|
|
|
|
|
|
by thayne
1068 days ago
|
|
|
The requirement to provide a postal address is pretty bad if you are an individual developer, or a decentralized organization without an office. And the "if applicable" part is kind of vague. For just one example, is it applicable for a database to have built in support for encryption at rest? Or is it sufficient to depend on the user setting up an encrypted filesystem? 1.3 is a reasonable list for a complete system, but less so for individual components. Some of those items, such as authentication, event monitoring, and high availability, are frequently "enterprise" features for open core projects. I'm not sure what the impact of that would be. Maybe companies will start including those in the opens offerings, or maybe we'll see those projects become completely proprietary. And a lot of open source projects do the "serious stuff" described on pages 5 and 6. Some of which accept donations but have very small teams. I don't think putting this burden entirely on the developers of open source projects is the right way to do it. I agree with the spirit of this, but think the implementation has some serious problems. I feel much the same way about GDPR. |
|
|
In Germany/Austria, everyone with a blog must give their address in an Imprint (see the bottom of http://armin.ronacher.eu/#contact , for example). In Sweden, everyone's address is in a public register (see https://www.hitta.se/ , for example). In other words, Americans may find this mildly intrusive from a privacy perspective, but in Europe it's common to know who are you dealing with. Often, I check what country a SaaS company is based in before signing up and get quite uncomfortable when neither the Privacy Policy nor the ToS pages mention even the country let alone an address.
> decentralized organization without an office
I think there were quite specific remarks that dev teams that don't have central management or at least leadership, will not be part of this regulation, e.g. Mastodon devs.
> And the "if applicable" part is kind of vague.
Yes, I agree with you that those points especially are a bit stressful because we don't know precise bounds. Precise bounds, however, tend to make any tech law obsolete very quickly. We had a similar panic with GDPR and now everything has settled rather nicely (in my opinion).
> 1.3 is a reasonable list for a complete system, but less so for individual components.
I think this is precisely why "if applicable" is there. You would just write "not applicable (this is a software component for use in a larger software product)". At least, that's what I plan to do.
> Some of those items, such as authentication, event monitoring, and high availability, are frequently "enterprise" features for open core projects. I'm not sure what the impact of that would be. Maybe companies will start including those in the opens offerings, or maybe we'll see those projects become completely proprietary.
I think this is the point where EU is saying "enough is enough". Just like GDPR largely "cancelled" the business model "if you are not paying for the product, you are the product", I think CRA demands that open core projects get crippled in any way companies want except for security. And while I see how it will be painful for some companies, I also understand the hard regulatory line EU has taken here.
> And a lot of open source projects do the "serious stuff" described on pages 5 and 6. Some of which accept donations but have very small teams.
Again, I think EU is saying "enough is enough". We can't have our most essential systems be vulnerable just because they are maintained by an unpaid dev in Nebraska ( https://xkcd.com/2347/ ). EU is essentially forcing the businesses to donate enough money to audit those allegedly crucial pieces of software or have those projects close down. However, I want to note that companies running such critical software would have to audit it whether it's OSS or not. Therefore, I think that for critical projects like Wireguard or libsodium, there will be enough corp sponsors to split (!) the costs of an audit. Because otherwise, each company using Wireguard will have to pay the same costs to repeat an audit over and over again.
And to be clear, simply refusing donations will not get the project out of CRA compliance. I think this is FUD being spread here. If a project is usable "in the course of a commercial activity" and gets regular releases, it will have to comply with CRA. One example I could think of is apache2. It is used by millions of business websites and even if the core devs don't accept donations, it's still a software clearly usable "in the course of a commercial activity".