
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"



The discussion on this list hasn't even touched the subject of Art. 11
CRA, which is the most worrisome.

On 13.11.23 at 14:46, Aigars Mahinovs wrote:
"See:
https://www.eff.org/deeplinks/2023/10/eff-and-other-experts-join-pointing-out-pitfalls-proposed-eu-cyber-resilience-act
Note how the open source language has become very much softened and
nuanced after changes in the proposal removed most of the bugs that
would have affected open source previously."

Nothing mentioned there has been fixed in any of the proposals. And
there's little chance that Art. 11 will get changed in a substantial
way. Law enforcement is pressuring for it. All the more reason to voice
dissent.

Ilu

On 13.11.23 at 14:46, Aigars Mahinovs wrote:
On Mon, 13 Nov 2023 at 12:31, Luca Boccassi <bluca@debian.org> wrote:


I am *not* objecting to Debian taking such a vote and expressing the
stance intended. However, I expect that it will be seen by the EU
legislators with mild amusement, because in their context and
understanding the legislative proposal already contains all the necessary
protections for open source and free software development processes.
However, if a company (say Amazon or MySQL) takes an open source product
and provides a commercial service based on that product, then they are
expected to also provide security updates, vulnerability notifications and
other relevant services to their customers. Which is also an intended
consequence of the legislation.

The EU puts the interests of the consumers and of the community above
commercial interests. Even commercial interests of small businesses.
Allowing small businesses to "pollute" the digital environment with
insecure or unmaintained software just because they are small businesses
makes no sense from a European perspective.

Indeed. This is good legislation, and the parts you quoted make it
exceedingly obvious that the legislators in fact do care about not
hampering open source development. It would be very, very strange and
self-defeating for the project to come out against this, as the next
time around (because if this doesn't pass, something else will -
software security in commercial products is too important to leave the
current far-west as-is) we might not be so lucky.


By now the EU is actually quite used to dealing with volunteer projects and
open source projects in general. So they would not be surprised in the
slightest. And I do not believe it would tarnish the image of Debian.

A lot of the same comments *were* communicated to EU Commission and EU
Parliament by IT industry associations, which employ lawyers that track
such things and analyse possible impacts, including towards open source
software, because that is a solid backbone of the modern digital economy
(their words, not mine). And there were indeed many bugs in earlier
revisions of these texts that would have made a bad impact if implemented
as written.

The EU listens *very* well to national IT associations of the member states
for feedback on such matters and open source experts are very well
represented in those. Opinions of IT people from outside of the EU are
usually not considered to be relevant. As in not adding anything new that
the EU experts have not already considered.

Volunteer open source projects are seen as ... not being able to invest
sufficient legal understanding into the topics to be able to contribute to
the discussion meaningfully *and* keep up with the nuanced changes in the
proposals over time.

But umbrella organisations, like EFF, are better positioned for this.
See:
https://www.eff.org/deeplinks/2023/10/eff-and-other-experts-join-pointing-out-pitfalls-proposed-eu-cyber-resilience-act
Note how the open source language has become very much softened and nuanced
after changes in the proposal removed most of the bugs that would have
affected open source previously.
