[return to "Debian Statement on the Cyber Resilience Act"]
1. candid+Eo 2023-12-28 00:23:55
>>diyftw+(OP)
What about the CRA is so bad? The requirements seem like common sense. Can anyone point out something specific that seems overly onerous? Debian couldn't...

Our industry desperately needs better regulations, IMO.

2. ManBea+jq 2023-12-28 00:39:37
>>candid+Eo
Big parts of the legislation are good and long overdue. The big problem is that this effectively also includes many free/open-source software projects, as the definition for what constitutes "commercial" or "commercial-grade" is very broad. You host a FOSS library on Github that can be or is used by others? Congrats, you now have to fulfil all requirements. Look for "Update on the European Cyber Resilience Act" by the Eclipse Foundation on YouTube for info.
3. shadow+ru 2023-12-28 01:20:57
>>ManBea+jq
But if they don't include free/OSS projects, then commercial companies sponsoring FLOSS is an obvious way to launder liability, is it not?
4. ManBea+6C 2023-12-28 02:38:28
>>shadow+ru
Sure, that is something that has to be avoided. The problem is that "commercial" is so broadly defined that basically everyone is covered, even non-profit organizations or single developers. A lot of those that want to release open-source stuff suddenly have to comply with all the requirements, which means having to spend a lot of time or money that non-commercial entities often don't have. This effectively kills nearly all of open-source in the EU. A sibling response mentions some improvements, but it still contains stuff like: (10a) "[...]Similarly, where the main contributors to free and open-source projects are developers employed by commercial entities and when such developers or the employer can exercise control as to which modifications are accepted in the code base, the project should generally be considered to be of a commercial nature."