The European regulators listened to the Open Source communities (opensource.org)
194 points by jlpcsl 8 months ago | hide | past | favorite | 80 comments



Debian statement, Dec 2023, https://bits.debian.org/2023/12/debian-statement-cyber-resil...

> Even if only "commercial activities" are in the scope of CRA, the Free Software community - and as a consequence, everybody - will lose a lot of small projects. CRA will force many small enterprises and most probably all self employed developers out of business because they simply cannot fulfill the requirements imposed by CRA. Debian and other Linux distributions depend on their work. If accepted as it is, CRA will undermine not only an established community but also a thriving market. CRA needs an exemption for small businesses and, at the very least, solo-entrepreneurs.


That statement was based on the old text, correct? The revised law seems to address this in the opinion of experts OSI spoke to:

"In particular, “digital artisans” using Open Source software at small scale – the main concern of Debian – will need guidance from the European Commission. While the experts we have met have all said that using an Open Source software distribution as part of a commercial activity is unlikely to require CE marking of the distribution itself, the interpretation of the key phrase “making available on the market” will need careful clarification."


> That statement was based on the old text, correct?

Yes, it was. The updated text was published on December 20th [1], and does a lot to address these concerns. See also Bert Hubert's analysis [2].

The amount of knee jerking in the comments for this law really brings down the quality of discussion and detracts from remaining issues.

[1]: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONS...

[2]: https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-f...


> The amount of knee jerking in the comments for this law really brings down the quality of discussion and detracts from remaining issues.

Sadly, there are topics that sometimes come up on HN that make people have these knee-jerk reactions. Anything related to the EU, unions, Tesla, Israel and more tends to bring out the worst in normally reasonable people. I'm probably guilty of it sometimes too, we're all humans after all.


Well stated.

Another thing people can do is to disallow governments to use any software you produce by default.

This doesn't change your obligations to the law but it does attach consequences to government decisions. Right now they make sweeping decisions to benefit large players and screw small players, which is like stealing from the poor to give to the rich. And worse, the whole thing is effectively retroactive to all of the people whose collective work gave them all the nice things.

Government should learn that decisions should be thought about very carefully and the only way to start a change in thinking is to attach consequences.


Such limitation would effectively change the project's license, which would no longer be F/OSS approved. Most people and businesses don't evaluate custom licenses, they'll just skip your project because it doesn't have a well-known, approved license.


Politicians don't care about this. It'll only impact the lives of developers working in governmental positions.

This is also against the principle of OSS, which is to not discriminate against usage.


So is that law. Small players would be discriminated against by virtue of not having the money to mitigate the legal risk.


> Another thing people can do is to disallow governments to use any software you produce by default.

So, instead of having governments become part of an open (software) commons, using software that costs less in taxes[0], which they would then have a stake in supporting and helping to make better, you're proposing that they purchase higher-cost proprietary software from private corporations, supporting their shareholders?

Yeah, that'll help.

> the only way to start a change in thinking is to attach consequences.

That's not how FLOSS has got where it is today, so it is clearly not "the only way". FLOSS succeeds by allowing everyone in, by allowing them to reap the benefits first, so that they understand the value first-hand. Then they come to depend on it, and only when they see how much it would cost them to stop using FLOSS do they realise how much they have invested in the ecosystem.

Keeping people out means that they never get entangled in the first place.

[0] Or, requires less money to be created, depending on your viewpoint.


How do you expect that to be respected when you have things like illegal surveillance or eminent domain? A well behaving government wouldn't be the target for this, and a badly behaving one wouldn't respect it anyways.


It tends not to be agencies like the USDA, USGS, VA, etc conducting illegal surveillance, yet they all use computers. And I'm not sure what eminent domain has to do with it.


That’s absolutely true. It’s more symbolic than practical.


Didn't government do what you want in this case? A long deliberative, consultative process, addressing the needs of small players?


No.

They should have started by competently and carefully thinking through the consequences of the liabilities they were about to impose on open source, rather than obligating open source to expend limited resources explaining the obvious consequences.

These problems were obvious to anyone competent who spent even a second thinking about it: people who give software away cannot accept liability for doing so, and the act of giving software away can't impose obligations to people who receive nothing or they will obviously have to stop.


I'd much rather they consult open source people about open source needs, rather than try to guess. IME, you need to talk to the people on the front lines. In fact, unless I talk to people I know best, even family members, I don't really know.


They didn't consult.

They made open source go lobby them to avoid having to block the EU. That's the exact opposite of asking open source, in advance of legislation, what would happen if they did X.


> CRA needs an exemption for small businesses and, at the very least, solo-entrepreneurs.

My guess is even medium size businesses will face enormous risk and cost related to this.

In the end we might see the worst scenario happening: open source is good, but only if sold by a big company who can afford compliance, risks and lawyers.

This will be somehow similar to what happened with GDPR, most small & medium shops cannot spend too much time on this. And ironically it pushed a lot of people into the 3 big public clouds.


I think medium sized software shops - 500 employees - are large enough to afford the details and so will be okay. Anything smaller though and this is too much overhead. Of course many projects don't need 500 people. If you use Linux you can buy support from several actors of this size who can afford the overhead (also covering tools like ls that are part of an OS, maybe covering the basic gnome desktop, but not many of the lesser used tools that make Linux useful). I'm sure the Apache and FreeBSD foundations will look into this and decide that they are able to handle the overhead by starting (legally this may be finding people to start?) such a company. However I'm not sure OpenBSD is large enough to be worth starting such an organization.

There are a lot of tools that are not large/popular enough. Who will support OpenSCAD, FreeCAD, cppcheck, and all the other open source projects that don't have a large company behind them and probably are not interesting to enough companies to be worth starting something to support them just for legal purposes. There are also projects that are supported by a company today, but the company is not large enough - will enough more customers come in to make it worth hiring a dozen lawyers - cmake and sqlite come to mind as projects in this category.


In every other industry businesses of all sizes, even people selling stuff on the street, have to obey regulations, with exceptions where obeying regulations comes with certain flexibility.

Open source is no different from anything else performed by street artists, food trucks.


Sure it is different:

- not a business

- not on a street where people bump into it

- doesn't sell physical goods, doesn't know beforehand the number of customers, cannot (by design) limit impact


Nothing of that is specific to FOSS,

- Everyone is liable for their actions in the eyes of the law, regardless of whether what they are doing is a business, that is why civil insurance is a thing in many countries

- Not everything that people do happens on the street

- Handling physical goods doesn't mean one knows beforehand the number of customers, and as for impact, it depends on how wrong it happens to go

Maybe liability is finally a way to get people to pay for open source, instead of feeling entitled with stuff they leech on (including big corps).


> Handling physical goods doesn't mean one knows beforehand the number of customers

Sure it does? You can resell them, but if you produce X items, there'll be X items. You can't be sued into oblivion after producing one and then learning that it was used by a billion people and 100 of them got cancer.


GDPR is easy as a small organization IF you are not greedy for other people's data. Keep your hands clean. I own (part of) a small company that makes software for a small market and we had absolutely no problems with GDPR because we try to not collect any data we don't absolutely need. It's not very complicated if you just invest some thought into your processes and don't spy on your customers. Most of the time you don't need the data but someone wants to sell you a product to gather it.


> we try to not collect any data we don't absolutely need

Do you have analytics/telemetry for your products/websites? Do you include 3rd party fonts, libraries or use a CDN or an anti-DDoS service like Cloudflare?

Do you have data scrubbing capabilities in all your user-interaction software with a default maximum retention period? Do you answer data removal requests?

These are some of the requirements for organizations of any size, big or small.


Does your list qualify as 'data you absolutely need'?

Do you assume everything is a web app where you can't control what your 3rd party libraries spy on?


This reminds me very much of the warnings by people like Robert C. Martin over a decade ago that unless the software industry adopted better practices for quality and regulated itself, regulators would step in. Regulators understand very little about the software process so the laws they pass are unlikely to be the best way to solve it. Years after those lectures little has changed and now the regulation is coming at an increasing pace.

None of this will be good for small software companies, this sort of regulation will entrench the big players as it always does.


"Big tech must regulate itself lest it become an unstoppable monopoly and crush any new competition."

This sounds less like a warning and more like a playbook.


> In particular, “digital artisans” using Open Source software at small scale – the main concern of Debian – will need guidance from the European Commission.

Sadly I don't think it will move, the commission doesn't want to weaken the legislation because they don't want too much discrepancy between member states.

It will once again be up to individual countries to set up this law with their own interpretation.

In my experience with RGPD, the watchdogs in at least 3 countries (France, Italy, Germany) are extremely helpful in navigating regulations, especially if you are incidentally its target (as a PaaS that hosted health data, we were).

I understand that this is both unclear, unknowable and a pretty huge risk (not really factually, but it feels like one): I'm not saying Debian people are wrong to want to clarify, I'm not saying people should take this as a victory, or that EU is perfect : I'm just saying that as a complex federation, with current rules, this law will probably be the best we will get, and sadly, local 'forgiveness' and loose execution is the only thing you can count on.

Because in the EU eyes, the law being loose is way, way worse than the local executive power being loose.


> the watchdogs in at least 3 countries (France, Italy, Germany) are extremely helpful in navigating regulations

This is a bad dependency to have. For example, for the new EU medical device regulation, IVDR, a lot of the regulatory infrastructure just isn't ready[0], and many bodies are bowing out due to the complexity. Ironically, the British Standards Institute is one of the few notified bodies to take it on!

And that's medical devices, which are a tighter form of software. Regulating software in general seems like a very difficult task.

[0] https://www.degruyter.com/document/doi/10.1515/cclm-2021-097...


Yes, I think I was unclear: depending on local governmental watchdogs'/agencies' goodwill isn't a good solution. It's the one the EU chose however.

It's weird for Anglo countries, or countries with the Anglo law system, where the legislation might have holes and weak points, but decree and case law fill those holes (the French system works like that too). The EU can't do that because it's a federation of countries with different cultures and interests.

Again, not saying it's good, I'm saying that's how it works.


I still wonder who enforces the MDR if a company from outside the EU offers their app/software to EU citizens without any certification.

There are quite a few health apps that are considered medical devices under MDR, but not in other countries. The EU companies must comply with the regulations, but nobody seems to be responsible for removing non-certified apps made by non-EU companies. That is a huge competitive disadvantage for EU companies.


If you want to entrepreneur in the software industry, move fast, folks.

They're closing in and the level of freedom we have today isn't likely to exist in years to come.


> level of freedom

There are freedoms to and freedoms from. The Cyber Resilience Act is giving freedoms from to consumers that never had them before, at the expense of some freedoms to abuse from software vendors.


With "freedom", you mean the ability to exploit customers and disregard any responsibility when it comes to protecting customers' private data?

Yeah, let's hope so.


OT: Anyone have a more useful link to the Apache Foundation's statement?

All the links to the other statements in the article go to the sites of the organizations they are quoting, but the one for the Apache Foundation goes to something called sandbox-pad.webm.ink.

That just gives me an error dialog in Chrome, Firefox, and Safari that says "sframe-boot.js must only be loaded in a nested context", then a shield with a keyhole image fades in over it along with "Loading..." text, and nothing more happens (at least in the 30 minutes I've had that tab open).


https://news.apache.org/foundation/entry/update-on-eu-softwa...

This appears to be the article intended. At the very least it contains the quoted sentence.


I don't understand what's going on. Could someone give me a birds eye view of what this is about?

- What is the regulation aimed at?

- What did the open source community communicate?


The legislation (Cyber Resilience Act) aims to enforce some standards and add liability around software products, to ensure that vendors don't just throw something out, never touch it again and it becomes a problem (customers stuck with paperweights, security holes exploited). The problem is that if you enforce that sort of thing on random open source projects, many will be simply incapable of even trying to follow the legislation because they're a small one-two dev team that cannot navigate complex laws. So, progressively, more and more exceptions have been added to who the regulation applies to.


Liability for software developers and vendors. The only problem is they forgot to make an exception for free and open source software developers. It simply makes no sense for me to publish free software out there for free if that can get me sued.


TFA is about how they did make those exceptions in the final text


Did they though? The article says that the final text mitigated "pretty much all" of the issues. What wasn't mitigated?


I think the CRA might create an incentive for companies to stop freeloading on Open Source Software and instead put money into the open source ecosystem (though mainly on security), and that is somehow great!


I very much doubt it, and it’s probably going to do the opposite.

CRA just brings the kind of paperwork that physical products have always needed to be licensed in the EU (CE marking) to software. Have you seen European companies investing in open source hardware?

The path of least resistance will be to use homegrown alternatives and sell them to potential investors and shareholders as valuable intellectual property that puts them ahead of competitors.

Not only because that makes perfect business sense, but because this kind of IP is very hard to value fairly, so it will allow for a variety of accounting and tax avoidance shenanigans.


Really? Specific security requirements for iot devices “have always” been in existence? I’d really like to know the source for that. I sound snarky because I work in security and am unfamiliar with what you describe. I could also not be very good at my job.


I think they were speaking more generally: the requirements in the legislation are similar in structure to the kind of safety/serviceability requirements that already exist for hardware being sold in the EU (much of which is just self-certifying you have implemented the relevant standards). Having security requirements and applying them to pure software products is what's new.


No, but devices have strict regulations and paperwork intended to keep people safe.

Keeping people safe when it comes to software means first and foremost having good security.


For a useful comparison you need to show if open source hardware is more common / more invested in in other parts of the world. E.g. RISC-V has a growing momentum https://riscv.org/blog/2023/07/the-growing-momentum-of-risc-...


> Have you seen european companies investing in Open source hardware?

Arduino and RepRap are poster children of open source hardware, and originated in the EU, I think.


They are, but both were born out of universities, not companies, so I'm not sure how this goes against my statement.


One more of the reasons I don’t make hardware.


And the people who don't get electrocuted by your non-CE-compliant hardware are thankful for that. Good thing the equivalent is coming to software.


Most people over estimate how effective CE marking is.

For example, CE only prevents people from selling products. I've done pilot tests (city wide installations of urban equipment) with devices that, while I knew they'd be compliant, we had done 0 tests on.

It’s also fairly trivial and common to cheat at the tests. Most EMC testing is done in conditions that aren’t necessarily the normal operating conditions and with “accessories”.

If anything else fails, aside from medical or safety critical devices, you could always self certify and roll the dice, it’s way more common than what people think.


You haven't given any mechanism that would make this happen. Specifically, some reason that the company would see contributing be beneficial to it. Of course, it benefits from the existence of open-source as a whole, but what material difference does its contribution make?

Take a small-medium sized business (say €5-50 million annual revenue). Perhaps it can fund one library that is critical to it, but no contribution it makes will make a material difference to the trajectory of major products like Linux, or Python.


The mechanism is clear: If you use Open Source software commercially, you are now liable if the software misbehaves. Thus, you have an incentive to make sure the software is correct. For (A)GPL software, you have to publish your contributions.

Not a lawyer, but it also seems to me that if you are a small shop, you might decide to pay, e.g., Red Hat for taking on the liability. Red Hat can pool these resources to make sure their software behaves as advertised.


> If you use Open Source software commercially, you are now liable if the software misbehaves. Thus, you have an incentive to make sure the software is correct.

As a software developer at a non-tech firm, I can guarantee this means we will not be able to use any open source software. If we are granted an exception, it will be such that we must maintain a private version of the open source software.

This is simply a no-go for many companies of all sizes. The risk associated here is not something many (any?) legal department will be willing to take on.


You just ignored the second part of my message?

If your company is not willing to pay someone (another company) for making sure the open source software used is actually working properly (and for assuming liability if it doesn't), then it can't use open source software. But then, what does open source lose when losing for-profit users that are not willing to contribute back?


(A)GPL don't require publication, just giving code to your users, who may or may not elect to further distribute the code.


What if, due to some health condition, they are incapable of fixing it anymore? Tough! Now the law is discriminating against old people because the risk of health deterioration is higher. Let me guess, tough. Old people shouldn't be programming anyway and they don't deserve to earn anything with it.


With a fifteen million euro penalty if you don’t. Yeah nice. If only we could also make fifteen million euros.

That’s clear.


Of course, an SME company will not hire a developer to constantly perform security checks and apply patches for an important library libImportant.

What will happen is that company A will hire company B to do this and assume liability for it. If we set the annual cost of this at 100k, the monthly cost is about 8333 EUR. Let's say company B has 20 customers to protect the security of libImportant for, that is 416 EUR per month and an SME can afford that. There is of course open source software that is used more frequently and that scales much better (i.e. cheaper per month). I actually see a new market niche here and perhaps it will find resourceful entrepreneurs.


Only if there are enough companies interested in the project. Will company B support cppcheck like that? I prefer kde to gnome, but my company won't pay for kde support when gnome already comes from some contract they have - at least kde is large enough that I expect someone to offer support - there are other desktops that are not popular and now have even less hope of breaking in.


Entrepreneurs are meant to solve real problems, not self-inflicted bureaucratic ones.


Security is a real problem.


Most users of open source don't really care to make a difference to the trajectory. Someone else made the Linux drivers I need, that is good enough for me.

For Linux you will probably be able to buy a certified Linux distribution for similar costs to Windows, which is affordable to a medium sized company that needs certification. However that will only cover your basic OS: Linux, ls, basic gnome desktop (but not many applications, just the window manager, a file manager, and an email client) - probably not a web browser.

However there are a lot of small projects that are not popular enough for anyone to certify like that.


Very optimistic. Call me a cynic.


So what would happen instead? The only alternative is using closed source (which does have disadvantages, not being cheaper, etc.).


As with CE marking: there's very little enforcement, so people would carry on downloading solutions from outside the EU and ignoring the rules. See the entire Aliexpress market.


Outsourcing any function that needs software outside the EU.


The CRA still applies as soon as it is first brought onto the EU market. It might just be the distributor or importer having to do some things instead of the manufacturer.


I mean the software is never used inside the EU. The final product is built outside and later imported, so you don't know what software was used.

An example: EU is approving very restrictive legislation about pesticides for use inside the EU but it happily allows importing food grown in other countries using the very same forbidden substances.


If you import a product the CRA applies.

And I personally think that's a good thing


still CRA applies.


This is the weirdest form of colonization. In bygone days, we had to accept European monarchs; now we have to live with the diktats of their bureaucrats.


No colonization happening. If you don't want to follow the CRA, then don't make a product that gets into the EU market. If you want in the EU market, you have to follow the EU's rules.


Maybe you're misunderstanding what I said. Otherwise it would be ridiculous.

If I buy a screw made in the USA, no EU authority can know what software was used in the machine tool. They can control physical properties, packaging, information... but the process used is opaque.


Moving your business out of the EU is somehow a non-solution.


If you live in the EU it is hard to move. You have to find a country that will let you in. Most countries restrict immigration and so you are likely to only find a country that is dangerous to live in. You also leave your friends and extended family behind, which is difficult.

That assumes it is your company to move in the first place. Which is unlikely. So add find a new job to the list of things you need to do.


I didn't say it's a solution.


Doesn't this version still screw up the individual developers or smaller outfits that provide paid addons/upgrades to their open source software? It exonerates open source projects that don't engage in any business activity, but holds responsible the 'stewards' who provide paid services and addons? This would kill a lot of individual software developers and small outfits that fund themselves by selling paid upgrades/addons or other services, whereas the non-profit projects still remain for major corporations to leech off of. Added bonus is that the law will eliminate the small competitors of all those major corporations, as individual devs and small outfits can't handle the financial burden of this compliance. To make an example from a healthy open source ecosystem: the WordPress project would continue without issues, but all the small developers and outfits who make a living by creating plugins, themes and other things for that ecosystem will go kaput.

Am I misunderstanding this?


There are improvements but please, the implementations are the test. Regulators, senior politicians and others can and do change the course in the implementation phase.

This is not over, in any way.

