https://www.debian.org/vote/2023/vote_002#statistics
(No matter how good LWN's original journalism is, this is just a news link that does little more than link to the source itself)
You can't just label everything as "doing business" and then regulate it all. If I make something interesting and give everyone in the world the blueprints so they can make one themselves that's not "doing business".
Our industry desperately needs better regulations, IMO.
And to answer your question more directly, the flour itself causes the damage. The vulnerability is only damaging if a malicious actor takes advantage of it.
Linux, World Wide Web… not worth the risk.
So I am making something in my free time, as a hobby, no monetary gain and suddenly I can easily get sued to oblivion. I need to at least buy insurance. My library is used left and right in commercial activity.
The impact assessment for CRA is a total lie. It assumes a 100% decrease in cyber damages, laughably low compliance cost and a very small number of impacted entities (only companies, not individuals, and each company makes one product).
TBF, the version amended by the EP explicitly excludes individual developers; hopefully it makes it through trialogue.
Edit: basically imagine authors of log4j. Remember that security flaw that impacted half the internet? That is what’s called liability. Did they use ‘ apply effective and regular tests and reviews of the security of the product with digital elements;’? Better make it industrial grade product, with no money, in their free time.
we do not need regulation limiting distribution of volunteer work.
and the vague language for the delineation line is what's problematic with this proposal.
volunteers have no resources (time, money) to defend themselves or their products against false accusations of lack of compliance. likewise companies that happen to provide foss components might be approached about compliance even for their github content.
bad analogies are bad
Famous last words of any dying industry
edit: Or if we go to the extreme of nothing except the action and potential for negative impact mattering then you'd need a license to give those cookies to your own kids or even yourself.
Much as I ardently support FOSS (and similar: open hardware, say) I also think this idea has some use and deserves substantial consideration.
It is difficult to draw the line here, much more difficult than it seems at first, in my personal opinion.
Food safety practices only became standardized after regulation was enacted.
> pre-approved and comparatively trivial recipes
That sounds like most software development.
I think you are unwittingly making the case that software development is a lot like food production. Software development is only beginning to get regulated because it is only now reaching the level where it is hazardous to public safety, unlike food production which reached that a long time ago.
Actually it’s an improved version. Hopefully it will make it through consolidation with EC version.
Posted Dec 27, 2023 19:32 UTC (Wed) by bluca (subscriber, #118303)
Can someone explain to me what in the statement from Debian is "anarco-capitalist FUD"? I find it quite reasonable overall.
Page 15:
> In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
This sounds sane-ish, but the key is that it says Open Source Software is not exempted if it is part of commercial activity.
So what is commercial activity?
Page 34:
> 'making available on the market' means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge
That "free of charge" connected with "commercial activity" is what has people up in arms.
Does it include free stuff like Debian? Does it include donation-based FOSS like Zig?
These are the things that worry people.
[1]: https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-...
There is a better way [2], but I don't know how we would convince politicians that there is a better way.
[1]: >>38788919
[2]: https://gavinhoward.com/2023/11/how-to-fund-foss-save-it-fro...
Ask log4j or OpenSSL.
Go read this: https://blogs.eclipse.org/post/mike-milinkovich/european-cyb...
Getting the spirit of the law into writing is tricky, and it will most likely improve over time. Closing loopholes and making exceptions when merited.
I understand need to somehow include them, but the line should be at the for-profit companies and exclude non profits and individual developers.
How to formulate it without easy loopholes is no easy task.
We do need something like the CRA; we just need to make sure that it doesn't destroy our shining City of Open Source.
They're just using that as support for why they disagree with the EU rules, since it can be considered "commercial" even if you're making no money, just because someone is losing money.
Because you actually can standardize them. Software isn't so simple.
"> pre-approved and comparatively trivial recipes
That sounds like most software development."
Lol no that does not. Why wouldn't high school graduates or drop outs work in software instead of at fast food? The number of languages, frameworks, patterns, etc are much more complex than basic sanitation and time/temp/acidity.
It isn't simple due to choice, not due to the nature of software. Software is relatively simple compared to other meat-space engineering disciplines. Software engineering is a relatively immature engineering discipline, but it is implicated in enough safety critical systems these days that it is about time to start maturing.
It will be painful but I welcome more software regulatory standards, because it is necessary for our trade to mature.
In other fields there is a direct relation between number of customers and liability.
But if I offer free software and also offer commercial support for it, and because of that I would be liable to everyone who uses that software, not just to those who pay for commercial support, then there is no relation between number of customers and liability, and liability cannot really be priced in.
They just need to clarify some points. They need to explicitly make an exception for free and open source software developers. Because free and open source software development will be killed if they don't. Can you imagine getting sued because someone had problems with the free software you published on GitHub? The sustainability of free software development is questionable enough as it is. If publishing a project exposes me to that kind of risk I'll simply not publish.
They are now hashing out a final consolidated version in a trialogue.
Can you explain how you believe better regulations would improve software (assuming you're talking about software)?
If Debian depends on people's work so badly maybe they should pay for it.
It’ll turn into the aerospace industry where “if it hasn’t flown, it can’t fly.” This is among other things why we still burn leaded gas in small planes. Replacing it is easy, but the cost of certifying any kind of new design is insane.
I’ve always just been against any such regulation because I have zero confidence our technically ignorant politicians can do it well.
I also think it’s likely to be sabotaged by consultants and big tech monopolists who see an opportunity to lock out competitors or create gravy trains.
Vendors of Debian Installation Media https://www.debian.org/CD/vendors/
They are hardly Adobe, but all it takes is one zealous lawyer on a crusade to force an interpretation that Debian and Adobe are equivalent organisations when it comes to the commercial production of software.
pizza points out that Commercial Activity is apparently a bit more carefully defined, in the act, than simply “money changing hands”: https://lwn.net/Articles/956191/
I’ve never been a fan of the moral position that says certain laws only apply to commercial contracts. If two parties make an agreement (get married, have a child, adopt a cat, go fishing, etc.) then they ought to be held to that agreement. Whether or not money exchanged hands seems immaterial and considering whether it did or not, when trying to decide if someone acted in the right or in the wrong, feels dirty.
For example, one might require some software to undergo various degrees of planning, testing, analysis, support, documentation, etc.
Right now, the amount of planning, testing, analysis, support, and documentation required by law is generally zero. This might be fine for someone's hobby project, but it is not okay for software that human lives depend on.
That is why I want the industry to self-regulate with professional licensure first.
If we let politicians do it, they'll do it wrong. If we do it first, and push hard to have politicians adopt our system when they've decided that regulation will happen, then we have a chance that it won't be awful.
As for consultants, yes, that could be a problem. However, I think professional licensure would minimize that because requiring a Professional Software Engineer (PSWE) on a project means having someone there for the long term, dedicated to the project, which is antithetical to consultants' game plan to run either short projects or many projects at once.
As for Big Tech monopolists, yes that could be a problem. However, I think professional licensure, with a Code of Ethics, would actually give the PSWE at such companies the ability to say no to such monopolization. And they would, if we could actually threaten loss of license.
So you are correct that my proposal isn't perfect, but I do think it minimizes the risk of bad things happening among the others.
Insane tbh. EU is all about safety to the extreme and it’s nauseating. Pretty soon you won’t be able to fart there without getting a permit and sign off from some kind of council.
Compared to the relatively high engineering standards and slow but at least continuous improvements in actual engineering disciplines, software is built so badly most of it should never see the light of day. If most machines we build were as insecure and crappy as software we'd have brought the Code of Hammurabi back already.
I just hope it doesn't destroy the nice things.
If it does, well, this is why we can't have nice things.
Of course, an outside agreement can establish such duties.
I personally think that any criteria that SQLite and Curl can't pass is too strict.
What tends to happen with professional licensing is that barriers to entry are erected, reducing the supply of labour and artificially increasing the price of labour for existing software engineers.
See cosmetology licenses for example: it is ludicrous that it is illegal to shampoo someone's hair in New York without completing a 1,000 hour course of study or having 5 years (!!!) of experience [1]. Yeah, sure, you shouldn't be spreading diseases or anything, but this is far, far beyond that.
A less ridiculous example: doctors. In the US, there is a hilariously restrictive number of residency places available, and this number is set by the government and backed by the American Medical Association. This inflates doctors' wages and makes it much harder to become a doctor than is necessary. There's a strong case for licensing doctors, but the particular way it's done in the US is obviously suboptimal.
My point is that yes, politicians writing regulations wrong will hurt the industry, but strangling the industry by limiting the number of software engineers can also cause harm.
I believe you know this already ("my proposal isn't perfect") so don't take this as an argument, I'm just making the possible downsides explicit and adding some detail.
Yes, I do, and I agree. This could go horribly wrong.
That depends a lot on the circumstances. If a malicious, sophisticated, actor broke into your shop and poisoned your dough, which resulted in you selling poisonous cookies, should you be liable because your security systems weren't good enough to stop the poisoner?
On what basis do you make this claim? If you do the same degree of optimization in software that is routinely applied in physical engineering disciplines that have some of the most complex system dynamics problems, such as chemical engineering, the dynamics of software systems are qualitatively much more complex. We expect chemical engineering to design systems that asymptotically approach theoretically optimal efficiency along multiple dimensions. In software we rarely see anything approaching similar optimality except for small and exquisitely engineered components that are beyond the ken of most software engineers. In large software systems, the design problem is so complex that computational optimization to the degree we see in physical engineering is completely intractable, so similar approaches do not apply.
In chemical engineering, the measure of system complexity is roughly the size of the system of differential equations that govern the total dynamics of the system. Computers then solve for the system, which can be computationally intensive. We do this routinely, with some caveats. An optimal design is not computable but we can get asymptotically close via approximation.
In software engineering, the equivalent would be formal optimization and verification of the entire program. The complexity of doing this for non-trivial software is completely intractable. Software has so many degrees of freedom compared to physical systems that they aren’t even the same class of problem. It is arguable if it is even possible in theory to achieve similar degrees of design robustness and efficiency that we see in physical engineering systems.
Unlike physical engineering, where a computer takes a set of equations and constraints, crunches numbers, and produces an approximately optimal design, no such thing is possible in software.
I don't find the idea useful to anyone but the unscrupulous. I find it very easy to draw the line. If I design something and publish it and people find it useful and put it to use that's clearly not commerce, that's just creativity.
A regulator doesn't really care about the internal complexities of an LLM and whether or not that is more difficult than cracking petroleum. They care more about how those things interact with the rest of the world. Software is pretty limited in how it interacts with the rest of the world.
The entire point of the CRA is to make "manufacturers" liable for the quality of the software they produce, in a similar manner to how car manufacturers were held liable for the Takata air bags. But who is the manufacturer? In the Takata case it was the car manufacturers the car owners held liable. This LWN comment spells out how difficult it is for software: https://lwn.net/Articles/956218/
One sentence from that hints at the problem:
> the CRA's explicit statement that things qualify whether or not they are provided gratis.
The CRA as it stands doesn't draw the line in a way that clearly exempts a bunch of high schoolers uploading their code to github, possibly because no one has figured out how to do it in a way that doesn't also give Google Chrome & Android a free pass.
To put it another way, you've asked an impossible question. You can't point to the faulty clause that exempts open source, because it doesn't exist.
Isn't that the idea? If you can't innovate, litigate - see regulatory capture [1].
We hold the power, not the EU. Debian, FOSS developers, and small businesses world-wide should block EU IP addresses. No more Linux, no more Python, no more nothing. When the EU's digital infrastructure begins crumbling they'll change their tune.
[1]: https://totsipaki.net/ikiwiki/nparafe/posts_en/posts/Can_Eur...
It also creates artificial scarcity which will easily 10X costs.
Dealing with security problems is much cheaper.
Is disqualifying EU users even possible?
Last year in the UK the creator of BitCoin won a multi-billion pound judgement against usurper "open source" developers who refused to alter the protocol to allow him to recover coins a hacker took from him.
Developers have a duty of care to their users which no license can remove even if they are communists calling themselves "open source". You either make good software and comply with your duty or you will be ruined. That is the law.
Both are concerned with non-discriminatory _licensing._ That would remain the case.
Neither of those documents obligate anyone to provide the specific service of providing downloads to anyone else, or providing any act of distribution at all.
Nevertheless, not being able to access the Debian servers would be most unfortunate.
There is always the possibility to only offer the priced version, even if it is free software. Someone else could of course redistribute it and then it would be their responsibility. That would be a less convenient world.
An open question is also when it becomes a product. Source code alone (ingredients)? Or executable form (usable)?
I have two projects and added such a clause in protest.
> commercial activity, whether in return for payment or free of charge
That definitely includes people like me who thought signing up for GitHub Sponsors was a good idea. What's the worst that could happen, right? For all I know it could include projects that accept donations too. Is writing a book about the project or offering screencasts or whatever the same as offering "technical support services"? Is building a community on GitHub or Discord or whatever "providing a software platform through which the manufacturer monetises other services"? Who knows? I'm not a lawyer.
And then they want other people to be accountable, how about government be accountable first.
Now rewind to 1990 or so. Add a Cyber resilience act. At best we maybe have a phone about as advanced as an old Nokia. But yeah, maybe hardly any cyber security flaws because the Internet would hardly function.
Instead of thanking all of the millions of developers who contributed to this, they proceed to kick them in the teeth and enact laws to steal from them in principle by raising the cost of entry.
1) this means MIT, Apache and many other licenses are dead in EU.
2) Laws override licenses, so the government can just make a law to ignore the 'no government use' clause.
How does someone know that a particular application is something lives depend on? Either your lawyer, insurance company, or regulator explicitly tells you.
so if you do pay for software you know which cybersecurity scrutiny is in place --- while no cost software comes at no warranties whatsoever.
The deadline for submitting presentation proposals has passed, but the schedule should be available shortly at https://fosdem.org/2024/schedule/track/eu-policy/
Why? I don't know. Is the medical world just messed up? Or is there something wrong with licensure?
Well, I sent an email with the link; that is all I can do.
I thought the CRA would make the original distributor responsible for what they distributed. So if A distributes to B and B redistributes to C, A still has responsibilities to C. B might also be in trouble when something goes wrong, but B redistributing does not shield A, to my understanding.
Seems like you are oversimplifying the process and goals of those creating new regulations; law makers often have to care about the internal complexities because they care about the consequences new regulations will have.
When a law maker is making regulations for an industry they should care about the internal complexities, since that determines the long term effects of the regulation. Law makers should care if new regulations kill small businesses or, in an extreme case that is not happening with the CRA, kill off an industry, since that affects the economy of the country they are law makers for, in addition to directly impacting the people represented by those law makers.
To make an analogy to the physical world: we have a company, B, that makes bolts. They publish the characteristics of that bolt but do not certify it for any particular use.
Company C makes cars and decides to use bolts from company B. It turns out that is not a good choice, since company B's bolts do not have the characteristics that are needed for use in a car.
The CRA, from a simple reading used in the discussions here[1], holds company B responsible for company C using the bolts in a way where people's lives depend on it.
This sort of reuse can be much more common in software than it is for bolts, for example, and just like company B did not control how company C used their product after buying it, open source developers do not control how others use their software, but the CRA might make them liable for it.
This does not make sense to me, company C should be liable for their choice of bolt, company B should be liable for any false or incorrect claims for the characteristics of their bolt. Company B should not be held liable for the misuse of their bolt by company C which is what the CRA seems to do.
[1] >>38788919
Our profession is still in a very early stage, sort of like the era of barbers performing surgery.
Such gatekeeping almost always ends up preventing new innovative entrants from coming in. It protects those who have the certification from competition. Thus leading to stagnation in the industry.
They will seek feedback from industry experts to determine if their rules should be refined, which is what is happening. The details of any internal complexity of an industry is entirely delegated.
I agree with what you're saying. I don't have enough of knowledge of EU law or the full text of the CRA to make a judgement about it specifically. I was just sharing my point of view on software regulation generally.
> Company B should not be held liable for the misuse of their bolt by company C
Putting aside this specific analogy, but on this topic: I do generally think that implied warranties are a good thing, and I don't think it should be legal to disclaim them in all scenarios. Most other professionals are held to professional liability standards, and it is expected that they follow certain basic standards when they practice.
Consider basic best practices, like testing and documentation. It probably is fine if a hobby video game developer doesn't do these things, but if you are putting out software that claims to be intended for "enterprise" or "commercial" use, it is certainly reasonable for others to expect that this software is "fit for this particular purpose", and was built with good software engineering methodology.
I do think it shouldn't be permissible to hide behind a shrink-wrap liability disclaimer when publishing software claimed to be of "commercial" or "enterprise" quality that doesn't even meet a basic standard of rigor.
What software really needs right now is a standardized way to measure development quality, and some legal guardrails around standards for dependency management.
MS give away a browser with their OS, that's still business activity but not directly commerce, IMO.
Now, you say "but I'm not doing that", however the law needs to account for those who would use the freedom to create something and give it away in order to manipulate the market. It happens.
So in my opinion, whilst I absolutely want to ensure FOSS projects can operate, I also want to ensure large companies can't simply release a product as OSS destroy the market and once captured then only update their commercial offerings, for example. So, it needs a bit of thought.
Think if it were something else as an exercise: say some nation implemented rules requiring you to pay $10k USD/year to that government as some nonsense open-source fee. Common sense says you should be able to say, in response, “well, then I guess I’m cutting that country off.” If the rule making country shouts “no takebacks!” and supersedes licensing, then wouldn’t that impinge on sovereignty?
If you can’t tell I am deeply and profoundly cynical of systems like this. They always turn into rent extraction schemes for bureaucrats, consultants, etc.
We may be working with different definitions here. If they did not care they would not delegate away the details of the internal complexity.
I am not sure that "commercial" or "enterprise" implies anything in terms of quality or should. "enterprise" for example is defined as "Enterprise software, or enterprise application software, is computer software used by organizations rather than individual users." by the following aws page[1].
Aerospace software already has to follow aerospace regulations, medical software already has to meet medical regulations.
Holding a company responsible for selling software with implicit claims but a liability disclaimer makes sense to me. Clarity in contracts, advertisements, terms of service, and similar makes sense. The CRA currently seems to hold non-commercial entities or individuals who are not making claims, and who explicitly go out of their way to disclaim liability, responsible. That does not make sense to me and seems counterproductive to the goal of safe software as well as a productive economy.