Making commercial vendors who rely on open source software liable for bugs is fantastic news, that's how it always should have been. You can't have a commercial company throw their hands up and say "well github.com/cutefuzzypuppy is at fault for writing an open-source npm package we used so harm to our customers is not our fault!"
>But what if you’re just part of a collaborative open source project, give away your app, or if there’s open source code in the product you put on the market? Who gets blamed when open source might be the heart of the problem?
Every other sentence is dripping in "sympathy for open-source creators", but buried in the subtext is "sympathy for the innocent commercial vendors who decided to rely on open-source projects."
>So, how is open-source software implicated? If a commercial software product causes harm, whoever put the software on the market will soon be strictly liable.
Good!
>You will need to prove that your code wasn’t to blame to escape the costs. But what if you’ve embedded open-source code, used open-source tools, or called open-source APIs? Under the pending rules, you’d be liable for any errors in those sources as well, regardless of whether you directly contributed or not.
Better! Now a big evil company _can't_ pass the buck to the unpaid hobby project creator!
> My prediction, for what it’s worth, is that open source’s days outside academia and hobbyists are numbered.
The biggest issue I see with this law is around liability for open source projects that people are using directly. It'll be disastrous if all open source software ceases to exist or be available in Europe because volunteers face legal liability if their code has a bug. In theory this could even impact people outside of Europe if they don't prohibit access to their code by EU citizens.
I release a lot of code on github. Most of it is just random crap that I wrote to solve a specific need or to explore an idea, and I put it up under an open source license because why not? If it helps someone, that's great. Now I need to be concerned that the random "example-service" project I wrote in C and published a decade ago to go with a blog post I wrote will end up costing me all the money I have ever or will ever earn in my career.
That is actually kinda concerning, if my MIT license of "no guarantee" won't protect me.
Other commenters who got it:
Not even FAANG can achieve this for 1/10th of the code they rely on.
All those coding jobs lost to AI will be regained when everything needs to be reinvented in-house.
"What if an open source project is used directly by consumers, and causes them harm? The public policy is clear: they must be compensated. Does it matter if they signed a license or didn’t pay someone? Their business is bankrupt, their files are in a hacker’s hands, or their own customers are suing them. Someone should be strictly liable. But who?
The EU is grappling with that very question, and it culminates in whether “open source” is exempt from liability in a law designed to protect consumers. So far the answer is “probably not?” Exemption means consumers bear the cost – exactly what the law is trying to change. Perhaps if the open source in question remains an academic or research tool, versus reaching consumers, we’re okay? The proof may come when the first consumer demands compensation, and the courts step in. But lawmakers know enough to realize that much of the open source out there – by definition – belongs to no one, or many someones, or really nobody that can be named and made liable. So waiting on a court case might provide clarity but no compensation and no one to even argue the case. Not the clarity a law is designed to provide."
But I rather think that no, the law just talks about products where you pay money for. And when I pay money for something, I do expect liablity in some way and this is allright. But it is not allright to mix them both up for politicial support (or whatever the motivation here is).
See here for example: https://www.euractiv.com/section/digital/news/eu-updates-pro...
Specifically: “The Directive will not apply to free and open-source software developed or supplied outside a commercial activity. The liability rules apply when the software is supplied in exchange for a price or personal data used for anything other than improving the software’s security or compatibility.”
IMHO the original article is either wrong or trying to spread FUD.
My take is, if this law passes, I’m an EU citizen, and I use your MIT software without paying you and without engaging with it through some service of yours (e.g. sevaghbook.com) then you’re not liable if I get damaged.
That might depend on the ubiquity of the OSS in question. If a company's option is to rely on a piece of open source software that has been used billions of times over without incident versus rolling their own solution that at best has only been tested in-house, could they say the latter is really the safer bet?
It is not surprising that volunteer run projects kinda can keep up.
Interesting times indeed. Though I think open source software generally is reliable enough that companies will simply continue business as usual and take on all the liability. They have enough deep pockets to pay compensation that one time something goes wrong, or at least that's my impression.
Would those execs rather . . .
a) publicly berate and fire the internal developer who created the problem
or
b) have to point out that the opaque series of tests internally just wasn't up to snuff and promise to improve them?
When the bug's in OSS and the company is held responsible, there is no option a.
Unless the OSS projects themselves are staffed up and able to provide legal responsibility, why use them?
As far as
> when faced with a choice between being liable for their own code or being liable for open source code, most companies will choose to write their own code. If so, that would be a net harm to open source and user freedom
goes, even if that is true (I'm not really convinced) it doesn't really matter. What matters is finding the correct answer to "who is responsible" to which the answer can't be "nobody". And if it can't be nobody, then it must be somebody. And if it must be somebody, it absolutely shouldn't be some random guy who never specifically signed off on your usage of their open source code.
Ianal but my intuition is that you're on point.
At the very least, I think it will have a chilling effect on the production and use of open source.
But here it is:
https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393...
> With the aim of not hampering innovation: (i) free and open-source software developed or supplied outside the course of commercial activity, as well as (ii) the source code of software, should be excluded from the definition of products covered under the proposal.
> Worse still, how will you in turn identify or sue the collaborator or collaboration that actually wrote the faulty open-source code to recoup your costs? In that case, the license you signed likely insulates your open-source partners from your claims.
I sincerely hope this will never become a possibility. The chilling effect would presumably be catastrophic for Free and Open Source software in the relevant legal jurisdiction. Why would anyone voluntarily release their code as FOSS if it opens them up to lawsuits?
I'm not certain the second order (or later) effects will necessarily be unequivocally good. Software supply chains are more like a double pendulum in that changes are probably chaotic enough to obscure their effects.
For example, my very first thought was that large businesses are generally risk adverse specifically in the realm of liability. Have you ever read a TOS? It feels to me the major elements of that interminable document are statements that limit liability. It is to the point of humor that we engage in the clicking through the "I accept" of a software license like some strange universal ritual. This is the realm we are dealing in here, deep and arcane. The ubiquitous TOS ritual should remind us all that software is beholden to forces outside of itself.
Companies go through insane effort to avoid legal liability. This law is going to change that calculus. If the cost of covering that change is high this could precipitate a change to closed-sourced alternatives that come with some delegation of liability. For the cynically minded, companies that offer equivalents to OSS that come with a liability waver might see an ascendance and potentially offer a good investment opportunity. Alternatively, repackaging existing OSS as a commercial product while only adding some legal liability as an add-on might become a viable business.
Those considerations challenge any argument towards unequivocally stating this is a good thing, even if there are definitely positive aspects to this change.
Some of the biggest open source projects are owned by megacorps, like React (Facebook), TypeScript (Microsoft), and Tensorflow (Google). And it's clear from these examples that their stewardship has wrought benefits for both the company and the community. The company benefits from what would otherwise be their internal tooling becoming an industry standard - Facebook doesn't need to train React devs after hiring them. And the code is more robust as more people use it - Microsoft doesn't even need to use its latest TypeScript version, they can just wait for the community to test it for them...
I only skimmed the OP and doubt it's intentionally confusing, but it is confusing because its prediction of doom is wacky. Manufacturers (eg developers of IoT devices, the insecurity of a major impetus for the legislation, apps, etc) will need to adopt modern development practices such as updating their dependencies when a vulnerability is known -- and that includes manufacturers that wrap a mostly open source codebase in a final product or monetise an open source codebase in various ways called out in the legislation.
Yes if a consumer is harmed by a completely open source thing not placed on the market, say something in Debian, they will not be able to sue the developers, and the developers aren't subject to fines etc under the CRA. That's the balance intended by the legislation (after lots of attempts to get it right), to not wreck incentives to develop open source, but to make product developers more responsible. In other words, the public policy is not exactly as you state it. :)
What will happen the opensource world once you're held liable for some moron who uses some software I wrote for myself? or incorrectly uses it?
do you really believe the curl should be held liable because some POST failed and a user lost something over it?
what about my old backup scripts? I need to remove them from my repos?
How does being liable for damages caused by software or services you sell equate to being an idiot? I just see it as the normal way to do business, and the reason why limited liability (the way I’ve been doing business for more than 2 decades) exists.
In light of it, I think the article I found didn’t link to it out of sloppiness, because their summary seems reasonably accurate to me, and the fine article didn’t link to it because they want to spread FUD, as the text you quoted directly contradicts some of the fear mongering in the original article.
My reading of the text is that the one actually selling the software product is the one having to abide by this law. Am I incorrect?
How could this be negative? I presume that most publishers of open source software would prefer that some Silicon Valley Unicorn did _not_ half-heartedly integrate their library, causing security issues and tainting their library name?
consider ghostscript, for example, which is open-source and a commercial product from artifex. the license terms are such that you generally only have to pay for it if you're embedding it in a printer, which many manufacturers do. but virtually every gnu/linux box has it installed without needing to pay for a license. suppose a security vulnerability in ghostscript (of which there have been a number) allows an attacker to own a million ubuntu machines and inject ransomware into thousands of companies in the eu who have no relationship with either the ubuntu company or with artifex
as i understand it, previous drafts of the product liability directive would have made artifex liable for damages in this situation, creating a strong incentive against making any commercial software open-source. do we know this cra avoids making artifex liable for fines? it seems that liability for fines would create the same kinds of incentives
has this been fixed?
as you likely know, i think a necessary and nearly sufficient step to solving the iot security problems is requiring the firmware to be open-source so that consumers can update it whether the manufacturer wants to or not
bingo
I think that's more-or-less fine. There's a concern that companies don't want to be responsible for open source code, and will write everything in-house instead. I wouldn't be surprised if some companies do that, even if it's a bad idea. I don't know how common it'll be, but the worst case scenario is that it turns out to be bad for developers and for free software.
The second, murkier issue, is what happens when there is no selling involved at all. If I download a debian iso, or clone some random repository on github, then there has been concern that the author of that code will be financially liable for any errors in the software. That would be very, very bad. Early versions of the law seem to explicitly say that it would be the case. More recent versions seem like they might have an exception so long as there is absolutely no money changing hands. It's unclear what would happen in cases where open source software accepts donations. It could still end up being harmful to individual developers and to open source software in general. It's hard to say.
... from a longer transcript here https://www.infoq.com/presentations/security-supply-chain-os...
I'm not surprised that's what you think. I'm doubtful anywhere close to sufficient, as much as I'd like that to be true. The focus of the CRA is of course to make the manufacturer be responsible, including for providing security updates for as long as the product is expected to be used (5 years or more typically). There probably is a weak recital suggesting manufacturers might make source code available to other undertakings so that they might provide security updates after the original manufactuerer's support period, but no enforcement of this, and explicitly not requiring open source. Seems like a potential area for future regulation to improve upon.
IANAL but it seems clear cut to me: if you asked for money in exchange for your software (or to access to your software through an API or similar), or if you asked for personal information (in exchange for your software) then you’re liable, otherwise, you’re not.
Which would in turn be very bad for society.
> "whether “open source” is exempt from liability in a law designed to protect consumers. So far the answer is “probably not?” Exemption means consumers bear the cost – exactly what the law is trying to change. Perhaps if the open source in question remains an academic or research tool, versus reaching consumers, we’re okay? The proof may come when the first consumer demands compensation, and the courts step in.
What I was trying to communicate here is that I think meaningful negative impact to free software and to developers is a worst-case scenario and not the most likely scenario. It's plausible, and we should be concerned, but I think there's also a plausible outcome that is neutral or positive for free software if companies end up contributing more to free software as a way of ensuring they are meeting their obligations under the law.