
June 26, 2026

From dependence to resilience: Digital sovereignty for software


There’s something fitting about Roberto Di Cosmo returning to the University of Pisa to talk about the fragility of digital infrastructure. He studied there from 1982 to 1986, then again for his doctorate in 1988 — back when the computer science department had no budget for machines that actually worked, which meant he spent most of his time making friends in physics and astrophysics, where the funding was.

«They had the big computers,» he told the room at a recent GARR conference, back in the same city nearly four decades later, this time as the founder of Software Heritage and one of the people most responsible for the fact that the world’s source code hasn’t simply vanished.

The talk he gave was called «From Dependence to Resilience: Building Ecumenical Digital Sovereignty for Software.» It was, in essence, a polite but urgent intervention aimed at a room full of people who understand networks and infrastructure — and who therefore have no excuse for not understanding just how exposed they are. You can catch the talk, in Italian, here or check out the slide deck in English.


The forgotten pillar

Digital sovereignty has become a political buzzword. Read any European policy document, listen to any ministerial speech, and you will hear about data, about cloud infrastructure, about strategic autonomy. What you will hear much less about is software — the thing that makes all of the above actually function.

«If you remove the software, nothing works,» Di Cosmo said. «All those cables, all those computers — useless.» The world’s scientific, technical, organisational and political knowledge is increasingly embedded in source code. Not just in computer science departments. The French Open Science Barometer — which has been running for four years, tracking software produced by French researchers — found software being created and used across every single discipline. Chemistry, physics, law, sociology, psychology. In psychology, because psychology involves a lot of statistics, and statistics means R scripts, and R scripts are software.

This is not a niche problem for computer scientists. It’s a problem for everyone who depends on digital infrastructure, which is everyone.

11 lines of JavaScript

The other face of open source’s extraordinary power is dependency — and dependency, at planetary scale, is a kind of fragility most people don’t want to think about.

Di Cosmo told the story of a JavaScript developer who, in 2016, fell out with the owners of npm — the package manager for JavaScript — and decided to remove all his code from the platform. Among his packages was an 11-line function called left-pad. It added spaces to the left of a string. Within hours, the entire web collapsed, in what went down in nerd history as the npm left-pad incident. Every JavaScript package loaded by every page on the internet pulled in left-pad, directly or indirectly. Two and a half hours later, npm’s owners overrode the developer’s decision and put it back. The internet recovered.

«This gives you an idea of the fragility,» Di Cosmo said.

He then asked the room a question about their own institutions — the members of GARR, Italy’s national research and education network. European Commission developers, it turns out, host 78% of their software on GitHub. What about GARR members? «Any guesses? Ten percent? Twenty? Ninety?» The answer: 88%. Then Bitbucket. Then GitLab. Then, in fourth place, a CNR-hosted platform.

«If GitHub or Python Packaging stop tomorrow, all your institutions — all of them — stop. The software you contribute to no longer works.»

Europe regulates. The infrastructure isn’t there.

This is where the structural gap becomes visible. Europe has produced GDPR, the Cyber Resilience Act, the AI Act, open science policies mandating that research software be made available. All of it, Di Cosmo argued, presupposes a certain capacity to actually control the infrastructure on which these obligations are enforced.

«If I pass a law and there’s no magistrate, no police officer, no notary behind it, the law is just wishful thinking.»

Europe’s answer to digital dependence has largely been regulation. What it has not done is build the infrastructure that would make that regulation meaningful — or ensure that the code its institutions produce, depend on, and are legally obligated to share actually lives somewhere that Europe controls.

The Software Heritage Archive, June 2026

What Software Heritage actually does — and why it matters now

This is the argument for Software Heritage: not as an archive in the library sense, but as critical infrastructure for digital resilience.

Since 2015, Software Heritage has been building what Di Cosmo calls a giant vacuum cleaner — connected to more than 5,000 platforms, ingesting source code with its complete development history, deduplicating it, and rebuilding it into a single unified graph. 50 billion nodes. A trillion edges. Three petabytes of storage. Every public line of code written over 70 years of computing history, including code from Pisa that was collected in 2019 with colleagues at the university museum.

The identifiers used to reference code in the archive became known as the SoftWare Hash IDentifier (SWHID) and are now an ISO standard (ISO 18670; «four years of work, what a thing,» Di Cosmo noted). The archive has been integrated with the Nix and GNU Guix package managers so that when a package can’t be found at its usual source, the build system automatically falls back to Software Heritage and continues. Transparently. You only notice when you’re at scale.

And Di Cosmo has built a network of mirrors: one in Italy at ENEA and one at GRNET (Greece), with more coming soon: IMDEA Software in Spain, and one in Germany in progress.
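
An added example (not from the talk or from Software Heritage's own code) of why falling back to the archive or a mirror does not require trusting whichever server answers: a content SWHID is computed from the bytes themselves, so any copy can be checked against the identifier a build recipe pinned. The `fetch_pinned` helper, the source names and the sample data are hypothetical and constructed for illustration.

```python
import hashlib
import re

# Core SWHID only (no ";origin=..." qualifiers): swh:1:<type>:<40 hex digits>
SWHID_RE = re.compile(r"^swh:1:(cnt|dir|rev|rel|snp):([0-9a-f]{40})$")

def content_swhid(data: bytes) -> str:
    """Content SWHID: SHA-1 over a git-style blob header followed by the bytes."""
    header = b"blob %d\x00" % len(data)
    return "swh:1:cnt:" + hashlib.sha1(header + data).hexdigest()

def fetch_pinned(pinned: str, sources):
    """Try sources in order; accept the first whose bytes match the pinned SWHID.

    sources: list of (name, fetch) pairs, where fetch() returns bytes or None
    (hypothetical interface). Returns (source_name, data, rejected).
    """
    match = SWHID_RE.match(pinned)
    if not match or match.group(1) != "cnt":
        raise ValueError(f"not a content SWHID: {pinned!r}")
    rejected = []
    for name, fetch in sources:
        data = fetch()
        if data is None:
            rejected.append((name, "unavailable"))
        elif content_swhid(data) != pinned:
            rejected.append((name, "identifier mismatch"))
        else:
            return name, data, rejected
    raise LookupError(f"no source produced {pinned}: {rejected}")

# Constructed sample: the pin a build recipe would record, and three sources.
PINNED = "swh:1:cnt:3b18e512dba79e4c8300dd08aeb37f8e728b8dad"
SOURCES = [
    ("upstream", lambda: None),                      # package was unpublished
    ("untrusted-cache", lambda: b"hello w0rld\n"),   # altered copy
    ("archive-mirror", lambda: b"hello world\n"),    # archived original
]

if __name__ == "__main__":
    name, data, rejected = fetch_pinned(PINNED, SOURCES)
    print("accepted from", name, "after rejecting", rejected)
```

The same check applies to every mirror in the network: a copy is accepted because its bytes reproduce the identifier, not because of where it was served from.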

The telescope metaphor

To explain what the Archive makes possible beyond preservation, Di Cosmo reached for a comparison that’s only slightly immodest. His old friend from his Pisa physics days, Massimo Stiavelli, became the mission head of the James Webb Space Telescope. Di Cosmo admitted to some admiration, and perhaps a little envy. «So we built a telescope too.»

Software Heritage, he argued, is now a telescope for the software sky. Point it in any direction — filter by institution, by domain, by licence, by programming language — and you get a strategic picture of what code exists, where it lives, who contributes to it, and what it depends on.

At the GARR conference, he shared a complete analysis of all software that GARR member institutions contribute to: 38,000 projects, 19,000 individual contributors, nearly 3 million individual commits, dating back to 1968. A breakdown of the most significant software by institution, by domain, by internal versus external contribution. «A strategic software insight that was impossible to build without this giant telescope.»


Resilience is not control

The conclusion Di Cosmo drew was deliberately aimed at the political tendency to conflate sovereignty with ownership — with autarky, the economic isolation his parents’ generation knew as ersatz coffee made from chicory and chocolate replaced by hazelnuts.

«Sovereignty cannot be treated as isolation. Europe’s path, I think, is to have an infrastructure that is genuinely open, genuinely transversal, genuinely international — that guarantees not that we own everything, because that is an illusion, but that nothing essential disappears when we need it.»

And resilience, Di Cosmo has spent 10 years arguing, does not require hundreds of billions of euros and new infrastructure built from slideware. It requires taking what already exists — the archive, the mirrors, the graph, the standards — and scaling it.

What it absolutely cannot survive is Balkanisation: every country, every region, every university building its own small archive for its own ten projects, duplicating effort, duplicating cost, and producing something that serves no one.

«The true sovereignty is not control. It is resilience.»