> 10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
The Internet Society quotes[1] that part and thinks selling support for stuff would count it as being supplied in “the course of commercial activity” even to those who aren’t buying the support.
This section has been rewritten (changed) in the latest (internal) draft of the CRA based on feedback from various open source foundations, as far as I know.
I'm not sure how much I'm allowed to share but it'll be public at some point in April I believe.
How does this work for free software projects which aren't themselves commercial but list employees of big companies among their major contributors? E.g. the Linux kernel?
that is sooo bad. Basically anyone can give you support with some open source code (i.e. consultancy, they fix a bug/deploy/tweak for you and go away) except the authors of the code. Because if the authors do this, they are liable for the whole code base of the product. Nice.
Also, many open source projects have very complex authorship, good luck digging which company is responsible to do the audit.
Also, basically your favourite cloud provider could host your favourite open source database, but the authors providing hosting would be liable. Because "This Regulation does not regulate services, such as Software-as-a-Service (SaaS)"
Thank you. Do you think the blogger missed it, focused on the 'should' part, or is it part of the clickbaity nature of our news cycle? Either seems a likely possibility. I don't think the EU would be stupid enough to kill open source.
I'm not a lawyer, but I see no way a sane and reasonable person could read this as "and if someone you've supplied the software in a foss & non-commercial setting to uses that software in a commercial way, you're on the hook for everything".
Yeah, it could be even clearer (but laws tend to not want to enumerate everything that is obvious or they'd become books), but it feels somewhat exaggerated. Or is the actual fear that commercial support services by the authors could trigger liability? As far as I understand, that has been a preferred way to get paid and remain not-liable for the original product.
> If the proposed law is enforced as currently written, the authors of open-source components might bear legal and financial responsibility for the way their components are applied in someone else’s commercial product.
Oh shit, this is huge. I wonder if it applies retroactively for code in the wild; as an open source contributor you can't recollect your code back.
You can potentially hold those responsible who published the first open source TCP/IP stack for anything happening on the internet if it retroactively applies to existing code, fun times.
Not all things can be or even should be regulated. This is almost akin to a law punishing a good Samaritan for helping someone in need because that someone ended up a criminal later. Not only is it dumb but also a perversion of authority.
Hopefully they know what they are doing and revise the law.
"Good Samaritan" is a pretty relevant keyword here because many countries have so-called Good Samaritan Laws that explicitly give legal protection to those aiding others in peril. The idea is that you don't want to discourage people from helping those in need by fear of repercussions. It's not unreasonable that similar liability protections should apply to those freely sharing software.
The open source community in general needs to pay more attention to this space – not just the python ecosystem. More maintainers need to know that well intentioned people are proposing policies that would in some instances make them financially and legally liable for the code they write.
The new EU AI Act also has this problem, in that it imposes liability for developing components that may at some future point be misused by others.
The source of the problem is a particular approach to legislation that has become popular in the EU that purports to regulate across the entire supply chain for a product. Which might make sense for production of physical items or for software developed completely from scratch 30 years ago under a waterfall model, but is strongly disconnected from the way software is currently built.
“Well intentioned” does not actually describe the strong IT companies that support actions like this to try and recapture value. European big tech companies like Siemens, Ericsson, Nokia and so on are not fans of open source since it negatively impacted their captive customer bases.
>If your open-source software project is considered "critical", you could be facing a lot more work and responsibility in the future. But for now, it's just some ideas from a few of Google's top engineers.
IANAL but I would expect you can only be held responsible for a product if you say it fits a particular purpose.
But the python licence explicitly says:
PSF is making Python 3.11.3 available to Licensee on an "AS IS" basis.
PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF
EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR
WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE
USE OF PYTHON 3.11.3 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.
So it's not sold to you, and not distributed with any implied level of quality or guaranteed service.
> I would expect you can only be held responsible for a product if you say it fits a particular purpose.
That is an incorrect expectation. Even in the American legal system "I said don't do that" is not a shield against liability. In the EU framework a new law can pretty much create any new liability they want, so a disclaimer absolutely could be rendered meaningless.
Why on earth would they make the original vendor of a component liable instead of the last corporate vendor wholly liable for all components of the final product they sell? This seems like something which can only benefit:
1) very large corporations
2) who use a lot of components they don’t make
This seems almost designed as protectionist legislation for dinosaur companies unable to manage their software dependencies at any level of competence.
Yep, it's interesting because this is the case in eg. device warranties... if something breaks down, you don't search who the manufacturer of the capacitor was, but just take the device to the seller/retailer/store and have them deal with it.
Because the EU wants to make sure someone other than the user is liable for everything. Fully controlling the Internet is part of this development. It started with cookie laws and is now creeping towards total controlism a la China.
In the EU's model of social democracy citizens do not need to bear responsibility for their actions, but it's the government's job to enforce that everything is in harmony. "Someone else", e.g. corporates, are responsible for any negative outcomes. Whether or not open source, or many other Internet-produced contents, fits into this model is secondary. This is also very easy for politicians to sell as the evil is always outside (US corporations, China, Russia) and there is never anything wrong with the country or its citizens themselves. If people can go on the Internet and hurt themselves, e.g. by downloading an application or a package, of course it must be someone else's liability.
Basically every license out there has some "can't be held liable" clause in it (see the mit license for an easy to find one).
Does this mean the license may be invalid entirely in the EU, making it so you actually just can't use the software at all? I know that's how the GPL basically works, if you don't accept the GPL, then you simply have no license at all.
Usually the respective clause just becomes legally void. This is different from you not accepting that clause. It doesn’t invalidate the license as such (even if the license would like that to happen).
I discussed this with an AI language model (GPT-4), and the general idea I gathered was that in the EU, it's possible that the "no warranty" clause in open source licenses could be invalidated by consumer protection laws, while the rest of the license remains valid. This could potentially expose authors to liability, even as their work continues to be used for free. However, it's important to note that this information came from an AI and should not be considered legal advice. The specific application of these laws may vary depending on the jurisdiction and circumstances.
I remember when everybody was telling me that the demise of "net neutrality" would force me to pay my ISP for special "packages" to use different sites. Want to use HN? It's blocked unless you pay for the "tech forum package". ...Except that never happened. It turned out that the hysteria was manufactured by American tech corps like Google and Netflix that feared having to renegotiate their peering arrangements.
This sounds like more of the same. The proposed EU law applies to commercial activity, which volunteer FOSS development is not. So now we have commercial interests trying to fan the flames of another hysteria.
Many companies contribute to open source software, would they be responsible if some random user of Linux leaks some data due to a change redhat implemented? Despite that user having signed no contract with them?
And last time this came up it seemed widely believed that a donation link is commercial activity.
I'm all for software vendors being required to take more responsibility. Anything is better than the current "if it works you're lucky" guarantee that drives the bug-patching normality.
The responsibility lies with the commercial vendors however, not with the open source developers. What a perverse world we live in, that that can even be possible… Using our software for free and then holding us responsible… ha!
I find it interesting that the EU does not define "free and open-source software" in either of the proposals. I think they need to define the terms as used. There isn't complete agreement in the software world as to what that applies to. For example MongoDB and the SSPL license.
This law will literally freeze software development in place, much like the US FAA did with civil aviation in the 1970s. Suddenly going from 100% disclaimed away warranty to a statutory warranty doesn't work. This may even be less intelligent than my home state's attempt to legislate that pi=3.15.
So, if you work for a commercial company and wanna contribute something back to some open source project - you will not get a green light from your lawyers department once this is enforced (it is already pretty hard to convince them).
I think I will call this "Revere Censorship" and it's the way the likes of
George Orwell's "1984",
John Carpenter's "They Live",
Aldous Huxley's "A Brave New World",
along with the ideas pushed by the government (WEF) in Ayn Rand's "Atlas Shrugged"
are slowly being brought to life.
Soon there will be a City of Ember to contend with, not to mention Ender's Game...
As I keep saying, the future is written in the past.
mananaysiempre | 3 years ago
[1] https://www.internetsociety.org/blog/2022/10/the-eus-propose..., via another comment here: https://news.ycombinator.com/item?id=35525876
[A previous version of this comment mentioned BIND, because I confused ISOC and ISC.]
fermigier | 3 years ago
- From the Eclipse Foundation: https://eclipse-foundation.blog/2023/01/15/european-cyber-re... and https://blogs.eclipse.org/post/mike-milinkovich/cyber-resili...
- From the Internet Society: https://www.internetsociety.org/blog/2022/10/the-eus-propose...
With more to come... This is a serious situation.
agilob | 3 years ago
>Google wants to work with government to secure open-source software
https://blog.google/technology/safety-security/making-open-s...
https://www.techradar.com/news/white-house-calls-summit-on-o...
https://www.engadget.com/google-open-source-private-public-p...
And 2 years since:
>If your open-source software project is considered "critical", you could be facing a lot more work and responsibility in the future. But for now, it's just some ideas from a few of Google's top engineers.
https://www.zdnet.com/article/open-source-google-wants-new-r...
yazzku | 3 years ago
The FSFE has already explained to them why the liability should be shifted to the company shipping the actual product.
octacat | 3 years ago
Same was with GDPR... It will benefit companies, who have money to do audits (and companies which do audits).
Asmod4n | 3 years ago
- it only applies if you are directly selling an IT product/software to consumers.
- when you use third party components and find a security flaw in them you have to inform the third party immediately.
- in addition if you find a flaw in open source code you should send a patch if you are capable of doing so.
game_the0ry | 3 years ago
Yeah...slap in the face for open source contributions that literally change the world for the better.
dsr_ | 3 years ago
If true, this is insane.