zlacker

[parent] [thread] 7 comments
1. joketh+(OP)[view] [source] 2023-12-30 21:47:15
Good that they backtracked on a lot of the CRAp (which would have meant the end of OSS in Europe, talk about destroying the world with the wrong swift movement of a pen!) BUT I'm still angry:

1. This adds barriers to sell OSS software, which helps solidify existing markets and prevents new competitors from stepping up

2. This won't change anything except forcing projects to waste money in legal BS, when the responsibility should be uniquely on the commercial entities USING and providing a service (and therefore making money) with the OSS software

3. This is only the first step, I'm sure they'll keep adding rules

4. I'm thinking they may have been heavy handed in the first draft just so that people would think at the end "oh, phew! the regulators didn't kill ALL OSS software in Europe, great!" without thinking why do we need this regulation or how it improves ANYTHING

Will it actually improve security? I don't think so.

If someone is paying for commercial support they likely already have security updates and, once vulnerabilities are known by the maintainers, the news spreads.

The security problem with OSS is not that things are not communicated promptly, but that it's hard to make money with OSS so there is no staff working on security.

This would not have saved us from e.g. OpenSSL vulnerabilities and it will be even harder for $NextOSSOrg to start charging for their product and improve their security.

replies(5): >>EMIREL+A >>wolves+V5 >>troupo+v7 >>mqus+Q7 >>octaca+h6a
2. EMIREL+A[view] [source] 2023-12-30 21:51:13
>>joketh+(OP)
> This adds barriers to sell OSS software, which helps solidify existing markets and prevents new competitors from stepping up

All commercial software is included, I don't see how (commercial) OSS is somehow special. Did you read the article?

3. wolves+V5[view] [source] 2023-12-30 22:27:19
>>joketh+(OP)
"which helps solidify existing markets and prevents new competitors from stepping up"

So exactly like any other regulation.

replies(1): >>Murome+Ba
4. troupo+v7[view] [source] 2023-12-30 22:40:22
>>joketh+(OP)
> it's hard to make money with OSS so there is no staff working on security.

Sooo.... Because of that you should be exempt even though you're expecting to sell that software?

How does this make sense?

replies(1): >>octaca+Z6a
5. mqus+Q7[view] [source] 2023-12-30 22:44:11
>>joketh+(OP)
> 2. This won't change anything except forcing projects to waste money in legal BS, when the responsibility should be uniquely on the commercial entities USING and providing a service (and therefore making money) with the OSS software

First of all, most of the software companies do SaaS, meaning they also provide the service. And then, even if they don't, the users will just hand down the paperwork to the companies developing the software. Because those know what was put in, security and components, and want to have this in legal writing.

Secondly, imagine your average IoT seller. They should not be liable for their bad product because they don't run it themselves? "The user" is liable? In most cases the "user" can't even do anything about their insecure device.

I think developers are rightly responsible here. It's pretty comparable to other industries where the products have to be safe when getting sold, think pharma, food, toys, cars, etcpp.

> Will it actually improve security? I don't think so.

Think B2C. It will improve things there, and massively so. Software in B2B was already somewhat regulated via audits and certifications.

6. Murome+Ba[view] [source] [discussion] 2023-12-30 23:05:40
>>wolves+V5
I like the author's analogy and I'm pretty sure this country has regulations around selling food, but there isn't much market consolidation. People open and own small restaurants and it's not only chains and franchises all around. People even start new banks and get licenses and the product is quite good. And there are things that are more regulated than opening a bank. I suspect that the CRA is not on the level of operating a bank and is somewhat more lax than operating a restaurant.
7. octaca+h6a[view] [source] 2024-01-03 19:10:00
>>joketh+(OP)
The last time I checked the draft, it looked like the MySQL project would be responsible if a security bug occurs and responsible for doing certification, because they provide paid support. But Amazon could just host MySQL without spending anything on dev or certification of the MySQL codebase (because MySQL would be forced to do certification, since they do make money with their code by providing the paid support).
8. octaca+Z6a[view] [source] [discussion] 2024-01-03 19:12:47
>>troupo+v7
Sell OSS software? The way OSS makes money is: hosting the service (good luck) or providing paid support (does not scale, unless you scale the number of your devs too).