If this isn’t done extremely carefully and with deep understanding of the industry, software will get 10X as expensive and innovation will halt due to liability concerns.
It’ll turn into the aerospace industry where “if it hasn’t flown, it can’t fly.” This is among other things why we still burn leaded gas in small planes. Replacing it is easy, but the cost of certifying any kind of new design is insane.
I’ve always just been against any such regulation because I have zero confidence our technically ignorant politicians can do it well.
I also think it’s likely to be sabotaged by consultants and big tech monopolists who see an opportunity to lock out competitors or create gravy trains.
FYI, there will be a FOSDEM devroom specifically on the European Legislative Landscape, where a number of people involved in drafting this and similar regulations are expected to be present.
> CRA will force many small enterprises and most probably all self employed developers out of business because they simply cannot fulfill the requirements imposed by CRA.
Isn't that the idea? If you can't innovate, litigate - see regulatory capture [1].
We hold the power, not the EU. Debian, FOSS developers, and small businesses world-wide should block EU IP addresses. No more Linux, no more Python, no more nothing. When the EU's digital infrastructure begins crumbling they'll change their tune.
And don't skip over the part where they want developers to report any zero days you discover to them within 24 hours so they can use them as exploits against innocent civilians not involved in any crime. And yes, the Netherlands changed the law recently so they can do this and without requiring any judge involved. And yes, they are allowed to hack people not involved with any crime as well. As well as changing the law in 2020 so all of government, including their prosecutors, may lie in court under oath and not be held liable.
And then they want other people to be accountable, how about government be accountable first.
A lot of folks seem very angry about this and are making some broad statements with no specific citations. Can someone please give me a specific quote from the bill and explain how that will for sure be detrimental to open source projects?
You are asking how requiring open source with no money to satisfy a plethora of regulations along with legal liability (i.e. making it commercial grade) makes it less likely for open source to be made?
> Can someone please give me a specific quote from the bill and explain how that will for sure be detrimental to open source projects?
The entire point of the CRA is to make "manufacturers" liable for the quality of the software they produce, in a similar manner to how car manufacturers were held liable for the Takata air bags. But who is the manufacturer? In the Takata case it was the car manufacturers the car owners held liable. This LWN comment spells out how difficult it is for software: https://lwn.net/Articles/956218/
One sentence from that hints at the problem:
> the CRA's explicit statement that things qualify whether or they are provided gratis.
The CRA as it stands doesn't draw the line in a way that clearly exempts a bunch of high schoolers uploading their code to github, possibly because no one has figured out how to do it in a way that doesn't also give Google Chrome & Android a free pass.
To put it another way, you've asked an impossible question. You can't point to the faulty clause that exempts open source, because it doesn't exist.
It’s time for governments to have more responsibility. The Cyber Resilience Act pushes a 15,000,000 euro penalty onto software developers. How much liability does government have for anything bad they do? First it’s extremely difficult to get them to be responsible for anything. Then in the Netherlands any liability would be a pittance. Nothing like 15,000,000 euros.
The Debian team announcement is on the right track.
Asking freelancers and free software groups to face the same measures and fines as big tech companies is unfair competition.
The E.U., of course, was never friendly to free software[1].
The bureaucratic and neoliberal extremists that are in the lobby of Brussels will always try to destroy free and independent creation.
Every small developer should now start to ban government use. Even if they are not affected by the law. To associate consequences with actions. They will never learn otherwise.
Obviously it wouldn’t work for a project as large as Debian, but I wonder if there is some exclusion clause that can be inserted that forbids all users that would be covered under the Cyber Resilience Act from using the software?
What's really funny is seeing the 180 flip. The EU was, and is depending on the post here, God's gift to men when it was crushing big bads like Apple and Google. Now it should be obvious to me that they hate the little guy? The 180 is a little funny, you gotta admit.
I don’t know what this act specifically covers, but if I were a small business that sold (unintentionally) poisonous cookies to my neighbors, I ought very well to be shut down. That applies no matter my revenue stream size (or even if it was zero!) So I don’t find your argument particularly compelling. There is no inherent right to do business, if doing that business is harmful in some way. The E.U. rightly recognizes that consumers in general are more protected than businesses. I'd much rather have this than the capitalist hellhole that the US is turning into.
This makes a lot of sense if you follow judgements internationally.
Last year in the UK the creator of BitCoin won a multi-billion pound judgement against usurper "open source" developers who refused to alter the protocol to allow him to recover coins a hacker took from him.
Developers have a duty of care to their users which no license can remove even if they are communists calling themselves "open source". You either make good software and comply with your duty or you will be ruined. That is the law.
A professional does it for money, by definition. That doesn’t apply to most open source. A RedHat employee contributing to the Linux kernel is an exception, not a rule.
Professional accountability would be saying that companies like Riot can't deploy root-level code with no oversight onto millions of machines "for competitive integrity", not taking down git repos because they don't meet some regulations around security.
Programming is not my profession though, it's my hobby. I chose to pursue another profession specifically so I could keep programming as a hobby. By all means hold the corporations accountable but please leave people like me out of it.
Small businesses and solo-entrepreneurs have to deal with liability and permits all the time in other fields, even actual street bazaars for that matter, exception being when there is some "flexibility" between the laws and how they happen to be applied.
> Small businesses and solo-entrepreneurs have to deal with liability and permits all the time in other fields,
In other fields there is a direct relation between number of customers and liability.
But if I offer free software and also offer commercial support for it, and because of that I would be liable to everyone who uses that software, not just to those who pay for commercial support, then there is no relation between number of customers and liability, and liability cannot really be priced in.
I’m curious what the liability and permits being discussed are here. Because the permit required to prevent some Joe Schmoe from selling me a tainted brownie off a street cart feels a little bit different and perhaps difficult to compare to software.
What about the CRA is so bad? The requirements seem like common sense. Can anyone point out something specific that seems overly onerous? Debian couldn't...
Our industry desperately needs better regulations, IMO.
Additionally, there's nothing wrong with what we have now. So there are some security flaws. But we have really fancy mobile phones and an amazing Internet.
Now rewind to 1990 or so. Add a Cyber Resilience Act. At best we maybe have a phone about as advanced as an old Nokia. But yeah, maybe hardly any cyber security flaws because the Internet would hardly function.
Instead of thanking all of the millions of developers who contributed to this, they proceed to kick them in the teeth and enact laws to steal from them in principle by raising the cost of entry.
>CRA will force many small enterprises and most probably all self employed developers out of business because they simply cannot fulfill the requirements imposed by CRA. Debian and other Linux distributions depend on their work.
If Debian depends on people's work so badly maybe they should pay for it.
gavinhoward | 2 years ago
There is a better way [2], but I don't know how we would convince politicians that there is a better way.
[1]: https://news.ycombinator.com/item?id=38788919
[2]: https://gavinhoward.com/2023/11/how-to-fund-foss-save-it-fro...
zvr | 2 years ago
The deadline for submitting presentation proposals has passed, but the schedule should be available shortly at https://fosdem.org/2024/schedule/track/eu-policy/
hgs3 | 2 years ago
[1] https://en.wikipedia.org/wiki/Regulatory_capture
gavinhoward | 2 years ago
Page 15:
> In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
This sounds sane-ish, but the key is that it says Open Source Software is not exempted if it is part of commercial activity.
So what is commercial activity?
Page 34:
> 'making available on the market' means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge
That "free of charge" connected with "commercial activity" is what has people up in arms.
Does it include free stuff like Debian? Does it include donation-based FOSS like Zig?
These are the things that worry people.
[1]: https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-...
jahav | 2 years ago
Ask log4j or OpenSSL.
Go read this: https://blogs.eclipse.org/post/mike-milinkovich/european-cyb...
Karellen | 2 years ago
https://www.debian.org/vote/2023/vote_002#statistics
(No matter how good LWN's original journalism is, this is just a news link that does little more than link to the source itself)
hcfman | 2 years ago
I have two projects and added such a clause in protest.
nparafe | 2 years ago
[1]: https://totsipaki.net/ikiwiki/nparafe/posts_en/posts/Can_Eur...
jocoda | 2 years ago
Is disqualifying EU users even possible?
gavinhoward | 2 years ago
Of course, an outside agreement can establish such duties.
omgmajk | 2 years ago
Posted Dec 27, 2023 19:32 UTC (Wed) by bluca (subscriber, #118303)
Can someone explain to me what in the statement from Debian is "anarco-capitalist FUD"? I find it quite reasonable overall.
turtleyacht | 2 years ago
Now, if folks want regulation, introduce the Certified Professional Software Engineer. (Pay commensurate with tort, of course.)