[smarx007]

All right, now that someone downvoted you (not me), I feel a mild obligation to respond.

Regarding the ad hominem part, I invite you to watch https://www.youtube.com/watch?v=Gv2I7qTux7g to understand why I think our industry needs to elevate the level of our craft. And also please take a look at the actual requirements CRA puts on devs in https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-... (pages 2 and 3 – yes, just those two pages* plus requirements on documentation on page 8, which could be a bit more annoying than the requirements on pp. 2 and 3). I hope you will find them reasonable for the most part.

Regarding GDPR, I am indeed sad that so many people interpret it incorrectly. This happens in part due to the influence of various groups, as you say. I invite you to read the blog of https://noyb.eu/en to understand the spirit of GDPR (indeed, there is a thing called "data minimization" that could be the reason you find it difficult to collect more data without a solid justification; in a fun twist, §1(3)(e) of the CRA annex also mentions data minimization) and see that the progress is made slowly yet steadily. If you noticed big websites recently show the option to deny tracking cookies directly instead of "manage cookies", you got these folks to thank ( https://noyb.eu/en/where-did-all-reject-buttons-come ). BTW, I donate to them and think they are doing awesome work.

* unless you are doing "serious stuff" (TM) as described on pages 5 and 6.

[thayne]

The requirement to provide a postal address is pretty bad if you are an individual developer, or a decentralized organization without an office.

And the "if applicable" part is kind of vague. For just one example, is it applicable for a database to have built in support for encryption at rest? Or is it sufficient to depend on the user setting up an encrypted filesystem? 1.3 is a reasonable list for a complete system, but less so for individual components. Some of those items, such as authentication, event monitoring, and high availability, are frequently "enterprise" features for open core projects. I'm not sure what the impact of that would be. Maybe companies will start including those in the opens offerings, or maybe we'll see those projects become completely proprietary.

And a lot of open source projects do the "serious stuff" described on pages 5 and 6. Some of which accept donations but have very small teams.

I don't think putting this burden entirely on the developers of open source projects is the right way to do it. I agree with the spirit of this, but think the implementation has some serious problems. I feel much the same way about GDPR.

[smarx007]

> The requirement to provide a postal address is pretty bad

In Germany/Austria, everyone with a blog must give their address in an Imprint (see the bottom of http://armin.ronacher.eu/#contact , for example). In Sweden, everyone's address is in a public register (see https://www.hitta.se/ , for example). In other words, Americans may find this mildly intrusive from a privacy perspective, but in Europe it's common to know who are you dealing with. Often, I check what country a SaaS company is based in before signing up and get quite uncomfortable when neither the Privacy Policy nor the ToS pages mention even the country let alone an address.

> decentralized organization without an office

I think there were quite specific remarks that dev teams that don't have central management or at least leadership, will not be part of this regulation, e.g. Mastodon devs.

> And the "if applicable" part is kind of vague.

Yes, I agree with you that those points especially are a bit stressful because we don't know precise bounds. Precise bounds, however, tend to make any tech law obsolete very quickly. We had a similar panic with GDPR and now everything has settled rather nicely (in my opinion).

> 1.3 is a reasonable list for a complete system, but less so for individual components.

I think this is precisely why "if applicable" is there. You would just write "not applicable (this is a software component for use in a larger software product)". At least, that's what I plan to do.

> Some of those items, such as authentication, event monitoring, and high availability, are frequently "enterprise" features for open core projects. I'm not sure what the impact of that would be. Maybe companies will start including those in the opens offerings, or maybe we'll see those projects become completely proprietary.

I think this is the point where EU is saying "enough is enough". Just like GDPR largely "cancelled" the business model "if you are not paying for the product, you are the product", I think CRA demands that open core projects get crippled in any way companies want except for security. And while I see how it will be painful for some companies, I also understand the hard regulatory line EU has taken here.

> And a lot of open source projects do the "serious stuff" described on pages 5 and 6. Some of which accept donations but have very small teams.

Again, I think EU is saying "enough is enough". We can't have our most essential systems be vulnerable just because they are maintained by an unpaid dev in Nebraska ( https://xkcd.com/2347/ ). EU is essentially forcing the businesses to donate enough money to audit those allegedly crucial pieces of software or have those projects close down. However, I want to note that companies running such critical software would have to audit it whether it's OSS or not. Therefore, I think that for critical projects like Wireguard or libsodium, there will be enough corp sponsors to split (!) the costs of an audit. Because otherwise, each company using Wireguard will have to pay the same costs to repeat an audit over and over again.

And to be clear, simply refusing donations will not get the project out of CRA compliance. I think this is FUD being spread here. If a project is usable "in the course of a commercial activity" and gets regular releases, it will have to comply with CRA. One example I could think of is apache2. It is used by millions of business websites and even if the core devs don't accept donations, it's still a software clearly usable "in the course of a commercial activity".

[Kye]

>> "In other words, Americans may find this midly intrusive from a privacy perspective, but in Europe it's common to know who are you dealing with."

It's not intrusive, it's dangerous. I know it's popular to say the US is different where those differences don't account for why things aren't done, but this is one of the exceptions. We don't really have much in the way of protections, so it only takes a few pieces of information to find everything out about someone. Address is one of those. That's useful for creeps, snoops, identity thieves, stalkers, and other unscrupulous characters.

Also, SWATting. I really don't want someone to be able to easily find my address to send a murder squad to because I said/did something they don't like. We also have more guns than people, so someone with sufficient disconnect from reason might skip calling the police and take matters into their own hands.

[sam_lowry_]

This is where I find myself agreeing with smarx007.

I ran a community website with hundreds of active and tens of thousands of irregular visitors for 20 years. I received regular death threats and all kinds of insults, my address could be found online with some effort, but none ever showed at my doorstep over these years to claim what is due.

The only mild dorrstep clash I had was with a disgruntled husband of the babysitter we fired on the spot. A totally offline affair.

Dunno about USA, but a properly functioning society does not need PO boxes nor fences.

And the only peeple working hard to take down the UBO register are Putin's cronies (this is no exageration, google for Patrick Hansen)

[thayne]

> We can't have our most essential systems be vulnerable just because they are maintained by an unpaid dev in Nebraska

I don't disagree with that. But I don't think saying that one dev in Nebraska has to pay for security audits, or at least convince companies who use their project to pay for it and take charge of coordinating that effort, is the right way to solve the problem. I suspect that this will result in some projects distancing themselves from the EU, and have a chilling effect on new OSS projects in these areas, especially inside the EU.