Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"



On Sun, 12 Nov 2023 at 17:35, Ilulu <ilulu@gmx.net> wrote:
>
> On 12.11.23 at 18:09, Luca Boccassi wrote:
> > We do know whether something is commercial or not though ...
>
> I sincerely doubt that. Just to illustrate this I'm citing a part (only
> a part) of one of the regulation drafts which are presently considered
> in trilogue.
>
> "(10) Only free and open-source made available on the market in the
> course of a commercial activity should be covered by this Regulation.
> Whether a free and open-source product has been made available as part
> of a commercial activity should be assessed on a product-by-product
> basis, looking at both the development model and the supply phase of the
> free and open-source product with digital elements.
> (10a) For example, a fully decentralised development model, where no
> single commercial entity exercises control over what is accepted into
> the project’s code base, should be taken as an indication that the
> product has been developed in a non-commercial setting. On the other
> hand, where free and open source software is developed by a single
> organisation or an asymmetric community, where a single organisation is
> generating revenues from related use in business relationships, this
> should be considered to be a commercial activity. Similarly, where the
> main contributors to free and open-source projects are developers
> employed by commercial entities and when such developers or the employer
> can exercise control as to which modifications are accepted in the code
> base, the project should generally be considered to be of a commercial
> nature.
> (10b) With regards to the supply phase, in the context of free and
> open-source software, a commercial activity might be characterized not
> only by charging a price for a product, but also by charging a price for
> technical support services, when this does not serve only the
> recuperation of actual costs, by providing a software platform through
> which the manufacturer monetises other services, or by the use of
> personal data for reasons other than exclusively for improving the
> security, compatibility or interoperability of the software. Accepting
> donations without the intention of making a profit should not
> count as a commercial activity, unless such donations are made by
> commercial entities and are recurring in nature."

That all looks exceedingly clear to me: if you are selling a product
or a service, then just because the software is free software doesn't
exempt you from being liable for its security. That's good! Great,
even. If a for-profit private company, say, sells a phone running
Debian, just because Debian is open source doesn't mean it should get
away with not providing security support to its customers. Just as it
doesn't discount it from the minimum warranty period - if you buy the
phone and it doesn't work, they can't just say "sorry it's the open
source software's fault, no refund/exchange", and so on.
It seems clear to me what the intent of the legislators is here: avoid
loopholes. Another ad-absurdum: if Microsoft were to push all the code
behind Azure to GitHub, it shouldn't mean that it should be exempt
from providing security support to its customers according to this
legislation, just because it's open source. That sounds like a good
thing to me!

As far as I can see, the key thing here is always that there's a
product put on the single market. Pushing a repository to GitHub is
not putting a product on the market. Publishing Debian images on
debian.org is not putting a product on the market. Selling a service
that uses a Debian image is - and then the service provider is the
party responsible.