EU's Cyber Resilience Act contains a poison pill (theregister.com)
137 points by jjgreen on May 12, 2023 | hide | past | favorite | 122 comments


I think some of these reactions are rather overstated. I can't find language that states that you're on the hook for software support and fines just because you pushed a patch to Github that one time. The text mostly objected to is:

> In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

From context it reads like open source is excluded unless the company developing software is selling services in the EU, in which case I don't see why open source software would need to be treated any differently from closed source software.

I think it's very valid to object to the lack of a definition of what "free and open source" means (free as in speech or free as in mattress, for one). However, that doesn't seem to be the part that most of these companies object to.

"If we post the source, we don't have to follow the CRA" would probably just lead to source dumps of crapware so that the law can be ignored. The cynic in me says that many of these objections are from people who don't want to be forced to patch the software they sell.

Luckily, this is just a proposal for now. I see a lot of things I like in this proposal. Putting pressure on manufacturers to patch their shitty hardware might finally do something about the botnets of media players and security cameras that plague the modern internet.


> free and open-source software developed or supplied outside the course of a commercial activity

That seems extremely ambiguous to me. What does "software developed or supplied outside the course of a commercial activity" mean? Is it all of the piece of software? What if you pay me to develop and submit some patches to a GNU project? That means that, at least in part, the project was not developed wholly "outside the course of a commercial activity".

What about if I have a free and open source project, then you come along and pay me to make some changes you need. Is the whole project now covered by such a law?


It might cause issues at (today's) margins?

You know, how with FLOSS software (IIRC) you MUST provide the source on request, but CAN demand to be paid for the inconvenience (hosting, bandwidth, shipping physical storage...)

Seems like this wouldn't be an issue, but it would still be nice that this situation had been covered by the law.

P.S.: GPL:

https://www.gnu.org/philosophy/selling.html

"Distributing free software is an opportunity to raise funds for development. Don't waste it!"

OS:

https://opensource.org/osd/

"The license shall not restrict any party from selling or giving away the software [...]" (Emphasis mine, literally the first non-fluff phrase!)


Those terms are quite GPL specific.

The payment you can demand under GPL explicitly isn't allowed to be a money maker. It's to cover the costs only. I wouldn't classify that as commercial and I'm not aware of any laws that would.


That's not FLOSS; that's GPL.


This is fearmongering. As others have mentioned, it hinges on whether offering open source software on GitHub is considered a product in the sense of the law. The details are probably up for courts to decide, and despite what we like to think, they are not completely stupid.

The law is not geared towards "just putting some software on a server and calling it open source", which is what most projects do. It is geared, as far as I understand, towards bad IoT devices, among others. People sell them and know outright that there are existing vulnerabilities, and that rightfully should be illegal.

I think (maybe after some adjustments) this will be a boon to open source. Because every company shipping a program or a physical product with some GPL or MIT source inside will now be forced to bring it up to good quality before making money out of it. And at least in case of GPL, it is likely it will be contributed back to upstream. (I personally prefer upstreaming all open source code even when not required to share it, because you don't have the burden of maintaining a fork, and you have a better relationship with the developers in case you need to incorporate new features.)


> I think (maybe after some adjustments) this will be a boon to open source

How can arbitrary fines that will be decided by the judge and that can reach up to hundreds of thousands of euros from a few thousand euros per violation be a boon to open source...

Open source already has a problem funding itself. The funding comes from major corporate donors, who naturally decide the direction of the large projects they fund. The only open source segment that successfully funds itself through its community members and users is WordPress, which remained free of corporate domination for a very long time as a result.

With this law, any small time open source software producer and any small time private software producer risk themselves and their livelihood for producing software, based on ambiguous rules. Which would make it very difficult and risky for small time projects or companies to produce software in Europe, and as a result benefit the big companies that can actually afford those fines.

This looks like a law crafted by the large German software business that currently dominates the German govt. and Euparl to hamper small time software for their own benefit. When the small open source projects and private software developers close up shop, the software and SaaS of these large businesses will scoop up their users.

To the contrary of being a boon to Open source, this may be the biggest, most well-coordinated attack against Open source in decades...


European here. If German SAP companies want to bankrupt themselves because of global cuts on ties on FLOSS, where almost every component has some dependency on these in one way or another, that's ok.

Look what happened to the Amiga, and former proprietary software companies with in-house rewriting refusing to co-operate with standards. If they want to be the next idio... dumb CEOs trying to not be lynched by the shareholders, I'm totally fine. They... won't.


> European here. If German SAP companies want to bankrupt themselves because of global cuts on ties on FLOSS, where almost every component has some dependency on these in one way or another, that's ok.

Note how the legislation is drafted to exclude the large open source projects that these companies mooch off of - like Linux. Both the large software companies and the projects that they sponsor can afford the fines.

But smaller software producers and open source projects that fund themselves through their users can't. So basically the law will kill smaller software producers and let the larger ones scoop everyone into their profitable SaaSes and installable software...


> This looks like a law crafted by the large German software business

That's how it looks to me too.


> The details are probably up for courts to decide

As someone with lots of software publicly available with permissive licenses I absolutely do not want to participate in letting the "courts decide". If this was going through I would be strongly considering adding a banner saying that this software is not for EU consumers with the alternative being denying the fact that I am aware that EU people were using the software.

I am happy to provide my software as-is with no warranty. But if there is a chance that I am somehow on the hook for any guarantees about that software I'm out. It is just too much risk for very little gain.


Are you selling that software in the EU or are you merely making it available? Because there is an exception for free and open source software, and the EU can't regulate the business you do outside of the EU.

If you're selling support licenses to the EU for your open source software then you're on the hook for patching them, but you'd probably already be for other reasons.


> Are you selling that software in the EU or are you merely making it available?

What difference does it make... If small developers and software businesses risk thousands of euros of fines, decided arbitrarily by the courts based on civil minimum and maximum limits, open source and small software in the EU will die and the only ones to benefit from this will be the larger software companies that can afford the fines - who will be scooping up all the users of these open source projects and small developers - like the German software businesses who back the current German government and the German contingent in Euparl.

Note how the draft is designed to exclude the software that these major software companies are mooching off of - like Linux. It's basically: exclude what you benefit from, kill those who eat into your profit margins and be happy - total American corporate style legislation...


In my case I am not selling, only making it available. If selling I am happy to consider their needs and my legal obligations (for the right price). But as the grandparent states we are talking about just making free software available:

> it hinges on whether offering open source software on GitHub is considered a product in the sense of the law.


From the context of the rest of the law it seems pretty obvious to me that just making your code available doesn't turn it into a product. I don't know why people assume it does.

I assume Github and friends are much more concerned with being on the hook for selling these products (i.e. through Copilot). Github does sell you software that happens to make open source code available, and that seems like a much more vague situation.


> I would be strongly considering adding a banner saying that this software is not for EU consumers

This should be incorporated in the license.

The alternative would be a (paid) support contract for EU customers.


A paid support contract would put you outside of the exception for open source software. That's probably the exact opposite of what you want.

If you're just making your code available for no charge and not selling the product, the obligations don't even apply under the current proposal.


> If you're just making your code available for no charge and not selling the product, the obligations don't even apply under the current proposal.

Sadly, we'll have to wait for the courts to settle the first cases.


> The alternative would be a (paid) support contract for EU customers.

I imagine such a contract would be fabulously expensive. Typically, FLOSS software with support contracts is for relatively complex software; the organisation offering support is often not the organisation that develops it.

If offering support on FLOSS software exposes you to legal liability, then you need insurance, and insurers aren't going to have the expertise to price the risk. So premiums will be top-dollar.

I think the (misguided) intention is to strongly favour commercial software production over one-man-and-his-dog FLOSS developers.


> despite what we like to think, they are not completely stupid.

Have you ever seen the decisions made by boomer judges in bumfuck German courts? What a dream for troll litigators.

https://www.quad9.net/news/press/quad9-s-opinion-of-the-rece...


The author implicitly raises a question, but fails to articulate it and then answer it clearly. The question is whether open source software is to be considered a product and, somewhat related, whether downloading/using open source software creates a transaction.

I can safely say that I don't know the answer to the question and therefore I cannot draw conclusions as far reaching as the article author does. Effectively, the CRA is going to impose certain security standards on software products. People in medical, automotive, aviation, military fields were already subject to certain security standards, so GitHub's claim regarding unobtainability is demonstrably misleading if not outright false, depending on definitions of safety/security standards.

As it pertains to open source, it all depends on whether mere publication of open source software would be considered product release. I can agree with the author here that clarification may be needed. An important note here is that such regulation (OS is not affected) would have tremendous effect on open source. The companies using open source software in products would essentially be forced to either take open source under their belt with proper controls in place or be effectively forced to properly support open source development by at least providing security oversight. Sincerely, I have no idea what effect that would have as a whole.


A little too alarmist a take for my liking, but it is nevertheless a good thing that he is calling others to join the lobbying (which he oddly calls "education").

While GitHub also seems to have done a decent job during the consultation, I'd take the genuineness of their position with a grain of salt due to the CoPilot fiasco. In fact, they are saying that "open source licenses disclaim all warranty, making explicit the expectation that any entity seeking to use or integrate the open source software bears responsibility to ensure its compliance with relevant laws". The pot calling the kettle black.

https://ec.europa.eu/info/law/better-regulation/have-your-sa...


Being alarmist and pedantic about specific language of legal text is precisely what is needed to point out flaws. The only thing more terrifying than a governing body making laws about things they fundamentally do not understand is having the courts, with their own incomplete understanding, decide their own interpretation of them.


I'd argue a small group of people on an obscure mail list defining things so as to best suit them is an even worse form of governance, despite its relative popularity in this forum compared to more standard methods.


Agreed, and that is also good advice for those submitting responses to open consultations. Yet, Vaughan-Nichols certainly was not pedantic in this piece.


> lobbying (which he oddly calls "education")

Looks like he has lobbying experience :)


> "could chill or even prevent the availability of globally maintained open source software in Europe."

Chill? More like obliterate. If this bill goes through, almost every single open source repo is going to necessarily end up with a banner saying:

"MIT licensed ex EU. If you are an EU entity or intend to use this software in any way that may result in an EU entity coming into any contact (even indirectly) with this software, you are excluded from all rights granted under this license and prohibited from using any code provided here."


Why? If you sell commercial support for your software, you're just as liable as a closed source developer selling commercial support for their software. What's wrong with that?


Have you ever been 18yo and sold your first bit of software? Have you ever been a contractor?


Let's not forget that's already the case since 2015 for businesses of countries behaving like police states (like the US) being effectively banned if they are trying to handle personal data (including often IP addresses):

https://en.wikipedia.org/wiki/Max_Schrems#Schrems_I

But enforcement has been slow-moving:

"German state of Hesse has banned the use of Microsoft 365 in its schools (2022)":

https://news.ycombinator.com/item?id=33741537

Also there's an even more recent precedent with the new directive about the obligations of content displayers (typically regarding copyright takedown requests): in the end the directive is at least somewhat accommodating for the small/new/nonprofit displayers.


The reason for this slow movement is because EU made a new agreement (Privacy Shield) that did not address the issues of the first one, and was invalidated in 2020 by Schrems II.


Please. Don't spread FUD.


Why? Unless it's fixed, this act would be the cause of fear, uncertainty, and doubt. The most rational and likely outcome would be to add EU exclusions until and unless Open Source liability under the act is sorted.


Of course they're not going to pass a law requiring FOSS volunteers to provide support for or pay fines for software they provide for free.

That would be immoral and entirely unenforceable.

They're not idiots.

Maybe it's a bad law. It could be. But this FUD distracts from a real discussion about its merits and flaws.


This has already been discussed a few times, e.g. when PSF put out an article about it: https://news.ycombinator.com/item?id=35525384

More: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...


German speaking. People seem to be downplaying the legal risks for “small” stakeholders that “would go under the radar of EU authorities”, but the problem is that those laws introduce legal insecurity that many, many developers I know are not willing to take. Those laws are shallowly formulated and will require plenty of court rulings over several years to form some kind of framework for concrete behavior. And as we’ve seen in the past, BigTech will be much better at handling this legal insecurity than smaller local startups.

If EU’s intention really is to assert a level playing field, then they just achieve the opposite.


> If EU’s intention really is to assert a level playing field, then they just achieve the opposite.

To even pretend otherwise is idiotic. Regulation benefits mainly big incumbents, this has always been so and should be known by everyone who is even remotely interested in this topic.


> Regulation benefits mainly big incumbents

This is a gross overgeneralization.

There are many examples of regulations explicitly intended to increase competition.

It could very well be that this specific law does benefit big incumbents more.



> The notional open source developer in Nebraska, thanklessly maintaining a vital small program, may not even know where Brussels is (it's in Belgium).

This remains a curious example. Nebraska is not an EU country, it's an American state. EU law doesn't apply. The Nebraska developer (or me in my state) doesn't need to care beyond that if enough Europeans were interested they might contribute patches to meet their own new reqs, or make requests over it, and then the maintainer would need to judge if it matched/was worth it, and if not it might get forked into a CRA one, or not. I.e., just the normal open source process.

Unless someone can point to an American (Japanese/Australian/Canadian/Korean/Mexican/Chinese/Indian etc etc) law passed promising equivalence this continued notion that the EU laws are global is really weird. Certain things they've targeted at companies work, because said companies wish to have physical business within the EU, and the EU of course has jurisdiction over everyone within the EU. So the cost of not complying is the cost of losing a large chunk of business there, and since it's a huge market that's a big motivator (though not infinite, even for megacorps). But for those who don't have any physical interest, what's the issue?


This has nothing to do with patches. The problem is that when someone from the EU intends to use the software of the dev from Nebraska, the dev from Nebraska may be contacted to provide proof that their software meets certain requirements. The dev from Nebraska may not care, I would not… but the EU-based dev cannot use that bit of software in a bigger commercial part, even if the license allows it. The EU-based dev may opt for doing their own certification of that component.

It’s gate-keeping at its best. This is a blow to SMEs and a protectionist move on behalf of large enterprises.

In my head, the reasoning is the following: certification will be another bureaucratic process to follow. It will cost money, it will require human resources on both sides, it will feed some companies who don’t have to do shit to turn profit—companies started to feed on others as those who “certify”, it will most likely imply that someone from the bureaucratic machine will look into your source code -> trade secrets, anyone? Big players (not going to name them here) like companies like SA…, De… Te… have enough resources and financial backing to push through that. The point is, they cannot compete with OSS on dev pace, they found a workaround - kill OSS and impact SMEs by putting a legal barrier to entry.

On a personal note, as an EU-based person, I start getting fed up with this shit.


That's great, the company that wants to sell stuff in the EU pays for the audit and the bugfixes, and it benefits all.

As a PM in a previous position, I would have loved to fix known bugs, contribute back to open source, audit things properly. But when there was no legal pressure to do so, my bosses (understandably) said: great, that software is for free, take it, don't put too much work into it, ship it.

Like it or not, open source software is part of our supply chains, and if there is no incentive to maintain it properly then that's a big problem.


You assume that companies will share audits they conducted for free with everyone as a public service.

Edit: there's the other side of the coin. A single dev who wants to enter the market has an uphill battle. He is required to certify his own work, and provide audits of all dependencies. Good luck starting a business from your bedroom in such a climate. If this is what people in the EU want, paraphrasing:

I don’t want to live on this continent anymore.


> You assume that companies will share audits they conducted for free with everyone as a public service.

It depends, but in general there are significant, straightforward incentives to upstream most stuff. It makes things a lot cheaper over the long term for all involved, and particularly with security/stability and basic code hygiene there is basically never going to be any "special sauce" there where the company is getting some major additional value. It's all cost centers. So if an EU-based company audits and then needs to make some changes to a non-EU-based project, I'd assume by default they'd want all those changes upstreamed and made permanent since it'd reduce the burden going forward. Though again this is all highly speculative based on how it actually works. Also

> A single dev who wants to enter the market has an uphill battle. He is required to certify their own work, and provide audits of all dependencies. Good luck starting a business from your bedroom in such climate.

It is true I'm thinking of it from a non-European point of view, where it's not starting from scratch and by default it's not my problem. I'm not trying to downplay possible disincentives in those in the EU starting projects de novo. I just don't know enough about it.


> So if an EU-based company audits and then needs to make some changes to a non-EU-based project, I'd assume by default they'd want all those changes upstreamed and made permanent since it'd reduce the burden going forward.

Humans aren’t behaving logically. If a company A audited their dependencies, it doesn’t benefit them at all to “upstream” their audits because: 1) dependencies are already audited for that company and only new versions have to be audited in the future, 2) holding an audit will be a competitive advantage because everyone else has to consume their resources to get audits in place, 3) “my people on my salary got those audits for me, so if I had to pay for it, the others have to pay; why should I share that when I paid for it, it cost money and sweat, nobody’s getting it for free”.


> This has nothing to do with patches. The problem is that when someone from EU intends to use the software of the dev from Nebraska, the dev from Nebraska may be contacted to provide a proof that their software meets certain requirements.

I guess it depends on what counts as "proof", is that clear yet? I was thinking that if certain code practices and such were enough, then maybe an EU-based dev would then contribute the changes necessary to meet that should the original maintainer(s) not be interested, or fork it to do so. The details really matter, there are certain best practices that are a perfectly good idea anyway and also don't hurt future maintainability or the like at all, so the ideal would be something that encourages making such changes and then effectively "goes away" as a concern. Removing old ciphers/hash functions completely for new products for example, government might usefully provide industry a kick in the butt there, but once someone has moved on from MD5 it's not like they'd need to think about it again.

As you say though if it instead turns into an expensive bureaucratic mess, or as bad or arguably even worse pushes anti-maintainability/security practices (which has happened! in the US there was a long period of awful anti-security password policy stuff floating around that came from outdated "best practices" reqs), then that'd be a major issue. And regulatory capture is indeed always a concern with new acts like this too.


> I guess it depends on what counts as "proof", is that clear yet?

Audits are discussed everywhere.


At the moment, it's quite easy for the EU to enforce fines on big companies because they tend to have lots of assets in the EU by way of their operations (buildings, bank accounts, inventories etc).

However, the EU would have a much more difficult time enforcing fines on entities with no European presence. In principle they could go through the international treaty system, but that would be very slow and expensive. I'm not aware of any case where they've actually successfully pursued this for non tax / copyright fines, which tend to have special arrangements, although I've not looked into it that much. Please let me know if anyone is aware of any precedent.

Ultimately the ability of one country to enforce fines on another relies on goodwill and diplomacy. What could the EU do to say, India, if their courts declined to enforce a $20k fine on a small developer or take 7 years to decide the matter? Even if they were technically allowed to go after sovereign Indian assets instead by a treaty or threaten sanctions, it's hard to see the diplomatic cost being worth such a small fine.


Copyright has been and is enforced internationally. This is the subject of international treaties.


It's a pop culture reference, you're reading way too much into a witty remark.


I don't agree with you (or sibling). I did consider that, and also for that matter that there could be a "Nebraska, Europe", after all there are various European cities/places names all over the US. But the extra context ("may not even know where Brussels is (it's in Belgium)") makes clear that while they are using the reference they are in fact referring to Americans as being covered, or else it makes no sense. And further, this has been an ongoing thread in relation to this act. ~3 weeks ago HN had a thread [0] on this as well regarding a letter to the European Parliament on the CRA from the Internet Systems Consortium [1], and it too had comments from non-Europeans thinking it applied to them. That oversimplified narrative has been getting pushed on HN as well in general, such as with the GDPR.


The "Nebraska" reference is probably due to the relevant Xkcd: https://xkcd.com/2347/


> Unless someone can point to an American (Japanese/Australian/Canadian/Korean/Mexican/Chinese/Indian etc etc) law passed promising equivalence this continued notion that the EU laws are global is really weird.

Extraterritorial jurisdiction isn't a new or unusual concept in the slightest, and I don't understand the recent trend of pretending that it's only the EU that does this. The classic examples of money laundering, organised crime, sexual crimes committed against children, female genital mutilation, anti-competitive laws, etc, are so mainstream at this point that I don't think any Westerner would consider it controversial for somebody who does these acts in countries where they are less regulated to be arrested for them upon arriving in a Western country.

There's also more HN specific examples like cybercrime, with a recent example being the arrest of Marcus Hutchins. Or copyright, where anybody from countries with less strict copyright laws than the US knows what I'm talking about. Japan has strict copyright laws too, and game companies like Sega and Nintendo are notoriously protective of their IP to the point where Sega has apologised for abusing the DMCA to take down videos produced by North American and European nationals. COPPA predates the GDPR by 15 years and is applicable everywhere. The Canadian Anti-Spam Legislation regulates sending spam to Canadians. The German NetzDG will send you a strongly worded letter if you criticise Germans.

Many data protection laws also regulate how you handle data of their nationals. For example, the data protection laws India introduced in 2011, applicable to businesses that outsource operations to India, were described as much more restrictive than the EU or US counterparts. China regulates that foreign businesses doing business in China store all their data in China. South Korea has no scope on territory for their PIPA, but it's hard to tell if this applied to their 2011 legislation or just their 2020 legislation as these laws obviously aren't in English. Many newer laws are modelled after the GDPR and also have no scope on territory, e.g., Brazil, California, Russia, etc.

There's other more general examples too. Many countries criminalise taking drugs, and evidence that you've taken drugs in the past can lead to you being deported. Consumer protection laws are generally pretty strong and banks will side with consumers in issuing charge backs. Anecdotally, Steam had a no refund policy for the longest time and support staff would berate you for asking for a refund for a game that doesn't work, but they still issued refunds and now have a refund policy (even if it doesn't fully comply with local laws). America regulates exporting arms, which caused a lot of drama in the Linux scene in the early 2000s when encryption was (still is?) considered munition. Doing commerce with embargoed or sanctioned countries can land you in hot water too, it might make sense for 'bad guy' countries like China, Russia, Iran, etc, but the US and Israel stand alone in defending the embargo on Cuba. Many countries have restrictions on freedom of speech, it might not be the best idea to travel to Turkey if you publicly criticise Erdoğan. Etc.

--

None of this is to say that I agree with what the EU is doing, or that these examples are 1:1 parallels, but I think the attitude of 'these laws don't/shouldn't affect me' is naive at best, unless you plan on never leaving or doing business outside of your own country.


There seems a pattern with legislators in EU trying to fit the digital ("hacker") culture into service provider/customer model. Individuals hacking on projects for fun, bringing up their standalone servers for fun etc. just shouldn't exist in their mind. "Customers" (i.e. non-tech people) demand protection and "service providers" (whoever puts their stuff online) should comply.

Rant over.

Honestly I don't understand why it is not done the same way as for other certifications. You only need to have certification once you start selling your product in a regulated industry - e.g. a connected device in this case. If you use any components (hardware or software) it's your responsibility that they are either pre-certified for you (what commercial suppliers would do) or you certify them yourself. This would shift responsibility from open source maintainers to where it's due.


Because this is designed exactly to go after open source. Big European Tech (which is an oxymoron) cannot compete with OSS on a level playing field, so they lobbied for this to eliminate competition.


Who would that be? The only European big tech company I know is SAP. Not sure what European companies are competing with open source and losing.


Open source is decentralized. Everyone is the maintainer. If there is a bug in the code, then anyone can fork and fix it. I don't understand how this law can apply to OSS period.


It's simple. The police get a warrant, pursuant to local laws. They show up and arrest someone. That person is put on trial. What happens next, I don't know.

Legal systems do not have to be coherent or logical, only actionable.


> It's simple. The police get a warrant, pursuant to local laws. They show up and arrest someone.

OSS is decentralized. Everyone has source access. The police will have to arrest everyone, including themselves.


You seem to be acting deliberately ignorant. The police could in fact do that. But in reality a judge will write a warrant for either one individual or just a small group of individuals that a public prosecutor (I do not know the term in the EU) presents to the judge. The police will arrest only those people.

"arrest everyone" is some bizarre fantasy that the legal system is both ineffective and stupid.


> You seem to be acting deliberately ignorant.

That's not a charitable interpretation. Try re-reading what I've written from the perspective of someone pointing out logical flaws of a proposed law.


> I don't understand how this law can apply to OSS period.

That's what the commenter is responding to. Laws are clearly not applied logically, and while you may be able to make that argument in court, it's never clear that it will be accepted.


> Laws are clearly not applied logically, and while you may be able to make that argument in court, it's never clear that it will be accepted.

I don't disagree, but I'm not making a defense argument in a courtroom, I'm making a logical argument about a proposed law on a message board.

I agree laws are not applied logically which is why they must be scrutinized logically before they become laws.


> laws are not applied logically

The logical conclusion of that is that we shouldn't have any laws... Except it's not true. Of course laws are not applied strictly according to the laws of logic, nothing is, but there is a relatively high degree of logic and predictability in the legal system.

That doesn't stop absurd rulings on some occasions. But concluding from that that "laws are not logical" is an overreaction.


But in practice, they'll only arrest the people they dislike.


Ahah yeah, it's decentralized, everyone can, not obligated but can, contribute. Either they sue everyone (as I think it's more of an economic damage) or people contribute anonymously.


It applies if the maintainers of the project sell support. For example, Red Hat sells support for their open source licenses, so Red Hat will have to follow the law.

Things may be less clear when it comes to donations, where customers don't directly purchase a service yet the developer makes a bit of money, but from the context of the proposed text I don't think that is what the law intends to cover.


> It applies if the maintainers of the project sell support.

Support is a gray area. Not only are there different kinds of support that have nothing to do with code, like selling training material, but there is also selling one's expertise of a codebase as a consultant without necessarily making code changes oneself. Presumably one could author a support contract to state that the code is a fork, regardless of whether there are changes or not, and that the price paid is merely a consulting fee.

If you accept the premise that OSS is decentralized, then so is the right to repair. Anyone can learn the code and charge a one-off service fee for fixing a defect. I'm not sure how liable one could be here. If you sell an annual support contract then presumably you're only on the hook for the year and not the "lifetime of the product", which is vague given the decentralized nature of OSS.


Alexey Pertsev might have an interesting perspective on that.


FOSS is a specified exception in the CRA. Am I missing something?


This exception only applies if you have clear intent to make no money on the software. As soon as you put a "donate" button on the site, you lose the protections.


Donations are not a commercial activity if no good or service is exchanged (in which case they wouldn't be donations, just purchases).


This is correct, but the EU act we are discussing says the opposite, hence the discussion.


The "exception" doesn't go far enough. If code is open source then anyone can fork and fix it. Money doesn't change this.


It doesn’t matter in the face of how that directive is phrased today. No matter how much in denial one may be.


See the Python Software Foundation's concerns:

https://pyfound.blogspot.com/2023/04/the-eus-proposed-cra-la...

To wit: under a reasonable reading of the legislation, having any commercial activity (classes, conference tickets, etc.) opens you to liability. Or imagine selling support.

Additionally: if open source code is included by someone besides the author into a commercially available product, it's not clear that the open source author doesn't hold liability there. Even if the author received $0, or is unaware of the use of the software he/she created.


Forget selling support. Imagine you are a FOSS author and you're on public transport. You strike up a conversation with someone who happens to work in the industry. You tell them about your authorship of a project and then they say "Oh wow, that's great! Let me buy you lunch!"


How on earth are legislative bodies ever going to find out about that?


Not sure where you live but in most places it isn't the legislature enforcing the law.


Here, the PSF makes a mistake of referencing recitals, which are not really enforceable law in the strict sense.


In my understanding, in EU law recitals are explicitly part of the law.


They are part of the law, sure, but they are not legally binding in the same way as articles are. If there is ambiguity in a law, as there often is, a judge may use these for interpreting the overall "spirit of the law". But even then, articles always take precedence and these cannot be overruled by recitals.


The poison pill is our law makers writing "open source" without consulting anybody from the community if what they propose is sensible.


I think you've misunderstood something about democracy. It is not like lawmakers can in advance inform everyone and each stakeholder who might be affected. Nor do I think they were writing this law proposal for open source in mind; quite the contrary, I think they probably missed this point of view during the drafting but are probably now aware of the issues.

Perhaps the most striking issue revealed by the CRA is that open source stakeholders apparently do not have their NGOs at Brussels (or Capitol for that matter). There would be all kinds of opportunities like lobbying for funding, or fighting Big Tech if that is your game, etc.


"Secure the product over its whole life"

I wonder how this will affect the business model where you get updates while your subscription is active.


Why is this called a poison pill?


Definitely just a misuse of the term. "Poison pill" doesn't just mean a terrible provision of legislation - it's possible for legislation to be terrible while conceived entirely in good faith. In this case it's bad legislation due to EU legislators not understanding open source.

A "poison pill" provision or amendment is an element deliberately added to turn people who otherwise would have supported the legislation against it. The person proposing the poison pill is acting in bad faith - they have no expectation of it passing, they might not even support the idea themselves - the only reason it's added is to make the original legislation's supporters drop their support, killing said legislation.

I don't think anyone is seriously proposing that the EU is deliberately hamstringing open source in order to kill their own cyber-security act. They've just written a bad piece of legislation.


Given how frequently problems like this crop up in legislation these days, it seems like we do need a term for it, though.

Maybe something like "food poisoning pill"? Made with good intentions, but without proper understanding or taking proper precautions, so it becomes toxic...


> it's possible for legislation to be terrible while conceived entirely in good faith

This is way too fine-tuned to destroy small software segments, open source and private developers included, for the benefit of large companies that will be able to afford the potential fines.


That has nothing to do with what I mean by good faith - I just mean that the legislation they’ve proposed is the legislation that they want passed.

That’s different from a poison pill amendment, where the intention isn’t to actually implement the policy, just to kill the legislation that you’re attaching it to.


One could be inclined to think that in different circumstances. However large software businesses (especially German) are among the backers of the bloc that governs Germany and controls a significant part of Euparl. So you can easily conclude that they would want it to pass...


In contracts, a poison pill is typically a clause that makes some kind of action prohibitively expensive, usually "killing" the value of the contract. But that's not what this is, nor is it what the writer means.

The use of the term here is unfortunate because it's not a poison pill in this typical legal/contracts sense, but rather the writer's attempt to characterise the clause as a deathblow for OSS devs.


I wondered that. The implication of "poison pill" is that something that looks broadly OK actually contains a detail that renders it very perilous. The canonical example is a company arranging its finances in such a way that a hostile acquisition is too dangerous to risk.

This isn't a detail; it's the whole point.


Invest in VPN stonks. It's gonna be popular in the EU in the future.


Are there any publicly traded VPNs?

EDIT:

https://swingtradebot.com/stocks-tagged-as/4952-vpn


It’s important to recognize that the CRA project was led at the EU by Eva Kaili, the Greek MEP involved in Qatargate and probed for multiple accounts of fraud: https://www.politico.eu/article/eva-kaili-qatargate-corrupti....


Again, the EU making things more difficult for EU startups. As if GDPR wasn't enough.


> As if GDPR wasn't enough.

GDPR was so completely inconsequential for EU start-ups. We have to stop with this constant EU bashing. You know what EU-based start-ups do to comply with GDPR? They don't. Most of them copy-paste a generic GDPR legal statement and name the CTO/CEO the DPO. And if they receive a GDPR request (it almost never happens), they just handle it manually.

Now, when you get big enough (or if you start to do really obvious, egregious things with data collection/processing) you might attract the eye of your local data protection agency. And if you really do naughty things they might, gasp, send you a letter and ask you to comply. Only repeat offenders and companies who really didn't care about even the most basic principles of the law end up being fined. And in most cases, the fines are weeeell within reason. Or, as we say, "the cost of doing business".

The only actors who were somewhat annoyed by the GDPR were huge data hoarders.


Basically what you're arguing is that EU start-ups shouldn't care about the law.


I am not arguing about anything. I am stating facts. Have you worked for any EU start-ups? Plus, if you have worked long enough, you should know by now that most companies take a "try it, and change it if we are asked to" approach to a lot of laws. This shouldn't be a surprise to anyone.


Right. It is not like the world needs more startups with software full of holes.


Shocking that this kind of knee-jerk anti-innovation sentiment seems to be the dominant mood on Hacker News these days. Whatever legitimate criticisms of SV startups there are, this is mere contentless anti-tech sniping.


So you think improving security is about a "knee-jerk anti-innovation sentiment"?

To better understand why these regulations are pushed forward throughout the world, read for instance Huston's elegant piece:

https://www.potaroo.net/ispcol/2021-02/iot.html


Plenty of frustrated and sour people post-covid out there.


The intentions are good, just like GDPR, it's the implementation that sucks.


Frankly, I don't know what to say. If it is "the implementation that sucks", the implication probably is that everyone in this forum sucks.


Maybe, but probably no one in this forum is enacting laws.


Strangely the EU has no laws on the books about them accepting responsibility for unintended consequences of legislation ... when that is more or less the same problem.


Unfortunately it does, and nobody likes them: https://en.wikipedia.org/wiki/Comprehensive_Economic_and_Tra...

They're called investor-state dispute settlements, and they let corporations sue governments for loss of profit from things such as environmental protection and public health laws: https://en.wikipedia.org/wiki/Investor%E2%80%93state_dispute...


What nonsense is this? The EU's laws are constantly fought in the courts.


I don’t know how you solve this exactly, but I do think allowing open source devs to just wash their hands of all responsibility isn’t a tenable solution. There’s a reason we don’t have “open source bridges”. You have to be a licensed civil engineer before you’re allowed to build a bridge, you can’t just build one and slap a “NO WARRANTY” disclaimer on it.

Bridges can’t be downloaded from Russia, however, and requiring open source devs to carry liability insurance probably just destroys open source, so I am genuinely unsure how you solve this in practice.

But I think that is a conversation we should be having, rather than just saying that the status quo is the ideal, and allowing no room for discussion.


It’s up to the person choosing and deploying the software to decide if the OSS project is sufficiently secured. This is the person (or party) who should shoulder the blame. I don’t see why someone pushing to GitHub or whatever should have any responsibility for how their stuff is misused.


It does not work so well in practice. Projects like sqlite and curl had to take steps to hide themselves from end users, who are grasping at straws in the face of a malfunctioning product.


Followed to its logical end, this also destroys open source as we know it today. If I’m going to have to vet your OSS with a fine tuned comb before I use it, I might as well just write it myself, and also be unencumbered from whatever license you chose. Only projects backed by FAANG would actually be used then.


Then watch the ActiveX disaster and Blaster coming back but by 20000. Worst botnet/ransomware attack from NK/Russia ever. The EU on HUGE losses. BSD- and GNU-dependent companies almost go bankrupt overnight. Productivity halts with a worse outcome than COVID.


What's stopping anyone from publishing specs, CAD models and instructions on how to build a bridge so that anyone can attempt to build it themselves on their property? Of course you can put a disclaimer on it and tell everyone that they're using it at their own risk.

In the area where I live there are a few privately owned parks that are open to the public and, according to the owner, they can basically do what they want in one of those parks as long as they tell people that they're using everything at their own risk.


Generally, there are laws governing construction requiring that any larger-scale construction work must be signed off by licensed professionals. A state can go as far as authorizing the decommissioning of a construction even on private land, of course at the expense of the owner.


This is a really ridiculous position. All of the software that you pay for is provided with NO WARRANTY. Why do you think free software would be different?


This isn't about warranties, which are promises to the consumer. This legislation creates a liability to the state, a third party.


Good joke. Now go get a non-GNU/BSD-licensed compiler, linker, TCP/IP stack, Unicode parsing library and so on, try rebuilding 60 years of 'hippie made software' IT by yourself. Look how the EU standardized TM(R) software crashes into itself due to bugs and huge attacks from Russia in less than two weeks.


Microsoft will be happy providing everything, paperwork included at a reasonable price.


Even MS would collapse. BSD and LGPL code is everywhere.

