by spwa4 604 days ago
So in order to use any open-source software you must commit to fix security bugs and accept liability? And software users will actually do this?

It would raise the cost of open source software a lot if you do this, and the cost of all other software. This seems very unlikely to actually happen. By which I mean, government and commercial users seem to me very, very unlikely to be willing to pay for this when they could just as well just use software from outside the EU, and this will just really suck for EU software developers and companies.

1 comment

Not to use it but to sell it commercially (apparently except for "professional use" in the current iteration).

And that isn't really as outlandish as you make it (maybe inadvertently) sound.

If a wheel falls off of your car because the foundry that made the steel for the screws got their recipe wrong, initially the whole liability is on the car manufacturer and they have to fix that.

For you as a customer it stops there.

The manufacturer may (if their contract permits) try to get some money back from the screw factory, and they in turn from the steel mill, etc. If someone goes bankrupt along the supply chain, tough luck for the one up the chain.

So car manufacturers (and their suppliers) are really motivated to QA their parts because recalls are expensive and they may not even get back everything or anything.

You can't blame the universe for putting the wrong ore composition into the ground. You can only blame the people who failed to do proper checks on the way.

Software may follow a similar trajectory, with open source being the ore in the ground. You must take reasonable (see directive) steps to prevent that (e.g. good development practices, updates, reacting to CVEs, etc.).

It's really nothing fundamentally new.

> You can't blame the universe for putting the wrong ore composition into the ground. You can only blame the people who failed to do proper checks on the way.

Almost all mining companies in the EU are government-sponsored or owned (or, more often, owned by politicians or royal families, e.g. Total and (ex-)French presidents and ministers, or Shell and the Dutch Royal Family, which then "somehow" results in government support for them, often with suspiciously few people supporting the mining effort. You know, suspiciously little support, given that they're democracies).

Needless to say, I've not heard of these sorts of companies being convicted and made to fix damages they've caused. If anything is done, it's always the government offering to do it from taxes (e.g. a harbor upgrade in Le Havre demanding that the contracting company fix Total refinery pollution). Have you?

Cars are different because while the German and French states have HUGE interests in car manufacturing, none of the others have. So any car defect, depending on whether it's Renault or Mercedes/VW, turns into the EU siding with the German or French camp in the EU and either demanding the companies fix it, or demanding nothing happens. Italy tried participating in this game, but, well, we all know what happened. So car QA is indeed done, to avoid the year-long EU-wide diplomatic incidents a recall causes.

Or take the example of public works contractors. These tend to be temporary alliances (e.g. need a big bridge? A company is created by 5 contracting companies just for the explicit purpose of building THAT one bridge, THAT specific tunnel, THAT train station, ordering for pre-agreed amounts of dollars from the specific contractors). Sometimes this company keeps existing to provide maintenance afterwards. If shit hits the fan, which is often, the company immediately goes bankrupt and nobody from whatever government approved the bid is held responsible, nor are the 5 contractors, and whatever repair money there is comes from the government budget anyway.

So, how will it work for software? Because while your explanation sounds vaguely reasonable in theory, if you compare it to actual practice it becomes very unclear.

Is this created to make it impossible to have any kind of software company in the EU without government support, like for contractors? Is this made to be a threat or a weapon against American or Chinese companies?