zlacker

17 comments
1. candid+(OP) 2023-12-28 00:23:55
What about the CRA is so bad? The requirements seem like common sense. Can anyone point out something specific that seems overly onerous? Debian couldn't...

Our industry desperately needs better regulations, IMO.

replies(6): >>ManBea+F1 >>jahav+E2 >>froh+Y2 >>ekianj+B3 >>matheu+Cd >>gunapo+re
2. ManBea+F1 2023-12-28 00:39:37
>>candid+(OP)
Big parts of the legislation are good and long overdue. The big problem is that this effectively also includes many free/open-source software projects, as the definition for what constitutes "commercial" or "commercial-grade" is very broad. You host a FOSS library on GitHub that can be/is used by others? Congrats, you now have to fulfil all requirements. Look for "Update on the European Cyber Resilience Act" by the Eclipse Foundation on YouTube for more info.
replies(3): >>jahav+E5 >>shadow+N5 >>whales+wi
3. jahav+E2 2023-12-28 00:49:38
>>candid+(OP)
To put it bluntly, it means a significant risk when creating any open source project. It's common knowledge that there is no money in open source, but suddenly I am liable. Half of open source licenses are disclaimers of liability. Also a lot of other yet to be defined requirements (harmonised regulations, it is called, I believe).

Linux, World Wide Web… not worth the risk.

So I am making something in my free time, as a hobby, no monetary gain and suddenly I can easily get sued to oblivion. I need to at least buy insurance. My library is used left and right in commercial activity.

The impact assessment for the CRA is a total lie. It assumes a 100% decrease in cyber damages, laughably low compliance cost and a very small number of impacted entities (only companies, not individuals, and each company makes one product).

TBF, the version amended by the EP explicitly excludes individual developers; hopefully it makes it through the trialogue.

Edit: basically imagine the authors of log4j. Remember that security flaw that impacted half the internet? That is what's called liability. Did they 'apply effective and regular tests and reviews of the security of the product with digital elements;'? Better make it an industrial grade product, with no money, in their free time.

4. froh+Y2 2023-12-28 00:53:17
>>candid+(OP)
there needs to be regulation of for-profit services, so when you _buy_ software, there is a baseline that you can rely on, as a buyer.

we do not need regulation limiting distribution of volunteer work.

and the vague language for the delineation line is what's problematic with this proposal.

volunteers have no resources (time, money) to defend themselves or their products against false accusations of lack of compliance. likewise companies that happen to provide foss components might be approached about compliance even for their github content.

replies(1): >>GuB-42+88
5. ekianj+B3 2023-12-28 00:58:33
>>candid+(OP)
> Our industry desperately needs better regulations, IMO.

Famous last words of any dying industry

6. jahav+E5 2023-12-28 01:19:46
>>ManBea+F1
There is some hope for individual developers in the EP amended version https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COM... article 10c: > Developers contributing individually to free and open-source projects should not be subject to obligations pursuant to this Regulation.

Actually it's an improved version. Hopefully it will make it through consolidation with the EC version.

replies(1): >>ManBea+Ea
7. shadow+N5 2023-12-28 01:20:57
>>ManBea+F1
But if they don't include free/OSS projects, then commercial companies sponsoring FLOSS is an obvious way to launder liability, is it not?
replies(3): >>davora+uc >>ManBea+sd >>awwaii+qk
8. GuB-42+88 2023-12-28 01:45:36
>>froh+Y2
The problem with giving a pass to volunteer work and not to commercial activity is that there is a lot of potential for loopholes. Like by having a nonprofit tied to a for-profit company.

Getting the spirit of the law into writing is tricky, and it will most likely improve over time. Closing loopholes and making exceptions when merited.

replies(1): >>Ekaros+eb
9. ManBea+Ea 2023-12-28 02:11:04
>>jahav+E5
Thank you for providing that, I didn't know about that amended version. This only includes individual developers though, and if you are employed this is already a problem again: (10a) "[...]Similarly, where the main contributors to free and open-source projects are developers employed by commercial entities and when such developers or the employer can exercise control as to which modifications are accepted in the code base, the project should generally be considered to be of a commercial nature." A small step in the right direction, but not quite there yet. Companies that want to just release (old) projects would also be more hesitant now. Recurring donations from companies would also contaminate the project.
replies(1): >>jahav+Dd
10. Ekaros+eb 2023-12-28 02:16:49
>>GuB-42+88
Also many non-profits are big enough that you should absolutely apply rules to them. Think of Mozilla... It has very big and expensive products. And somehow just because they are non-profit and open source they should get away with murder...
replies(1): >>froh+nK1
11. davora+uc 2023-12-28 02:31:05
>>shadow+N5
Does not seem like it would; the company would still be responsible for their choice of open source software. That is how I would assume it would work, at least.
12. ManBea+sd 2023-12-28 02:38:28
>>shadow+N5
Sure, that is something that has to be avoided. The problem is that "commercial" is so broadly defined that basically everyone is covered, even non-profit organizations or single developers. A lot of those that want to release open-source stuff suddenly have to comply with all the requirements, which means having to spend a lot of time or money that non-commercial entities often don't have. This effectively kills nearly all of open-source in the EU. A sibling response mentions some improvements, but it still contains stuff like: (10a) "[...]Similarly, where the main contributors to free and open-source projects are developers employed by commercial entities and when such developers or the employer can exercise control as to which modifications are accepted in the code base, the project should generally be considered to be of a commercial nature."
13. matheu+Cd 2023-12-28 02:39:44
>>candid+(OP)
There's nothing wrong with it at first glance. It's high time they start adding some liability to these corporations because way too many of them just don't give a shit.

They just need to clarify some points. They need to explicitly make an exception for free and open source software developers. Because free and open source software development will be killed if they don't. Can you imagine getting sued because someone had problems with the free software you published on GitHub? The sustainability of free software development is questionable enough as it is. If publishing a project exposes me to that kind of risk I'll simply not publish.

14. jahav+Dd 2023-12-28 02:39:59
>>ManBea+Ea
That is one of them; here is the second version with different amendments by the European Council: https://data.consilium.europa.eu/doc/document/ST-11726-2023-...

They are now hashing out a final consolidated version in a trialogue.

15. gunapo+re 2023-12-28 02:46:30
>>candid+(OP)
> Our industry desperately needs better regulations, IMO.

Can you explain how you believe better regulations would improve software (assuming you're talking about software)?

16. whales+wi 2023-12-28 03:30:54
>>ManBea+F1
Get ready for the next evolution of "this website is not available in your country", except it'll be GitHub repos, Hugging Face models, etc. The internet became worse with the GDPR/cookie warning stuff and this will continue that trend.

Insane tbh. The EU is all about safety to the extreme and it's nauseating. Pretty soon you won't be able to fart there without getting a permit and sign-off from some kind of council.

17. awwaii+qk 2023-12-28 03:47:27
>>shadow+N5
Sounds like a feature rather than a bug!
18. froh+nK1 2023-12-28 16:39:47
>>Ekaros+eb
well you could easily put regulations on whatever is delivered to paying customers.

so if you do pay for software, you know which cybersecurity scrutiny is in place --- while no-cost software comes with no warranties whatsoever.
