I personally will not allow people in the EU to use any software I write going forward, I imagine other open source developers will take these steps as well.
I'm mostly curious what that means for something like the MIT license... For those who need a refresher, this is the part I mean.
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
That being said, if you don't audit your open source libraries, you should be held liable. I've seen open source encryption libraries do some really dumb things that I wouldn't touch with a ten foot pole. Yet they are some of the more popular ones.
"If open source resources are in/called/touched your code, you’re responsible for their performance too. The open source resource licensed away their liability to you."
This is the norm. The private company holds responsibility for vetting everything they ship.
It's a speculation on how the law will be enforced for a law with no history, and I don't see why you would assume the worst interpretation.
Are there cases of open source projects being careless or negligent that have caused harm that this would address? Aside from some unintentional vulnerabilities that have been found, it’s hard for me to think of an example that would necessitate more regulation.
> all blame/liability should lie with ... the provider of commercial software
Is precisely what the EU intend to do (according to the article - no idea how accurate it is), not put the liability on open source devs.
From the article:
> So, how is open-source software implicated? If a commercial software product causes harm, whoever put the software on the market will soon be strictly liable. You will need to prove that your code wasn’t to blame to escape the costs. But what if you’ve embedded open-source code, used open-source tools, or called open-source APIs? Under the pending rules, you’d be liable for any errors in those sources as well, regardless of whether you directly contributed or not. A license like the one Apache provides won’t help, since state-imposed strict liability isn’t a harm that can be licensed away by private actors. The user must be made whole, and that’s on you. Worse still, how will you in turn identify or sue the collaborator or collaboration that actually wrote the faulty open-source code to recoup your costs? In that case, the license you signed likely insulates your open-source partners from your claims.
/e: let me clarify, I agree with the three comments under me. You, the commercial entity using my code, are accountable. I am not liable if you as a private person run my shitty code. I was thinking of private persons and being on the hook for my GitHub repos.
Making commercial vendors who rely on open source software liable for bugs is fantastic news, that's how it always should have been. You can't have a commercial company throw their hands up and say "well github.com/cutefuzzypuppy is at fault for writing an open-source npm package we used so harm to our customers is not our fault!"
The author should have been liable for the damage they caused. The industry self-regulated itself but that is a case that I can think of, specifically caused by negligence.
The last draft clearly excludes open source software as long as there is no commercial activity associated. If voted in this state, it won't affect the vast majority of developers releasing some code under an Open Source license. But it will wipe out all small businesses: if you're a solo company selling support or feature development on some Open Source software you wrote, paperwork and liability are just not worth it.
And good luck selling anything relying on existing Open Source libraries, because you're now liable for them too. Given the cost of a security audit, you may as well stop trying and just sell SaaS (which is explicitly excluded from the bill, funny).
Larger companies of course won't care and will continue shipping buggy software riddled with security holes because they can afford the paperwork and absorb the legal risk.
I concur, but I don't agree this is in the right direction.
> I'm mostly curious what that means for something like the MIT license
I think the article addressed that. Let me quote it for you:
> Today you can license-away that liability by putting the onus on the user to accept the risk, since bugs happen and hackers hack. Not your fault, you did your best, and you told the user that upfront. My read of the emerging regime changes that. It forces you to prove your code wasn’t the cause of the harm – “strict liability” in legal circles. Products like cars often get regulated this way. Essentially, the carmaker is at fault when something goes wrong unless they can prove they’re not.
> A license like the one Apache provides won’t help, since state-imposed strict liability isn’t a harm that can be licensed away by private actors.
If strict liability isn't a harm that can be licensed away by private actors then the last sentence you quoted couldn't be enforced:
> IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
In every case, we used those projects in production in our own shop. The tools worked for us. If they didn't, we kept tweaking until they did. They may not have been perfect in all possible scenarios, but they were useful for us.
And if my employers faced any liability problems whatsoever, they'd never have given me permission to release them.
Imagine suing Linus because Linux turns out to be vulnerable to an attack that hasn't been invented yet. The OpenBSD gang for finding and fixing a bug, even though it wasn't known to be exploitable, because it could have been. My boss because a little tool I wrote turned out to have a problem in an environment and use case we'd never imagined anyone using it in.
This is bullshit.
Update: A lot of readers have been quick to point out that the BS laws don't apply to all situations. That doesn't help the situation. "Hey, boss, can I give this tool I made away? If an ambulance chaser sues us for idiotic reasons, we'll probably be fine because the law doesn't cover how we're releasing it. Hey, come back here! Stop running!" I present as evidence jackasses like this: https://www.abc15.com/news/local-news/investigations/disbarr...
Yeah, I'm sure my employer would eventually win a frivolous lawsuit, but the mere possibility of that being an issue would be catastrophic to FOSS as we know it.
This over the top article is, I guess, pointing to open source software that's used by an individual directly from the source as an enduser and then causes harm, not to parts of commercial software that includes open source software when they talk about holding open source devs liable.
The article makes it clear that (as the author understands it, at least) someone who uses open source software in their commercial product is liable; the people who wrote the open source code [1] are not.
> If a user is harmed by software, the person they paid (targeted ads would count) must compensate them for the harm – unless the software provider can prove their software played no role in the ... harm. If open source resources are [used by] your code, you’re responsible for their performance too. *The open source resource licensed away their liability to you*.
(Emphasis mine)
[1] Assuming they used a license that limits liability, such as Apache.
Basically they can't just brush off responsibility for using FOSS code by saying "well I didn't write it, it's not my fault" unless you as the FOSS developer are selling them a support contract for any potential issues in your code.
> But what if you’re just part of a collaborative open source project, give away your app, or if there’s open source code in the product you put on the market? Who gets blamed when open source might be the heart of the problem?
Every other sentence is dripping in "sympathy for open-source creators", but buried in the subtext is "sympathy for the innocent commercial vendors who decided to rely on open-source projects."
> So, how is open-source software implicated? If a commercial software product causes harm, whoever put the software on the market will soon be strictly liable.
Good!
> You will need to prove that your code wasn’t to blame to escape the costs. But what if you’ve embedded open-source code, used open-source tools, or called open-source APIs? Under the pending rules, you’d be liable for any errors in those sources as well, regardless of whether you directly contributed or not.
Better! Now a big evil company _can't_ pass the buck to the unpaid hobby project creator!
Citation?
Apparently the current state of affairs is that open source (non-commercial!) devs and projects are safe. If you pack OSS as part of a commercial offering, you're on the hook for that as well (read: you're liable for the whole product you sell and can't put off some aspects to open source). So nothing to fear for us so far. Still in process though.
Please stop measuring the EU using US standards.
This is about liability for the organization that releases a product to be liable for it - all parts of it - regardless of whether some of those parts were developed by 3rd parties (e.g. Apache). But again, the headline and most of the article are not clear about this.
> My prediction, for what it’s worth, is that open source’s days outside academia and hobbyists are numbered.
The biggest issue I see with this law is around liability for open source projects that people are using directly. It'll be disastrous if all open source software ceases to exist or be available in Europe because volunteers face legal liability if their code has a bug. In theory this could even impact people outside of Europe if they don't prohibit access to their code by EU citizens.
I release a lot of code on github. Most of it is just random crap that I wrote to solve a specific need or to explore an idea, and I put it up under an open source license because why not? If it helps someone, that's great. Now I need to be concerned that the random "example-service" project I wrote in C and published a decade ago to go with a blog post I wrote will end up costing me all the money I have ever or will ever earn in my career.
It is completely open, and they produce an installer for people or you can build it yourself from Git.
Can you help me understand now, if there is a bug in NVDA (which is under the GPL) and it causes me trouble, say, it can't read a webpage that I need for some government thing, I could now sue my screen reader, which is actually just a bunch of dudes hacking something together? Is that the new behavior that is enabled by this upcoming law?
Next question, if this is the actual state of things, why would anyone ever make anything open source and allow it to be distributed in the EU now? It sounds like, and please please correct me if I am wrong, but it sounds like you could sue the makers of The Gimp, for instance, if a bug caused ... what, your pictures to come out looking wrong?
> Someone, or some entity, will need to accept financial and legal responsibility for what the project does in consumer hands.
Here's a crazy idea, maybe that person should be the consumer?
That is actually kinda concerning, if my MIT license of "no guarantee" won't protect me.
Other commenters who got it:
Not even FAANG can achieve this for 1/10th of the code they rely on.
This, especially the last sentence, sounds like a good thing.
I understand this. My reading and understanding of the issue leads me to believe that it's potentially disastrous.
Seems to me that you'll be liable for any issues.
The article is attempting to create a scare about things that have always been true. If a telco's services crash the telco has to compensate customers even if it was a postgres failure that caused it by failing to authorise handsets for a connection in a cell. For example.
All those coding jobs lost to AI will be regained when everything needs to be reinvented in-house.
> nothing specifying that you need to continue making your open-source package continually and indefinitely available.
There's a difference between making it available, and deliberately causing harm and untold productivity loss in a single day. This was a case of the latter.
Case 1: I have a blog that takes a conspiracy-level, anti-tax position. In it, I say crazy things like, “The IRS is illegitimate and financial records are unnecessary.” From reading this, someone shreds all their financial documents. As far as I can tell, the blog is perfectly legal under the First Amendment.
Case 2: I am an open source maintainer of a home assistant program. It includes personal file management. Due to a bug in the software, an end-user’s financial documents are deleted.
The easiest distinction is that the conspiracy reader is taking an affirmative act of destroying their own documents. But, I think that’s less different than at first glance. The software user is setting up a computer system based on an open source program that may have bugs in it, and that causes a loss of data. The conspiracy reader is setting up a worldview based on information that may have bugs in it, and that causes a loss of data.
Why would the software bug be regulated, but the conspiracy falsehood not?
> What if an open source project is used directly by consumers, and causes them harm? The public policy is clear: they must be compensated.
It's expressly not clear what the implications here are, according to the article.
My recollection, from previous discussion on HN, is that the definition of "commercial activity" is far more broad than the open source community would like it to be. And by "open source community", I mean the people that run various foundations and non-profits and things like that.
I don't think that throwing up a virtual tip jar on your Github page counts, but offering paid support would. If you collect telemetry and then sell "usage insights" that would also count as commercial activity. Advertising on the download page is commercial activity. If you have a Patreon account? I actually don't know about that. Anyone know?
I write open-source software, and make it available on GitHub, together with a nice installer. I deny any liability in my license, and the users are free to install it or not. They don't pay me in any way (not even in ads).
Am I liable according to new EU law?
"What if an open source project is used directly by consumers, and causes them harm? The public policy is clear: they must be compensated. Does it matter if they signed a license or didn’t pay someone? Their business is bankrupt, their files are in a hacker’s hands, or their own customers are suing them. Someone should be strictly liable. But who?
The EU is grappling with that very question, and it culminates in whether “open source” is exempt from liability in a law designed to protect consumers. So far the answer is “probably not?” Exemption means consumers bear the cost – exactly what the law is trying to change. Perhaps if the open source in question remains an academic or research tool, versus reaching consumers, we’re okay? The proof may come when the first consumer demands compensation, and the courts step in. But lawmakers know enough to realize that much of the open source out there – by definition – belongs to no one, or many someones, or really nobody that can be named and made liable. So waiting on a court case might provide clarity but no compensation and no one to even argue the case. Not the clarity a law is designed to provide."
But I rather think that no, the law just talks about products where you pay money for. And when I pay money for something, I do expect liability in some way and this is all right. But it is not all right to mix them both up for political support (or whatever the motivation here is).
See here for example: https://www.euractiv.com/section/digital/news/eu-updates-pro...
Specifically: “The Directive will not apply to free and open-source software developed or supplied outside a commercial activity. The liability rules apply when the software is supplied in exchange for a price or personal data used for anything other than improving the software’s security or compatibility.”
IMHO the original article is either wrong or trying to spread FUD.
My take is, if this law passes, I’m an EU citizen, and I use your MIT software without paying you and without engaging with it through some service of yours (e.g. sevaghbook.com) then you’re not liable if I get damaged.
This regulation ensures that whoever sells the software to the consumer is responsible, and that's the way it should be. The creator of a library doesn't know how his library will be used in the wild, he can't anticipate all possible problems, the product maker can. It is the product maker's responsibility to integrate external components properly, having validated that they are up to standard.
If you're a manufacturer, you can't just pick components at random and then say it's not your fault if your product doesn't work. That's why manufacturers have whole teams of people working to ensure that what they receive from a supplier is up to spec.
- Why does this person think they can release open source blueprints if they aren't qualified for what they design?
- Or, if a company used these blueprints to build a car, why didn't they do their due diligence?
That might depend on the ubiquity of the OSS in question. If a company's option is to rely on a piece of open source software that has been used billions of times over without incident versus rolling their own solution that at best has only been tested in-house, could they say the latter is really the safer bet?
It is not surprising that volunteer run projects kinda can keep up.
The telco has a service agreement with customers and it's clear exactly what service it was supposed to do and failed. Where is such an agreement for a random github repository? To put it a bit ad absurdum, say a user supplies a parameter to your math function so that it divides by zero and it results in some injury or loss. Who is liable for that? Should a judge try to parse some piece of code for whether it was reasonable for the user to expect passing zero will work?
There is a tremendous difference between creator and licensee, and lumping them together shows either a fundamental misunderstanding or incentives so perverse they're blinding the author.
From what I understood, the liability would only touch the creator if they're providing a _service_ to the public, and wouldn't touch people who release code for others to use.
And looking at it like that, doesn't this make sense? Who would have ever expected the provider of a service would be free from liability they cause? Regardless of what tools they're using to provide it.
I’m very happy with my public healthcare. I think every American would be as well.
And not to mention that our kids don’t need to do active shooter drills in school.
The article directly contradicts this:
> What if an open source project is used directly by consumers, and causes them harm? The public policy is clear: they must be compensated. Does it matter if they signed a license or didn’t pay someone? Their business is bankrupt, their files are in a hacker’s hands, or their own customers are suing them. Someone should be strictly liable.
Interesting times indeed. Though I think open source software generally is reliable enough that companies will simply continue business as usual and take on all the liability. They have enough deep pockets to pay compensation that one time something goes wrong, or at least that's my impression.
The article is very ambiguous in the way it describes the regulation. I recommended this one for more clarity : https://www.euractiv.com/section/digital/news/eu-updates-pro...
If I make a public repository `ComputerCleaner` with a single file:
#!/usr/bin/env bash
# <imagine an MIT license here>
rm -rf /
Should I soon expect to be defending legal threats from random strangers who ran this code only to gasp find that it deleted their files?
Would those execs rather . . .
a) publicly berate and fire the internal developer who created the problem
or
b) have to point out that the opaque series of tests internally just wasn't up to snuff and promise to improve them?
When the bug's in OSS and the company is held responsible, there is no option a.
Unless the OSS projects themselves are staffed up and able to provide legal responsibility, why use them?
Product liability excludes non commercial open source software, see:
https://www.europarl.europa.eu/news/de/press-room/20231205IP...
I concur that the long term likely outcome for the late adopter crowd is "certified lts editions, supported by BlahCorp" and the long tail of decay. I don't envy anyone in that system.
The early adopter crowd probably won't notice, they will steam ahead and keep their own patchset on upstream with regular contribute-back and CI. Sure, they are liable, but they will staff to certify their own systems.
OK, so let's say you bought a special computer monitor that had screen reading technology built in so it could read out or describe anything displayed on it regardless of operating system, even a raw video feed. And one day it catches fire and burns your house down.
Most people would think it was acceptable to sue the manufacturer of the hardware device. But if using NVDA somehow ended up making your laptop catch fire and your house burned down, in that case, oh well, it's just tough luck, caveat downloador etc?
What if it came out in discovery that the author was previously made aware via numerous emails that their application had a tendency to cause laptops to dangerously overheat, and they chose to disregard the problem? Is that still the consumer's financial and legal responsibility?
(Not saying there's any right answer, just wondering if I understand your position properly.)
EDIT: Just read other comments that clarified that OSS isn't subject to this new directive, so this a moot issue I suppose.
If you sell a product e.g. a car and the brakes don't work you are liable
If you sell a product e.g. a medical software which calculates and runs your insulin pump and it responds to a division by zero error with injection 1000x the amount of insulin your are liable.
You don't have to focus on the how, only on if it was your product and was sold to a customer.
Who was at fault (product or customer) will be decided in a lawsuit.
If you don't sell anything then these laws don't apply to you, even if the article seems to be unclear about that.[1]
https://www.europarl.europa.eu/news/de/press-room/20231205IP...
Edit: Somebody linked the full EU briefing: https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393...
On Page 5 there is a passage about how free-of-charge open source software is excluded and also who is liable in a commercial activity:
With the aim of not hampering innovation: (i) free and open-source software developed or supplied outside the course of commercial activity, as well as (ii) the source code of software, should be excluded from the definition of products covered under the proposal.
As far as the broader scope of the proposal compared to the existing PLD on liable parties is concerned, Article 7 of the revised PLD lists the types of 'economic operators' which can be held liable for defective products, by introducing a layered approach to liability depending on the different qualification of the economic operator.
Among the list of economic operators are: (i) the manufacturer of a product or component, (ii) the provider of a related service, (iii) the authorised representative, (iv) the importer, and (v) the fulfilment service provider or the distributor. The manufacturer should be liable for damage caused by a defect in their product or components. An innovation introduced in the revised PLD is considering any economic operator who has substantially modified the product outside the control of the manufacturer liable for any defect. Such a party is then considered as a manufacturer.
When a manufacturer is established outside the EU, the revised PLD would further attribute liability for a defective product to the importer and the authorised representative in the EU. As a last resort, the fulfilment service provider (offering at least two of: warehousing, packaging, addressing and dispatching of a product, without having ownership of the product), will be held liable when the importer and authorised representative in the EU are based outside the EU.
Distributors of a defective product (offline and online sellers) can also be held liable upon request by a claimant and when the distributor fails to identify any of the above operators.
Online platforms should be liable in respect of a defective product on the same terms as such economic operators when performing the role of manufacturer, importer or distributor.
Liability to the vendor sounds like a good idea - too many cowboys out there. Also with stretched supply chains someone has to pay attention.
But full liability..? What if I make a crappy, low effort, cheap spreadsheet app, someone builds their business on top of it and it goes boom. Should I really be liable, on the basis of what I consider a casual product?
And then, the main point of the article, what if Vim deletes my files? The suggestion seems to be that Vim "owner" (???) is liable.
It feels like there should be some slider as to what liability the creator accepts (OSS - none, casual app - not much etc) but then we're back to square one, everyone disclaims liability etc.
Maybe it should be somehow linked to the price paid for the software?
With this new act, even selling 100€/month of support for a piece of software you are contributing to makes you subject to the full force of the bill (and the full force includes scary numbers, millions, with zero information on how precise amounts will be calculated).
We can only hope that it is not voted in this sorry state.
As far as
> when faced with a choice between being liable for their own code or being liable for open source code, most companies will choose to write their own code. If so, that would be a net harm to open source and user freedom
goes, even if that is true (I'm not really convinced) it doesn't really matter. What matters is finding the correct answer to "who is responsible" to which the answer can't be "nobody". And if it can't be nobody, then it must be somebody. And if it must be somebody, it absolutely shouldn't be some random guy who never specifically signed off on your usage of their open source code.
https://www.europarl.europa.eu/news/de/press-room/20231205IP...
You are still free to write and release any software you want, but as soon as you sell that software you are liable for damages.
See:
https://www.europarl.europa.eu/news/de/press-room/20231205IP...
Ianal but my intuition is that you're on point.
At the very least, I think it will have a chilling effect on the production and use of open source.
But here it is:
https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393...
> With the aim of not hampering innovation: (i) free and open-source software developed or supplied outside the course of commercial activity, as well as (ii) the source code of software, should be excluded from the definition of products covered under the proposal.
There's a reference to "Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008", which does not distinguish for-profit activity at all. Just "all products on market and all who manufacture and distribute shall conform".
(if you receive donations, it isn't commercial activity. If you display ads like Firefox or Brave, it is)
Counter to some fears about liability with a move like this, I am not convinced this will result in a negative outcome.
Businesses will pay big bucks to dump liability on someone else. And an author won't accept that liability for free.
I see an opportunity for authors or distributors of open source software to demand a fee for maintenance and shouldering some of some the liability for its use.
I see an opportunity for software professionals to vet the paid consumers of their libraries and, via consult, approve to take on the liability based on sound usage (charging fees to confirm sound usage).
I see an opportunity for a license that requires you, as the consumer, agree to take on all liability via signature if you aren't paying.
Is this not in the spirit of traditional open source? Maybe yes...
Or, maybe it is more like a source available model with as few strings attached as possible to get the story straight.
Maybe this is not a bad thing.
Personally? If the dynamics change so that I can realistically write software for a living independent from a single company without begging for donations, I would more strongly consider doing so. Incentives here might allow for that.
> Worse still, how will you in turn identify or sue the collaborator or collaboration that actually wrote the faulty open-source code to recoup your costs? In that case, the license you signed likely insulates your open-source partners from your claims.
I sincerely hope this will never become a possibility. The chilling effect would presumably be catastrophic for Free and Open Source software in the relevant legal jurisdiction. Why would anyone voluntarily release their code as FOSS if it opens them up to lawsuits?
>> As far as I can tell, the blog is perfectly legal under the First Amendment.
The blog is legal, but things can be legal and still have consequences.
Let's say you work at the office, and forget to lock up one night. Someone walks in and takes a laptop. -you- haven't committed a crime, but you'll likely lose your job.
Free Speech prevents the govt from locking you up based on what you say. (Unless what you say is a crime, like say inciting a riot.)
It does not provide you with the right to say whatever you like on a private (non govt) platform, nor does it absolve you from legal liability (consequences) of what you say.
The obvious example is "conspiracy to commit xxx" - sure all you did was -talk-, but Free Speech doesn't give you a pass for that.
I don't understand why you want to know what the provider is?
For the purpose of liability and open source the definition is that any open source free of charge software is excluded from the proposed changes, so the provider doesn't matter.
This can be seen in the first link, on the third headline bullet point "Not applicable to free-of-charge open-source software" as well as the second paragraph.
The provisional agreement on the liability of economic operators for damage caused by defective products aims to respond to the increase in online shopping (including from outside the EU) and the emergence of new technologies (such as AI) as well as to ensure the transition to a circular economic model. In order not to stifle innovation, the rules will not apply to open-source software developed or supplied outside of a commercial activity.
I also added the briefing of the proposed EU law with the details.
On a not-so-rational footing, I hope this puts an end to megacorps freeloading and using FOSS without contributing in any way despite making tons of money off of it.
An acknowledgment that it costs some small amount of money to host a website for the code, or that you may from time to time want to hire someone to do something specialized (design a logo?) and need to raise some amount of money for that to happen.
By world-wide standards (though not necessarily by Silicon Valley standards) I am fairly wealthy and thus could afford to support a completely commercial-free open-source project out of my professional salary. And this would make my project liability-free in the EU. But someone else, who didn't grow up in the USA at a time when university tuition was cheap, would not be able to do the same and their otherwise-identical project is subject to legal liability.
How is that fair? Isn't this just going to further concentrate open source contribution and leadership in a handful of rich countries (that are mostly not in the EU)?
The gray area where this often gets litigated is liability due to inappropriate use of a product, since liability for clear and obvious inappropriate use typically falls on the user. What constitutes an "inappropriate use" is frequently unclear, especially for casual products where you are unlikely to clearly document and delineate what does and does not constitute appropriate use. If you read the fine print of commercial enterprise software licenses, it frequently has a long list of applications for which the software is deemed inappropriate for legal purposes. The product may in fact be fine for those applications but the producer does not want to take on the liability.
It is difficult to enumerate all possible inappropriate uses of software. Enumerating inappropriate use cases to limit liability arguably conflicts with open source's principle of non-discriminatory licensing.
Are you from the US? In New Zealand suing is mostly a foreign idea and very rarely occurs.
Occasionally criminally negligent behaviour gets spanked - but even there it's often an idiotic scapegoating farce (local examples: CTV building, fund fraud, Royal Commission of Inquiry into the terrorist attack on Christchurch masjidain).
One alternative system is government insurance against harm e.g. New Zealand has a no-fault ACC system for helping victims of industrial accidents.
OSS is infrastructure and trying to scapegoat an individual developer or company for unforeseen harm is insanity. Finger pointing and a culture of blame seem to be unproductive.
A good place to start thinking about policy would be to look at log4j. What policy would prevent that? Would a culture of victimising creators have prevented that vulnerability?
> sue the manufacturer of the hardware device [that starts a fire].
There's the implicit philosophy that we can use reductionism to find a cause.
Finding cause is getting more difficult as we complexify the world. Read reports on disasters, and then try to imagine how to prevent them? There's an almost Christian religious belief that penalising the person who makes a mistake will fix the system.
Cue blaming the pilot. We still often blame the pilot even after decades of work in aviation management to try and produce safety systems that try to apply a fix in the correct place.
I recommend the Linux Foundation's article[2] for a more comprehensive understanding of the proposed rules.
[1] https://blog.opensource.org/the-ultimate-list-of-reactions-t...
[2] https://www.linuxfoundation.org/blog/understanding-the-cyber...
I'm not certain the second order (or later) effects will necessarily be unequivocally good. Software supply chains are more like a double pendulum in that changes are probably chaotic enough to obscure their effects.
For example, my very first thought was that large businesses are generally risk averse, specifically in the realm of liability. Have you ever read a TOS? It feels to me the major elements of that interminable document are statements that limit liability. It is to the point of humor that we engage in clicking through the "I accept" of a software license like some strange universal ritual. This is the realm we are dealing in here, deep and arcane. The ubiquitous TOS ritual should remind us all that software is beholden to forces outside of itself.
Companies go through insane effort to avoid legal liability. This law is going to change that calculus. If the cost of covering that change is high, this could precipitate a change to closed-source alternatives that come with some delegation of liability. For the cynically minded, companies that offer equivalents to OSS that come with a liability waiver might see an ascendance and potentially offer a good investment opportunity. Alternatively, repackaging existing OSS as a commercial product while only adding some legal liability as an add-on might become a viable business.
Those considerations challenge any argument towards unequivocally stating this is a good thing, even if there are definitely positive aspects to this change.
Also, it will raise the barrier to entry for any small vendor or a solo dev trying to make a living with open source.
"Trying to start your own small business in the EU? Tough shit. Go get a job, peasant!"
Unless I've terribly misinterpreted the text, which is entirely plausible given a lack of sleep and enough coffee to jump-start a small star.
Edit: typo
Some of the biggest open source projects are owned by megacorps, like React (Facebook), TypeScript (Microsoft), and Tensorflow (Google). And it's clear from these examples that their stewardship has wrought benefits for both the company and the community. The company benefits from what would otherwise be their internal tooling becoming an industry standard - Facebook doesn't need to train React devs after hiring them. And the code is more robust as more people use it - Microsoft doesn't even need to use its latest TypeScript version, they can just wait for the community to test it for them...
Then somebody linked it in a comment below and then it was fairly easy as I knew what to search for from the short description in the first link.
But I have no real basis for that; I would assume that based on Kickstarter and co also getting money from consumers without having to abide by any consumer rights.
I assume that the option of donating while keeping the software available free of charge would fall under the same category as getting gifts from strangers.
On the contrary, displaying ads directly in the app would fall under commercial activity because you force the user of the app to give you money (via an ad provider).
If I give away the software but sell support, am I only liable to customers or to everyone? Similarly, if I let people opt in to commercialization of their data, am I liable to those that opt out? Does someone signing a terms of service qualify as commercial activity?
If I fork something and give it away can I sue the person I forked it from? If I tell people "YOU ARE NOT ALLOWED TO USE THIS BUT YOU CAN FORK IT" am I liable if they ignore me? Does a fork qualify as a new product or is the original author liable?
I wonder if this new legislation might muddy the waters as to whether people like him might actually get sued for the software they provide to the world?
Even if the legalese doesn't actually support the notion that this could happen, we won't know for sure until someone puts it to the test. Which means someone needs to get sued so the actual law is tested in a courtroom. A chilling effect for any developer who doesn't have big money backing them. The risk of getting sued, or even the very notion of it, might just be too great to risk and not worth the hassle for the majority of people.
With the aim of not hampering innovation: (i) free and open-source software developed or supplied outside the course of commercial activity[1]
You are only in a commercial activity if you sell that product to that customer or you sold it to a distributor who then sold it to a customer.
E.g. if a customer doesn't buy from you he has no commercial activity with you so no liability.
I would argue that code is code and only becomes a non-fungible product in the instance of selling it, and only then the laws apply.
[1] https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393... => page 5 under the light gray box
Edit: fixed italics
https://www.europarl.europa.eu/news/de/press-room/20231205IP...
I only skimmed the OP and doubt it's intentionally confusing, but it is confusing because its prediction of doom is wacky. Manufacturers (eg developers of IoT devices, the insecurity of which is a major impetus for the legislation, apps, etc) will need to adopt modern development practices such as updating their dependencies when a vulnerability is known -- and that includes manufacturers that wrap a mostly open source codebase in a final product or monetise an open source codebase in various ways called out in the legislation.
Yes if a consumer is harmed by a completely open source thing not placed on the market, say something in Debian, they will not be able to sue the developers, and the developers aren't subject to fines etc under the CRA. That's the balance intended by the legislation (after lots of attempts to get it right), to not wreck incentives to develop open source, but to make product developers more responsible. In other words, the public policy is not exactly as you state it. :)
TFA might of course be wrong, but otherwise, my concerns stand I think.
What will happen to the open-source world once you're held liable for some moron who uses some software I wrote for myself? Or incorrectly uses it?
Do you really believe curl should be held liable because some POST failed and a user lost something over it?
What about my old backup scripts? Do I need to remove them from my repos?
Cool, don't use my code if you're in Europe or within Europe.
We will need amended licensing for denying use within Europe.
The question is, are boilers the same as software? Sometimes maybe? Therac-25 is definitely true. Crud HR apps are a maybe.
How does being liable for damages caused by software or services you sell equate to being an idiot? I just see it as the normal way to do business, and the reason why limited liability (the way I’ve been doing business for more than 2 decades) exists.
In light of it, I think the article I found didn’t link to it out of sloppiness, because their summary seems reasonably accurate to me, and the fine article didn’t link to it because they want to spread FUD, as the text you quoted directly contradicts some of the fear mongering in the original article.
My reading of the text is that the one actually selling the software product is the one having to abide by this law. Am I incorrect?
How could this be negative? I presume that most publishers of open source software would prefer that some Silicon Valley Unicorn did _not_ half-heartedly integrate their library, causing security issues and tainting their library name?
For most of my early career (security focused), companies would download copies of packages for use, and they would go through a rigorous security scanning and vulnerability management process before being included in a whitelist of internally approved tooling for product dev. Licensing, regulatory compliance and international involvement in dependencies were reviewed at this stage.
In this type of environment, which is very good from a security perspective, it would be virtually impossible for the Left-pad removal to have the impact that it did. So the problem as I see it is not that the author of Left-pad did a naughty thing (he was well within his rights given the 'why' of it all), the problem is that generations of developers have been successfully trained to believe that all their assurance work has just magically been done for them: In many cases the modern ecosystems make it virtually impossible for them to verify and control packages themselves.
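The internal-whitelist process described in the comment above, as an added example that is not the commenter's code: a build gate that refuses any dependency not matching a reviewed (name, exact version, archive hash) entry. Package names, archive contents and hashes are all constructed for the illustration; nothing here comes from a real registry. The point it demonstrates is that under such a gate a package vanishing from the registry, a version bump, or a tampered mirror each becomes a build failure instead of silently reaching the product.

```python
"""Allowlist-based dependency gate (constructed illustration).

Every package a build pulls in must match an internally approved entry:
exact name, exact version, and the SHA-256 of the archive that was reviewed.
Anything else is reported and the build is refused.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

PkgKey = Tuple[str, str]  # (name, version)

# Constructed stand-ins for package archives; real builds would read tarballs.
ARCHIVES: Dict[PkgKey, bytes] = {
    ("left-pad", "1.3.0"): b"module.exports = function leftPad(s, n, c) { /* v1.3.0 */ }\n",
    ("left-pad", "1.3.1"): b"module.exports = function leftPad(s, n, c) { /* v1.3.1 */ }\n",
    ("request", "2.88.2"): b"module.exports = function request(opts, cb) { /* v2.88.2 */ }\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: the versions security review actually signed off on.
ALLOWLIST: Dict[PkgKey, str] = {
    ("left-pad", "1.3.0"): sha256_hex(ARCHIVES[("left-pad", "1.3.0")]),
    ("request", "2.88.2"): sha256_hex(ARCHIVES[("request", "2.88.2")]),
}


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    # one of: approved, unapproved-package, unapproved-version,
    #         unavailable, hash-mismatch
    status: str


def verify_manifest(
    manifest: Iterable[PkgKey],
    allowlist: Dict[PkgKey, str],
    fetch_archive: Callable[[PkgKey], Optional[bytes]],
) -> List[Finding]:
    """Check each (name, version) in a build manifest against the allowlist.

    fetch_archive returns the archive bytes for a key, or None if the
    registry/mirror no longer has it (the left-pad removal case).
    """
    approved_names = {name for name, _ in allowlist}
    findings: List[Finding] = []
    for name, version in manifest:
        key = (name, version)
        if name not in approved_names:
            findings.append(Finding(name, version, "unapproved-package"))
            continue
        if key not in allowlist:
            findings.append(Finding(name, version, "unapproved-version"))
            continue
        data = fetch_archive(key)
        if data is None:
            findings.append(Finding(name, version, "unavailable"))
        elif sha256_hex(data) != allowlist[key]:
            # Archive differs from what was reviewed: tampered or re-published.
            findings.append(Finding(name, version, "hash-mismatch"))
        else:
            findings.append(Finding(name, version, "approved"))
    return findings


def build_allowed(findings: Iterable[Finding]) -> bool:
    """The gate: a build proceeds only if every dependency is approved."""
    return all(f.status == "approved" for f in findings)


if __name__ == "__main__":
    manifest = [("left-pad", "1.3.0"), ("left-pad", "1.3.1"),
                ("lodash", "4.17.21"), ("request", "2.88.2")]
    for f in verify_manifest(manifest, ALLOWLIST, ARCHIVES.get):
        print(f"{f.name}@{f.version}: {f.status}")
```

Feeding the gate a different `fetch_archive` models the two registry failure modes the comment alludes to: a registry that has dropped a package yields `unavailable` for an otherwise approved version, and a mirror serving altered bytes yields `hash-mismatch`, so neither reaches the product unnoticed.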
consider ghostscript, for example, which is open-source and a commercial product from artifex. the license terms are such that you generally only have to pay for it if you're embedding it in a printer, which many manufacturers do. but virtually every gnu/linux box has it installed without needing to pay for a license. suppose a security vulnerability in ghostscript (of which there have been a number) allows an attacker to own a million ubuntu machines and inject ransomware into thousands of companies in the eu who have no relationship with either the ubuntu company or with artifex
as i understand it, previous drafts of the product liability directive would have made artifex liable for damages in this situation, creating a strong incentive against making any commercial software open-source. do we know this cra avoids making artifex liable for fines? it seems that liability for fines would create the same kinds of incentives
has this been fixed?
as you likely know, i think a necessary and nearly sufficient step to solving the iot security problems is requiring the firmware to be open-source so that consumers can update it whether the manufacturer wants to or not
1 - This regulation only concerns commercial activity. So you could only sue the company I work for, and only if you've bought their products. Also by definition that excludes my personal projects.
2 - You can only sue for defects (in this legal context it means unsafe to use) or damage (physical or material). You can't sue for simple bugs.
These kinds of liabilities already exist for all the objects in your life, and yet you don't spend your time suing people every time something does not work as expected, I imagine.
bingo
So yes if you sell software, whether it is open source or not, you better have the balls to be liable.
I think that's more-or-less fine. There's a concern that companies don't want to be responsible for open source code, and will write everything in-house instead. I wouldn't be surprised if some companies do that, even if it's a bad idea. I don't know how common it'll be, but the worst case scenario is that it turns out to be bad for developers and for free software.
The second, murkier issue is what happens when there is no selling involved at all. If I download a Debian ISO, or clone some random repository on GitHub, then there has been concern that the author of that code will be financially liable for any errors in the software. That would be very, very bad. Early versions of the law seem to explicitly say that it would be the case. More recent versions seem like they might have an exception so long as there is absolutely no money changing hands. It's unclear what would happen in cases where open source software accepts donations. It could still end up being harmful to individual developers and to open source software in general. It's hard to say.
Developers have a duty of care to their users which no license can remove. You either make good software and comply with your duty or you will be ruined. That is the law.
Next year those Bitcoin developers will go to prison because they have not paid the billions they owe. Open source communism doesn't protect you from the law.
Yes. The developers of software have a fiduciary duty to users of their software.
The UK Court of Appeal already determined that the MIT license does not eliminate these duties when it found the authors of Bitcoin Core liable for billions of pounds of damages to Satoshi Nakamoto when they failed to change the Bitcoin protocol to return the coins that hackers took from him.
If you don't want to get sued and end up homeless and bankrupt like those Bitcoin Core developers you need to learn to obey the law and act in the best interest of your user.
* Person A makes OSS project P
* Organisation/Person B uses P
* A vulnerability in P causes financial harm to B
Is person A now liable under this law? What happens if person A has a Patreon or GitHub sponsor page? The latter seems to imply you're being paid for development and so this is now a commercial project?
Or is the requirement that the end user directly pays for the product? In that case this directive would not cover a variety of large objectively commercial products: Chrome, Slack, Java, arguably macOS and iOS (because you get new versions for "free" so the software is "free", right? Apple makes a point of stating its products are the hardware), etc - hence you can't say the "commercial" restriction requires money being exchanged directly for the software, but that gets you back to "does a Patreon, GitHub sponsor, etc mean you're now a commercial developer?"
Again, the problem here is the ambiguity, and the massive disparity between revenue and liability. If you make a few hundred (or even a few thousand) a year from sponsorship, should you be subject to massive liability? If a huge organisation, or a large number of different organizations, pick up your project, you could now be liable for damages those organizations are subject to.
There's a lot of focus in these threads on "company uses your OSS project in products they sell and a bug impacts their customers" rather than "company uses your OSS project, and a bug causes the company itself harm", i.e. the company is now the end user. To make it even more direct, what would happen if (as some companies do) the companies provide "sponsorships" (or whatever) for the OSS project development? Now the company is the end user and they're paying for development, and that sounds pretty "commercial".
But also this legislation completely undermines all OSS licenses, as they all say the software is distributed without liability or warranty. The liability restriction is completely neutered, so now contributing to any OSS project requires you to be able to afford a lawyer to determine whether you can do so without acquiring boundless liability, which seems like a surefire way to immediately price out the overwhelming majority of OSS contributors from ever contributing to any OSS projects.
[addendum] One other follow on from this would be that if you do have any sponsorship mechanism it would seem you're now liable for bugs in code submitted from other people unless you're paying every contributor for their contributions, specifically to transfer liability. If you don't do that you're acquiring liability for code written by others.
> It is of particular importance for manufacturers to ensure that their products do not contain vulnerable components developed by third parties.
> Manufacturers shall, upon identifying a vulnerability in a component, including in an open source component, which is integrated in the product with digital elements, report the vulnerability to the person or entity maintaining the component.
EDIT: Also, I concur with the poster below. It's developers who push back against management to get time allocated for bugs and technical debt instead of new features.
In 1350, people were dying of the plague, and doctors didn’t know how to treat them. That sucks, but medicine wouldn’t exist if they couldn’t have kept trying and failing. That’s where we are.
15% inflation in 2022 was fun, 11% in 2023 even more fun.
> In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. However where software is supplied in exchange for a price or personal data is used other than exclusively for improving the security, compatibility or interoperability of the software, and is therefore supplied in the course of a commercial activity, the Directive should apply
Whether sponsors/Patreon means "outside the course of a commercial activity" would likely be for courts to decide. It could mean that you only work on something that is "sponsored"... yeah, that would likely be covered. Getting a few euros with no obligations, hopefully not. But ultimately, it's a chilling effect until some court decides.
... from a longer transcript here https://www.infoq.com/presentations/security-supply-chain-os...
I'm not surprised that's what you think. I'm doubtful it's anywhere close to sufficient, as much as I'd like that to be true. The focus of the CRA is of course to make the manufacturer responsible, including for providing security updates for as long as the product is expected to be used (5 years or more typically). There probably is a weak recital suggesting manufacturers might make source code available to other undertakings so that they might provide security updates after the original manufacturer's support period, but no enforcement of this, and explicitly not requiring open source. Seems like a potential area for future regulation to improve upon.
IANAL but it seems clear cut to me: if you asked for money in exchange for your software (or for access to your software through an API or similar), or if you asked for personal information (in exchange for your software), then you're liable; otherwise, you're not.
Hypothetical:
I write a nifty alarm clock app. To cover some costs I charge a nominal fee. Some unknown condition occurs, a user misses a flight and loses their job.
According to your position I should be sued.
Why should I be held liable?
Daniel Stenberg has a blog post somewhere about all the hate mail he gets over the fact that curl is bundled in some software. You don't think some litigious person won't attempt to go after him over it?
My family has personally been impacted by a dumb lawyer trying to subpoena information incorrectly. Dealing with this was 7k in lawyer fees, covered by an insurance policy. Technically he could legally be held accountable for this terrible usage of the courts, but it would have been an even bigger mess.
He's got many other examples of emails he gets from people. They find his name or whatever in some apps attribution.
It doesn't matter if there's legal grounds or not. Someone and some lawyer will make your life hell. They don't understand software nor do they care. It will be horrifically stressful and potentially very expensive for someone.
Maybe it's better in the EU but the second the lawyers or the insurance companies get involved it will make everything awful.
This is the core issue: essentially, if you want to publish OSS code you now need to know you can afford a lawyer, because even if a court decides you aren't liable, getting to that point requires a lawyer.
This is about the EU, not the US.
As someone who used to practice law in the EU before moving into software development, I can tell you that your hypothetical will never lead to a suit nor judgment in the EU, nor is your personal experience concerning a subpoena a thing that happens in the EU, if only because the concept of discovery doesn’t exist in civil law systems.
To put it differently and respectfully, you’re applying your knowledge of and experience with the US legal system to a completely different legal system that rarely produces outcomes similar to those in the US system.
Even the order of magnitude of judgments is leagues apart.
€1m judgments lead to coverage in legal outlets there if not regular mainstream media. In contrast, in the US, that money is thrown across the table to make an unviable but annoying class action disappear just because it’s cheaper than litigating it.
I’m bringing that up because, even in the unlikely instance of your hypothetical leading to a case that makes it to a hearing in the EU, the judgment against you will be close to, if not outright be, the nominal fee you charged the user (+ court fees) due to how the chain of causation works in the EU. The connection with losing your job is just too remote for any judge to consider liability.
Even if this would be about a car breaking down on the way to work, which already has strict liability under the current PLD, loss of job is just not going to be part of the equation, ever.
The part you quoted continues with:
> Their business is bankrupt, their files are in a hacker’s hands, or their own customers are suing them.
Those are not consumers. That's B2B and comes with significantly lesser protections (if any) in EU law due to the EU’s view of B2B relationships being less asymmetrical w/r/t power and businesses being better at assessing the risks.
The implications are clear because this is not some new thing the EU conjured out of thin air but rather an expansion of which products will fall under the PLD, so we know how this has shaken out historically.
The long and short of it is that with physical merchandise, manufacturers have long been liable if their products caused damage (e.g., batteries of electric scooters catching fire). Still, when it came to software, companies often just shrugged and said, “We provided it as is, so tough luck.” The EU now says that's simply not good enough, and software companies should be held to the same liability standards as merchandise manufacturers.
Software lobbyists, of course, don't like this, so to stop that, they've decided to spread FUD about FOSS.
That's it, that's the story.
0: https://www.bigtechwiki.com/index.php/Developers_Alliance
The long and short of it is that this talks about expanding product liability laws in the EU. Currently, software doesn't fall within the PLD, and software developers can shrug and say their software was provided as is if damages occur (e.g., loss of data, data leak, etc.), whereas manufacturers of merchandise are on the hook if their product causes damage (e.g., fire)
The EU says this isn't good enough and wants to include software in the PLD. This would only pertain to commercially exploited software (e.g., sold, provided with maintenance contracts, etc.), excluding tiny software developers.
The only relation this has to FOSS is that software developers that use FOSS in their product would need to, you know, make sure they know what they are including in their software (something they should do anyway).
This has zero effect on Joe Schmoe and their GitHub repo, but this lobbyist likes you to think otherwise to help him stop this change in EU regulation.
That's it.
0: https://www.bigtechwiki.com/index.php/Developers_Alliance
That was the time the FDA got far more rights to sanction and sue medical manufacturers, and I think we are in a better world for that.
The new law explicitly says what liability it wants to add:
* death or personal injury, including medically recognised psychological harm;
Whether software (including apps) was covered under the existing PLD has always been controversial.[i] For instance, there is controversy as to whether software should qualify as a product in the sense of the directive,[ii] or whether it is part of either the services or of the intangible goods category,[iii] which falls outside the scope of the existing PLD.[iv]
[i] D. Wuyts, The product liability directive – more than two decades of defective products in Europe, 2014, and BEUC position paper on the Review of Product Liability Rules, 2017.
[ii] See Article 2 of the existing PLD. A product has to be distinguished from a service and must be understood as 'all movables even if incorporated into another movable or into an immovable'.
[iii] See pages 53-54 of the Commission staff working document on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products, 2018: 'The definition of "product" as per article 2 of the Directive is related to the concept of "movable". This has been interpreted as meaning that only tangible goods shall be considered products [...] the non-tangible nature of some new technological developments (software, applications, Internet of Things, Artificial Intelligence systems) makes it difficult to classify them as products rather than services'.
[iv] K. Alheit, The applicability of the EU Product Liability Directive to software, 2001.
(Source: EPRS | European Parliamentary Research Service briefing)
* property damage, while removing the threshold of €500 and the possibility for Member States to impose a financial ceiling of €70 million; and
* loss or corruption of data that is not used exclusively for professional purposes
You don't even have to do it flawlessly; you still have the same defences available as in other product liabilities:
* the defect did not exist when they placed the product on the market;
* or the state of technical knowledge at the time of placing the product on the market made it impossible to discover the defect (i.e., the 'development risk defence').
We all buy medical devices and the companies are fully liable for them and they contain software, so it is quite possible to build software without getting sued.
see:
https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393...
edit: formatting
Which would in turn be very bad for society.
> whether “open source” is exempt from liability in a law designed to protect consumers. So far the answer is “probably not?” Exemption means consumers bear the cost – exactly what the law is trying to change. Perhaps if the open source in question remains an academic or research tool, versus reaching consumers, we’re okay? The proof may come when the first consumer demands compensation, and the courts step in.
What I was trying to communicate here is that I think meaningful negative impact to free software and to developers is a worst-case scenario and not the most likely scenario. It's plausible, and we should be concerned, but I think there's also a plausible outcome that is neutral or positive for free software if companies end up contributing more to free software as a way of ensuring they are meeting their obligations under the law.
> In the aim of not hampering innovation: (i) free and open-source software developed or supplied outside the course of commercial activity, as well as (ii) the source code of software, should be excluded from the definition of products covered under the proposal.
https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393...
If that's true (I have no idea if it is or not), I'd class it as a bug in the legislation. Consider a router I've purchased. It has a bug that allows thousands of them to be corralled into launching a DDoS against someone. The reality is I don't particularly care that happened; it didn't affect me. But the person it did affect didn't buy it.
Because open source would then be used as a loophole you can drive an A380 through. Say I invent a "household chores" robot. The robot has a bug that kills you. But your family can't sue because they made the bulk of its software open source and, say, give it to you for free. You paid for the hardware.
So if someone downloaded the software from some public repository without consulting you (let alone paying you), it doesn't apply to you. I imagine that would be true if they downloaded a binary and there was no source available (so it's not open source), and it had some horrible proprietary licence that nonetheless let you use it for free.
But on the other hand, if you made them pay for some GPL'ed software and then made the source available on request as the GPL insists you must, then it does affect you despite it being open source. So really, open source and open source licences have nothing to do with it.
In fact, from what I can tell, part of the reason this law exists is to forbid shrink-wrap licences on paid software exempting the supplier from liability. The licence having no effect on the applicability of the law is a desired feature. If the consumer paid for it, it applies no matter what your licence says.
Why this wasn't always the case is what's odd here, not this attempt to fix it.
As you said, my reaction is based on my personal experience in the US. However, at times the US does pick up ideas and concepts from the EU, specifically California.
Must admit, they are two-sided proposals, but anyway, I think we should be ready to react in time.
My prediction: if this happens, many people will remove their software from public repositories to avoid liability.
And/or licenses will be changed; probably much OSS will become "only for educational purposes", or something like this.
On one side this is dangerous for OSS, as many third-party "unimportant" dependencies will be lost, but on the other side it will be a powerful opportunity to make paid versions to cover the costs of development, and could significantly increase the level of OSS quality.
It's not exactly that way.
This is only the case if you are 21 or 25 years old (depending on country/state) and if you have insurance which covers this case, or if you have some juridical document for exactly this case.
For example, if you are a toddler/teenager NOT accompanied by an adult, the responsible people will be those who have the responsibility to restrict your appearance (entrance) in this park.
So in the EU, usage of OSS or products with OSS dependencies will be effectively prohibited for teenagers. This is not a very large share of customers, but approximately 7% of EU residents.
As I understand it, if you make more than 90% of your income working as a gardener, but develop OSS in your free time, you are guaranteed not to be liable.
But if you are a professional software developer, and make for example 50% of your income from software, you will need some powerful proof that the OSS in question, made by you, was not part of a commercial activity.