Debian statement on the Cyber Resilience Act
source link: https://lwn.net/Articles/956187/
Debian statement on the Cyber Resilience Act
Even if only "commercial activities" are in the scope of CRA, the Free Software community - and as a consequence, everybody - will lose a lot of small projects. CRA will force many small enterprises and most probably all self-employed developers out of business because they simply cannot fulfill the requirements imposed by CRA. Debian and other Linux distributions depend on their work. If accepted as it is, CRA will undermine not only an established community but also a thriving market. CRA needs an exemption for small businesses and, at the very least, solo-entrepreneurs.
Debian statement on the Cyber Resilience Act
Posted Dec 27, 2023 19:19 UTC (Wed) by darwi (subscriber, #131202)
AFAIK, all the popular open-source licenses claim zero liability. It is usually companies which ship a product (e.g. a router company shipping the Linux kernel), or utilize a project in a commercial activity (e.g. a bank using Apache's Java frameworks), who are usually the target of such legislation.
Will the proposed legislation override that and force-expand the liability further?
Debian statement on the Cyber Resilience Act
Posted Dec 27, 2023 19:32 UTC (Wed) by bluca (subscriber, #118303)
Debian statement on the Cyber Resilience Act
Posted Dec 27, 2023 19:58 UTC (Wed) by pizza (subscriber, #46)
Simply put, laws override licenses.
For example, the GPL text explicitly acknowledges this in section 15 ("THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.") and section 16 ("IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW [...] WILL ANY COPYRIGHT HOLDER [...] BE LIABLE TO YOU FOR DAMAGES [...]").
The CRA, even in its current drafts, broadly exempts F/OSS authors... unless they are engaged in some sort of commercial activity. Said "commercial activity" is very broadly defined, and explicitly includes stuff like being paid to work on the software as part of $dayjob or accepting money to provide support.
> Will the proposed legislation override that and force-expand the liability further?
That's the near-universal consensus.
Debian statement on the Cyber Resilience Act
Posted Dec 27, 2023 20:34 UTC (Wed) by nickodell (subscriber, #125165)
Similarly, the point of the CRA is that the private market isn't providing sufficiently secure software. If a software creator can write a software license that says "we disclaim all CRA liability," it would defeat the point of the CRA. Every company would make a one line change to their EULA, and we'd be back to the status quo.
For that reason, I think it is unlikely that any liability limitation will be held to be enforceable in the context of the CRA. You could still argue that the project is non-commercial, but there are grey areas there, as the statement notes.
Debian statement on the Cyber Resilience Act
Posted Dec 27, 2023 20:01 UTC (Wed) by Subsentient (subscriber, #142918)
There are parties with a strong incentive to harm FOSS deliberately.
Paired with eIDAS 2.0/Article 45, this is effective at destroying online privacy by sabotaging encryption, forcing the trust of government-compromised certificates, making open source, secure alternatives too painful to trust with red tape, especially in a corporate environment, and discouraging non-corporate (e.g. not as likely to cooperate with mass surveillance) development of tools such as messengers etc.
Welcome to the future. They've turned your computer into your warden.