zlacker

[return to "EU Cyber Resilience Act: What does it mean for open source?"]
1. martin+Df[view] [source] 2023-12-30 22:04:54
>>ahuber+(OP)
Am I right in thinking that if you were a small indie OSS developer that offers commercial support or similar "services", all these regulations will now apply to you?

While I get they new draft has changed it so if you are non profit or accepting donations it doesn't apply (I think?) The biggest problem is that isn't a great model for OSS anyway.

A much better model imo is charging for a "pro" version with support included and maybe some extra features.

This regulation is likely to totally kill the viability of that model if you need to do expensive security audits.

◧◩
2. onepla+ug[view] [source] 2023-12-30 22:10:33
>>martin+Df
It applies to you in the sense that your services are covered by the CRA. Your projects themselves probably don't unless you have an open-core model where you have a commercialised 'supported' version, in which case you're not responsible for all users, but you are on the hook for the commercial users.

In a way, I don't think it's that much at odds, if someone comes up with a great open source project but not to 'give away' as a present or in a classic FOSS style, but instead as some sort of funnel to get paying customers (which includes pure support), you're already doing it commercial, and even without the CRA you'd probably be on the hook for doing it right anyway.

[go to top]