
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"



>>>>> "Bart" == Bart Martens <bartm@debian.org> writes:

    Bart> On Wed, Nov 15, 2023 at 02:52:31PM +0100, Lucas Nussbaum wrote:
    >> I wonder if we should have something like "Free software
    >> development by nonprofit organizations" somewhere.

    Bart> Are we now drawing a line between profit and nonprofit? In my
    Bart> view, with Free Software it should not matter who produces,
    Bart> publishes or uses the software, in commercial or nonprofit
    Bart> context. That is, in my view, an essential element of the
    Bart> continuous growth and success of Free Software. This should be
    Bart> the main message if Debian would make a public statement in
    Bart> this context. Debian should not try to fix the EU text by
    Bart> defining which categories of contributors are to be
    Bart> protected. On the contrary, we should aim at keeping the
    Bart> existing freedoms for anyone alike, including commercial
    Bart> companies. That is also publishing open source software under
    Bart> licenses with the usual disclaimers of liabilities.

I think that when your practices can be best described as monetizing
your customers, or monetizing the users of your open-source software,
then you have extended beyond the free-software ethos, and I think
commercial liability makes sense.

So let's consider some situations.

* A commercial company writes free software.  Should they have liability
  to someone who grabs that software and uses it unrelated to that company's
  business, and they never make money from that person?  Example: A large
  company makes a useful library that they and others use; the library
  is ancillary to their business; they do not provide support for the
  library.
  I'd generally say that the commercial company is writing free software
  and I agree that Debian should support the idea they should have all
  the protections of anyone writing free software.

* A commercial company writes free-software that for all practical
  purposes can be used only for access to their proprietary web
  service.  I'd rather not allow arguments about whether a flaw is on
  the web service side or the client API side to be used to help the
  company get out of liability to their customers/users.

* A company writes software.  They sell support for that software.  They
  have a track record of being bad about providing security updates to
  people who do not pay for support; it is hinted that this helps them
  drive support revenue.
  I think they should be in the same boat as any company giving software
  away for free and also selling support.  I.e., the fact that the source
  is available should not in this instance help them escape liability.
  Whether not giving away security updates for free should be considered
  good business or a social evil seems like a debate for another forum,
  but I don't think open source should be a factor here.

So, there are some cases where I agree with you that the commercial
nature of the company should not matter to free software protection and
other cases where it is a lot less clear to me.

I do think we want to avoid cases where releasing something as free
software or open source increases liability over giving the same
software away gratis as closed-source.

--Sam