In every case, we used those projects in production in our own shop. The tools worked for us. If they didn't, we kept tweaking until they did. They may not have been perfect in all possible scenarios, but they were useful for us.
And if my employers faced any liability problems whatsoever, they'd never have given me permission to release them.
Imagine suing Linus because Linux turns out to be vulnerable to an attack that hasn't been invented yet. The OpenBSD gang for finding and fixing a bug, even though it wasn't known to be exploitable, because it could have been. My boss because a little tool I wrote turned out to have a problem in an environment and use case we'd never imagined anyone using it in.
This is bullshit.
Update: A lot of readers have been quick to point out that the BS laws don't apply to all situations. That doesn't help the situation. "Hey, boss, can I give this tool I made away? If an ambulance chaser sues us for idiotic reasons, we'll probably be fine because the law doesn't cover how we're releasing it. Hey, come back here! Stop running!" I present as evidence jackasses like this: https://www.abc15.com/news/local-news/investigations/disbarr...
Yeah, I'm sure my employer would eventually win a frivolous lawsuit, but the mere possibility of that being an issue would be catastrophic to FOSS as we know it.
Apparently the current state of affairs is that open source (non-commercial!) devs and projects are safe. If you pack OSS as part of a commercial offering, you're on the hook for that as well (read: you're liable for the whole product you sell and can't put off some aspects to open source). So nothing to fear for us so far. Still in process though.
That is actually kinda concerning, if my MIT license of "no guarantee" won't protect me.
Other commenters who got it:
See here for example: https://www.euractiv.com/section/digital/news/eu-updates-pro...
Specifically: “The Directive will not apply to free and open-source software developed or supplied outside a commercial activity. The liability rules apply when the software is supplied in exchange for a price or personal data used for anything other than improving the software’s security or compatibility.”
IMHO the original article is either wrong or trying to spread FUD.
My take is, if this law passes, I’m an EU citizen, and I use your MIT software without paying you and without engaging with it through some service of yours (e.g. sevaghbook.com) then you’re not liable if I get damaged.
The article is very ambiguous in the way it describes the regulation. I recommend this one for more clarity: https://www.euractiv.com/section/digital/news/eu-updates-pro...
Product liability excludes non commercial open source software, see:
https://www.europarl.europa.eu/news/de/press-room/20231205IP...
If you sell a product, e.g. a car, and the brakes don't work, you are liable.
If you sell a product, e.g. medical software which calculates and runs your insulin pump, and it responds to a division-by-zero error by injecting 1000x the amount of insulin, you are liable.
You don't have to focus on the how, only on if it was your product and was sold to a customer.
Who was at fault (product or customer) will be decided in a lawsuit.
If you don't sell anything then these laws don't apply to you, even if the article seems to be unclear about that.[1]
https://www.europarl.europa.eu/news/de/press-room/20231205IP...
Edit: Somebody linked the full EU briefing: https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393...
On Page 5 there is a passage about how free-of-charge open source software is excluded and also who is liable in a commercial activity:
With the aim of not hampering innovation: (i) free and open-source software developed or supplied outside the course of commercial activity, as well as (ii) the source code of software, should be excluded from the definition of products covered under the proposal.
As far as the broader scope of the proposal compared to the existing PLD on liable parties is concerned, Article 7 of the revised PLD lists the types of 'economic operators' which can be held liable for defective products, by introducing a layered approach to liability depending on the different qualification of the economic operator.
Among the list of economic operators are:
(i) the manufacturer of a product or component,
(ii) the provider of a related service, (iii) the authorised representative, (iv) the importer, and (v) the fulfilment service provider or the distributor. The manufacturer should be liable for damage caused by a defect in their product or components. An innovation introduced in the revised PLD is considering any economic operator who has substantially modified the product outside the control of the manufacturer liable for any defect. Such a party is then considered as a manufacturer.
When a manufacturer is established outside the EU, the revised PLD would further attribute liability for a defective product to the importer and the authorised representative in the EU. As a last resort, the fulfilment service provider (offering at least two of: warehousing, packaging, addressing and dispatching of a product, without having ownership of the product), will be held liable when the importer and authorised representative in the EU are based outside the EU.
Distributors of a defective product (offline and online sellers) can also be held liable upon request by a claimant and when the distributor fails to identify any of the above operators.
Online platforms should be liable in respect of a defective product on the same terms as such economic operators when performing the role of manufacturer, importer or distributor.
https://www.europarl.europa.eu/news/de/press-room/20231205IP...
You are still free to write and release any software you want, but as soon as you sell that software you are liable for damages.
See:
https://www.europarl.europa.eu/news/de/press-room/20231205IP...
But here it is:
https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393...
> With the aim of not hampering innovation: (i) free and open-source software developed or supplied outside the course of commercial activity, as well as (ii) the source code of software, should be excluded from the definition of products covered under the proposal.
I recommend the linuxfoundations article[2] for a more comprehensive understanding of the proposed rules.
[1] https://blog.opensource.org/the-ultimate-list-of-reactions-t...
[2] https://www.linuxfoundation.org/blog/understanding-the-cyber...
With the aim of not hampering innovation: (i) free and open-source software developed or supplied outside the course of commercial activity[1]
You are only in a commercial activity if you sell that product to that customer or you sold it to a distributor who then sold it to a customer.
E.g. if a customer doesn't buy from you he has no commercial activity with you so no liability.
I would argue that code is code and only becomes a non-fungible product in the instance of selling it, and only then do the laws apply.
[1]https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393... => page 5 under the light gray box
Edit: fixed italics
https://www.europarl.europa.eu/news/de/press-room/20231205IP...
15% inflation in 2022 was fun, 11% in 2023 even more fun.
> In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. However where software is supplied in exchange for a price or personal data is used other than exclusively for improving the security, compatibility or interoperability of the software, and is therefore supplied in the course of a commercial activity, the Directive should apply
Whether sponsors/Patreon means "outside the course of a commercial activity" would likely be for courts to decide. It could mean that you only work on something that is "sponsored"... yeah, that would likely be covered. Getting a few euros with no obligations hopefully not. But ultimately, it's a chilling effect, until some court decides.
... from a longer transcript here https://www.infoq.com/presentations/security-supply-chain-os...
He's got many other examples of emails he gets from people. They find his name or whatever in some app's attribution.
It doesn't matter if there's legal grounds or not. Someone and some lawyer will make your life hell. They don't understand software nor do they care. It will be horrifically stressful and potentially very expensive for someone.
Maybe it's better in the EU but the second the lawyers or the insurance companies get involved it will make everything awful.
The part you quoted continues with:
> Their business is bankrupt, their files are in a hacker’s hands, or their own customers are suing them.
Those are not consumers. That's B2B and comes with significantly lesser protections (if any) in EU law due to the EU’s view of B2B relationships being less asymmetrical w/r/t power and businesses being better at assessing the risks.
The implications are clear because this is not some new thing the EU conjured out of thin air but rather an expansion of which products will fall under the PLD, so we know how this has shaken out historically.
The long and short of it is that with physical merchandise, manufacturers have long been liable if their products caused damage (e.g., batteries of electric scooters catching fire). Still, when it came to software, companies often just shrugged and said, “We provided it as is, so tough luck.” The EU now says that's simply not good enough, and software companies should be held to the same liability standards as merchandise manufacturers.
Software lobbyists, of course, don't like this, so to stop that, they've decided to spread FUD about FOSS.
That's it, that's the story.
0: https://www.bigtechwiki.com/index.php/Developers_Alliance
The long and short of it is that this talks about expanding product liability laws in the EU. Currently, software doesn't fall within the PLD, and software developers can shrug and say their software was provided as is if damages occur (e.g., loss of data, data leak, etc.), whereas manufacturers of merchandise are on the hook if their product causes damage (e.g., fire)
The EU says this isn't good enough and wants to include software in the PLD. This would only pertain to commercially exploited software (e.g., sold, provided with maintenance contracts, etc.), excluding tiny software developers.
The only relation this has to FOSS is that software developers that use FOSS in their product would need to, you know, make sure they know what they are including in their software (something they should do anyway).
This has zero effect on Joe Schmoe and their GitHub repo, but this lobbyist likes you to think otherwise to help him stop this change in EU regulation.
That's it.
0: https://www.bigtechwiki.com/index.php/Developers_Alliance
That was the time the FDA got far more rights to sanction and sue medical manufacturers, and I think we are in a better world for that.
The new law explicitly says what liability it wants to add:
* death or personal injury, including medically recognised psychological harm;
* property damage, while removing the threshold of €500 and the possibility for Member States to impose a financial ceiling of €70 million; and
* loss or corruption of data that is not used exclusively for professional purposes

> Whether software (including apps) was covered under the existing PLD has always been controversial.[i] For instance, there is controversy as to whether software should qualify as a product in the sense of the directive,[ii] or whether it is part of either the services or of the intangible goods category,[iii] which falls outside the scope of the existing PLD.[iv]
>
> [i] D. Wuyts, The product liability directive – more than two decades of defective products in Europe, 2014, and BEUC position paper on the Review of Product Liability Rules, 2017.
> [ii] See Article 2 of the existing PLD. A product has to be distinguished from a service and must be understood as 'all movables even if incorporated into another movable or into an immovable'.
> [iii] See pages 53-54 of the Commission staff working document on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products, 2018: 'The definition of "product" as per article 2 of the Directive is related to the concept of "movable". This has been interpreted as meaning that only tangible goods shall be considered products [...] the non-tangible nature of some new technological developments (software, applications, Internet of Things, Artificial Intelligence systems) makes it difficult to classify them as products rather than services'.
> [iv] K. Alheit, The applicability of the EU Product Liability Directive to software, 2001.
You don't even have to do it flawlessly; you still have the same defences available as in other product liability cases:
* the defect did not exist when they placed the product on the market;
* or the state of technical knowledge at the time of placing the product on the market made it impossible to discover the defect (i.e., the 'development risk defence').
We all buy medical devices and the companies are fully liable for them and they contain software, so it is quite possible to build software without getting sued.
see:
https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393...
edit: formatting
> In the aim of not hampering innovation: (i) free and open-source software developed or supplied outside the course of commercial activity, as well as (ii) the source code of software, should be excluded from the definition of products covered under the proposal.
https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393...