The EU’s Proposed CRA Law May Have Unintended Consequences for the Python Ecosystem (as well as the entire free software movement).
@marado@twtxt.net Do you mind highlighting what the CRA and CLA are proposing that puts open source and individual open source authors at risk?
@prologic@twtxt.net Perhaps Eclipse’s article on the subject is clearer, but the main focus of Python’s text is on the liability clauses: while it might make sense that if you buy a product with software (or a software product) the vendor should be liable for its safety, security, etc., that does not translate well to the free software world, and it will have a chilling effect if suddenly you (as a free software developer) start being liable for the flaws in that software. Python folks point out (and I agree) that “Assigning liability to every upstream developer would create less security, not more”, Eclipse people point out that “Every open source license contains no liability clauses”, and argue that “It is the companies which commercialize the technology and make a business from it who need to accept liability and provide warranties to their paying customers, not the open source projects”.
@marado@twtxt.net I see. Thanks, I read that article and it makes the problem a bit clearer, especially on the liability issue. So, it seems EU lawmakers are trying to fix an economic problem by introducing a new set of laws that regulate a large part of the software industry (open source) that has effectively zero revenue?! This seems a bit counterintuitive to me; how are open source developers able to deal with liability for something they produce and publish for free?
What seems to be at play here is that the capability of open source, which has enabled great software reuse by large commercial ventures, is under threat from lawmakers who don’t seem to fully grasp the landscape of open source.
The liability for software and products should be with the builders of that product. This is a bit of a tricky situation, because if you’re building a skyscraper and it falls down because of faulty concrete pylon footings, who’s at fault, who is liable? You or the company that poured the pylons?
The problem and difference, though, is that open source is produced, published and free at no cost to the consumer. I also find the situation a bit weird from a legal standpoint, as I don’t understand how the CRA and CLA can possibly override open source licenses that are also legal documents and a contract between the open source author(s) and consumers of that open source software/library/whatever.
Finally, as Eclipse suggests, if the new proposed EU laws were to go ahead, I too as an open source developer would have to either a) put up a notice stating that none of my software, libraries or tools can be used within the EU, or b) simply go closed source. – This would be extremely sad 😢 and honestly at that point I would question even continuing to be a software developer at all.
@prologic@twtxt.net I think these proposals come from lawmakers who ignore the existence or the importance of the Open Source ecosystem; and indeed, this moving forward as is would be tragic for all free software development. E.g., in my free time I’ve contributed a few patches to several twtxt/yarn related projects. I do not want to be liable for them, however.
@abucci@anthony.buc.ci that is an ironic example. Since the inventor of the seatbelt gave rights to use the technology freely.
@movq@www.uninformativ.de good example. Should the medical device manufacturer be liable? Yes. Should the library developer be liable? No.
@marado@twtxt.net I agree 💯
@xuu@txt.sour.is That has no relevance to the point!
@movq@www.uninformativ.de Cheers! I’m happy to agree to disagree too of course! Thanks for engaging!
More about this: In letter to EU, open source bodies say Cyber Resilience Act could have ‘chilling effect’ on software development
@marado@twtxt.net Does the latest version of the CRA still have this:
In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
“The Cyber Resilience Act can be improved by focusing on finished products,” Linksvayer added. “If open source software is not offered as a paid or monetized product, it should be exempt.”
This ☝️