[ManBeardPc]

Big parts of the legislation are good and long overdue. The big problem is that this effectively also includes many free/open-source software projects, as the definition for what constitutes "commercial" or "commercial-grade" is very broad. You host a FOSS library on Github that can/is used by others? Congrats, you now have to fulfil all requirements. Look for "Update on the European Cyber Resilience Act" by the Eclipse Foundation on YouTube for infos.

[jahav]

There is some hope for individual developers in EP amended version https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COM... article 10c: > Developers contributing individually to free and open-source projects should not be subject to obligations pursuant to this Regulation.

Actually it’s an improved version. Hopefully it will make it through consolidation with EC version.

[ManBeardPc]

Thank you for providing that, didn't knew about that amended version. This only includes individual developers though and if you are employed this is already a problem again: (10a) "[...]Similarly, where the main contributors to free and open-source projects are developers employed by commercial entities and when such developers or the employer can exercise control as to which modifications are accepted in the code base, the project should generally be considered to be of a commercial nature." A small step in the right direction, but not quite there yet. Companies that want to just release (old) projects would also be more hesitant now. Recurring donations from companies would also contaminate the project.

[jahav]

That is one of them, here is the second version with different amendedments by European Council: https://data.consilium.europa.eu/doc/document/ST-11726-2023-...

They are now hashing out a final consolidated version in a trialogue.

[shadowgovt]

But if they don't include free/OSS projects, then commercial companies sponsoring FLOSS is an obvious way to launder liability, is it not?

[ManBeardPc]

Sure, that is something that has to be avoided. The problem is that "commercial" is so broadly defined that basically everyone is covered, even non-profit organizations or single developers. A lot of those that want to release open-source stuff suddenly have to comply with all the requirements, which means having to spend a lot of time or money that non-commercial entities often don't have. This effectively kills nearly all of open-source in the EU. A sibling response mentions some improvements, but it still contains stuff like: (10a) "[...]Similarly, where the main contributors to free and open-source projects are developers employed by commercial entities and when such developers or the employer can exercise control as to which modifications are accepted in the code base, the project should generally be considered to be of a commercial nature."

[davorak]

Does not seem like it would, the company would still be responsible for their choice of open source software, that is how I would assume it would work at least.

[awwaiid]

Sounds like a feature rather than a bug!

[whalesalad]

Get ready for the next evolution of “this website is not available in your country” except it’ll be GitHub repos, huggingface models, etc. The internet became worse with the gdpr/cookie warning stuff and this will continue that trend.

Insane tbh. EU is all about safety to the extreme and it’s nauseating. Pretty soon you won’t be able to fart there without getting a permit and sign off from some kind of council.