[kube-system]

All software is simple enough to regulate. You don't have to micromanage every single line someone writes to regulate something. The way most professional regulations work is that someone writes down the safety practices that should be done, and then the law requires people to do those things.

For example, one might require some software to undergo various degrees of planning, testing, analysis, support, documentation, etc.

Right now, the amount of planning, testing, analysis, support, and documentation required by law is generally zero. This might be fine for someone's hobby project, but it is not okay for software that human lives depend on.

[jocoda]

> ...for software that human lives depend on.

who decides, and how?

[kube-system]

For every other technology regulated this way, this is determined at the end application.

How does someone know that a particular application is something lives depend on? Either your lawyer, insurance company, or regulator explicitly tells you.

[davorak]

> How does someone know that a particular application is something lives depend on? Either your lawyer, insurance company, or regulator explicitly tells you.

To make an analogy to the physical world. We have a company, B, that makes bolts, they publishes the characteristics of that bolt but do not certify it for any particular use.

Company C makes cars and decides to use bolts form company B. It turns out that is not a good choice since company B bolts do not have the characteristics that are need to use in a car.

The CRA from the a simple reading used in the discussions here[1], holds company B responsible for company C using the bolts in a way where peoples lives depend on it.

This sort of reuse can be much more common in software than it is bolts for example and just like company B did not control how company C used their product after buying it open source developers do not control how others use there software but CRA might make them liable for it.

This does not make sense to me, company C should be liable for their choice of bolt, company B should be liable for any false or incorrect claims for the characteristics of their bolt. Company B should not be held liable for the misuse of their bolt by company C which is what the CRA seems to do.

[1] https://news.ycombinator.com/item?id=38788919

[kube-system]

> company C should be liable for their choice of bolt, company B should be liable for any false or incorrect claims for the characteristics of their bolt

I agree with what you're saying. I don't have enough of knowledge of EU law or the full text of the CRA to make a judgement about it specifically. I was just sharing my point of view on software regulation generally.

> Company B should not be held liable for the misuse of their bolt by company C

Putting aside this specific analogy, but on this topic: I do generally think that implied warranties are a good thing, and I don't think it should be legal to disclaim them in all scenarios. Most other professionals are held to professional liability standards, and it is expected that they follow certain basic standards when they practice.

Consider basic best practices, like testing and documentation. It probably is fine if a hobby video game developer doesn't do these things, but if you are putting out software that claims to be intended for "enterprise" or "commercial" use, it is certainly reasonable for others to expect that this software is "fit for this particular purpose", and was built with good software engineering methodology.

I do think it shouldn't be permissible to hide behind a shrink-wrap liability disclaimer when publishing software claimed to be of "commercial" or "enterprise" quality that doesn't even meet basic standard of rigor.

What software really needs right now is a standardized way to measure development quality, and some legal guardrails around standards for dependency management.

[davorak]

> I do think it shouldn't be permissible to hide behind a shrink-wrap liability disclaimer when publishing software claimed to be of "commercial" or "enterprise" quality that doesn't even meet basic standard of rigor.

I am not sure that "commercial" or "enterprise" implies anything in terms of quality or should. "enterprise" for example is defined as "Enterprise software, or enterprise application software, is computer software used by organizations rather than individual users." by the following aws page[1].

Aerospace software already has to follow aerospace regulations, medical software already has to meet medical regulations.

Holding a company responsible for selling software with implicit claims but a liability disclaimer makes sense to me. Clarity in contracts, advertisements, terms of service, and similar makes sense. The CRA currently seem to to hold non commercial entities or individuals who are not making claims and explicitly going out of their way to disclaim liability responsible. That does not make sense to me and seems counter productive to the goal of safe software as well as a productive economy.

[1] https://aws.amazon.com/what-is/enterprise-software/