
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Mon, 13 Nov 2023 at 12:31, Luca Boccassi <bluca@debian.org> wrote:

> I am *not* objecting to Debian taking such a vote and expressing the stance intended. However, I expect that it will be seen by the EU legislators with mild amusement, because in their context and understanding the legislative proposal already contains all the necessary protections for open source and free software development processes. However, if a company (say Amazon or MySQL) takes an open source product and provides a commercial service based on that product, then they are expected to also provide security updates, vulnerability notifications and other relevant services to their customers. Which is also an intended consequence of the legislation.
>
> The EU puts the interests of the consumers and of the community above commercial interests. Even commercial interests of small businesses. Allowing small businesses to "pollute" the digital environment with insecure or unmaintained software just because they are small businesses makes no sense from a European perspective.

Indeed. This is good legislation, and the parts you quoted make it
exceedingly obvious that the legislators in fact do care about not
hampering open source development. It would be very, very strange and
self-defeating for the project to come out against this, as the next
time around (because if this doesn't pass, something else will -
software security in commercial products is too important to leave the
current far-west as-is) we might not be so lucky.

By now the EU is actually quite used to dealing with volunteer projects and open source projects in general. So they would not
be surprised in the slightest. And I do not believe it would tarnish the image of Debian.

A lot of the same comments *were* communicated to EU Commission and EU Parliament by
IT industry associations, which employ lawyers that track such things and analyse possible impacts, including towards open
source software, because that is a solid backbone of the modern digital economy (their words, not mine). And there were
indeed many bugs in earlier revisions of these texts that would have made a bad impact if implemented as written.

The EU listens *very* well to national IT associations of the member states for feedback on such matters and open source experts
are very well represented in those. Opinions of IT people from outside of the EU are usually not considered to be relevant. As in
not adding anything new that the EU experts have not already considered.

Volunteer open source projects are seen as ... not being able to invest sufficient legal understanding into the topics to be able
to contribute to the discussion meaningfully *and* keep up with the nuanced changes in the proposals over time.

But umbrella organisations, like the EFF, are better positioned for this.
See: https://www.eff.org/deeplinks/2023/10/eff-and-other-experts-join-pointing-out-pitfalls-proposed-eu-cyber-resilience-act
Note how the open source language has become very much softened and nuanced after changes in the
proposal removed most of the bugs that would have affected open source previously.

--
Best regards,
    Aigars Mahinovs
