by ExoticPearTree 15 days ago
I guess the hate is because the EU also invented the following monstrosities:

- CRA (cyber resiliency act): Manufacturers must handle and release security patches for vulnerabilities, and developers are required to report actively on exploited vulnerabilities and breaches.

- PLD (Product Liability Directive): A failure to provide critical security updates or the presence of exploitable vulnerabilities can now legally constitute a "defect" and if defective software causes physical harm or property damage, manufacturers are strictly liable and cannot contractually exclude or limit this liability.

And the kicker is this: Non-commercial open-source software is generally exempt from these commercial liability frameworks. However, if an open-source component is integrated into a commercial, for-profit product, the responsibility shifts to the corporate manufacturer.

So good luck making some money off your open source project where the risk outweighs any potential profit, or integrating an open source project into your commercial offering.


Sounds like plausible clauses to me? Please explain why they are so toxic. What cases are there where these clauses present an unfair threat or disadvantage to a business?

In case it is unclear from my tone, I am genuinely curious.

Here it goes:

- CRA mandates vulnerability patches for products. This puts undue burden on manufacturers whose products are out of the production cycle. Basically the EU wants updates for products no longer manufactured.

- PLD requires fixes for products deemed to have critical vulnerabilities, again, if the product is not manufactured anymore, why should the manufacturer have to support who knows what old software?

Then, for OSS it is even worse: you have a pet project, you give it away for free, it has success, you want to sell a paid version of it. Automatically you're on the hook for vulnerability fixing. Which takes time. And if you're in the early stages of maybe selling a few copies here and there, the time spent fixing stuff will outweigh any winnings.

Then again with "you're on the hook if you ship commercial products using some OSS components" - either no one ships OSS packages with their commercial software given the advent of coding agents that can replicate OSS software functionality, or there will be a ton of forks, with vendors claiming they fixed the problem in their own way.

With all this said, then the EU has the nerve to come and say "use OSS" because freedom and BS.

All of this makes perfect sense
There was so much more they could do... like 25 years before requiring detachable batteries, they should have required selling the OS separately.
IIRC Microsoft has a no liability clause in its licenses. How did they react to this?
? Usually the clauses aren't valid from the contracts and you can sue Microsoft in court. What did you expect?
What is your point again? All of the above sounds perfectly fine to me.