Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
>>>>> "Bart" == Bart Martens <bartm@debian.org> writes:
Bart> On Wed, Nov 15, 2023 at 02:52:31PM +0100, Lucas Nussbaum wrote:
>> I wonder if we should have something like "Free software
>> development by nonprofit organizations" somewhere.
Bart> Are we now drawing a line between profit and nonprofit? In my
Bart> view, with Free Software it should not matter who produces,
Bart> publishes or uses the software, in commercial or nonprofit
Bart> context. That is, in my view, an essential element of the
Bart> continuous growth and success of Free Software. This should be
Bart> the main message if Debian would make a public statement in
Bart> this context. Debian should not try to fix the EU text by
Bart> defining which categories of contributors are to be
Bart> protected. On the contrary, we should aim at keeping the
Bart> existing freedoms for anyone alike, including commercial
Bart> companies. That is also publishing open source software under
Bart> licenses with the usual disclaimers of liabilities.
I think that when your practices can be best described as monetizing
your customers, or monetizing the users of your open-source software,
then you have extended beyond the free-software ethos, and I think
commercial liability makes sense.
So let's consider some situations.
* A commercial company writes free software. Should they have liability
to someone who grabs that software, uses it unrelated to that company's
business and they never make money from that person? Example: A large
company makes a useful library that they and others use; the library
is ancillary to their business; they do not provide support for the
library.
I'd generally say that the commercial company is writing free software
and I agree that Debian should support the idea they should have all
the protections of anyone writing free software.
* A commercial company writes free-software that for all practical
purposes can be used only for access to their proprietary web
service. I'd rather not allow arguments about whether a flaw is on
the web service side or the client API side to be used to help the
company get out of liability to their customers/users.
* A company writes software. They sell support for that software. They
have a track record of being bad about providing security updates to
people who do not pay for support; it is hinted that this helps them
drive support revenue.
I think they should be in the same boat as any company giving software
away for free and also selling support. I.E. the fact that the source
is available should not in this instance help them escape liability.
Whether not giving away security updates for free should be considered
good business or a social evil seems like a debate for another forum,
but I don't think open source should be a factor here.
So, there are some cases where I agree with you that the commercial
nature of the company should not matter to free software protection and
other cases where it is a lot less clear to me.
I do think we want to avoid cases where releasing something as free
software or open source increases liability over giving the same
software away for gratis as closed-source.
--Sam