Will the Cyber Resilience Act kill open source?

panCatQ@lib.lgbt to Open Source@lemmy.ml – 98 points –
Cyber Resilience Act - Wikipedia
en.m.wikipedia.org

Since the EU is bringing in an act that needs the products distributed to be flawless, and it applies to open source products too if a single one of their contributors/donors works for a corporation, what will be the future of FOSS in Europe with this?

34

For all the people not reading the actual law, this is the actual language of the proposal:

In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

IMO the problem OP mentions does not really exist. You can work for a corp while working on the product, your FOSS project can take donations even from corps, the only thing you can't do is monetize your FOSS product without caring for security.

Nick from The Linux Experiment YouTube channel made a video recently talking about that; for him and for me it's clear that this quote:

software developed or supplied outside the course of a commercial activity should not be covered by this Regulation

means that any open source that gets any work from paid personnel from a company interested in the project in any commercial activity is covered by the regulation.

Here is the timestamp of his argument, I'm not from EU so I have no idea how this kind of idea could be implemented, but the text seems clear to me and seems bad.

If that is the case projects would be obligated to reject contributions from any companies.

The law also keeps it vague enough that it says "employed individual", so they could be waiting tables and this will still apply!!

Companies need to conduct cyber risk assessments before a product is put on the market and throughout its lifecycle effectively manage its vulnerabilities, regularly test it, and so on. Products assessed as 'critical' will need to undergo external audits.

I have not read the proposal. Legal language makes me want to rip my own eyes off.

The only winners I see are those security auditors and similar providers.

Privative corpos from the USA and China will arrive with all "security assessments" and "auditions" in place, and still have backdoors lol

They prepared a list of software that needs mandatory audit, like browsers and all!

I wonder, if I am developing an app for Lemmy and I am based in the EU, am I obligated to get an external vulnerability audit done, or pay a 15 million euro fine, since I am working for a corporation with a full-time job?

Without having read any part of this act I'd assume you having a job and you developing an open source app are two separate things unless your job involves developing that open source app.

The number of responses here saying they haven't read up on it but...

I read several different drafts I could find since writing that comment and although it's all written somewhat vaguely in general, OP's point isn't in any draft I read.

Well, if I am developing a product and I work for a corp, or if my project is getting donations from a corp, it will be considered a commercial project; it does not need me to be working on that product as part of my work!!

No, those are separate. It's about open source projects that have developers working on it in their free time (not getting paid for it) and developers who get paid for it. You having a job as a software developer and working on a project outside your work time doesn't make it a "commercial activity".

Just read the act then! It keeps it vague enough that a person working in their free time will be considered a commercial product.

Please watch the video above !

What's the gist? I hate video articles

Basically, a FOSS product is not exempted if an employee (does not need to be a tech employee) contributes to a FOSS product, or if a company donates to them! So even npm packages by individual coders who are employed, say, by Domino's need to take an audit and deliver vulnerability-free code.

It's been a while since I last read about it, but I thought they made some exemptions so FOSS wouldn't suffer too much. One can only hope they did!

They consider FOSS products out of this requirement only when the contributors are volunteers who are not working or are not employed by a company!! Or get a corporate donation; if even one person contributing to the project is a corporate employee they need to go with the crazy rules they have laid!!

This is what Claude2 (with 100K context window) has to say about your comment, after I supplied him with the entire proposal of the regulation: Based on my understanding of the Cyber Resilience Act, I don't think that assessment is entirely accurate. The key factor is whether the open source software is placed on the market in the course of commercial activity, not the employment status of individual contributors.

The regulation explicitly excludes open source software developed or supplied outside of commercial activity. As I mentioned before, this means pure community-driven projects where the software is freely shared and open should not fall under the requirements.

It does not matter if some contributors are corporate employees, as long as they contribute to a non-commercial community project in their personal capacity. For example, if a developer who works for Company X contributes code to Project Y in their free time, that alone would not make Project Y commercial.

The regulation would likely apply if a company systematically develops open source software as part of their business model. But just having corporate contributors among many community members would not automatically trigger the rules.

Overall, I think the regulation aims to avoid putting burdens on pure community open source projects, as long as the software is not placed on the market commercially. But the details of implementation will be important to watch to ensure a proper balance is struck.

Well, the attempts they made are more like a drop in the ocean! I still don't understand how FOSS, in the EU at least, will survive this disaster, while most corps, which just use FOSS software anyway, will flourish!

While I see how a law like that would create insecurities in the FOSS world, I trust that it will not be abused to shut down FOSS projects, as some of the largest EU members like France and Germany are relying heavily on Open Source software. I believe this to be the reason why this cumbersome exception was formulated in the first place.

However it could mean that the blurry line between commercial software and FOSS software could become a clear cut and FOSS projects that provide paid versions of their software could be forced to comply or go back to relying on donations.

tl;dr: I don't think it will kill FOSS per se. Potentially it will become more difficult to monetize FOSS apart from donations.

Lucky for me I don't give a shit what the EU thinks

I think the EU is the only reason why the internet is not full dystopian and shit

You mean the web, not the internet. And no, they're not the only reason, they just help facilitate consumer protection in ways that happen to be mutually beneficial—not motivated by altruism. There are a lot of people who work a lot harder than the EU, often for free, who are much more responsible for the web and the internet itself being in a decent state and being worth caring about.

No, the internet. The multiplayer game that I play does not have anything to do with the web but still needs to comply with GDPR; every service sold or serviced in the EU needs to comply with the GDPR.

Coz what? GDPR? If they have good intentions they need to see the Web Integrity API!
