by abbe98 1219 days ago
> This seems sort of reasonable. If you charge for tech support, you have a business. I’m all for not making it harder for people who are actually just sharing their hobby projects, but a project that makes money isn’t a hobby anymore.

With the current writing it might be that a distributor different from the commercial entity might be liable for vulnerabilities and reporting.

https://blog.sonatype.com/eu-cyber-resilience-act-good-for-s...

I'm always impressed at how little European regulators seem to understand tech (and at how little they want a healthy tech sector to grow in Europe, preferring American and Chinese alternatives).

To me it sounds like the "software is delivered as is" clause would nullify that.

But there are huge problems with "as is" clauses, and in the US anyway, they aren't always enforceable. If I sell a doohickey that I know is likely to kill people, slapping an "as-is" clause on it probably won't keep me out of jail.

In the case of OSS libraries and open-source distributors, there's no sale happening.

What I see emerging is a dual license system where you can buy a supported version that's compliant with whatever European law or get the one hosted on an American mirror (where thankfully European law doesn't apply).

> In the case of OSS libraries and open-source distributors, there's no sale happening.

True. I should have said "distribute". But the point holds.

Until the great EU firewall happens.

Thanks to current US politics, whatever gets developed over there might not be as widely embraced as in the heyday of all good friends over here, global economy.

Furthermore, as the author of the Sonatype piece told me last fall, it also goes beyond the upstream project and any distributor. In the case of a lot of vulnerabilities, the fixes have existed in the upstream for maybe a year or more. But they're still in downstream code that has never been updated.