this post was submitted on 15 Aug 2023
97 points (92.2% liked)

Open Source

29773 readers
240 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
97
Will the cyber resilience act kill open source ? (en.m.wikipedia.org)
submitted 1 year ago by [email protected] to c/[email protected]
34 comments fedilink hide all child comments
 

Since the EU is bringing an act , that needs the products distributed to be flawless , and it applies to open source products too , if a single of their contributor / donor works for a corporate , what will be the future of FOSS in europe with this ?

all 35 comments
sorted by: hot top controversial new old
[–] [email protected] 47 points 1 year ago (2 children)

For all the people not reading the actual law, this is the actual language of the proposal:

In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

IMO the problem OP mentions does not really exist. You can work for a corp while working on the product, your FOSS project can take donations even from corps, the only thing you can't do is monetize your FOSS product without caring for security.

[–] [email protected] 9 points 1 year ago (2 children)

Nick from The Linux Experiment youtube channel made a video recently talking about that, for him and for me it's clear that this quote:

software developed or supplied outside the course of a commercial activity should not be covered by this Regulation

means that any open source that gets any work from paid personnel from a company interested in the project in any commercial activity is covered by the regulation.

Here is the timestamp of his argument, I'm not from EU so I have no idea how this kind of idea could be implemented, but the text seems clear to me and seems bad.

If that is the case projects would be obligated to reject contributions from any companies.

[–] [email protected] 4 points 1 year ago

Here is an alternative Piped link(s): https://piped.video/QK0rmOuzSVM?t=87

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source, check me out at GitHub.

[–] [email protected] 1 points 1 year ago

The law also keeps it vague enough , that it says employed individual , so they could be waiting tables and this will still apply !!

[–] [email protected] 1 points 1 year ago (1 children)

Please add a link to the source in your comment

[–] [email protected] 3 points 1 year ago

This is the actual proposal, it's available in all EU official languages on the EU's website. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022PC0454

[–] [email protected] 22 points 1 year ago (1 children)

Companies need to conduct cyber risk assessments before a product is put on the market and throughout its lifecycle effectively manage its vulnerabilities, regularly test it, and so on. Products assessed as 'critical' will need to undergo external audits.

I have not read the proposal. Legal language makes me want to rip my own eyes off.

The only winners I see are those security auditors and similar providers.

Privative corpos from USA and China will arrive with all "security assesments" and "auditions" in place, and still have backdoors lol

[–] [email protected] 5 points 1 year ago

They prepared a list of software that need mandatory audit , like browsers and all !

[–] [email protected] 18 points 1 year ago (1 children)

I wonder if I am developing an app for lemmy and I am based in EU , am I obligated to get an external vulnerability audit done , or pay a 15.million euro fine , since I am working for a corporate with a full time job?

[–] [email protected] 25 points 1 year ago (3 children)

Without having read any part of this act I'd assume you having a job and you developing an open source app are two separate things unless your job involves developing that open source app.

[–] [email protected] 10 points 1 year ago (1 children)

The number of responses here saying they haven't read up on it but...

[–] [email protected] 2 points 1 year ago

I read several different drafts I could find since writing that comment and although it's alll written somewhat vague in general, OP's point isn't in any draft I read.

[–] [email protected] 4 points 1 year ago (1 children)

Well if i am developing a product and I work for a corp or if my project is getting donation from a corp , it will be considered as a commerical project , it does not need me to be working on that product as part of my work !!

[–] [email protected] 12 points 1 year ago (1 children)

No, those are separate. It's about open source projects that have developers working on it in their free time (not getting paid for it) and developers who get paid for it. You having a job as a software developer and working on a project outside your work time doesn't make it a "commercial activity".

[–] [email protected] 3 points 1 year ago

Just read the act then ! It keeps it vague enough to consider a person working in free time will be considered a commercial product

[–] [email protected] -2 points 1 year ago (1 children)

Please watch the video above !

[–] [email protected] 20 points 1 year ago (1 children)

What's the gist? I hate video articles

[–] [email protected] 2 points 1 year ago

Basically A foss product is not exempted if an employee ( does not need to be a tech employee) contributes to a foss prod , or if a company donates to them ! So even npm packages by individual coders who are employed say.by dominos need to take audit and deliver vulnerability free code .

[–] [email protected] 13 points 1 year ago (2 children)

Its been a while since i last read about it, but i thought they made some exempts so FOSS wouldnt suffer too much. One can only hope they did!

[–] [email protected] 9 points 1 year ago (1 children)

They consider foss products out of this requirement , only when the contributors are volunteers who are not working or are employed by a company !! Or get a corporate donation, if even one person contributing to the project is a corporate employee they need to go with the crazy rules they have laid !!

[–] [email protected] 3 points 1 year ago

This is what Claude2 (with 100K context window) has to say about your comment, after I supplied him with the entire proposal of the regulation: Based on my understanding of the Cyber Resilience Act, I don't think that assessment is entirely accurate. The key factor is whether the open source software is placed on the market in the course of commercial activity, not the employment status of individual contributors.

The regulation explicitly excludes open source software developed or supplied outside of commercial activity. As I mentioned before, this means pure community-driven projects where the software is freely shared and open should not fall under the requirements.

It does not matter if some contributors are corporate employees, as long as they contribute to a non-commercial community project in their personal capacity. For example, if a developer who works for Company X contributes code to Project Y in their free time, that alone would not make Project Y commercial.

The regulation would likely apply if a company systematically develops open source software as part of their business model. But just having corporate contributors among many community members would not automatically trigger the rules.

Overall, I think the regulation aims to avoid putting burdens on pure community open source projects, as long as the software is not placed on the market commercially. But the details of implementation will be important to watch to ensure a proper balance is struck.

[–] [email protected] -3 points 1 year ago

Well the attemps they made are more like drop in the ocean ! I still dont understand how FOSS in eu at least will survive this disaster , while most corps , just use foss software anyway will flourish !

[–] [email protected] 12 points 1 year ago

How to contact your MEP https://www.europarl.europa.eu/meps/en/home

[–] [email protected] 4 points 1 year ago

While I see how a law like that would create insecurities in the FOSS world I trust that it will not be abused to shut down FOSS projects as some of the largest EU members like France and Germany are relying heavily on Open Source software. I believe this do be the reason why this cumbersome exception was formulated in the first place.

However it could mean that the blurry line between commercial software and FOSS software could become a clear cut and FOSS projects that provide paid versions of their software could be forced to comply or go back to relying on donations.

tldr: I dont think it will kill FOSS per se. Potentially it will become more difficult to mometize FOSS apart from donations.

[–] [email protected] 3 points 1 year ago (1 children)

https://youtu.be/iUgAS1luxEQ a video here !

[–] [email protected] 8 points 1 year ago

Here is an alternative Piped link(s): https://piped.video/iUgAS1luxEQ

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source, check me out at GitHub.

[–] [email protected] 1 points 1 year ago