by earthnail
3 days ago
Sounds like plausible clauses to me? Please explain why they are so toxic. What cases are there where these clauses present an unfair threat or disadvantage to a business? In case it is unclear from my tone, I am genuinely curious.
- CRA mandates vulnerability patches for products. This puts undue burden on manufacturers whose products are out of the production cycle. Basically the EU wants updates for products no longer manufactured.
- PLD requires fixes for products deemed to have critical vulnerabilities, again, if the product is not manufactured anymore, why should the manufacturer have to support who knows what old software?
Then, for OSS it is even worse: you have a pet project, you give it away for free, it has success, you want to sell a paid version of it. Automatically you're on the hook for vulnerability fixing. Which takes time. And if you're in the early stages of maybe selling a few copies here and there, the time spent fixing stuff will outweigh any winnings.
Then again, with "you're on the hook if you ship commercial products using some OSS components" - either no one ships OSS packages with their commercial software given the advent of coding agents that can replicate OSS software functionality, or there will be a ton of forks, with vendors claiming they fixed the problem in their own way.
With all this said, then the EU has the nerve to come and say "use OSS" because freedom and BS.