
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"



Hi,

On 11/15/23 15:22, Lucas Nussbaum wrote:

     The Debian project however notes that not enough emphasis has been
     employed in all parts of these regulations to clearly exonerate Free
     and Open Source Software Projects from being subject to the same
     liabilities as commercial products

I find this part a bit ambiguous. When GitLab or Proxmox or RedHat sells
services around a free software product, I think it's OK if they are
covered by this regulation. Maybe it would be better with
s/Projects/Organizations/?

That is exactly why I think this is dangerous: I want GitLab and Proxmox to be responsible for what they release, but it is very difficult to draw a line between their offering and what Microsoft is doing by paying for systemd development while they are also selling Azure cloud.

Maybe we should underline specific borderline situations where the
impact of the regulation would be unclear?

There is no defined borderline, that is part of the problem. Development happens on a continuum between "commercial enterprise releases part of their product as open source, but contributions are not actively solicited" to "a project some random person in Nebraska has been thanklessly maintaining since 2003."

What Microsoft are doing, with developers being paid by them and then given a lot of freedom, is somewhere in the middle, but the proposed legislation does not have a provision for that. So it either falls into the same category as GitLab, or it doesn't.

So:

 - do we believe GitLab should be classed as a commercial enterprise?
 - do we believe systemd development should not be classed as a commercial enterprise?
 - can we identify a distinguishing criterion that can be applied by a regulatory body that will give the results we believe are correct, and that is also difficult to subvert?

Luca's proposal is only "please take our position into account" without actually spelling our position out: we are asking for a carve-out for certain commercially supported projects, but not others. This problem applies to more than just systemd, but they are a good test case.

We should at least identify

 - which projects these are
 - why we believe they should be exempted (is it internal governance? is it because we rely on them? is it because we trust the people involved?)
 - how new commercially supported projects could make the list (sustainability)

and then derive rules from that, see if they sound sensible, and then ask the EU to implement them.

   Simon

