by ginko 1161 days ago
If someone sold me support for a piece of open source software (like ISC and BIND) then I definitely would expect some level of liability if there's something wrong with it.

Otherwise why would I pay for support if I could just self-host? They can strictly define the parts they are willing to support, though.

3 comments

You offer support for your open source software so it's commercial open source, someone else uses your software in his software without your knowledge and he doesn't pay and doesn't want support.

He doesn't update his version of your software and this leads to a security issue.

Are you liable?

Obviously not. Why would you think so? You're only liable for the software shared under a support agreement.

I feel people really try to pick the worst possible interpretation of these laws just so they can hate on the EU.

No, it’s people who possibly even agree with the intention of this wanting the letter of the law to be as clear as possible — so that a hypothetical uninformed judge a few years down the road has less wiggle room for a bad decision. (Also note that in some European law traditions, written law is more important than case law.)

But the whole point of the CRA is to increase cybersecurity even without a support agreement. E.g. every device to receive 5 years of security support.

Unfortunately lawyers (et al.) will similarly pick the worst possible interpretation of a law as needed to win a case.
> free and open-source software developed or supplied outside the course of a commercial activity

What is "software" in this case? The open source software you developed as such, or only the installations you sold support for?

No. Liability only arises if someone is paying you and you give them assurances that PyThing is fit for a particular purpose or behaves a particular way.

> free and open-source software developed or supplied outside the course of a commercial activity

This part isn't clear enough to confirm your assumption.

It could mean the software instance installed by your support customer, or it could mean the software as such that you intend to sell support for, no matter whether you really get paid for support or not.

I believe the point they're making is that while you could expect liability, I couldn't if I'm not buying support services but run it myself. As in "offering the support services to anyone" would assume global liability.

> If someone sold me support for a piece of open source software (like ISC and BIND) then I definitely would expect some level of ...

The word you were looking for is "support".

If there is something wrong with the "supported" open-source software, then you may expect a certain level of "support". Full-stop.

That generally entails an SLA that says your issue will be reacted to within N time of opening the issue, which might be nuanced by the tier level of support purchased. That you are provided access to documentation, or even the source code itself. You might be provided with best-effort support by an agent, which is limited to resolving documented defects, or configuration, or acknowledging standing bugs which cannot be resolved.

What you cannot expect is that the software is updated in accordance with the support incident. For that, send patches, or pay somebody to send patches.