
Debian statement on the Cyber Resilience Act

source link: https://lwn.net/Articles/956187/


[Posted December 27, 2023 by corbet]
The Debian project has completed a general-resolution vote, adopting a statement expressing concern about the Cyber Resilience Act (CRA) pending in the European Union.
Even if only "commercial activities" are in the scope of CRA, the Free Software community - and as a consequence, everybody - will lose a lot of small projects. CRA will force many small enterprises and most probably all self-employed developers out of business because they simply cannot fulfill the requirements imposed by CRA. Debian and other Linux distributions depend on their work. If accepted as it is, CRA will undermine not only an established community but also a thriving market. CRA needs an exemption for small businesses and, at the very least, solo-entrepreneurs.


Debian statement on the Cyber Resilience Act

Posted Dec 27, 2023 19:19 UTC (Wed) by darwi (subscriber, #131202) [Link]

Can someone with some expertise on the topic shed some light on how this can be "dangerous" for solo (or small-business sponsored) open-source contributors?

AFAIK, all the popular open-source licenses claim zero liability. It is usually companies that ship a product (e.g. a router company shipping the Linux kernel), or that utilize a project in a commercial activity (e.g. a bank using Apache's Java frameworks), who are the target of such legislation.

Will the proposed legislation override that and force-expand the liability further?

Debian statement on the Cyber Resilience Act

Posted Dec 27, 2023 19:32 UTC (Wed) by bluca (subscriber, #118303) [Link]

It is not, in any way. It's very unfortunate to see such anarcho-capitalist FUD being voted as the preferred option, on such a low turnout. I put forward a more balanced alternative (option B in the ballot) but it came short by 5 votes, sadly.

Debian statement on the Cyber Resilience Act

Posted Dec 27, 2023 19:58 UTC (Wed) by pizza (subscriber, #46) [Link]

> AFAIK, all the popular open-source licenses claim zero liability.

Simply put, laws override licenses.

For example, the GPL text explicitly acknowledges this in section 15 ("THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.") and section 16 ("IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW [...] WILL ANY COPYRIGHT HOLDER [...] BE LIABLE TO YOU FOR DAMAGES [...]").

The CRA, even in its current drafts, broadly exempts F/OSS authors... unless they are engaged in some sort of commercial activity. Said "commercial activity" is very broadly defined, and explicitly includes stuff like being paid to work on the software as part of $dayjob or accepting money to provide support.

> Will the proposed legislation override that and force-expand the liability further?

That's the near-universal consensus.

Debian statement on the Cyber Resilience Act

Posted Dec 27, 2023 20:34 UTC (Wed) by nickodell (subscriber, #125165) [Link]

For public policy reasons, there are kinds of liability that you can't disclaim within a private contract. For example, you can't write an employment contract that says that the parties agree not to sue each other over labor law violations. The point of these laws is to provide employees with rights that they can't obtain through negotiation. Allowing employees to give those rights up would defeat the point of the law.

Similarly, the point of the CRA is that the private market isn't providing sufficiently secure software. If a software creator can write a software license that says "we disclaim all CRA liability," it would defeat the point of the CRA. Every company would make a one line change to their EULA, and we'd be back to the status quo.

For that reason, I think it is unlikely that any liability limitation will be held to be enforceable in the context of the CRA. You could still argue that the project is non-commercial, but there are grey areas there, as the statement notes.

Debian statement on the Cyber Resilience Act

Posted Dec 27, 2023 20:01 UTC (Wed) by Subsentient (subscriber, #142918) [Link]

You all act as if the damage to open source is accidental.
There are parties with a strong incentive to harm FOSS deliberately.

Paired with eIDAS 2.0/Article 45, this is effective at destroying online privacy by sabotaging encryption, forcing the trust of government-compromised certificates, making open source, secure alternatives too painful to trust with red tape, especially in a corporate environment, and discouraging non-corporate (e.g. not as likely to cooperate with mass surveillance) development of tools such as messengers etc.

Welcome to the future. They've turned your computer into your warden.
