the sense it grabs their attention) to use when talking about this stuff.

Power differences, contractual leverage, vendor lock-in, motivation versus costs to make changes, etc.


Vendor risk management. It's the process of identifying, assessing, and mitigating the risks associated with engaging third-party vendors or suppliers.

++ When an EU outlet says, "Given the annual savings, this sum will pay for itself in less than a year. In the past, the state transferred millions to the US company Microsoft, primarily for the use of office software and other programs."

You know they want sovereignty.

WRT the criticism on this move by "the opposition" saying, "It may be that on paper 80 percent of workplaces have been converted. But far fewer than 80 percent of employees can now work with them properly."

I think this natural pressure will also be helpful for re-tooling IT infra and support companies to being more sovereign.


The German government actually started and funded quite a few projects supporting FOSS development over the past few years. For example, ZenDis was founded in 2022 to develop open-source software for the public administration. They are the driving force behind openDesk, which is shaping up to be a great office- and collaboration suite. Also, there's the Sovereign Tech Agency, where open-source projects can apply for direct funding. The available funds aren't as big as I'd like them to be, but it's not as if there's no funding coming from the German government.

This is the first I've heard of OpenDesk. What makes it specific to "public administration," vs. regular business?

ZenDis has the specific task of improving FOSS software for use by government agencies, so Germany's public administration is simply their primary focus in their development work. I honestly don't have enough experience with different collaboration suites to pinpoint any major feature differences.

Thanks. The software's homepage also cites its target of "public administration," so I'm curious as to what it might lack for private companies or projects.

An alternative would be to create jobs for people that take on part of the development of used software. They would be a close connection between their organization and the Open Source project in question. Paying money to the project would be one way to go. Providing development resources another. Both would be best :)

That's very true in the case of private companies. I'm not sure to what degree employing developers who contribute to open source projects (probably for lower than private sector wages) works in the case of a lot of public sector entities.

Why would it make a difference? Offering developers a salary to contribute to an open source project is a good thing. Leave the developers to be free if they want to work for the offered amount.

There are often different incentives, constraints, and pay scales. Nothing against public organizations doing this obviously. Just don't see a lot of evidence that it works well in general.

Might work as part of a job guarantee scheme. Rather than being paid welfare benefits you can get more money by working on open source.

Edit: I mean from a society perspective you pay a tiny bit more for a real gain, without reducing labour from the private sector.


The problem is that most of that work is not something anyone can pick up.

Regardless of the coding, one would first need to be familiar with git or VCS in general.

Also, you would want people to go back to normal jobs when they can. This would lead to short stints for all employees, which I've always found to be one of the best predictors of bad outcomes.


This has been my view too... all these years, all these organizations with collective billions, and didn't anyone have the vision to say, let's all pool some money together and actually get these open source alternatives to shed some of the papercuts, and maybe hire some UX/designers to make them look more polished?

True. Software and computers don’t even exist to save money. A lot of problems stem from the weird idea of MBAs that a computer, digitalization or even cloud are there to save money.

I hope Holstein prepared the switch well and kills off any Microsoft stuff as quickly as possible. Nothing is worse than co-existence with something hostile which doesn’t want to be compatible.

* No Dual-Booting
* No VM
* Especially no WINE (you're ducked with every odd update)
* And by the love of god, hit everyone with a bat which tries to ship incompatible files (MS-Office, ppt, xls, pst…) to you. Links to “Microsoft Teams”? Hit harder and show no mercy :)

What to do, minimal list:

* Make plan.
* Use standards wherever possible.
* Switch file-formats and external platforms before. Use a standard distribution and DO NOT MAKE YOUR OWN DISTRIBUTION. If you have a big IT department with hundreds of employees, maybe an own repository with your custom software.
* Enforce all suppliers hard to support Linux natively! If not? Drop them. Search an honest company which gives you also the source.
* Avoid the usual mistakes like “this a local support company” or “their offer is cheaper”
* Don’t purchase shitty hardware. ThinkPads are a good start, but we speak about printers, NFC, label writers, scanners and so on.

If your answer doesn’t include either Debian, Red Hat, Canonical or Suse it is probably the wrong choice. You need support.

> The remaining 20 percent of workplaces are currently still dependent on Microsoft programs such as Word or Excel, as there is a technical dependency on these programs in certain specialized applications. According to Schrödter, however, the successive conversion of these remaining computers is the stated goal.

A red flag. Soft migrations work only if both sides cooperate. If not, hard migration. Short pain is better than long suffering.

PS: And don’t repeat Munich! Munich is “HOW NOT”. Three distinct IT-Departments. And the next mayor was “convinced” with tax money and a Microsoft Headquarters. Result, it is worse than before.


>dependent on Microsoft programs such as Word or Excel

This kind of suggests that they have a bunch of VBA scripts in the tax department and the legal team are dependent on sharing 'track changes' in contracts. It will do the world a favour if the VBA is forced out. Don't know what they will do about 'track changes', it is ubiquitous in the contract world. Hopefully they will force government suppliers onto the libre alternative.


Yep. That’s a hell. A hell to maintain.

And searching the web for “Excel government failure…” is an adventure.

Excel is a shell script containing data. Minus well defined syntax and a proper change log. I see the nice point behind using Excel, it is a “visual” shell script containing data.


Apparently their tax administration has some extensive automation with Excel spreadsheets and VBA.

There are plenty of decision makers who will not be sold on an abstract concept like software sovereignty, especially when it requires them to change. Tell the same crowd "$15 million saved" and more of them will listen.

They're out of their minds if they're donating nothing to Libreoffice, though.


The idea is sound but the feeling of hate is perhaps strong. It’s understandable there’s no incentive to pay for open source software, and doing so would be seen as an unnecessary allocation of resources that could better be allocated elsewhere.

Given this understanding, the best way to achieve the desired outcome is to get creative about aligning incentives at the top of org structures where resources are allocated.


> “Given this understanding, the best way to achieve the desired outcome is to get creative about aligning incentives at the top of org structures where resources are allocated.”

I really don’t understand what this means; could you please explain it? It comes off as ‘mushy’ consulting-speak to me.


It’s a mini-language that you don’t have to learn unless you work with executive types. But it does mean something. In particular it means “activity at the grassroots is wasted effort when the real decision maker with the money is not aware or in agreement with the direction.”

“Show me the incentive, I’ll show you the outcome.” -Charlie Munger

Make the execs' bonus based on open source success and then it will be the most funded thing of all time.

Cynical read: "Executives are short-sighted and won't care unless the right thing somehow personally makes them money."

Many years ago some people proposed to move open source to paid licensing to guarantee income for core open source developers. But the self-righteous community attacked them like it was the end of the world.

In the current cancel culture even if you use *GPL licenses you get attacked for not being MIT or similar. But mysteriously never a peep about Big Tech making billions off open source without giving back even a tiny 1% to the projects. Insanity.


The sales pitch for FOSS to corporations in the 1990s and 2000s was "free as in speech and free as in beer". Reneging on that is a straight-up rug pull on the adopters.

Pretty sure it was "free as in libre and not as in beer". Source: I was there.

Both gratis and libre were talking points for FOSS advocates, with gratis being leaned on heavily to persuade businesses who didn't give a hoot about libre, which turned out to be almost everybody. Source: I was there too.

"Open Source" has always been a play for Free Software from a pragmatic and business-focused point of view, as opposed to a community-focused and moralistic one.

https://web.archive.org/web/20021001164015/http://www.openso...


That's a really good point actually. If you're self hosting, you're already eating some cost by having people, probably in-house, doing the work but the price difference must be quite large and they should use it to support the project.

>In contrast, there would be one-time investments of nine million euros in 2026 [...] and the further development of solutions with free software.

They are contributing actively it seems, so even better.


And in the sentence above that, they're "saving" 15 million in Microsoft licenses. So either they've paid 24 million to Microsoft this year, in which case their next year's expenses are dropping by over 60%, or it's the same pot of money, in which case their yearly bill dropped by 40%.

I get that 9 million sounds like a lot, but it's much, much lower than what they would've paid to Microsoft anyways. And those 9 million are advertised as a "one-off investment", while their contract with Microsoft was perpetual.


I hope those are not mutually exclusive actions. Switching and contributing may be on the Schleswig-Holstein Administration's agenda.

You hate that, but what I hate is that so many of my tax dollars are funnelled into bloated software run by awful foreign companies with massive lock-in scams, when better free software is available. I hate that lobbyists and consultants get these systems into place and can’t be unseated despite its utter unreasonableness.

It’s a tremendous mis-allocation of public resources. Hiring local people to tailor the free software which already exists and contributing those changes back to the world would spend fewer of those dollars and spend them locally, and be pro-social at the same time.

So I don’t hate this story. I love it and see it as a massive win.


That's a double-edged sword, though. Those tax dollars don't just pay for the license, but for ongoing development, responsibility for security issues, support contracts, emergency personnel, and so on. With a purely Open Source strategy, you'll have to pay multiple external consultants to take care of part of this, and/or cover these roles in-house. And suddenly, you've taken up a lot of tasks completely foreign to your business domain, such as new infrastructure and its maintenance, documentation requirements, software development, and so on. And we haven't even talked about the massive effort of educating your entire workforce on new tools and workflows.

Assuming you just replace a proprietary software ecosystem with an Open Source one and immediately get the same thing for free is a very naive view that will get you in trouble.

Having said that, as a German, I am very happy this switch happens and seems to have some backing in the local administration at least. But it's still a high-risk wager and I'm afraid it'll turn out like the LiMux project in Munich, which was eventually (and cleverly so) framed as the origin of all problems in the municipal digital infrastructure. In the end, it got swapped out for a new Microsoft contract in a wonderful example of lobbyism and bribery, and Open Source and Linux have been discredited, to the point no winning mayor candidate can ever bring it up again as a viable alternative.


> With a purely Open Source strategy, you'll have to pay multiple external consultants to take care of part of this, and/or cover these roles in-house. And suddenly, you've taken up a lot of tasks completely foreign to your business domain, such as new infrastructure and its maintenance, documentation requirements, software development, and so on.

Yes, this is what I’m talking about. Hiring people and developing expertise instead of paying expensive consultants is a preferred use of my tax dollars.

> But it's still a high-risk wager and I'm afraid it'll turn out like the LiMux project in Munich, which was eventually (and cleverly so) framed as the origin of all problems in the municipal digital infrastructure.

While this may be true, there are also quite prominent cases where the massively expensive foreign consultant solutions have also led to disastrous project overruns.


> Those tax dollars don't just pay for the license, but for ongoing development, responsibility for security issues, support contracts, emergency personnel, and so on.

Maybe this was true at one point in time. But now, it just pays for AI/Copilot and your latest support chatbot.


This. Also, with FOSS, you choose who you hire for support. From the article, it seems they’re hiring developers locally, so it’s also creating jobs in the region instead of outsourcing to MSFT. But I hope they donate a bit to the maintainers, too.

Then you should support the Free Software Europe's "Public Money, Public Code" campaign: https://publiccode.eu/en/

Because in Germany the price is the only thing that counts.

Building a new street? The cheapest bidder wins.

Cuts to social security? As long as it saves money in the short term it doesn’t matter if the long term costs will be higher or if the cuts don’t make sense.


Why would a budget-conscious institution give away money for free?

Yes. But budget decisions are made by politicians. Who know that one euro spent on things they could get for free is one euro less for things that voters and other interests are endlessly asking them to spend more on.

It should be what the kids these days call 'sovereignty', but ain't nobody got budget for that.

I'm a Windows/macOS developer, but I strongly feel that all national governments need to convert to Linux, for strategic sovereignty. I'm sure Microsoft, under orders from the U.S. government, could disable all computers in any country or organization, at the flick of a switch.

Imagine how Open Source Software could improve if a consortium of nations put their money and resources into commissioning bug fixes and enhancements, which would be of collective benefit.

Apart from a few niche cases, the needs of most government bureaucracies would be well served by currently available OSS word processing, spreadsheet, presentation and graphics software.


The sabotage scenario is perhaps less likely than the alternative scenario of industrial and political espionage.

There are also practical advantages: the ability to fix a bug in-house instead of waiting for a technology giant from another continent.


Less likely? This is exactly what happened earlier this year.

Here's an article from the same newspaper that showed up to me as "related" when browsing TFA:

https://www.heise.de/en/news/Criminal-Court-Microsoft-s-emai...


So you point to one instance of highly targeted sabotage aka sanctions. But Snowden and others exposed many instances of espionage dragnets.

> the ability to fix a bug in-house

Yes, but bureaucracies make this impossible. If you have worked at a bank before, you'll know how difficult it is to make a change to some in-house piece of software. And that's a bank, not a gov't institution. Think how much more friction there will be in the latter.


It's funny, I was doing some budgeting stuff, and I ran into some corruption of payee-data in my bank's export files.

Good: I already wrote a script to fix the exact same issue.

Bad: It was in a pile of old stuff from 10+ years ago.

Good: It worked anyway.

Bad: The bank still has the same bug.


At a certain size (and government departments are absolutely large enough) it makes sense to manage software deployment centrally, from an internal package repository/cache.

Once that’s in place, the process for populating that repository can easily adopt locally modified versions of upstream software: defaults changed, bugs removed, features added, etc.

No one in a big business/government blinks at changing group policies for internal deployment. Changing the code is really very little different once the ability to do so is internalized.


The culture can only change when it actually becomes possible to make any changes to the systems.

If all the software one institution uses comes in the form of proprietary binaries, there is simply no need to even think about making policies about fixing those systems in-house.


These institutions don’t bother making fixes where they can, so it seems unlikely that giving them more options will change much. Ironically, things like Windows auto-update being the default probably actually help their IT departments maintain some level of security.

Auto update is not rocket science. Linux distributions have it too.

Yeah and it is better. Most things can be updated without a reboot and even for the kernel, you can either live-patch it (not always possible) or reboot only the kernel.

I wonder if it is in fact easier in a German region than a bank though. A bank has massive compliance complications, where the state insists on rules being met, so there are teams of people trying to make sure no rules are being broken, and therefore anti-change. Germany is a Federal system, and the region has law making powers, a bit like a US state. Therefore it can set the rules to make sure migration to a new system happens. If big fixes are not allowed, they have themselves to blame. At a bank it is the state causing the friction.

EU bureaucracy is where optimism goes to die

Governments have more to gain from being able to work with a few big companies on things like surveillance than they do from sovereignty - which many of them regard as an out of date idea anyway.

Despite all the talk about sovereign cloud the actual governments are actually going the other way.

1. The Online Safety Act in the UK pushes people to use big tech more rather than run stuff independently - the forums that moved to social media.
2. EU regulatory requirements that help the incumbents: https://www.theregister.com/2025/10/27/cispe_eu_sovereignty_...
3. ID apps in multiple countries that require installs from Google or Apple stores, and only run on their platforms.
4. The push to cashless which means increased reliance on Visa, Mastercard, Apple and Google.

To be clear I do not think that any of these things are in the public interest. However the government is not the public, and the public (and probably a lot of the government) has deeply ingrained learned helplessness about technology.


Today when a government pushes for a backdoor we often see companies push back. The FBI publicly complained about iMessage encryption a lot, and currently Apple is also telling the government of India they aren’t going to install their “security” software… those are just a couple examples.

What happens when major OSS projects are controlled by the governments themselves? Will David still beat Goliath?


How does anyone "control" an OSS project in the sense that you are talking about, so the ability to insert backdoors or activate kill-switches? Maybe Linus controls Linux, but can he "flick a switch and kill" any running kernels? He might be able to insert backdoors, but will they go unnoticed? Would anyone be forced to install them? Just patch the code to remove the backdoor.

I feel that you wrote some words that only seem to make sense if we don't think about them too much.


> How does anyone "control" an OSS project in the sense that you are talking about, so the ability to insert backdoors or activate kill-switches?

A government can control a piece of open source software the same way a big tech company does - with economies of scale. In other words, by throwing more money, resources, and warm bodies at their open source projects than anybody else.

The code itself might be under an open license, but project governance is free to remain self-interested and ignorant of the needs of the "community."

Any pull request accepted from outside isn't a mutual exchange of developer labor for the benefit of all, but the company successfully tricking an outside developer into doing free work for them.

Any pull request that runs counter to the interests of the company can and will be ignored or rejected, no matter how much effort was put into it or how much it would benefit other users.

Any hostile forks are going to be playing a catch-up game, as community efforts cannot outpace the resources of most large companies.


As long as upstream is open source, forks can just keep syncing. At some point, the upstream will then usually switch to open core, or some sort of delayed open source, but often that leads to people leaving for the open forks, hopefully donating to them, too.

(Gentle reminder to subscribe to donate to a FOSS project or two that you use.)


Which projects are you referring to here?

Because in my experience, the projects that I can think of that switch to open core are those that are started by smaller businesses when a large multinational tech company starts to mess with their revenue streams.

In that case, I don't fault them in the slightest. As a matter of fact, I think these days it's now a sucker's bet to build a company around an open source product. Free software? Maybe. Source available or open core from the start? Possibly. A fully permissive license that in the outside chance my product is successful, suddenly puts me in competition with Amazon and Microsoft, so they can kill my business with my own software? Forget about it.


Yeah, I don’t fault them either. It’s a shitty situation to find yourself in. That said... they went with a permissive license, so they knew what they’re getting into.

I think the main reason they do that is because AGPL is a turnoff for a noticeable chunk of corporate users, and you do want those users. Dual licensing should work here in theory, and does work in practice for some – no idea why we don’t see it more often. (I have a project-not-quite-startup-anymore [1] under AGPL, but I do keep around a CLA for outside contributors just in case.)

[1]: https://lunni.dev/


Linux is not a smart target. But OpenOffice, nextcloud, postfix, those are much easier targets for developer coercion to compromise widely installed software that is important for "linux on the desktop". Ah and of course also the desktop environments, and perhaps systemD are all in a privileged position with much less eyes on.

The thought was that the government would effectively become the largest employer of OSS developers who would then be compelled to follow directions or be out of a job. Would there be enough independent developers to review millions of lines of code, patch out any back doors, or fork and maintain entirely separate projects, since none of the government projects can be trusted?

Could the government also dictate the operating system and software people use to make sure it is the state sponsored one? If I’m not mistaken some similar actions have happened in N Korea and China.

I’m not saying this is an inevitable outcome, but just trying to think of worst case scenarios. A lot of terrible things have started with good intentions.


> Would there be enough independent developers to review millions of lines of code, patch out any back doors, or fork and maintain entirely separate projects, since none of the government projects can be trusted

That’s not far from how it is right now in OSS, even without governments in the chain. For example: how the xz back door was found: https://en.wikipedia.org/wiki/XZ_Utils_backdoor


You're saying that a state can upstream patches with planted backdoors. Truth is, this is possible in all software. It's not specific to state-sponsored open source software. So your scenario is a reality whether you want it or not. And open source is not particularly vulnerable either. People forget this.

Now a lot of people would be angry if my state decided to spend money on security flaws. I imagine an elected representative trying to explain how they wanted to misspend funds allocated to improve software and plant flaws instead. That would not go down well here or in Germany. Try to hire people for this in Germany and see how long you last till your little op is public.


Maybe. I highly doubt Apple or any other company isn’t complying in some way.

It’s been widely speculated that there are gentleman’s agreements where strategic bugs do not get fixed. To Apple’s credit, unlike say BlackBerry, they designed iMessage where many of the intercept methods are tamper evident.


Fork the project.

Apple sit behind the most corrupt US President in history at its inauguration, donated to a ballroom and millions of dollars for other unspecified purposes. Is your argument that they will not fold...or that the backdoor is already in place? :-)

> Imagine how Open Source Software could improve if a consortium of nations put their money and resources into commissioning bug fixes and enhancements, which would be of collective benefit.

This is the business model of Quansight Labs, whose employees help maintain much of the scientific Python stack. Mostly tech companies, not governments, sponsoring the work.


Similar opinion and source of income.

Linux for starters, however even that has too many US contributions.

In general, we need to go back to the cold war days, multiple OSes and programming languages governed by international standards, with local vendors.

If sovereignty is desired, it can't stop at Office packages.


I doubt that Microsoft has a kill switch. Though through automatic updates they still have pretty strong sabotage capabilities.

But the OS is not where Microsoft's power lies. It's in Exchange (almost everywhere cloud managed, including for many governments) and SharePoint, with a small amount of Teams, where Microsoft is truly a scary prospect for sovereignty.


They have the kill switch, it is called a "cloud account". Nowadays you need a valid cloud (MS-controlled) account to log into your computer.

Haven't used Windows in almost a decade, has it gotten that bad?

I can't log on to a Windows computer if the cloud account doesn't exist? What if there's no internet?


It caches your credentials so you can still login offline. But you do need to be online when you're logging into your PC for the first time, post-install.

There are some unofficial hacks to bypass the online account requirement, but MS have been actively stamping these out. Now the current situation isn't like it's impossible to bypass this, mind you (as far as I'm aware there's at least a couple of workarounds), but normal users won't know/care and will end up just creating an online account.


If you have Pro or Enterprise you can still set up a local account. It is Home edition that is the issue.

> What if there's no internet?

Surely that is something only a criminal would say.


The kill switch is M365 account management. You take that offline, many SMEs and local governments just stop working. At least for a while.

> pretty strong sabotage capabilities

Via updates they can install and run anything they want ... aka 'kill switch'.


Not quite. Because that requires pushing an update and only hits those who have Windows automatic updates enabled. A lot of companies run those updates on a slight delay, which means they have a decent enough window to block such an update. Microsoft is a big thing to worry about when it comes to independence from the emerging fascist government of the US. But not because 'they can shut off Windows'.

The short-term fear should be in enterprise cloud (see ICC judges). The long-term pain lies in blocking security updates (as happened to Russia). One might worry about malicious updates being pushed, but the legal grounds for that are flimsy to non-existent, and Microsoft has very strong business reasons to push back. So even the Trump administration would be smart enough to instead target the cloud solutions. Since the legal precedent is very clear and well lubricated "providing services to sanctioned entities", and the business impact is equally crippling.


They absolutely have. They force upgrade computers to Windows 11, which then won't boot, because the system doesn't actually support it. I guess they also have a smoother way to achieve that. There are also cases where an update broke the booting process, so the BitLocker key was lost. Everything is encrypted with it by default, and the only copy sits on a MS server connected with your MS account. Guess what happens when they say sorry, we can't just give you that key...

I have a possibly strange take.

Isn't the code of law the original open source, for very good reason?

As law becomes more and more enforced by software, should it not all be required to be open source?


I feel like there should be an open project to manage and support this.

I think governance (both public and private) would benefit from open tools to manage communities at scale via technology.


"the needs of most government bureaucracies would be well served by currently available OSS word processing, spreadsheet, presentation and graphics software."

wait until they find out that there is no "customer service" in OSS, sometimes the project is fine but people need "someone" to be held accountable in some ways

that's why a lot of OSS projects never take flight


There absolutely can be "customer service" in OSS. You can usually find someone to pay for it.

Customer service is how OSS companies make money.

[flagged]


indeed https://news.ycombinator.com/item?id=44336915 - Microsoft suspended the email account of an ICC prosecutor at The Hague

then https://news.ycombinator.com/item?id=45837342 - ICC ditches Microsoft 365 for openDesk


Yup.

Microsoft pledged not to intervene like that again, reclassifying its legal interpretation of its own services, and added language to its contracts to guarantee that it would fight future US attempts to do so:

https://www.politico.eu/article/microsoft-did-not-cut-servic...

When the US manages to force Microsoft to do something, it responds by trying to protect itself from the same scenario in the future. Because it wants profits. The ICC leaving Microsoft is the last thing Microsoft wanted.


That does not really make much difference. The US can still sanction people working for the ICC very effectively:

https://www.heise.de/en/news/How-a-French-judge-was-digitall...

and it can demand access to data:

https://www.theregister.com/2025/07/25/microsoft_admits_it_c...


None of that has anything to do with whether Microsoft is trying to assist the government. The cloud companies are doing what they can to protect themselves against these government actions.

> The cloud companies are doing what they can to protect themselves against these government actions.

No, they are doing what they can to convince customers that they are trying to protect themselves against government actions.

In fact it's all smoke and mirrors. See the second link. AWS have admitted that the Cloud Act does allow the US government to compel access to French data.


oh, pinky promise? sure, let's keep sovereignty at stake then, all good.

Lengthy contracts between nation-states and corporations, developed and reviewed by teams of lawyers, and enforced by judges, are not exactly "pinky promises."

They will become pinky promises, once Microsoft gets ordered to do something by orange man or some three letters. There isn't really anything Microsoft can do about that, unless they decide to move headquarters and lots of employees out of the US. It basically doesn't matter what they have in contracts, as US law or just political power with access to enforce that power trumps (ha) any contracts they can sign.

> There isn't really anything Microsoft can do about that, unless they decide to move headquarters and lots of employees out of the US.

Actually there is, that's what the entire point of the sovereign clouds are. They reside physically in Europe, with legal control by Europeans, and European employees that can't be bossed around by the US. If the US orders Amazon to retrieve data from S3 servers located in a European sovereign cloud, Amazon employees in the US don't have the technical capability to do so, and the European data center employees are legally bound not to.


If those employees were working in a vacuum, then sure, but in reality they are not.

Employees have bosses and those bosses have bosses, and those bosses have bosses in the US. If not direct bosses, then at least people higher up in the context of all of Microsoft, who can pull strings, criticize them, categorize them as unreliable, and make their life hard, or even bring into motion that they are made to give up their position or are let go. Most people don't want a hard life at the job and be bullied. It is likely, that people joining Microsoft don't have the strongest moral compass anyway, so them sticking their neck out for European data protection, and losing what comfy life they have, including probably exceptional ...

Company politics are not to be underestimated. The question becomes who selects and vetoes higher ups in those sovereign clouds.

European governments cannot trust US companies, even when they have inner-EU parts, because influence from the US cannot be ruled out.


https://www.theregister.com/2025/07/25/microsoft_admits_it_c...

"Microsoft admits it 'cannot guarantee' data sovereignty: Under oath in French Senate, exec says it would be compelled – however unlikely – to pass local customer info to US admin"



You said

> Where does this kind of conspiracy thinking come from?

Now you say

> Microsoft pledged not to intervene like that again

You are full of it


> You are full of it

Not appropriate for HN:

https://news.ycombinator.com/newsguidelines.html


You’re dismissing the idea of interference one second and then excusing an example of such interference in the next.

People don't want political interference between countries to happen again and you're calling it "conspiracy thinking".

The snark of the above poster is the least problematic thing here.


No, you have it 100% backwards. I'm saying Microsoft is incentivized to not allow interference, and this is strengthened by the fact that when a government forced interference, it took steps to strengthen itself against future interference.

So in light of that actual evidence, yes I am calling it conspiracy thinking to suggest that Microsoft has built in some kind of kill switch to make it easier for the government to do things that are against its corporate interest. Because that's literally what it is -- imagining some kind of conspiracy where Microsoft wants to help the US government, instead of its own bottom line.

Explain to me what's problematic about that?

And whatever you think about the arguments on either side, snark is absolutely a problem on HN. We can't have civil, productive discussions with it, and if you say it's "the least problematic thing here", then that's part of the problem too. Let's be better than that, how about?


Sorry but I still disagree. Calling other people's legitimate concerns "conspiracy thinking" is worse than the snark.

IMO that's what we should be better than.

And I get what you're arguing for, I just don't see it as plausible or realistic.


There's zero evidence that Microsoft could shut down computers across a nation. Zilch. Nada. None.

Meanwhile, OP asserted they are "sure" Microsoft could do it at the "flick of a switch". Under orders from the US government.

That's absurd. If that's not conspiracy thinking, I don't know what is. A literal conspiracy between the two entities. When something is actually conspiracy thinking, you're allowed to label it as such, you know? You're trying to police ideas here, and that's entirely inappropriate. Be better.


This is a strawman.

They can (and will) switch off individual accounts from the US if the government asks them, and this has been demonstrated earlier this year.

No, they haven’t coded a “country-wide kill-switch” but having the ability to kill individual accounts, and being in a jurisdiction that demands accounts to be disabled from time to time is equivalent to having such a thing.

Also: Remember that several US organizations, including GitHub, have disabled thousands of accounts from e.g. Iran in the past in such maneuvers.

So: definitely feasible and has definitely happened in the past, with or without the mythical kill switch you talk of.


Ignore the fool

> Where does this kind of conspiracy thinking come from?

The news in your jurisdiction might not cover these matters

https://www.breakingnews.ie/world/trump-sanctions-on-interna...


...and how did Microsoft respond?

https://news.ycombinator.com/item?id=46182023

Also, how about less snark about the "news in my jurisdiction"? Since the first amendment provides more press freedoms than many European countries have.


Prudent to assume that the same is possible with Linux.

I agree, but it also feels like it would be so difficult. It requires a ton of training, the UIs are not flashy so people are going to feel repulsed (I unironically found looks to be a big blocker when adopting open source tech) and finally Microsoft is going to lobby incredibly hard against it. I wouldn't put it past Microsoft to actively sabotage any adoption.

This excuse is as old as the hills and I've been hearing it since the late 90s, but historically there has been exactly zero training between versions of Office or Windows that changed a lot of the interface overnight. Office workers just kept using them like the rest of the planet.

Not to mention companies who moved on to Google Docs or the web version of Office. Or companies who moved to MacOS 15-10 years ago.

In my state back home the entire workforce moved to LibreOffice and, according to my sister (a government worker), everyone is doing fine. Recently I saw a German government worker using Office to produce a document and she mentioned that she "barely knows how to use it" and "just knows how to load templates, fill and print".

This hypothetical problem of "needs training" only seems to exist when you mention the words "open source".


> - It requires a ton of training, the UIs are not flashy so people are going to feel repulsed (I unironically found looks to be a big blocker when adopting open source tech), and finally Microsoft is going to lobby incredibly hard against it.

I think everyone agrees the costs are high, especially beyond monetary ones, but this stance on avoiding these costs is slowly pushing everyone into finding out how expensive is not having sovereignty.

Through its tech industry the US has over time acquired too much power over critical digital infrastructure that has already compromised governments. We know of Presidents/PMs/Legislators spied upon through their phones and computers, and also Microsoft itself involved in revoking email access to the ICC's chief prosecutor as retaliation/defense against investigations.

Sovereignty is too important for government, and since everyone needs to do it and get security right going for open-source with funded development and constant auditing is in my mind the only way.


>UIs are not flashy

Where did you see flashy UIs? Modern UIs are boring flat geometric monochrome shit and Microsoft is one of the worst there.


not being able to be coerced by the US regime is a huge strategic requirement that no amount of lobbying by microsoft will be able to overcome

The employees don't care about software sovereignty. They just want to do their jobs and get their paychecks. Fail to win them over and the transition will fail as well.

you might be right if it was american employees

germans have been quite riled up by US escapades


"Saves 15 million" on license costs, but how much will be wasted on the contractors involved, the lost productivity for state employees (especially the ones who depend on Excel, who will be converted too per the announcement)? And how much do you really save if you keep switching back and forth between M$ and Linux every decade, as state governments seem to enjoy doing?

They should switch to open-source for sovereignty. Not "cost". The fact that they mention "cost" as motivation and to secure buy-in is very worrisome. If you really want to switch to open source permanently and secure your sovereignty, you should invest more (making LibreOffice Calc as good as Excel? One can dream, but it's not cheap). Cost-savings show a lack of seriousness. How long until another government switches back?

How to know when they're serious: when the federal government hires an in-house team of (well-paid) programmers, and sysadmins. Not consultants. Put them in charge of public-facing and internal-use digital infrastructure, serving both the federal and state governments. Make them work to tailor a distro, or LibreOffice, to government needs. Invest in workforce training to keep their productivity up despite the switch.

And then, one day (let's dream for a second), that team could also pick new projects that serve the public interest, like a vulnerability research team (like Google Project Zero), or helping out with all those underfunded core pieces of digital infrastructure out there with only a single maintainer. Creating public goods is the point of a government.


It is better to spend 20 million on German contractors than spending just 15m on licenses to a foreign company.

At least the federal government loves to contract McKinsey, so a lot of the profit still ends up outside of the country. I didn't find any quickly accessible data on the state government in Schleswig-Holstein, though.

> "Saves 15 million" on license costs, but how much will be wasted on the contractors...

Approximately 9 million, according to the article:

> In contrast, there would be one-time investments of nine million euros in 2026, explained the Ministry of Digitalization to the Kieler Nachrichten. These would have to be made for the conversion of workplaces and the further development of solutions with free software in the next 12 months. Given the annual savings, this sum will pay for itself in less than a year.


Yeah. Notice how they emphasize how the "one-time" spend on contractors will save them money. Never includes the cost of the lack of institutional knowledge, or the impact on quality, maintainability, etc. Money brain.

For a transition to open-source to be successful and permanent, manage it well. Not like this.


IMO they should also emphasize that this money can go into German (or at least European) consultants, rather than dumping 15 million on licensing costs that will go straight to Redmond, Seattle.

Of course no guarantee that it will be the case for 100% but still better. Even if there were no savings it would be better spent money.


True, regardless of the cost, it feels like money spent on open source software is more ethical and a better way to spend tax money. Why pay $15 million to Microsoft that will only benefit their shareholders, when spending the same amount of money on open source software would benefit everybody (the citizens as well).

This resonates with me as well. This money will increase attention and expectedly contributions to OSS, which will also be of benefit to other entities implementing the same model later on. That’s the way to go towards sovereignty in software.

A not to be easily dismissed factor is privacy and data protection. A company that has 700+ "partners" that they sent who knows what data to from inside their e-mail client is not to be trusted. I don't want my data in the hands of these crooks.

This is the situation. And knowing how inefficient the German administration is, this would end up costing more in taxes and slower processes.

There's a history of German public administrations using Linux and other open-source software. In particular, the City of Munich has pioneered this with their 2006-2019 LiMux [0] project, which was ultimately cancelled in exchange for Microsoft moving their German offices to Munich proper.

[0]: https://en.wikipedia.org/wiki/LiMux / Discussion at https://news.ycombinator.com/item?id=15661372


Back then Microsoft was lobbying as hard as they could to turn that decision to move to Linux over.

They knew: If Linux makes it in Munich, it will likely spread over and they lose tons of contracts with other German states.


- Sir, can we bribe you?

- Of course, of course.


Munich seems to have become the preferred destination for US companies opening their German office (most recent: OpenAI, Notion, Anthropic).

So if Microsoft would have paved that way, it would have been totally worth it for the city.


I recently spoke with the head of a local police station in Schleswig-Holstein. This was an informal conversation, so feedback was quite unfiltered.

We mainly talked about the state's transition to open source. I tried to show him the outside perspective, how much international attention the move is getting and why many see it as a bold step toward digital sovereignty, how much positive (side) effects it has.

His reaction was not that enthusiastic: He described his everyday frustrations, which anecdotally align with the points made at the end of the article.

Especially at the leadership level their workflows are heavily email-driven, with the mail client acting as a universal everyday tool for e.g. team scheduling.

Migration from Outlook to Open-Xchange felt rushed, with seemingly limited upfront analysis of how officers actually use these tools and ensuring use cases were adequately covered. The idea of User Interviews was new to him or - if conducted - didn't reach anyone in his circles.


It's crazy that organizations are willing to spend millions of dollars on Microsoft Office simply because people are used to it. There are literally no features most people actually use that aren't completely duplicated in open source alternatives. Whatever amount of time it takes the user to find the button they're looking for costs less than the permanent subscription cost for something that will only get more bloated and expensive with time.

One thing that is missing is that nowadays with O365 you also get management of employees' access and licensing in a single env.

You get backups, file synchronization, real time collaboration.

Setting and running all of that is as simple as making O365 account and clicking couple of buttons by one person.

There is no OSS solution that does that.

To replicate that with OSS you need 3 to 5 full time graybeards and it still will be annoying normal people that will not understand “why they can’t just do X as in MSFT tools”.


Yes there is. OnlyOffice does that for instance. Microsoft has clearly done a great job in making people think it's the only option.

> You get backups, file synchronization, real time collaboration.

Shouldn't backups and file sync be handled at a higher level of abstraction? Unless every employee is only dealing with Microsoft Office documents and nothing else (doubt it), shouldn't there be a separate backup&sync strategy already in place?

There are a myriad of both FOSS and corporate backup/sync tools available.

As for the real-time collaboration - I'm not sure how important that is. Writer/Word seem like useful tools for documents that have reached their final state before being prepared for printing. I think there are lots of better formats suited to real-time collaboration. Intuitively it seems like text-first documents (markdown, etc.) should better lend themselves to tools like diff or git, or any other collaboration tool, especially a real-time edit tool. It's almost like asking for pdf to support real-time collaboration. I'm not sure about Writer, but Word and pdf documents are awful with regards to edits and git-style collaboration. They're formats for presentation, not editing. In case someone here hasn't delved into the internal structures of the files, remember how WYSIWYG HTML editors jumbled the HTML beyond recognition? It's similar in that it doesn't seem like the format we want to collaboratively work on documents before finally converting them to Writer/Word/PDF.


*Intuitively it seems like text-first documents (markdown, etc.) should better lend themselves to tools like diff or git, or any other collaboration tool, especially a real-time edit tool.*

Well don’t explain it to me I know that stuff. Go grab 2-3 office workers and try to explain markdown to them. If you’re lucky maybe they won’t leave when you move on to explain Git.

I worked one time with a guy that wanted to convince sales department to write documents in LaTeX so then it could be well printed for the customers and also put in Git … well they laughed the guy out of the room - well before he’s even started explaining formats for presentation vs formats for editing.

I see how business people we work with on documents understand I have a cursor here and I type and there is my avatar/photo on top that I am active - I see how they wouldn’t understand Git diff at all and would just move on presented with Git diff not even wanting to collaborate.


Agreed... The level of integration across MS products in business is hard to entirely quantify.

NextCloud/OwnCloud and other options can deliver some of it, but all of it is harder... Just email/calendar/contacts is hard to match... Then file collaboration and syncing... And all the corner cases in the various office formats.

Even the non mainline office app, Visio does a lot of things competing apps just don't.

I tend to prefer open source apps for myself, and for code projects, I'll focus on markdown for docs etc... but definitely understand why a corp would just pay the monthly Microsoft tax for all employees.

With the improved web versions, Linux on the desktop becomes an option even then.


Many times I've seen people state that they use Windows because they know it, but they can't do trivial things such as set up a printer or connect to WiFi.

Most users' Windows ability is to look for apps on the desktop or Start menu.


Shared contacts, calendars and coordination of meeting locations and virtual meetings.

I've yet to see FLOSS that matches that aspect of Outlook and o365/Exchange. In fact, IMO, it should have been one of the monetization efforts with Mozilla, which is a server companion for Thunderbird and a now comprehensive integration of calendar and contacts.


In terms of client software stuff that's true, but in terms of services it's not, as other comments here are pointing out.

It's the administration of user accounts, the certified compliance, the backups..

Cf. "The rise and fall of Limux" (2017) https://lwn.net/Articles/737818/

Initiated by the city of Munich, LiMux aimed to migrate public administration systems from Windows to a Linux-based OS to increase control over IT infrastructure and reduce costs. Despite initial success (announced at LinuxTag in 2014, I was there for the announcement), the project faced intense political lobbying by Microsoft leading to a reversion to Windows.

More examples in this note: https://lab.abilian.com/Tech/Linux/Sovereign%20OS%20-%20%22E... (in particular https://lab.abilian.com/Tech/Linux/Sovereign%20OS%20-%20%22E...)


The political climate is completely different. The US is no longer an ally but a fascist regime actively supporting far right and nazi movements in Germany. What made sense 8 years ago probably doesn’t make sense today.

What if you have an excel workbook that relies on a bunch of custom formulas. I would be upset if this happened in my workplace. Datasets have been far easier to handle with lambda, vstack, byrow, and the rest. I would not like this move and would have to remain a holdout. That would also frustrate me because of the division.

Are we gonna accept being forever locked in to Microsoft because of custom Excel workbook formulas? Forever paying Microsoft a license fee, because we don't want to convert said formulas or invest in open source software to make it reach parity with Excel.

In many organizations, that license costs less than converting all the Excel workbooks - a process that disrupts work, as only the Excel spreadsheet's creator and user can reliably spec and test the new spreadsheet. And they need to convert with accuracy - worse than crashes is undetected bad output.

Being stuck in legacy systems sucks, and technical people like to deny the reality of it - but it's a business reality.


The problem with this is that the decisionmakers fucked up 10-20 years ago, and now when those decisions are being righted, some poor public servant is paying the price.

And 10-20 years ago it would have also been a public servant paying the price. You are just salty it's now you. At least be happy your work is impacted for a noble cause.

I must agree, unfortunately, and do so due to a reason that's way more mundane than "custom formulas": UI.

Language, form, muscle memory (call it what you will) is difficult to separate from thinking and working. I'm very picky when it comes to desktop UI: I use Linux exclusively, and I can't tolerate most Linux distros' default desktop environments. Someone who's been productive for a decade or more with Windows applications -- well, to the extent we're willing to ascribe "UI stability" to those applications' own updates -- will probably hate Linux with a passion.

I don't think such a transition can be made seamless. They should have thought about becoming Microsoft's hostage two decades ago (I guess).


This is equally an issue migrating from Windows 10 to Windows 11, or desktop Word to Office 365 Word, or in fact basically any major software update.

Yes, there is a cost to changing software. But it’s not unique to an Open Source migration.


Unfortunately, we have to be willing to make compromises and even learn a new thing or two if we want to survive and protect our sovereignty. And it really is a matter of national survival - Microsoft has made it clear that they are fully controlled by the whims of whoever is in charge of the US government on any given day and will comply with the orders that come down to them. So yes some people will have to re-learn how to use a spreadsheet program, but it's a transition that's worth making.

In that case, keep your MS license where there is a migration problem, simple as that. There is no need for the entire gov sector to pay so you and your team can use custom formulas.

Formulas exist in other software too. LibreOffice has better compatibility with older Excel files than MS Excel itself.

When you migrate anyway you could choose that to use a proper database and SQL if that makes sense instead.


Will you get upset if Microsoft will charge 500000000 USD (because more copilot value added every month) per year? That is way more upsetting imho. And if all fails there is still some SAP solution to everything in life :P

This one gets me more than most of the rest... The increase in licensing for Copilot features a lot of orgs would prefer to disable is distasteful to say the least.

I work at MSFT. I understand why they migrated to LibreOffice. Outside of work, I use none of MSFT products.

I do have some burning questions though, 1. How are they saving their work to the cloud if they use LibreOffice? I don’t think it offers the same functionality that M365 suite does. 2. How are they handling IT security? Are they using a different vendor?


Why should they save their work to the cloud? Most documents are local. Sharing should be a decision, not the default.

Anyway, there are plenty of local cloud providers.


Also, how do they handle system administration? What replaces Active Directory, Group Policy, etc.?

They are most likely using NextCloud.

> 2. How are they handling IT security?

Well, now, they can handle it more seriously, which before - they couldn't quite. That's because Microsoft - your company - is one big security breach. You are known to pass information that gets into your hand to the US federal government's intelligence agency, and you probably use it for all sorts of commercial purposes, like training AI models, directing advertising etc. So, by installing Microsoft Office, especially Office365 and cloud facilities, they were ensuring a security failure.


What is the political element in Germany that makes these very public walk away from Microsoft viable?

I’ve run projects for a few different employers to look at doing this. The math doesn’t math unless you can segment your workforce. For example, at one place we had a field workforce that operated dispatch centers and field techs. That was all iOS + Linux or Chrome.


> What is the political element in Germany that makes these very public walk away from Microsoft viable?

Russia is waging war on Europe. America is increasingly aligned with Russia:

https://www.bbc.com/news/articles/cpvd01g2kwwo

When the US government has become erratic, unreliable, untrustworthy, and aligned with your enemies then it's necessarily time to de-risk your infrastructure and supply chains by removing American products and services from them.

It's the same reason you don't want Chinese equipment in your telecommunications infrastructure. You can't trust what the Chinese government will do to it or with it.


> Russia is waging war on Europe.

No. NATO is engaged in a proxy war with Russia in Ukraine.

> America is increasingly aligned with Russia

Sure, and that's why they provide Russia with weapons and sanction Ukraine and Europe, right?


"Poland provoked occupation by Germany" (1939)? Germany "liberated Czechoslovakia Germans" by occupation and annexation (1938)? How occupation and annexation of neighbors ended for WW2 Germany (1938-1945)?

In 2014 Moscow invaded Ukraine, occupied Crimea, Donetsk, Luhansk. In 2022 Moscow invaded again. No NATO forces in Ukraine. No Moscow forces on NATO members territory. Trump officials unable to answer who started war, you blame NATO, both you and Trump aligned with Moscow.


> No Moscow forces on NATO members territory.

But Russian plane incursions (regularly) happen, and also drones fall on NATO territories.


> NATO is engaged in a proxy war with Russia in Ukraine.

No. The war can end tomorrow. All Russia needs to do is get out of Ukraine. No more Russians need to die.

Why doesn't Russia simply do that?


> What is the political element in Germany that makes these very public walk away from Microsoft viable?

Mostly the widespread perception that the USA has betrayed the security guarantees given to Europe, and that the USA isn't a reliable partner anymore.


>Mostly the widespread perception that the USA has betrayed the security guarantees given to Europe, and that the USA isn't a reliable partner anymore.

Mostly the widespread perception that the Trump administration has betrayed the security guarantees given to Europe, and that the USA isn't a reliable partner anymore.


Recent comments (and by now published strategy) of the US administration have certainly shifted public and political perception. Not necessarily 180° but enough to make such projects/attempts more viable.

In the end, from a European/German perspective, it matters little whether these thoughts/comments/strategies are a negotiation tactic, "trolling", serious threats or something else entirely. And the fact that "Government adjacent" people like Elon Musk behave the way they do certainly doesn't help.

The fear that the United States may use its tech companies as blunt offensive weapons does now exist (in a semi-abstract form) where it didn't 5 or 10 years ago.

I think at this point in time nobody can say what the end result will be or how things may develop in the future. Either on the political or the technological field.


> What is the political element in Germany that makes these very public walk away from Microsoft viable

Germany has had a fairly active Linux community for decades. A large portion of German local government has had experience using or RFPing FOSS alternatives since the 2000s all the way back to Munich's bake off of Windows vs Linux.

While the geopolitical portion is sexy and fun to look at, in most cases American vendors just don't find much value in supporting DACH customers because their budgets are significantly lower and they tend to be much more on-prem heavy unlike their Scandinavian, CEE, or British peers.

DACH local governments also tend to rely heavily on MSP/MSSPs and for these kinds of businesses, margins really matter and vendors don't like dealing with channel sales because they just don't bring enough money to the table for the amount of money you have to spend wining, dining, and supporting them. And given MSP/MSSP margins, it makes sense for them to adopt FOSS.

Finally, some German local governments have used public proclamations like these to renegotiate vendor deals (I think Munich did something similar).

That said, private sector players in DACH have largely consolidated around American or Israeli vendors, such as Schwarz - despite their proclamation for digital sovereignty - using American-Israeli SentinelOne [0].

It's good to have competition though, and I do strongly feel that MSP/MSSPs and organizations dependent on Channel are better suited to using FOSS tooling.

[0] - https://www.sentinelone.com/press/sentinelone-and-schwarz-di...


I think you’re closest to reality here vs the geopolitical stuff. I find it really interesting, because virtually none of my tech colleagues in the US would reach these conclusions.

Here is a concrete example of what other comments are talking about (threat that MS/USA is no longer reliable partner).

Microsoft blocked official email account of Karim Khan (a prosecutor of International Criminal Court). That was due to Executive order by president Trump (Executive Order 14203 - Imposing Sanctions on the International Criminal Court).


Schleswig-Holstein (pop. 3M) shows that Open Source in government is viable. We need an EU that shifts its focus from compliance frameworks to actually investing and building.

That was by far the most hostile cookie banner I've ever seen by a lot. It required multiple levels of saying no with a bid level of clicking reject a few hundred times. It wasn't worth it.

Unless you pay for the subscription you can't reject all of it anyway.

* Data processing by advertising providers including personalised advertising with profiling - Consent required for free use

The full page reload after wasting all that time to realise I don't actually have a choice was a nice touch.


Delete the banner from the DOM. They can't process your data legally until you pressed that button. That's why the reload is. When you delete it, you never pressed the button.

Or just use noscript.

Note that this is considered not freely given consent by various data protection authorities, including the Dutch one (quite strongly; could find a source but would be in Dutch) and the European-wide collective of them (more weakly): https://www.edpb.europa.eu/news/news/2024/edpb-consent-or-pa... It's not like GDPR is new or dubiously worded on this aspect. They're willfully ignoring both ethical boundaries and the law

I don't know why people keep sending me / sharing Heise links. There's more than one news website in the world


As a Polish man TIL Schleswig-Holstein is not only the ironclad that started WW2, but also a German province. Imagine my astonishment when I read that SH relies now on OSS having in mind that it's the infamous ship

"We are at almost 80, without the tax administration."

Guess someone decided "we need to make it sound like we have 80% anyway we can", who knows what the real percentage is.


We've been seeing variations of the same article every week. The answer has been the same for a long time: this is great but unfortunately there are advantages in using Office and that's the reason we shouldn't expect mass migration anytime soon.

Excel, in particular, hasn't been unseated despite billions in investments from competitors over the years. Parity will happen someday, but it's at least a decade away.


> We've been seeing variations of the same article every week.

Time has come. Over the last few years there is more and more interest from governments and private organizations to have reliable software that does not depend on foreign entities. Software sovereignty is becoming a necessity rather than a nice to have for both nations and enterprises.

> Excel, in particular, hasn't been unseated despite billions in investments from competitors over the years.

Excel, like many other technologies in the past, can be disrupted. Like many other commenters say, it won't come cheap. Saving costs shouldn't be the goal here.

> Parity will happen someday, but it's at least a decade away.

Challenge accepted!


This is the year of LibreOffice on the government? I'd love if you were right, but I doubt it. The chasm is enormous, and maybe you don't use Excel enough to realize it.

The chasm is enormous, but Calc doesn't need to implement 100% of Excel's functionality when most people - even business/power users - don't use all of its features.

What major commonly used features do you reckon Excel has that hasn't been implemented in LO Calc yet, that would be a deal-breaker for most businesses?

To my knowledge, Calc has implemented most of Excel's formulae (well over 500 in total count), so at least for typical spreadsheet functionality you wouldn't be missing anything.

The biggest limitation I can think of is the limited support for VBA, but Microsoft have already announced VBA's deprecation[1], so no one should be relying on it even in MS World.

And whilst LO's own Basic scripting is... basic, it also supports rich scripting and full automation via Python and Javascript. It even has a full-fledged SDK for developing addins/extensions using a high-level language like C++/Java etc[2], so businesses who're dependent on some random proprietary excel COM addin or something could invest in development effort to port it over.

Heck, if businesses are so inclined, they could modify the LO source itself and build a custom version to add the features they want - that's the beauty of FOSS.

[1] https://devblogs.microsoft.com/microsoft365dev/how-to-prepar...

[2] https://api.libreoffice.org/


You don't use all its features, but if you need part of the 10% of features that Calc doesn't support, then you're in a world of hurt.

When Calc gets the other 90% of the features Excel has, you also need to contend with Word, Outlook, Visio and all the rest that Libre Office has a 0% solution for.

I support FLOSS... But pretending that anything else does enough for many orgs is delusional. There is work and pain to get through to even have a workable solution... And it won't be as good for a long while.

Massive cost savings are one of the bigger motivators... But that will be offset by the need for more internal staff.


I don't see why you would automatically be in "a world of hurt". Yes, you might be if you were to suddenly roll it out organisation wide without any testing, but no sane IT department would do that. This is why you have internal test groups and pilot groups. Once you identify the limitations, you scope out the missing features/issues, engage developers if need be, or look for alternate solutions. No one needs to get hurt.

Will you, personally, volunteer to resolve all the issues when trying to convert the older Excel based workflows?

What's your approach to getting out of Access, Visio and Outlook integrations?


No, but that's only because I hate Excel. But I'm sure developers who don't hate it but also appreciate FOSS solutions might be interested, if the pay is good.

Access = LibreOffice Base

Visio = LibreOffice Impress

Outlook = Schleswig-Holstein already switched successfully to Open-Xchange and Thunderbird, I've not heard of them running into any major issues with this setup.


No, I don't think LibreOffice is the answer. And I am with you here, I would love to be wrong. One issue is that it doesn't really work well online. The folks from Collabora[1] have done an amazing job at wrapping LibreOffice for the web and maybe that is a way to go?

As a sibling comment says you don't need to implement absolutely everything Excel does to _disrupt_ Excel. But you do need to provide a fantastic tool that is easy to use and solves 99% of the problems. If governments start putting their money where their mouth is I am very convinced we can create tools that supersede Excel, Word,...

[1]: https://www.collaboraonline.com/


Arriving first (ye ye Lotus 1-2-3 existed we know) and early extreme lobbyism sure stands strong.

You acknowledge your first argument is invalid, handwave that away and then your whole idea of Microsoft's office suite's dominance is "lobbyism"?

Good lord.


Is there a link that doesn't require me to agree to give up my first-born?


I wonder what they use for Microsoft Office. My office license is renewing in 2 weeks and I have been looking at alternatives but they all have their own catch.

The catch depends a lot on the context that you're considering. Trying to replace Microsoft Office as a whole by a drop-in replacement like LibreOffice may work better or worse depending on who uses it.

I've never used anything but OpenOffice / LibreOffice for writing academic texts in the humanities and never missed anything. The "catch" whenever I tried Microsoft Word was the menu that had the most important functions (for me) hidden away much deeper than in OO and LO.

I've never been a big user of Spreadsheets but I've heard only good of Excel and trust the widespread opinion that it is unchallenged in its domain. In sociology you wouldn't use it because you've got specialized statistics software such as R and SPSS (PSPP being an attempt at an Open Source Alternative to SPSS).

Looking at administration, Excel is probably quite important but when you get rid of it, not one but various solutions might take its place, depending on who uses it. If you want something like a browseable database in a colorful table for office clerks, LO Calc might be enough. But the things Excel gets praised for a lot (I never know what exactly people mean) would probably have to be tackled another way.

Governments going down that need to invest into finding those solutions by providing staff that is qualified to find them or even develop them. The state of Schleswig-Holstein considered in its Open Source initiative strategy that it may be challenged by a future legislation and put a focus on the reasons for acceptance of Open Source solutions. I wonder if that is put into action well to find solutions with the least "catch" that may even excel over Microsoft products depending on their context :)


Immerse yourself in a workplace setting where Excel is the first thing that people grab for anything but text editing. You'll see how insanely productive people are. Now actually try switching to LO Calc.

I've done this several times during my career, to see if LO Calc would ever come up to the performance of Excel. To be fair, I haven't done so since I switched to Python.

Here's the experiment I would conduct. Generate a column of 5000 numbers. Now graph them. Now make a few token changes to the graph such as modifying some of the aesthetic parameters. The difference in processing time was profound, last time I tried it. Also, there was a noticeable "latency" between clicking something, and seeing something happen, that made it quite un-ergonomic if not physically painful to use. I'm sensitive to this because I get eyestrain headaches easily.


I find Onlyoffice to be the closest alternative. It presents itself as a hosted office platform but you can actually install it locally and it feels just like an office program.

It's not the most efficient, being effectively a webview. But its UI and compatibility is imho much better than LibreOffice.

https://www.onlyoffice.com/


Thanks! Works quite well.

there is some information in the following article:

https://euro-stack.com/blog/2025/3/schleswig-holstein-open-s...


what are your use cases and what's your scripting knowledge?

Super basic use cases, like having a CV in Word and a Budget Excel. But I switched to Onlyoffice now. I am not a huge fan of scripting in excel anyways.

Cost savings make headlines, but the important part is reducing structural dependency. Governments shouldn’t base essential functions on systems they can’t inspect or control. Even if OSS requires investment, that investment at least builds local capabilities instead of external lock-in.

A company that cuts all services to members of the International Criminal Court because they prosecute war criminals that are protected by the US is not a reliable service provider for non-US customers. That’s why Swiss Data Protection Officers recommended recently to migrate away from MS products and services. And all European agencies should do the same immediately.

It's been a very long time since I was a Sysadmin, but I'm curious what managing a fleet of Linux desktops is like today? Has it vastly improved?

When I last tried in a small pilot program, it was incredibly primitive. Linux desktops were janky and manual compared to Active Directory and group policy, and an alternative to Intune/AAD didn't even seem to exist. Heck, even things like WSUS and WDS didn't seem to have an open version or only had versions that required expensive expert level SMEs to perform constant fiddling. Meanwhile the Windows tools could be managed by 20 year old admins with basic certifications.

Also, GRC and security seemed to be impossible back then. There was an utter lack of decent DLP tools, proper legal hold was difficult, EDR/AV solutions were primitive and the options were limited, etc.

Back then it was like nobody who had ever actually been a sysadmin had ever taken an honest crack at Linux and all the hype was coming from home users who had no idea what herding boxen was actually like.


This is my concern with all those "success" stories about Linux as an enterprise desktop OS. Run it for 10 years and show me the actual cost savings/improved productivity.

Microsoft is trash and is getting worse day by day, but at the very least it's the same trash everyone has to deal with, so people mostly got used to the smell, and you can get economies of scale in tools used to deal with said smell. MS is trash because of incompetence.

Linux is dozens of different flavors of trash, so you don't even get economies of scale dealing with it. It's trash because of ideology - the people involved would often reject the functionality you mentioned for ideological reasons, and even for those who do accept them, won't agree on the implementation meaning you now have a dozen of different flavors, and will take up arms if someone tries to unify things (just look at the reaction to systemd).

Linux works well for careers where shoveling trash is already part of your work, in which case all the effort doubles as training for the job and experience makes this a non-issue. But for non-IT careers where the computer is just a tool that is expected to work properly, it's nowhere near there, and will never get there because everyone's instead arguing on the definition of "there" and which mode of transportation to use getting there.


Google gave its employees a Linux laptop option for well more than 10 years, but in the past few years they started steering everyone away from it, before formally announcing they want to scale it back.

This is despite them being a tech company, and despite them having already invested in their single Linux flavor (gLinux). Wayland migration was also a pain.


Most companies that I know that allow employees to use Linux laptops, IT washes their hands of any kind of support.

While anyone with macOS or Windows laptops can open support tickets, the hardcore Linux users get invited to join internal forums to help themselves.

Thus naturally one needs to be really into it, especially when dealing with software that doesn't even exist.

So we get our IT supported systems and run GNU/Linux either on servers or VMs.

I sense only if there are changes imposed at governments level, would companies change their stance on this.


I'm not an expert and that still might be the case but you have to understand that for many Microsoft as an American company is simply no longer an option for critical infrastructure. It's a matter of trust.

I think this comes primarily from trying to add a separate management tool on top, instead of leveraging the OS structure itself. There is a reason why most directories are specified to be readonly. Also writable XOR persistent is mostly true. The only things required to be writable are /tmp, /var and /home. /tmp is wiped at least on every boot or is even just a ramdisk. /var can be cached or reset to the predefined settings on boot. /home needs to be managed, that is true. But you wouldn't want every user's directory on every host anyway, instead you want to populate them on login. That is typically done by libpam.

/usr is expected to be shared among hosts, host-specific stuff goes into /usr/local for a reason, and as a sysadmin you can decide to simply not have host specific software.

EDR/AV is basically unnecessary, when you only mount things either writable or executable. And you don't want the users to start random software or mount random USB-sticks anyway.

> Back then it was like nobody who had ever actually been a sysadmin had ever taken an honest crack at Linux and all the hype was coming from home users who had no idea what herding boxen was actually like.

Unix has over 50 years of history of being primarily managed by sysadmins instead of home users. While Linux is not Unix, it has inherited a lot. The whole system is basically designed to run a bunch of admin configured software and is actually less suitable for home users. I would say the primary problem was accessing it with a Windows mindset.


>EDR/AV is basically unnecessary, when you only mount things either writable or executable

Sounds good, except:

* scripting languages exist. The situation is even worse on Linux than on Windows (because of the sysadmin focus). You need at least /bin/sh installed and runnable on any POSIX system. In practice bash, python, perl and many more are also always available.

* exploits exist. Just opening a pdf file may execute arbitrary code on a machine. There is no way to avoid that by just configuring your system. And it will happen sooner or later, especially if nation states are involved.

The idea that your systems are somehow unhackable because you... mount everything W^X is... not based in reality. Of course it's a great idea, but in practice you need defense in depth, and you need to have a way to Detect and Respond to inevitable Endpoint breaches. I don't love EDR/AVs, but they mitigate real attacks happening in the real world.
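The writable-XOR-executable layout argued over in the two comments above can be checked from the mount table. This is an added example, not code from either commenter: the sample `/proc/mounts` text is constructed, and the function names are assumptions made for the illustration.

```python
"""Flag mounts that are both writable and executable in a /proc/mounts listing."""
import re

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/mapper/vg0-root / ext4 ro,relatime 0 0
/dev/mapper/vg0-usr /usr ext4 ro,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg0-var /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg0-home /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /media/USB\\040STICK vfat rw,nosuid,nodev,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape(field):
    """Decode the \\ooo escapes the kernel writes for space, tab, newline, backslash."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return one dict per mount line, in file order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or line.lstrip().startswith("#"):
            continue  # blank, comment or malformed line
        device, mountpoint, fstype, options = parts[:4]
        entries.append({
            "device": unescape(device),
            "mountpoint": unescape(mountpoint),
            "fstype": fstype,
            "options": set(options.split(",")),
        })
    return entries


def effective_mounts(entries):
    """A later line at the same mountpoint shadows the earlier one (overmount)."""
    table = {}
    for entry in entries:
        table[entry["mountpoint"]] = entry
    return table


def covering_mount(path, table):
    """Return the mount with the longest mountpoint that is a prefix of path."""
    best = None
    for mountpoint in table:
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best):
                best = mountpoint
    return table.get(best)


def wx_violations(text, ignore_fstypes=frozenset()):
    """Mountpoints that are neither read-only nor noexec, sorted by name."""
    table = effective_mounts(parse_mounts(text))
    return sorted(
        mountpoint
        for mountpoint, entry in table.items()
        if entry["fstype"] not in ignore_fstypes
        and "ro" not in entry["options"]
        and "noexec" not in entry["options"]
    )


if __name__ == "__main__":
    for mountpoint in wx_violations(SAMPLE_MOUNTS):
        print("writable and executable:", mountpoint)
```

A clean result only covers native execution: a script stored on a `noexec` mount can still be handed to an installed interpreter, which is the objection raised in the reply above.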


> the primary problem was accessing it with a Windows mindset.

The early Unix systems you're talking about were mainframe based. Modern client-server or p2p apps need an entirely different mindset and a different set of tools that Linux just didn't have the last time I looked.

When they audit the company for SOX, PCI-DSS, etc we can't just shrug and say "Nah, we decided we don't need that stuff." That's actually a good thing though, because if it were optional well meaning folks like you just wouldn't bother and the company would wind up on the evening news.


> When they audit the company for SOX, PCI-DSS,

Maybe I am missing something, but that seems orthogonal to ensuring host integrity? I didn't argue against logging access and making things auditable, by all means do that. I argued against working against the OS.

It is not like integrity protection software doesn't exist for Linux (e.g. Tripwire), it is just different from Windows, since on Windows you have a system where the default way is to let the user control the software and install random things, and you need to patch that ability away first. On Linux software installation is typically controlled by the admin and done with a single file database (which makes it less suitable for home users), but this is exactly what you want on an admin-controlled system.

Sure, computing paradigms have changed, but it is still a good idea to use OS isolation like not running programs with user rights.


> on Windows you have a system where the default way is to let the user control the software and install random things, and you need to patch that ability away first.

That's certainly not the default in a managed corporate environment. Even for home users, Microsoft restricts what you can install more and more.

And restrictions are not implemented via patch, but via management capabilities native to the OS, accessed via checkboxes in Group Policy.


I just mean to say that while you absolutely should work to configure the OS to a reasonable baseline of security, you also still need a real EDR product on top of it.

Even if security were "solved" in Linux (it's not), it would still often be illegal not to have an EDR and that's probably a good thing.


> you also still need a real EDR product on top of it.

Well that's my point. You don't need third-party software messing up with the OS internals, when the same thing can be provided by the OS directly. The real EDR product is the OS.


> And you don't want the users to start random software

python ~/my.py

wget | bash


I guess you wouldn't install wget in that installation and patch programming languages to follow the executive bit or also remove them.

Also you can't make it physically impossible for employees to not e.g. screenshot things and take them home. You can forbid it and try to enforce it, but some amount of trust is needed.

Willing action needs to be taken for what it is, a deliberate action by that user. If that user is allowed to access that data, then I don't see what is wrong with him doing that in an automated way.


> EDR/AV is basically unnecessary,

No, it's not and never will be.

Even if it were technically unnecessary (in some hypothetical future where privilege escalation became impossible?), legal, compliance, and insurance requirements would still be there.


The problem is that EDR is basically a rootkit, by using it you enable a huge attack surface instead of being able to have stuff e.g. immutable. That tradeoff only makes sense, when you don't trust and control the OS itself. This is more of a problem with proprietary OSes like Windows. Otherwise you would rather integrate this into the OS itself.

> That tradeoff only makes sense, when you don't trust and control the OS itself.

That's totally accurate, but you're missing the fact that we fundamentally don't (and can never) trust the OS or any other part of a general purpose computer.

In general purpose computing you have a version of Descartes' brain in a vat problem (or maybe Plato's allegory of the cave if you want to go even further back).

https://iep.utm.edu/brain-in-a-vat-argument/

To summarize: We can't trust the inputs even if the OS is trusted, and even if the OS is trusted we can't trust the compiler, and even if we trust the compiler we can't trust the firmware, but even if we trust the firmware we can't trust the chips it runs on, and even if we trust those chips we can't trust the supply chain, etc. "Trust" is fundamentally unsolvable for any Turing machine, because all trust does is move the issue further down the supply chain.

I know this all sounds a bit hypothetical, but it's not. I can show you a real world example of every one of those things having been compromised in the past. When there is money or lives at stake people will find a way, and both things are definitely at stake here.

So what we have to do is trust, but verify, or at the very least log everything that happens and that's largely what those EDR products exist to do. Maybe we can't stop every attack, even in theory, but we take a crack at it and while we're at it we can log every attack to ensure that we can at least catch it later.

There just isn't any version of this world in which general purpose computers don't require monitoring, logging, and exploit prevention.


Sure, that is why you trust a blackbox software from some random company running as a rootkit, whose concrete version you do not even control, because it is remotely updated by them.

If you think the hardware works against you, then you are screwed.


> Sure, that is why you trust a blackbox software from some random company running as a rootkit, whose concrete version you do not even control, because it is remotely updated by them.

It doesn't have to be "a random company". Microsoft, for example, now ships EDR as part of the operating system.

Many companies prefer other vendors for their own reasons. Sometimes one concern is the exact issue you're describing. By using another vendor outside of MS they can layer the security rather than putting all their eggs in a Microsoft designed basket. We sometimes call that a "security onion" in cyber.

I have no idea what the Linux version of that would even look like though. I imagine you'd just choose one of the many 3rd party EDR's from "random companies." It's another reason I asked the original question about how Sysadmins cope with Linux these days. MS has an entire suite of products designed to meet these security, regulatory, and compliance problems. Linux has... file permissions I guess?


If you think of running some EDR software in kernel mode, then my point is indeed don't do that. That just sounds like less security. Use the OS and run the reporting in userspace.

If you want integrity, first make everything executable immutable, the system is explicitly designed to work that way. That's what the FHS exists for. Then use something like Tripwire to monitor it.

To log access use auditd (https://www.baeldung.com/linux/auditd-monitor-file-access).

What else do you need to do?


> make everything executable immutable

How though? Presumably you mean we should trust the OS to do that?

Edit to be clear auditd has the same issue. We're trusting it to audit itself. However, we know that we can't trust it because rootkits are a thing. So now what?...

I guess we need a tool that's designed to be tamper proof to monitor it. We do that by introducing an external validation. A 2nd external system can vouch that hashes are what we expect, etc.
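The file-integrity idea raised in the last two comments (monitor immutable executables, and let a second system vouch for the hashes) can be sketched as follows. This is an added example, not Tripwire's code or any commenter's: the function names, the demo key and the file tree are constructed, and it assumes the baseline and the HMAC key are kept on the verifying system rather than on the monitored host. Collection still runs on the monitored host, so this catches changed files and a forged baseline, not a kernel that lies about what it reads.

```python
"""Hash manifest of a directory tree, checked against an authenticated baseline."""
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to its hash and mode bits."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            mode = os.stat(full).st_mode & 0o7777
            manifest[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "mode": oct(mode),
            }
    return manifest


def seal(manifest, key):
    """HMAC-SHA256 over the canonical JSON form; the key stays with the verifier."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(baseline, tag, key, current):
    """Authenticate the baseline first, then report how current differs from it."""
    if not hmac.compare_digest(seal(baseline, key), tag):
        raise ValueError("baseline manifest failed authentication")
    shared = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in shared if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed value, for the demo only
    with tempfile.TemporaryDirectory() as root:
        tool = os.path.join(root, "tool")
        with open(tool, "wb") as handle:
            handle.write(b"original contents")
        baseline = build_manifest(root)
        tag = seal(baseline, key)
        with open(tool, "wb") as handle:
            handle.write(b"modified contents")
        print(verify(baseline, tag, key, build_manifest(root)))
```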


So you have an OS of which you have the source, which is binary reproducible and you can compile yourself if you want to. You want to make that more trustworthy by injecting a random blob, you can not inspect and which updates itself over the network controlled by a third party. I do not understand your threat model.

If you think your OS doesn't give you the correct answer to a read, then you need to run a second OS side-by-side and compare. If you think your OS is touching data you haven't told it to, you need to have a layer running below so you can check, i.e. virtualization, BIOS or hardware. If you think your OS is making network calls you haven't told it to, then you need to connect it via an intermediate host, that acts as a firewall.

I don't see what injecting a random blob into the OS gives you other than box ticking. Now you need to trust the OS and that other thing.

When your attacker gains control of your OS (so actually below root), then you are screwed anyways. Only having some layer independently will help you in that case. Having more code in your OS, won't help you at all, it will just add more attack surface.


> If you think your OS doesn't give you the correct answer to a read, then you need to run a second OS side-by-side and compare.

I mean, that's mostly right. IF the OS is already rootkit infected then installing an EDR won't fix it, as it mostly won't be able to tell that the answers it gets from the OS are incorrect. That's why you'll sometimes see bootable EDR tools used on machines that are suspected of already being compromised. It's a second OS to verify the first, exactly as you describe.

In practice that's not typically required because the EDR is usually loaded shortly after the OS is installed, and they're typically built with anti-tamper measures now. So we can mostly just assume that the EDR will be running when the malware is loaded. That allows us to do things like Kernel‑level monitoring for driver loads, module loads, and security‑relevant events (e.g., LSM/eBPF hooks on Linux, kernel callbacks/ETW on Windows).

By then layering on some behavioral analysis we can typically prevent the rootkit from installing at all, or at the very least get some logs and alerts sent before it can disable the EDR. It's also one reason these things don't just run in userland as you suggested above. They need kernel mode access to detect kernel mode malware, and they need low level IO access to independently verify that the OS is doing what it says it is when we call an API.

Your suggestion reminds me of the old 'chkrootkit' command on Linux. It's a great tool, if you don't already have a rootkit. In that case it just doesn't work. A modern EDR would have prevented the rootkit from installing an API hook in the first place (ideally).

> Only having some layer independently will help you in that case.

Sometimes it's more about detection, and sometimes it's more about prevention, but both are valuable. I would one day love to see a REAL solution, but for now I think EDRs are the least worst answer we have.

A better answer would be a modern OS built to avoid the weaknesses that make these bolt-on afterthought solutions necessary, but neither Windows nor Linux comes anywhere close to being that. They both have too much history and have to preserve compatibility.
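The "second OS to verify the first" idea from the exchange above, as an added example that is not part of the thread: a cross-view comparison of a file manifest reported by the running OS against one collected from trusted boot media. The manifest format, paths and digests are constructed for illustration.

```python
"""Cross-view check: what the live OS reports vs. what an offline view finds."""
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def cross_view_diff(live: dict, offline: dict) -> dict:
    """Compare two {path: sha256} manifests of the same disk.

    live:    collected through the running (possibly compromised) OS
    offline: collected after booting trusted media, disk mounted read-only
    """
    return {
        # On disk, but the live OS never listed it (classic file hiding).
        "hidden": sorted(p for p in offline if p not in live),
        # Listed by the live OS, but absent from the disk itself.
        "phantom": sorted(p for p in live if p not in offline),
        # Both views list it, but the live OS served different content.
        "mismatched": sorted(
            p for p in live.keys() & offline.keys() if live[p] != offline[p]
        ),
    }


def is_suspicious(report: dict) -> bool:
    # Caveat: files that legitimately changed between the two collections
    # also appear here, so take the live manifest right before shutdown.
    return any(report.values())


# Constructed sample manifests (not real paths or hashes from any incident).
OFFLINE_VIEW = {
    "/usr/bin/ls": digest(b"ls-modified"),
    "/usr/bin/ps": digest(b"ps-original"),
    "/lib/modules/extra/hid.ko": digest(b"unknown-module"),
}
LIVE_VIEW = {
    "/usr/bin/ls": digest(b"ls-original"),  # live reads return clean bytes
    "/usr/bin/ps": digest(b"ps-original"),
}

if __name__ == "__main__":
    report = cross_view_diff(LIVE_VIEW, OFFLINE_VIEW)
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
    print("suspicious:", is_suspicious(report))
```

A manifest collected by a tool running inside the suspect OS alone shows nothing here; the differences only surface because the second manifest comes from a layer the suspect OS does not control.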


> A better answer would be a modern OS built to avoid the weaknesses that make these bolt-on afterthought solutions necessary

That's basically my point. Plugging EDR into an OS is getting you a different OS that contains a part of which you have only a binary blob, and which is changed by a third party over the network. This means you need to be able to change parts of the OS over the network, which opens you to new attack surfaces, and you now also have the possibility of incompatibilities between the core OS and your blob, since these are developed by different vendors.

When you have software, of which you have the source, you control the version, trust the vendor, run this in the kernel and still want to call that EDR, that is fine, but that doesn't seem to be what EDR companies like Crowdstrike are doing.

If all you do is use kernel hooks, then you are still trusting the kernel. If your low-level IO still queries things in the kernel, then you still trust the kernel. If low-level IO means below the kernel, then you are not modifying the OS, your "EDR" is the OS and you run another untrusted OS on top.


>> make everything executable immutable

> How though? Presumably you mean we should trust the OS to do that?

If you don't trust the layer controlling the hardware (aka. the OS) then you need to do that in hardware.


AFAIK they use Open-Xchange, Univention Corporate Server and other specialized (maybe customized?) and open solutions for telephony, interoperability and other tasks.

https://euro-stack.com/blog/2025/3/schleswig-holstein-open-s...


I've never used it. Does this actually replace AD and group policy effectively? Does it manage updates properly? Can it handle compliance tasks?

I've used other things that claimed to in the past and none came anywhere close in practice. They all turned out just to be LDAP with some NT4 style policies for windows and very little at all for the Linux clients. It was like traveling back in time to the Windows 2000 era of management.


> Does this actually replace AD and group policy effectively?

I do not know. They probably evaluated the solution before they made the decision.

In any case, continuing to use AD seems out of the question. Relying on US based software in 2025 and beyond is simply not a viable option for any administration that values its sovereignty. The US isn’t even hiding its hostility.


I would disagree with you both about the past and the present and what's "janky", but - that's actually beside the point:

LibreOffice works just fine on _Windows_ - and that's what the majority of its users are running.

So, Schleswig-Holstein can switch to Linux, or not switch, or let specific agencies or individuals choose.


I really don’t get why there’s always this group of people who feel the need to constantly manage everything for others—like sysadmins, for example. Sure, there are valid scenarios where management makes sense, like printing or shared drives, but most of the stuff is just over the top. As a developer, I’m sick of all the constant restrictions—broken VPNs, stealth monitoring, and antivirus software that slows everything down. These "security measures" are supposed to help, but they just kill performance and cause frustration. At the end of the day, I just want my system to work smoothly without constant interference.

> I’m sick of all the constant restrictions

I think everyone hates it, but they're often legally required. Even when they aren't legally required, they usually are by insurance companies.

Nobody wants to be on the news the first time Becky in Marketing opens an email attachment she shouldn't.

*EDIT* I left out one of the biggest benefits: Dummies & Newbs. The world is filled with people who have never used a mouse before they started this job last week and people who actually NEED the stupid warning stickers on their toasters. If you don't lock down their desktops your support costs will be astronomical and downtime will be constant. We know this because there was a time before these tools, and it largely sucked for everyone.

Did you know that you can bypass the Windows 98 login screen by just clicking 'Cancel' instead of 'OK' at the login prompt? Nice and simple, right? That stupid button not only wrecked security, it caused 10s or 100s of thousands of hours in lost work because people forgot their passwords, clicked Cancel, and then would call the help desk wondering why network shares didn't work. It would sometimes take hours to figure out that all they had to do was reset the password and log in properly.


Benefits are bigger than anyone realizes. Even if it cost the same, it would still be money that circulates further in the local economy.

>Almost 80 percent of licenses canceled

Looks like what IBM tried. IBM allowed some people to stay on Microsoft Office, the 'some people' were VPs and a few 'important' people. That turned into a disaster.

Eventually almost everyone started requesting M/S Office Exceptions, and many were granted. Other people revolted. IBM then gave up and went back to M/S Office.

To do this correctly, convert everyone, from CEO, Board Members down to the lowest level of person. No exceptions.


The US becoming a national security risk can't help.

The key word missing from the title: LibreOffice.

It is by now a trusty enough workhorse for large organizations.

Yes, it's not all the way there: I've filed hundreds of bugs against LibreOffice, and many are still open (not just feature requests); and yes, I have a lot of criticism of the governance. But it is proof that a huge, end-user-facing software project can sustain itself and improve without having to rely on the MS-bucks or the Googlebucks and such.

But a huge project needs a lot of support, and needs to renew its support from new people, so please help out!

https://whatcanidoforlibreoffice.org/

Filing bugs, contributing graphics, translating parts of the UI (which you would be a saint to do since the translation system is the pits), designing document templates, organizing an install-party, getting promotional material and putting it, and of course you can write code (starting with easy-hacks) or contribute money.

----

Due disclosure: I'm a trustee of The Document Foundation, which manages the project. Going to speak at LOConf Asia 2025 in Tokyo later this month:

https://conf.libreoffice.asia


Related in October:

Schleswig-Holstein completes migration to open source email

https://news.ycombinator.com/item?id=45558635


Whenever cost-cutting measures are open for recommendations, I always mention how any company or organization can save on Microsoft licenses by switching to open source alternatives. It's never taken seriously, my competence is always questioned, and I somehow form new enemies from Microsoft fans. In the end, layoffs are conducted while the bills from Microsoft increase. The worst part about it all is that if my recommendations were implemented, the savings could have been enough to save everyone from a layoff.

what’s the surveillance situation in the Linux ecosystem these days? :-)

46181491

Wait until Microsoft comes back with lobbying some well placed politicians and restores Microsoft 365 in no time. This happens every single time.

Over half my life I've been reading this headline. "[Subdivision of Germany] switches to Linux". Here's some slashdot slop from 2002.

You'd think Microsoft would be dead and buried by now, or that the readers would have realized how inconsequential these changes are. One or the other.

https://m.slashdot.org/story/25936


problem is these changes are constantly reverted (back to Microsoft services)

Microsoft had to move their local headquarters to Munich to have their municipality revert the change...

Now, if two or more municipalities managed to migrate to Linux at the same time...


Right, but if you point out that the median time to uninstall Open Office is two minutes people get mad.

[flagged]


I've been using LibreOffice Calc and Writer for years. I've used Microsoft Office Excel and Word, too.

I can't say I've ever suffered from my choices or that I missed any features. As for "polish" - that's subjective, isn't it? I can access all the features I want quickly and efficiently. It's a tool, after all.

There are some minor bugs with Calc that I'd rate 2/10 in importance - annoyances mostly. I haven't used Excel in a while, but it had annoyances, too.

But even if Microsoft Office is more polished and feature-rich, I still think that the trade-off is worth it - we get data and software sovereignty, privacy and cost savings. The workers need to relearn how to access feature X in the menu or how to live without feature Y.


I don't necessarily disagree with "LibreOffice is junk" but that's not actually a problem, or all the problem. As the article has stated, 80% of the licenses were dropped, while 20% of the use cases continue to be supported by Microsoft Office. To me that is already a big win compared to 100% Microsoft Office.

You see, most Office users are not heavy/expert users and they only occasionally need the basic features that exist everywhere and do good enough of a job. I personally have only used Word maybe 3 times over the past few years, because almost all work documents live elsewhere, while Google Docs is good enough for my personal word processing needs (which could probably be done with LibreOffice as well). In the old days I used to install pirated Microsoft Office when I got a new laptop. These days I don't even think about it.

Imagine every company starts to evaluate how many employees actually need Microsoft Office, and then drops licenses for those who would be ok with LibreOffice or nothing at all. Microsoft would be shitting their pants.


There is probably some (or even much) truth to it, but it needs to be pointed out that this statement comes from the political opposition and is therefore somewhat biased against this project.

It's not ideology. The US has started sanctioning European judges who serve on international courts, causing Microsoft to cut off access to its services.

Given that the US has shown it's willing to wield sanctions as a blunt instrument against anyone and everyone, it's only prudent for European countries to reduce their exposure to US tech.


"Somebody needs to put a lot of $$$$ into the project"

and that's the problem, people wouldn't invest that much into a project no one uses


It's 2025, maybe instead we can finally stop trying to emulate letters from the 1980s? If your business process today involves Word, you need to be retired so someone can come in that understands what computers are.

Good move, gotta watch out for complicated contractual claims in Schleswig-Holstein. Microsoft might ally with the Danes and claim Schleswig, and then we'd have an 1864 situation on our hands again.

I really tried to read the comments on heise.de … but their website is the perfect example of when ad revenue drives a company instead of providing value to their readers. Why do users have to create another page impression to read a comment?

In Heise's (slight) defense, their forum system is at least 24 years old, extrapolated from checking the date of my first comment on it. Probably even older. Apart from driving page impressions, there didn't seem to be an incentive to make the experience smoother, as user engagement is still very high.

You dodged a bullet there. Heise is infamous for incendiary, low quality discussion.

heise is older than online ads.


