Page 15:
> In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
This sounds sane-ish, but the key is that it says Open Source Software is not exempted if it is part of commercial activity.
So what is commercial activity?
Page 34:
> 'making available on the market' means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge
That "free of charge" connected with "commercial activity" is what has people up in arms.
Does it include free stuff like Debian? Does it include donation-based FOSS like Zig?
These are the things that worry people.
[1]: https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-...
Ask log4j or OpenSSL.
Go read this: https://blogs.eclipse.org/post/mike-milinkovich/european-cyb...
I understand the need to somehow include them, but the line should be at the for-profit companies and exclude non-profits and individual developers.
How to formulate it without easy loopholes is no easy task.
We do need something like the CRA; we just need to make sure that it doesn't destroy our shining City of Open Source.
Vendors of Debian Installation Media https://www.debian.org/CD/vendors/
They are hardly Adobe, but all it takes is one zealous lawyer on a crusade to force an interpretation that Debian and Adobe are equivalent organisations when it comes to the commercial production of software.
pizza points out that Commercial Activity is apparently a bit more carefully defined, in the act, than simply “money changing hands”: https://lwn.net/Articles/956191/
I’ve never been a fan of the moral position that says certain laws only apply to commercial contracts. If two parties make an agreement (get married, have a child, adopt a cat, go fishing, etc.) then they ought to be held to that agreement. Whether or not money exchanged hands seems immaterial and considering whether it did or not, when trying to decide if someone acted in the right or in the wrong, feels dirty.
The entire point of the CRA is to make "manufacturers" liable for the quality of the software they produce, in a similar manner to how car manufacturers were held liable for the Takata air bags. But who is the manufacturer? In the Takata case it was the car manufacturers the car owners held liable. This LWN comment spells out how difficult it is for software: https://lwn.net/Articles/956218/
One sentence from that hints at the problem:
> the CRA's explicit statement that things qualify whether or not they are provided gratis.
The CRA as it stands doesn't draw the line in a way that clearly exempts a bunch of high schoolers uploading their code to GitHub, possibly because no one has figured out how to do it in a way that doesn't also give Google Chrome & Android a free pass.
To put it another way, you've asked an impossible question. You can't point to the faulty clause that exempts open source, because it doesn't exist.