It is a slippery slope and in no time it would spread to banning Chinese patches and developers, with people getting riled up by people from .gov mails and next up Muslims and on and on.
Besides, show me one of those "all" you mentioned that has the right to do so. Do you think open source is American? It could just as well be they all ban the US. Just... don't.
Like a lot of commenters are saying, these blog posts are nice, but they won't change the minds of the legislators.
The legislators, in their apparent naivety, are living in a dream world where they expect today's volunteer developers to take on real and unfair legal risk for their contributions.
That's why I think open-source projects ought to make a real statement and ban EU downloads of their software. This will catch the legislators' attention. Making the lives of whoever is using the software (practically everyone) difficult will get the point across and force change.
This has nothing to do with discriminating against who _contributes_ to the software, which is of course a bullshit thing to do.
The interesting question is really what happens when commercial software companies outside the EU that use open source libraries decide they don't want to deal with this headache _also_ start refusing to certify their software for use in the EU and stop doing business there.
> it is that entire stack which the SME, as the party that places it on the market, is liable for.
> policy makers assume that these process improvements [...] are costly; on the order of 25% more in cost overhead
> for most European SMEs this extra effort over the full 100% would be several times their engineering effort and hence would not be feasible
> certifying the 5 or 10% of the code they build on top of the open source stack is a lot more achievable.
From what I understand of what the Apache Foundation has written, what the CRA does is to take the certification obligation from the entity that takes the open source products and profits from it, and push it on to the entity that produced the open source software.
So if I have a business that uses a tech stack built on top of Rocky Linux, for example, I only have to certify the part of the stack that I built, and I can push the liability for the rest of the stack to the Rocky Linux vendor, even if I never bought a support contract.
It's not clear to me how much knowledge the author has about the legislators' opinion, but it's a very damning piece of text.
Pushing for the obligatory enforcement of unknown rules, extending the corporation's embodiment into every action of its employees, and granting legislative power to private standards bodies are all very anti-democratic decisions.
I agree. But at the same time, this might indicate something.
Frustration.
Try to build a bridge, a building, a factory, and see how far one gets without a lot of clear-cut rules being followed.
Then look at ... say, Debian. Where every single piece of software follows guidelines, or it's in non-free.
Then look at the node ecosystem, where no one audits anything, or even cares if they're literally infringing, who wrote it, etc.
No one even checks if any of the 25,000 packages have just been replaced by malware, or if the license has changed.
And beyond that, we have endless orgs running code on deprecated compilers (e.g. php5), with no security updates.
These things are absurd, but we accept it, merely because we prefer greed over security, safety, and sustainability of code.
So, some of it may be frustration. I'm frustrated with it!
It doesn't make it right, but....
For open source libraries, which are presently 100% free, have the certification company charge the companies that want to use those libraries to audit and certify them, and pass a substantial amount of the cost on to the authors of those libraries.
From the other perspective: am I going to accept a contribution from anyone who may be remotely connected to any company in the EU? Well, nope. I don't want to deal with that stuff in my private time just because some EU bureaucrat decided that accepting a contribution from a corporate contributor is now legally speaking a "commercial activity".
They will now hold a huge fat stick but there's no carrot. So when it's a commercial activity, can I have benefits like any other commercial entity? Say, claim VAT back?
Unless the EU itself employs developers to contribute to OSS and ensure verification, this will only do harm.
Does the EU company then need to handle the details of certifying it? Do you end up with an entire industry around companies "importing" open source libraries into essentially a library of usable verified things that companies are then allowed to consume?
Does this end up with EU companies using out-of-date things because it requires certification? How do you avoid it either becoming a rubber stamp with a fee attached, or EU industry being behind in its ability to use technology?
E.g. a US developer can use A, B or C, whereas an EU dev can only use a 2-year-old version of A, which may be less secure for lack of the improvements in later versions rather than more secure. Essentially a certified, predictable level of inferiority.
> Some of the obligations are virtually impossible to meet: for example there is an obligation to “deliver a product without known exploitable vulnerabilities”.
Is it possible we actually CAN meet something a lot closer to that? There aren't infinite ways to use something, and if the use is novel and out of scope of the library itself, wouldn't that be out of scope and part of the company's job to certify?
Consider languages and technology that obviate or drastically decrease entire classes of bugs, from memory-safe languages, to comprehensive testing, to static analysis, to more secure OSes like seL4.
That has been the natural consequence of every past effort to legislate security all over the world.
The fact that this one seems less attached to reality than normal only reinforces that, so I'd expect nothing else from it.
This has been a nit of mine as others cry out how I'm a "NIH" curmudgeon for not importing some library because I need, oh, "upshiftFirstCharacter" or some other thing.
Like many, I do incorporate other projects into my own. But, also, I tend to just write my own stuff for "little things", even when they creep into "big" things, as many are wont to do.
And the canard I hoist when challenged on this stuff: I simply point out "We may only be using a small piece of it, but we're responsible for all of it." And point to the trail of jars that simple utility is dragging with it.
There's a lot of pressure for things to have fewer and fewer dependencies. As a Java developer, I strive to rely as much as practical on the JDK and the utilities they provide.
My code is as imperfect as anyone else's. But I watch threads on forums about "how can I do XXX" and what they really mean is "what package do I need to do XXX" rather than just, you know, "doing it". It's a spectrum of complexity, but if I can get away with a simple BlockingQueue instead of loading in some off-the-shelf behemoth for a simple between-threads queue, I'm going to do that. Use the stuff I have until it fails before I drag and drop some onerous jar and a boatload of dependencies to do the same thing. "This has monitoring and plugins and ...!" "Do we need that?" "...Maybe?" "Well, let's wait and see, shall we?"
Keep making more changes, more regulation Europe. It'll make an interesting story one day. But only after extreme turmoil & chaos. After the dust settles.
And I don't think these attempts to regulate the planet, to impose your will & shift so much burden onto those doing & making & creating is going to work as you hope. I don't think it will give your societies the safety you think you can demand, and I think the difficulties you are creating are going to cause great suffering for your nations.
I respect your desire for a better more sensible world but forever more layering in more and more constraints & burdens on the active agents in your systems has such unfathomable costs.
And you don't have the right. You don't get to tell the entire world how to behave. There are impossible asks, utterly ridiculous, and you make them against everyone. You already have your foot on the floor, speeding us so quickly to breaking.
The people doing certification must have an active hand in the development process of the specific software component, and can, at their option, charge for certification.
This would allow open source projects that are used in industry to charge for certification labels to the commercial companies that require them. But non-commercial use, which does not need a certified stack, is business as usual.
Seems like it would incentivize funding of open source, right? As long as the fees are low enough, no one will fork. But since only the people maintaining the project can make (and optionally charge for) certifications, it would incentivize knowing your software stack, and paying for maintenance/contributing back.