There is a better way [2], but I don't know how we would convince politicians that there is a better way.
[1]: https://news.ycombinator.com/item?id=38788919
[2]: https://gavinhoward.com/2023/11/how-to-fund-foss-save-it-fro...
It’ll turn into the aerospace industry where “if it hasn’t flown, it can’t fly.” This is among other things why we still burn leaded gas in small planes. Replacing it is easy, but the cost of certifying any kind of new design is insane.
I’ve always just been against any such regulation because I have zero confidence our technically ignorant politicians can do it well.
I also think it’s likely to be sabotaged by consultants and big tech monopolists who see an opportunity to lock out competitors or create gravy trains.
That is why I want the industry to self-regulate with professional licensure first.
If we let politicians do it, they'll do it wrong. If we do it first, and push hard to have politicians adopt our system when they've decided that regulation will happen, then we have a chance that it won't be awful.
As for consultants, yes, that could be a problem. However, I think professional licensure would minimize that because requiring a Professional Software Engineer (PSWE) on a project means having someone there for the long term, dedicated to the project, which is antithetical to consultants' game plan of running either short projects or many projects at once.
As for Big Tech monopolists, yes, that could be a problem. However, I think professional licensure, with a Code of Ethics, would actually give the PSWEs at such companies the ability to say no to such monopolization. And they would, if we could actually threaten loss of license.
So you are correct that my proposal isn't perfect, but I do think it minimizes the risk of bad things happening among the others.
Compared to the relatively high engineering standards and slow but at least continuous improvements in actual engineering disciplines, software is built so badly most of it should never see the light of day. If most machines we build were as insecure and crappy as software we'd have brought the Code of Hammurabi back already.
The deadline for submitting presentation proposals has passed, but the schedule should be available shortly at https://fosdem.org/2024/schedule/track/eu-policy/
Well, I sent an email with the link; that is all I can do.
Isn't that the idea? If you can't innovate, litigate - see regulatory capture [1].
We hold the power, not the EU. Debian, FOSS developers, and small businesses world-wide should block EU IP addresses. No more Linux, no more Python, no more nothing. When the EU's digital infrastructure begins crumbling they'll change their tune.
Both are concerned with non-discriminatory _licensing._ That would remain the case.
Neither of those documents obligate anyone to provide the specific service of providing downloads to anyone else, or providing any act of distribution at all.
Nevertheless, not being able to access the Debian servers would be most unfortunate.
And then they want other people to be accountable; how about the government being accountable first?
Page 15:
> In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
This sounds sane-ish, but the key is that it says Open Source Software is not exempted if it is part of commercial activity.
So what is commercial activity?
Page 34:
> 'making available on the market' means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge
That "free of charge" connected with "commercial activity" is what has people up in arms.
Does it include free stuff like Debian? Does it include donation-based FOSS like Zig?
These are the things that worry people.
[1]: https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-...
Vendors of Debian Installation Media https://www.debian.org/CD/vendors/
They are hardly Adobe, but all it takes is one zealous lawyer on a crusade to force an interpretation that Debian and Adobe are equivalent organisations when it comes to the commercial production of software.
pizza points out that Commercial Activity is apparently a bit more carefully defined, in the act, than simply “money changing hands”: https://lwn.net/Articles/956191/
I’ve never been a fan of the moral position that says certain laws only apply to commercial contracts. If two parties make an agreement (get married, have a child, adopt a cat, go fishing, etc.) then they ought to be held to that agreement. Whether or not money exchanged hands seems immaterial and considering whether it did or not, when trying to decide if someone acted in the right or in the wrong, feels dirty.
I understand the need to somehow include them, but the line should be drawn at for-profit companies and exclude non-profits and individual developers.
How to formulate it without easy loopholes is no easy task.
Ask log4j or OpenSSL.
Go read this: https://blogs.eclipse.org/post/mike-milinkovich/european-cyb...
The entire point of the CRA is to make "manufacturers" liable for the quality of the software they produce, in a similar manner to how car manufacturers were held liable for the Takata air bags. But who is the manufacturer? In the Takata case it was the car manufacturers that the car owners held liable. This LWN comment spells out how difficult it is for software: https://lwn.net/Articles/956218/
One sentence from that hints at the problem:
> the CRA's explicit statement that things qualify whether or they are provided gratis.
The CRA as it stands doesn't draw the line in a way that clearly exempts a bunch of high schoolers uploading their code to github, possibly because no one has figured out how to do it in a way that doesn't also give Google Chrome & Android a free pass.
To put it another way, you've asked an impossible question. You can't point to the faulty clause that exempts open source, because it doesn't exist.
https://www.debian.org/vote/2023/vote_002#statistics
(No matter how good LWN's original journalism is, this is just a news link that does little more than link to the source itself)
I have two projects and added such a clause in protest.
[1]: https://totsipaki.net/ikiwiki/nparafe/posts_en/posts/Can_Eur...
Is disqualifying EU users even possible?
1) this means MIT, Apache and many other licenses are dead in EU.
2) Laws override licenses, so the government can just make a law to ignore the 'no government use' clause.
Of course, an outside agreement can establish such duties.
Think if it were something else as an exercise: say some nation implemented rules requiring you to pay $10k USD/year to that government as some nonsense open-source fee. Common sense says you should be able to say, in response, “well, then I guess I’m cutting that country off.” If the rule making country shouts “no takebacks!” and supersedes licensing, then wouldn’t that impinge on sovereignty?
Posted Dec 27, 2023 19:32 UTC (Wed) by bluca (subscriber, #118303)
Can someone explain to me what in the statement from Debian is "anarco-capitalist FUD"? I find it quite reasonable overall.
You can't just label everything as "doing business" and then regulate it all. If I make something interesting and give everyone in the world the blueprints so they can make one themselves that's not "doing business".
edit: Or if we go to the extreme of nothing except the action and potential for negative impact mattering then you'd need a license to give those cookies to your own kids or even yourself.
bad analogies are bad
That depends a lot on the circumstances. If a malicious, sophisticated actor broke into your shop and poisoned your dough, which resulted in you selling poisonous cookies, should you be liable because your security systems weren't good enough to stop the poisoner?
Last year in the UK the creator of BitCoin won a multi-billion pound judgement against usurper "open source" developers who refused to alter the protocol to allow him to recover coins a hacker took from him.
Developers have a duty of care to their users which no license can remove even if they are communists calling themselves "open source". You either make good software and comply with your duty or you will be ruined. That is the law.
In other fields there is a direct relation between number of customers and liability.
But if I offer free software and also offer commercial support for it, and because of that I would be liable to everyone who uses that software, not just to those who pay for commercial support, then there is no relation between number of customers and liability, and liability cannot really be priced in.
Our industry desperately needs better regulations, IMO.
Actually it’s an improved version. Hopefully it will make it through consolidation with EC version.
Insane tbh. EU is all about safety to the extreme and it’s nauseating. Pretty soon you won’t be able to fart there without getting a permit and sign off from some kind of council.
We do not need regulation limiting distribution of volunteer work.
And the vague language for the delineation line is what's problematic with this proposal.
Volunteers have no resources (time, money) to defend themselves or their products against false accusations of lack of compliance. Likewise, companies that happen to provide FOSS components might be approached about compliance even for their GitHub content.
Getting the spirit of the law into writing is tricky, and it will most likely improve over time. Closing loopholes and making exceptions when merited.
Famous last words of any dying industry
They just need to clarify some points. They need to explicitly make an exception for free and open source software developers. Because free and open source software development will be killed if they don't. Can you imagine getting sued because someone had problems with the free software you published on GitHub? The sustainability of free software development is questionable enough as it is. If publishing a project exposes me to that kind of risk I'll simply not publish.
Linux, World Wide Web… not worth the risk.
So I am making something in my free time, as a hobby, no monetary gain and suddenly I can easily get sued to oblivion. I need to at least buy insurance. My library is used left and right in commercial activity.
The impact assessment for the CRA is a total lie. It assumes a 100% decrease in cyber damages, a laughably low compliance cost, and a very small number of impacted entities (only companies, not individuals, and each company makes one product).
TBF, version amended by EP explicitly excludes individual developers, hopefully it makes it through trialogue.
Edit: basically, imagine the authors of log4j. Remember that security flaw that impacted half the internet? That is what's called liability. Did they 'apply effective and regular tests and reviews of the security of the product with digital elements'? Better make it an industrial-grade product, with no money, in their free time.
Can you explain how you believe better regulations would improve software (assuming you're talking about software)?
Now rewind to 1990 or so. Add a Cyber resilience act. At best we maybe have a phone about as advanced as an old Nokia. But yeah, maybe hardly any cyber security flaws because the Internet would hardly function.
Instead of thanking all of the millions of developers who contributed to this, they proceed to kick them in the teeth and enact laws to steal from them in principle by raising the cost of entry.
If Debian depends on people's work so badly maybe they should pay for it.