Let me pipe in here. I have been exposed quite a bit with EU legislation in the process of our fight against software patents back in 2012. The EU legislators are quite sensible when the underlying issues are clearly explained to them, bu the legal language of the documents can be quite dense and also quite nuanced with one word sometimes completely changing the meaning of the entire document.
For example the intro clearly states the intent of *not* burdening the open source development process with the requirements of this directive:
(10) In order
not to hamper innovation or research, free and open-source software
developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is
in particular the case for software, including its source code and
modified versions, that is openly shared and freely accessible, usable,
modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by
the use of personal data for reasons other than exclusively for
improving the security, compatibility or interoperability of the
software.
For this purpose the following point exists:
(23)‘making available on the market’ means any supply of a product with digital elements
for distribution or use on the Union market in the course of a
commercial activity, whether in return for payment or free of charge;
Here the "in the course of a commercial activity" is the critical bit. All volunteer work no longer meets the "making available on the market" definition and thus all other provisions/definitions no longer apply, because they all use the "making available on the market" definition directly or indirectly (via "manufacturer" definition or "product with digital elements" definitions). Re-read the commercial activity mentioned in the point 10 above - it is quite explicit that the activity can only be commercial if its commercial nature is connected with the software in question. So a commercial company releasing open source software that is *not* part of their commercial activity (for example a router manufacturer releasing an in-house written Git UI) would be "supplied outside the course of a commercial activity" and thus not subject to this regulation. But if they release a WiFi driver that they also ship to their customers on their routers, that *would* be a commercial activity and both the open source and the customer version of that driver would need a safety compliance assessment.
Even regardless of the specific legal wording in the legislation itself, the point 10 of the preamble would be enough to to fix any "bug" in the legislation in post-processing via courts. As in - if any interpretation of the wording of the directive is indeed found to be hampering open source development, then it is clearly in error and contrary to the stated intent of the legislation.
I am *not* objecting to Debian taking such a vote and expressing the stance intended. However, I expect that it will be seen by the EU legislators with mifled amusement, because in their context and understanding the legislative proposal already contains all the necessary protections for open source and free software development processes. However, if a company (say Amazon or MySQL) takes an open source product and provides a commercial service based on that product, then they are expected to also provide security updates, vulnerability notifications and other relevant services to their customers. Which is also an intended consequence of the legislation.
The EU puts the interests of the consumers and of the community above commercial interests. Even commercial interests of small businesses. Allowing small businesses to "pollute" the digital environment with insecure or unmaintained software just because they are small businesses makes no sense from a European perspective.
"Art. 3
(1) ‘product with digital elements’ means any software or hardware
product ...
(18) ‘manufacturer’ means any natural or legal person who develops or
manufactures products with digital elements ... and markets them under
his or her name or trademark, whether for payment or free of charge;
(23) ‘making available on the market’ means any supply of a product with
digital elements for distribution or use on the Union market in the
course of a commercial activity ..."
Am 12.11.23 um 19:19 schrieb Luca Boccassi:
> I don't see how the fact that Github is
> not responsible for software hosted on its platform goes to imply that
> ever such software is a product. Whether something is or is not a
> product on the market is already quite clear, and the sources cited in
> the original mail themselves say that the CRA does not change this
> aspect.
Because everybody agrees that software is a product. And if you can
download the product on github or elsewhere, it's made available. There
is an explicit exemption only for the platform, not for the uploader.
It's fine if you think your software is not a product, but be aware that
european market authorities will not agree with you.
> Are you responsible for the warranty for
> software you push to Github if someone git clones it? Of course not.
Not yet, but this will change, depending on whether the activity is
considered commercial or not. Of course the details are still unclear.
In your example, pushing to your repo might not count as "making
available" (thanks to a lot of lobbying), but tagging a release probably
does. What about CI artifacts? Nobody knows.
> Because repositories on Github are not products on the single market.
Obviously repositories are not products. Software is.
I'm not spreading fud. I've read the stuff, I'm working on this since
FOSDEM, I have the necessary background and I participate in weekly
meetings with several big FOSS organisations/foundations. This workgroup
had frequent consultations with EU representatives. We are not spending
considerable time on non-issues.
Ilu
Best regards,
Aigars Mahinovs