I was recently made aware of the EU's Cyber Resilience Act, which seemingly is set to override any nonliability clauses in all open source software licenses (making it possible to sue OSS authors in Europe for security issues). Has anyone looked at what this might mean for Coq, which at least has the Coq Consortium "commercial" wing?
A worst case scenario from a comment to the Eclipse Foundation blog post:
As written, the CRA could spell the end of free and open source software in Europe, not only at Eclipse but also at countless projects that are backed by small businesses and will not be able to afford any of this level of ceremony: the road to hell is paved with good intentions. As it is written now, it could IMHO trigger a massive FOSSXIT out of Europe.
@Karl Palmskog : I am citing from the proposal, page 15, number 10:
In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
I'm well aware of clauses like this, which is why I brought up the Coq Consortium (which arguably is engaged in "commercial activity"). OSI also said:
The term “commercial” has always led to legal uncertainty for software and is a term which should not be applied in the context of open source as specific commercial uses of open source projects by some users are frequently disconnected from the motivations and potential compensation of the wider community of maintainers. The software itself is thus independent of its later commercial application. The problem is not the lack of a taxonomy of “commercial”, it is the very act of making “commercial” the qualification rather than, for example, “deployment for trade”. Thus adding a taxonomy of commerciality is not a solution. OSI would be pleased to collaborate over better approaches to qualifying an exception.
I don't think the Coq Consortium is considered commercial in this sense, since its objective is not to generate money. Besides I would think that Coq development lives up to the standards requested in this proposal. It is essentially about forwarding known security fixes in a reasonable way to users. It explicitly says that with the state of the art it is not possible to create bug free software, but that one should at least live up to reasonable standards in providing security fixes.
according to my local expert, it doesn't matter if the goal is making money / profit or not: as soon as you do anything related to any EU market, like providing a service for a fee, it's commercial
as to "providing security fixes", see the Eclipse Foundation analysis, which says they are barely able to reach the standard they are proposing in CRA. People/organizations doing OSS inside EU with fewer resources are doomed, if they [Eclipse Foundation] are correct.
if GitHub becomes considered as a distributor of commercial software according to CRA, the likely outcome is that GitHub blocks EU as a whole rather than assume liability
I think the point I cited makes it clear that this is explicitly not the intention of the regulation. I expect that the final result lives up to that. But indeed we should do some lobbying to take care that it does.
to go with the classic analogy, if I write a recipe for traditional omelette, I can still claim that it is my intention that no eggs are broken by anyone following this recipe. But how credible is that claim?
OTOH if I write an omelette recipe and someone serves it to people allergic to eggs I hope I'm not the one who is liable for it
also, another interesting reading of the clause Michael cited: apparently the only reason they will make this exception for FOSS is to "not hamper innovation or research". In other words, FOSS that doesn't produce or is not connected to innovation/research (e.g., regular free expression or entertainment) deserves no special protection.
OK, you convinced me to write a letter to my responsible EU parliamentarian. Up to now it always went the way I wanted in the (few) cases I felt inclined to do so.
I guess I'd write a letter too if not all "my" parliamentarians were corrupt to the bone. Possibly-unpopular view: the language in the proposal actually makes me think this is a hit job against OSS from "big proprietary EU software" [which can easily afford all the compliance theater]
Could be relevant: https://fosdem.org/2023/schedule/event/cyber_resilience/ (I did not attend this presentation and did not watch the recording yet.)
@Karl Palmskog : the outcome of the EU software patents legislation gives some hope.
Last updated: Jun 05 2023 at 09:01 UTC