Yarn

Recent twts in reply to #pud4w2q

@prologic@twtxt.net Perhaps Eclipse’s article on the subject is clearer. But the main focus of Python’s text is on the liability clauses: while it might make sense that if you buy a product with software (or a software product) the vendor should be liable for its safety, security, etc., that does not translate well to the free software world, and it will have a chilling effect if, suddenly, you (as a free software developer) start being liable for the flaws in that software. Python folks point out (and I agree) that “Assigning liability to every upstream developer would create less security, not more”, Eclipse people point out that “Every open source license contains no liability clauses”, and argue that “It is the companies which commercialize the technology and make a business from it who need to accept liability and provide warranties to their paying customers, not the open source projects”.

@marado@twtxt.net I see. Thanks, I read that article and it makes the problem a bit clearer, especially on the liability issue. So, it seems EU lawmakers are trying to fix an economic problem by introducing a new set of laws that regulate a large part of the software industry (open source) that has effectively zero revenue?! This seems a bit counterintuitive to me; how are open source developers able to deal with liability for something they produce and publish for free?

What seems to be at play here is the capability of open source that has enabled great software reuse by large commercial ventures is under threat by lawmakers that don’t seem to fully grasp the landscape of open source.

The liability of software and products should be with the builders of that product. This is a bit of a tricky situation, because if you’re building a skyscraper and it falls down because of faulty concrete pylon footings, who’s at fault, who is liable? You or the company that poured the pylons?

The problem and difference though is that open source is produced, published and free at no cost to the consumer. I also find the situation a bit weird from a legal standpoint as I don’t understand how the CRA and CLA can possibly override open source licenses that are also legal documents and a contract between the open source author(s) and consumers of that open source software/library/whatever.

Finally, as Eclipse suggests, if the newly proposed EU laws were to go ahead, I too as an open source developer would have to either a) put up a notice stating that none of my software, libraries, or tools can be used within the EU or b) simply go closed source. – This would be extremely sad 😢 and honestly at that point I would question even continuing to be a software developer at all.

@prologic@twtxt.net I think these proposals come from lawmakers that ignore the existence or the importance of the Open Source ecosystem; and indeed this moving forward as is would be tragic for all free software development. E.g., in my free time I’ve contributed a few patches to several twtxt/yarn related projects. I do not want to be liable for them, however.

@abucci@anthony.buc.ci Many (most?) licenses in the world of free software explicitly deny any liability (is that how you say it in English? I think you know what I mean). So, if a user still uses that software for “potentially dangerous” things, who’s to blame? The software? Or the user?

We Germans always have to make an analogy with cars 😅, so here you go: If there’s a guy on the street offering you a car and he says, “oh, maybe it’ll drive, maybe it’ll explode, who knows – either way, the risk is yours, I’m just offering it”, you might still be interested in using that car for certain things. But you wouldn’t use it as an ambulance car or a taxi or whatever. Or you might actually do that after carefully inspecting it and/or fixing some things.

So, if there actually are any liability issues here in the current laws – I know nothing about that field, especially not when it comes to corporations –, I think this should be fixed at the user’s end. You run a hospital? Then there are certain standards for you and you’re liable for certain things. If that implies that you can no longer use, say, nginx, then that’s not nginx’s problem, but yours.

I would argue that you cannot hold programmers liable if they contribute to a free software project that is publicly available, because you don’t know how this software is going to be used.

(Plus, I have a hard time imagining how you as a programmer could prove that you’ve done a good job. What’s the criterion here? Clearly, it can’t be “no bugs ever”. So, what is it, “no damage above 1000 dollars” or something like that? What does the EU thingy say here?)

@abucci@anthony.buc.ci

Firstly, contributing software to an open source project cannot be a blanket “get out of jail free” card. That’s a sociopathic stance, on its face, and just cannot be accepted.

I don’t understand. Why is that sociopathic? (Language barrier here? I really don’t get what you mean.)

But thirdly, […] And the same should happen in software. […]

How do you really know if a project has been used in dangerous situations? (If this changes in the future, are programmers that contributed in the past – when this project was not yet used in dangerous situations – also liable?)

@abucci@anthony.buc.ci

Yeah, we probably have to agree to disagree here.

I still think it would be better to put the burden of liability on the users – no matter if they’re private individuals or big companies. (And isn’t that already the case? Do we even have to solve a legal liability problem? Not talking about software quality here, that’s a whole other issue.)

Trust me, if people got sued or went to jail, the tech industry would figure out really fast how to make these determinations.

Yeah, they would. It’s simple: No more free software, no more publicly available projects. The only software that would ever exist is software made by large corporations who can afford the appropriate insurances and lawyers.

What you’re proposing is either classifying software in advance as “dangerous” or “harmless” (I’d argue that’s impossible – as an extreme, think of libraries, they’d all be “potentially dangerous”), or threatening free software projects with lawsuits if, at some point in the future, these projects caused an accident.

Why would anyone publish free software or contribute to it under these conditions?

Why should open source software development be any different?

IMHO because you can make software publicly available and anyone can use it for whatever they want, which the author has zero control over.

Anyway, have a good night, I’m gonna enjoy a couple of movies now. 👋 😊

@abucci@anthony.buc.ci

Seatbelts and cars are so much simpler than software. It is easy to see that you might crash your car into a tree and that a belt will help you here (if you’re going slow enough, yadda yadda).

If I write a library for a compression algorithm, how can I ever prepare for someone using this in, I don’t know, a medical device in a hospital, but then my code has a bug, crashes that device and a person dies? There are so many more indirections here than with cars and seatbelts. It is completely out of my control.

Anyway, I think we both made our points clear. I’m out, cheers! 👋 🥃

@marado@twtxt.net Does the latest version of the CRA still have this:

In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

“The Cyber Resilience Act can be improved by focusing on finished products,” Linksvayer added. “If open source software is not offered as a paid or monetized product, it should be exempt.”

This ☝️