The EU’s Proposed CRA Law May Have Unintended Consequences for the Python Ecosystem (as well as the entire free software movement).
@marado@twtxt.net Do you mind highlighting what the CRA and CLA are proposing that puts open source and individual open source authors at risk?
@prologic@twtxt.net Perhaps Eclipse’s article on the subject is clearer.. but the main focus on Python’s text is on the liability clauses: while it might make sense that if you buy a product with software (or a software product) the vendor should be liable for its safety, security, etc., that does not translate well to the free software world, and it will have a chilling effect if, suddenly you (as a free software developer) start being liable for the flaws in that software. Python folks point out (and I agree) that “Assigning liability to every upstream developer would create less security, not more”, Eclipse people point out that “Every open source license contains no liability clauses”, and argue that “It is the companies which commercialize the technology and make a business from it who need to accept liability and provide warranties to their paying customers, not the open source projects”.
@marado@twtxt.net I see. Thanks, read that article and it makes the problem a bit clearer, especially on the liability issue. So, it seems EU lawmakers are trying to fix an economic problem by introducing a new set of laws that regulate a large part of the software industry (open source) that has effectively zero revenue?! This seems to be a bit counterintuitive to me: how are open source developers able to deal with liability for something they produce and publish for free?
What seems to be at play here is the capability of open source that has enabled great software reuse by large commercial ventures is under threat by lawmakers that don’t seem to fully grasp the landscape of open source.
The liability of software and products should be with the builders of that product. This is a bit of a tricky situation, because if you’re building a skyscraper and it falls down because of faulty concrete pylon footings, who’s at fault, who is liable? You or the company that poured the pylons?
The problem and difference though is that open source is produced, published and free at no cost to the consumer. I also find the situation a bit weird from a legal standpoint as I don’t understand how the CRA and CLA can possibly override open source licenses that are also legal documents and a contract between the open source author(s) and consumers of that open source software/library/whatever.
Finally, like the Eclipse article suggests, if the new proposed EU laws were to go ahead, I too as an open source developer would have to either a) put up a notice stating that none of my software, libraries, or tools can be used within the EU, or b) simply go closed source. – This would be extremely sad 😢 and honestly at that point I would question even continuing to be a software developer at all.
@prologic@twtxt.net I think these proposals come from lawmakers that ignore the existence or the importance of the Open Source ecosystem; and indeed this moving forward as is would be tragic for all free software development. E.g., in my free time I’ve contributed a few patches to several twtxt/yarn related projects. I do not want to be liable for them, however.
@marado@twtxt.net @prologic@twtxt.net personally I think there are good arguments in favor of accountability standards for some open source projects. Not all, obviously. But it is insane to act as though open source contributors bear exactly 0 responsibility in cases where they know full well that they are contributing code to potentially dangerous projects, and/or know they will profit from those contributions. We don’t do that in any other sphere of life and shouldn’t be doing it with software either. People die from this shit, or lose their life savings.
Also, open source provides an avenue for companies to launder their own responsibilities. That loophole should be closed.
Anyway, it’s not an open and shut case of “absolutely no liability for open source developers ever.” Frankly, software quality would improve tenfold virtually overnight if developers knew they could be sued for doing lousy work. That’s not a “chilling effect”, it’s responsible regulation of potentially dangerous products.
@movq@www.uninformativ.de I respectfully disagree. I think the broad point you make makes sense, but there are details that matter.
Firstly, contributing software to an open source project cannot be a blanket “get out of jail free” card. That’s a sociopathic stance, on its face, and just cannot be accepted.
Secondly, the fact that software licenses state that the software is provided without warranty/liability is meaningless until those clauses are tested in court cases. If judges say “bullshit” to the “no warranty” clauses, and hold developers accountable anyway, then those clauses become meaningless (at least in the US, where case law and precedent matter).
But thirdly, and most importantly, there is always context that absolutely has to be taken into consideration. Sure, you’d be foolish to jump into a random person’s for-rent car thinking it’ll be a good ambulance. But if the car has “Ambulance” painted on it, and the driver repeatedly tells you they also drive ambulances for the city hospital, and there’s a siren on top, that person can and should be held liable for falsely presenting themselves as an ambulance. Even if they do have a tiny little note somewhere that says “not an actual ambulance”.
And the same should happen in software. If people are working on an open source project that has been used in dangerous situations, and they are fully aware that this could happen again, then they absolutely should face liability if their code kills somebody (for instance). We literally do this in almost every other aspect of life, so why should software developers be free from all responsibility? Engineers who design buildings have to take out liability insurance because they can be personally sued if their designs cause harm. Doctors take out malpractice insurance in case their advice causes harm. But software developers get to commit all manner of bullshit, and never face any consequences? No way, that’s stupid.
Firstly, contributing software to an open source project cannot be a blanket “get out of jail free” card. That’s a sociopathic stance, on its face, and just cannot be accepted.
I don’t understand. Why is that sociopathic? (Language barrier here? I really don’t get what you mean.)
Imagine an open source software project that is designed, from day 1, to produce software to drive a planet-destroying weapon. The fact that it is an open source project does not allow the software developers involved to freely make the software for the planet-destroying weapon without any responsibility for the consequences of using the weapon. They are directly involved in an activity that will destroy the planet, and they should be treated as such.
That is extreme, obviously, but the point is that there is a line somewhere. A hobby project is obviously not dangerous to anyone. A planet-destroying weapon is. It is sociopathic–literally, deadly to society–to pretend otherwise. In all other spheres of life, we are careful to distinguish which behaviors are dangerous from which behaviors are not. Why should open source software development be any different?
It should not be different. Some open source software development is dangerous, and should be treated appropriately.
@abucci@anthony.buc.ci that is an ironic example. Since the inventor of the seatbelt gave rights to use the technology freely.
@movq@www.uninformativ.de good example. Should the medical device manufacturer be liable? Yes. Should the library developer be liable? No.
@marado@twtxt.net I agree 💯
@xuu@txt.sour.is That has no relevance to the point!
@movq@www.uninformativ.de Cheers! I’m happy to agree to disagree too of course! Thanks for engaging!
More about this: In letter to EU, open source bodies say Cyber Resilience Act could have ‘chilling effect’ on software development
@marado@twtxt.net Does the latest version of the CRA still have this:
In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
“The Cyber Resilience Act can be improved by focusing on finished products,” Linksvayer added. “If open source software is not offered as a paid or monetized product, it should be exempt.”
This ☝️