by knlje 1161 days ago
This is a quote from the linked document:

> 10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

8 comments

The Internet Society quotes[1] that part and thinks selling support for stuff would count it as being supplied in “the course of commercial activity” even to those who aren’t buying the support.

[1] https://www.internetsociety.org/blog/2022/10/the-eus-propose..., via another comment here: https://news.ycombinator.com/item?id=35525876

[A previous version of this comment mentioned BIND, because I confused ISOC and ISC.]

If someone sold me support for a piece of open source software (like ISC and BIND) then I definitely would expect some level of liability if there's something wrong with it.

Otherwise why would I pay for support if I could just self-host? They can strictly define the parts they are willing to support, though.

You offer support for your open source software so it's commercial open source, someone else uses your software in his software without your knowledge and he doesn't pay and doesn't want support.

He doesn't update his version of your software and this leads to a security issue.

Are you liable?

Obviously not. Why would you think so? You're only liable for the software shared under a support agreement.

I feel people really try to pick the worst possible interpretation of these laws just so they can hate on the EU.

No, it’s people who possibly even agree with the intention of this wanting the letter of the law to be as clear as possible — so that a hypothetical uninformed judge a few years down the road has less wiggle room for a bad decision. (Also note that in some European law traditions, written law is more important than case law.)
But the whole point of the CRA is to increase cybersecurity even without a support agreement. Eg every device to receive 5 years security support.
Unfortunately lawyers (et al) will similarly pick the worst possible interpretation of a law as needed to win a case
> free and open-source software developed or supplied outside the course of a commercial activity

What is software in this case? The open source software you developed as such or only the Installations you sold support for?

No. Liability only arises if someone is paying you and you give them assurances that PyThing is fit for a particular purpose or behaves a particular way.
>free and open-source software developed or supplied outside the course of a commercial activity

This part isn't clear enough to confirm your assumption.

It could mean the software instance installed by your support customer, it could mean the software as such you intend to sell support for, no matter if you really get paid for support or not.

I believe the point they're making is that while you could expect liability, I couldn't if I'm not buying support services but run it myself. As in "offering the support services to anyone" would assume global liability.
> If someone sold me support for a piece of open source software (like ISC and BIND) then I definitely would expect some level of ...

The word you were looking for is "support".

If there is something wrong with the "supported" open-source software, then you may expect a certain level of "support". Full-stop.

That generally entails an SLA that says your issue will be reacted to within N-time of opening the issue, which might be nuanced by the tier-level of support purchased. That you are provided access to documentation, or even the source code itself. You might be provided with best-effort support by an agent, which is limited to resolving documented defects, or configuration, or acknowledging standing-bugs which cannot be resolved.

What you cannot expect is the software is updated in accordance with the support incident. For that, send patches, or pay somebody to send patches.

I want to believe the courts and non-elected bureaucrats will interpret it the same way.

Sadly, with these laws, we'll have to wait for some case law to be certain of the liabilities to serving Europeans customers.

Does anyone else find this incredibly crazy?

I had a similar reaction to the whole thing about some new anti-Tiktok law in the US potentially banning a whole bunch of other things, but nobody is actually sure. Like, is it a weird idea of mine that you should define your laws based on what you want them to do and then test them to make sure they are right before they actually, you know, become laws? How can no one know what the law will actually do until the law is actually enforced?

If I wrote software like this I would be instantly fired. Can somebody please explain?

> If I wrote software like this I would be instantly fired. Can somebody please explain?

If aerospace engineers built airplanes the way you (or me) code, they'd be in prison.

I don't think software developers have any right to criticise - we are the clowns of engineering world.

The software around me fails all the time, coffee machine refuses to make coffee because there is no wifi, Toyota has spaghetti code controlling the accelerator, average home router has over 9000 security holes.

Even if you look at our industry standards, the HTTP standard has flaws allowing Request Smuggling, JSON standard is not compatible with javascript, and Javascript itself...oof...

> If aerospace engineers built airplanes the way you (or me) code, they'd be in prison.

Really? I don't recall anyone going to prison for the 737 MAX. Not even the engineers reviewing the code written by the offshored 9$/h programmers Boeing hired...

> the HTTP standard has flaws allowing Request Smuggling

As if the building code didn't too change over time.

It isn't really like this. There's experienced attorneys helping draft most legislation. See, e.g., https://en.m.wikipedia.org/wiki/Office_of_the_Legislative_Co...

That doesn't mean they will always get it right, but it's often screwed up more by the legislators than the attorneys.

Laws that are so vague that they don't give notice to someone of what conduct is proscribed are not valid in the US.

Additionally, in the US, laws found to be unconstitutional are void ab initio. They are not struck down. They are declared never to have been valid in the first place.

(Though, like anything, perfect consistency is not a goal of the legal system, so you will see this screwed up at times as well)

Even with already published laws you need a lawyer to understand how a judge will be more likely to interpret them; even then, it's just an informed guess, you never know what the end ruling will be until it comes.
So... Why not have a judge whose job is to come in and rule on potential new laws? You're pointing at this like it's some knockdown argument when it just shows lawmakers are lazy.
HN is not apparently aware of how laws are made in most countries. In fact, staff legislative attorneys and others greatly experienced in law often help write them and edit them.

For example, in the US, you have things like https://en.m.wikipedia.org/wiki/Office_of_the_Legislative_Co... which helps the house draft bills.

Imagine all of your bugs were security bugs, hacking (and profiting from the results) was legal and incredibly lucrative, and (as a result) almost the entire available pool of testers was at best grey-hats each with their own political agenda. Even if you also had Designated Testers with lifetime appointments, would you expect them to do better in a year than a well-paid hacker could in a couple of weeks? Especially if the former category, though well-paid, is considerably understaffed and thus overworked, due in part to how hard it is to establish competence and good faith of a candidate?

I’m not sure this is a good metaphor, but I think the main thrust should be true: the whole thing is adversarial like you’ve never seen, and that’s not at all the best way to establish truth, just the best you can do without trust assumptions. (Law : science and engineering :: democracy : benevolent dictatorship.)

This section has been rewritten (changed) in the latest (internal) draft of the CRA based on feedback of various open source foundations as far as I know.

I'm not sure how much I'm allowed to share but it'll be public at some point in April I believe.

How does this work for free software projects which aren't themselves commercial but list employees of big companies among their major contributors? E.g. the Linux kernel?
It will likely be tied to the “productization”. That is, the liability chain will only go as far as there is someone who turned the software into a product for monetization purposes. If a company sells a product that uses Linux, they will be liable regardless of whether they contributed to Linux development or not. If part of the product was itself purchased from a third party, the third party will be liable for that part. But open-source developers who don’t monetize the software won’t be liable.

One case that could potentially become problematic is OSS developers who have Patreon subscribers or similar, where those subscribers could conceivably pass on liability claims.

That's from the "Cyber Resilience Act" link, and the "Product Liability Act" link has pretty much the same text in item 13.
that is sooo bad. Basically anyone can give you support with some open source code (i.e. consultancy, they fix a bug/deploy/tweak for you and go away) except the authors of the code. Because if the authors do this, they are liable for the whole code base of the product. Nice.

Also, many open source projects have very complex authorship, good luck digging which company is responsible to do the audit.

Also, basically your favourite cloud provider could host your favourite open source database, but the authors providing hosting would be liable. Because "This Regulation does not regulate services, such as Software-as-a-Service (SaaS)"

Having it in the recital is way less safe than it being explicitly spelled out in an Article.
Thank you. Do you think the blogger missed it, focused on the 'should' part or it is part of the clickbaity nature of our news cycle? Either seems a likely possibility. I don't think EU would be stupid enough to kill open source.
It’s more than clickbait. The intent of the proposed legislation is not to make volunteer open-source contributors liable for bugs, but the current draft may set the boundary between commercial and non-commercial developers in the wrong place.
I'm not a lawyer, but I see no way a sane and reasonable person could read this as "and if someone you've supplied the software in a foss & non-commercial setting to uses that software in a commercial way, you're on the hook for everything".

Yeah, it could be even clearer (but laws tend to not want to enumerate everything that is obvious or they'd become books), but it feels somewhat exaggerated. Or is the actual fear that commercial support services by the authors could trigger liability? As far as I understand, that has been a preferred way to get paid and remain not-liable for the original product.

I _was_ a lawyer for a decade before going into tech. One of the good habits I acquired in practice was making sure to read all the way through every document, no matter how boring it got. I agree with you completely, except the article isn't just exaggerated: it's borderline FUD. Regulation is necessary because too many humans find self-regulation in the public interest too hard. The problem is that writing effective, targeted, regulations is also hard, and often beyond the capacity of those given the power to do it. Even when they mean well (never a given, as evidenced by a sordid history of self-sealing and favoritism), it often gets mucked up.