by croes 1163 days ago
You offer support for your open source software, so it's commercial open source. Someone else uses your software in his software without your knowledge, and he doesn't pay and doesn't want support.

He doesn't update his version of your software and this leads to a security issue.

Are you liable?

2 comments

Obviously not. Why would you think so? You're only liable for the software shared under a support agreement.

I feel people really try to pick the worst possible interpretation of these laws just so they can hate on the EU.

No, it’s people who possibly even agree with the intention of this wanting the letter of the law to be as clear as possible — so that a hypothetical uninformed judge a few years down the road has less wiggle room for a bad decision. (Also note that in some European law traditions, written law is more important than case law.)

But the whole point of the CRA is to increase cybersecurity even without a support agreement. E.g. every device to receive 5 years of security support.

Unfortunately, lawyers (et al.) will similarly pick the worst possible interpretation of a law as needed to win a case.

> free and open-source software developed or supplied outside the course of a commercial activity

What is software in this case? The open source software you developed as such, or only the installations you sold support for?

No. Liability only arises if someone is paying you and you give them assurances that PyThing is fit for a particular purpose or behaves a particular way.

> free and open-source software developed or supplied outside the course of a commercial activity

This part isn't clear enough to confirm your assumption.

It could mean the software instance installed by your support customer; it could mean the software as such that you intend to sell support for, no matter if you really get paid for support or not.