
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"



On Mon, 13 Nov 2023 at 12:57, Aigars Mahinovs <aigarius@gmail.com> wrote:
>
> True, the employment status is irrelevant. However, in this example Microsoft will actually have the liability of
> providing the security assurances and support for systemd and related systems, because they are providing
> images of such systems as part of their commercial offering on the Azure cloud platforms. And that will be
> true regardless of the employment status of a few developers.
>
> A company that does not provide any Linux system services to EU customers, like some integrator operating
> just in Canada, would not have such exposure and thus would not incur any such obligations.

Yes, but they have to do that *as part of that commercial product*,
which is not systemd, it's whatever product uses it, together with the
Linux kernel, glibc, gcc, etc. That's a good thing, and it applies to
any corporation that ships any open source software as part of their
products. The corporation is responsible for security aspects of said
product and its part as shipped in that product, which is great.

It doesn't mean that the upstream open source project is now suddenly
encumbered as a commercial product out of the blue - which is what the
person I was replying to concluded - because it's plainly and
obviously not developed solely and exclusively for that commercial
offering, given it's used everywhere on any Linux image from any
vendor that you can get your hands on by any means.

