One of the biggest problems I have with the currently proposed EU laws is that there is no distinction being made between “Free, non-Paid, Open Source” vs. “Commercial Software Products built from Open Source”.

I find the current situation highlights the fact that large corporations build paid-for products and services for consumers and make millions or billions of $ £ € often without so much as either a) contributing back to open source or the projects from which they borrow and depend on, or b) paying for what they use or supporting it in any financial way.

A large part of the Open Source Model in my view is often confused with “FREE” as in $0, but this is total bullshit. Companies need to understand that reusing a piece of open source software, library or component does not imply it is FREE to you. Companies today DO NOT vet, understand, review or even remotely contribute (in many cases) bug fixes, security fixes, etc, of the component they freely take and use and profit from.

It is only after that company has a breach, with harm caused to its end-users, that the company does anything about it. I’m not really convinced that’s happening either, because the current laws scream and cry out “OMG! 😱 We need to fix the Open Source supply chain!” on behalf of companies that refuse to take any financial liability for freely using other people’s hard work that they didn’t get paid for.

Companies that use open source components freely without paying for them or contributing back should absolutely be held liable when things go wrong, NOT the open source developers. Why? Because those companies are often exploiting their end-users and often making them pay for something that is largely otherwise free (with some conveniences added on top).
