https://www.debian.org/vote/2023/vote_002#statistics
(No matter how good LWN's original journalism is, this is just a news link that does little more than link to the source itself)
Actually it’s an improved version. Hopefully it will make it through consolidation with the EC version.
Page 15:
> In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
This sounds sane-ish, but the key is that it says Open Source Software is not exempted if it is part of commercial activity.
So what is commercial activity?
Page 34:
> 'making available on the market' means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge
That "free of charge" connected with "commercial activity" is what has people up in arms.
Does it include free stuff like Debian? Does it include donation-based FOSS like Zig?
These are the things that worry people.
[1]: https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-...
There is a better way [2], but I don't know how we would convince politicians that there is a better way.
[1]: >>38788919
[2]: https://gavinhoward.com/2023/11/how-to-fund-foss-save-it-fro...
Ask log4j or OpenSSL.
Go read this: https://blogs.eclipse.org/post/mike-milinkovich/european-cyb...
They are now hashing out a final consolidated version in a trialogue.
Vendors of Debian Installation Media https://www.debian.org/CD/vendors/
They are hardly Adobe, but all it takes is one zealous lawyer on a crusade to force an interpretation that Debian and Adobe are equivalent organisations when it comes to the commercial production of software.
pizza points out that Commercial Activity is apparently a bit more carefully defined, in the act, than simply “money changing hands”: https://lwn.net/Articles/956191/
I’ve never been a fan of the moral position that says certain laws only apply to commercial contracts. If two parties make an agreement (get married, have a child, adopt a cat, go fishing, etc.) then they ought to be held to that agreement. Whether or not money exchanged hands seems immaterial and considering whether it did or not, when trying to decide if someone acted in the right or in the wrong, feels dirty.
What tends to happen with professional licensing is that barriers to entry are erected, reducing the supply of labour and artificially increasing the price of labour for existing software engineers.
See cosmetology licenses for example: it is ludicrous that it is illegal to shampoo someone's hair in New York without completing a 1,000 hour course of study or having 5 years (!!!) of experience [1]. Yeah, sure, you shouldn't be spreading diseases or anything, but this is far, far beyond that.
A less ridiculous example: doctors. In the US, there is a hilariously restrictive number of residency places available, and this number is set by the government and backed by the American Medical Association. This inflates doctors' wages and makes it much harder to become a doctor than is necessary. There's a strong case for licensing doctors, but the particular way it's done in the US is obviously suboptimal.
My point is that yes, politicians writing regulations wrong will hurt the industry, but strangling the industry by limiting the number of software engineers can also cause harm.
I believe you know this already ("my proposal isn't perfect") so don't take this as an argument, I'm just making the possible downsides explicit and adding some detail.
I don't find the idea useful to anyone but the unscrupulous. I find it very easy to draw the line. If I design something and publish it and people find it useful and put it to use that's clearly not commerce, that's just creativity.
The entire point of the CRA is to make "manufacturers" liable for the quality of the software they produce, in a similar manner to how car manufacturers were held liable for the Takata air bags. But who is the manufacturer? In the Takata case it was the car manufacturers the car owners held liable. This LWN comment spells out how difficult it is for software: https://lwn.net/Articles/956218/
One sentence from that hints at the problem:
> the CRA's explicit statement that things qualify whether or they are provided gratis.
The CRA as it stands doesn't draw the line in a way that clearly exempts a bunch of high schoolers uploading their code to github, possibly because no one has figured out how to do it in a way that doesn't also give Google Chrome & Android a free pass.
To put it another way, you've asked an impossible question. You can't point to the faulty clause that exempts open source, because it doesn't exist.
Isn't that the idea? If you can't innovate, litigate - see regulatory capture [1].
We hold the power, not the EU. Debian, FOSS developers, and small businesses world-wide should block EU IP addresses. No more Linux, no more Python, no more nothing. When the EU's digital infrastructure begins crumbling they'll change their tune.
[1]: https://totsipaki.net/ikiwiki/nparafe/posts_en/posts/Can_Eur...
The deadline for submitting presentation proposals has passed, but the schedule should be available shortly at https://fosdem.org/2024/schedule/track/eu-policy/
To make an analogy to the physical world: we have a company, B, that makes bolts. They publish the characteristics of that bolt but do not certify it for any particular use.
Company C makes cars and decides to use bolts from company B. It turns out that is not a good choice, since company B's bolts do not have the characteristics that are needed for use in a car.
The CRA, from the simple reading used in the discussions here [1], holds company B responsible for company C using the bolts in a way where people's lives depend on it.
This sort of reuse can be much more common in software than it is with bolts, for example, and just like company B did not control how company C used their product after buying it, open source developers do not control how others use their software, but the CRA might make them liable for it.
This does not make sense to me. Company C should be liable for their choice of bolt; company B should be liable for any false or incorrect claims about the characteristics of their bolt. Company B should not be held liable for the misuse of their bolt by company C, which is what the CRA seems to do.
[1] >>38788919
I am not sure that "commercial" or "enterprise" implies anything in terms of quality or should. "enterprise" for example is defined as "Enterprise software, or enterprise application software, is computer software used by organizations rather than individual users." by the following aws page[1].
Aerospace software already has to follow aerospace regulations, medical software already has to meet medical regulations.
Holding a company responsible for selling software with implicit claims but a liability disclaimer makes sense to me. Clarity in contracts, advertisements, terms of service, and similar makes sense. The CRA currently seems to hold responsible non-commercial entities or individuals who are not making claims and are explicitly going out of their way to disclaim liability. That does not make sense to me and seems counterproductive to the goal of safe software as well as a productive economy.