[galdor]

In kitchens as in plumbings:

- There are rules, and clear established practices that allow you to follow these rules. In software the rabbit hole goes so deep that your average developer cannot even be aware of all the risks.

- You do not have to rely on millions of lines of code you have no control on.

As a simple example, if you are using network communications, you are probably using OpenSSL, GnuTLS or one of the few other TLS implementations. All of them have regular security issues, and simply selling support on an Open Source software you built using one of them will make you liable for these issues. There is no choice: you need TLS, and you're not going to implement it yourself. What are you supposed to do?

The fact that a solo developer selling 100€/month of support is treated the same way than a billion dollar company demonstrates the complete insanity of this act.

[Lariscus]

Most regulations work like that. For example, just because you are cooking in a food truck does not exempt you from basic hygiene requirements. Also CRA will not put you into hot water because of a vulnerability in your dependencies. You may get in trouble if you refuse to provide a security update during the lifetime of your software product.

[hyperman1]

For some reason I can't seem to open the text right now, but from my previous reading I remember a smaller variant of annex V for small businesses. So the solo dev is not treated the same.

As I read it, and with the caveat that the exact requirements are not yet determined: You will need a SBOM stating you use openssl, and how you plan to update openssl if it contains security bugs.

Update: found it, paragraph 46a: In relation to small and micro enterprises, in order to ensure proportionality, it is appropriate to alleviate administrative costs without [...]

[EMIRELADERO]

> The fact that a solo developer selling 100€/month of support is treated the same way than a billion dollar company demonstrates the complete insanity of this act.

But they're not treated the same way. Both by the law itself and the standards courts and regulatory agencies use throught Europe.

[galdor]

The text of this act treat them the same way unless I'm missing something (feel free to point me the text saying otherwise). A sane legal text would put in place thresholds with different levels of expectations and liability depending on the size of the company, who you are selling to (companies or individuals) and its revenues, respecting the principle of proportionality.

[EMIRELADERO]

The principle of proportionality is a mandate of courts and regulatory agencies too. You're implying that they would act in bad faith by putting all their might on small/one-person businesses, while it's just not the case with EU bodies.