Proposed EU laws to restrict irresponsible businesses might be abused to hurt FOSS (free & open-source software)
volunteers due to poor wording.

  • the Cyber Resilience Act (CRA) & Product Liability Act (PLA) aim to increase software security & accountability
    • Article 16 states a “person, other than [manufacturer/importer/distributor, who makes] a substantial modification of [a software product] shall be considered a manufacturer”
  • many (Python Software Foundation, Eclipse Foundation, NLnet Labs) believe the broad wording may cause unintentional harm
    • Article 16 implies FOSS devs “might bear legal and financial responsibility for the way their components are applied in someone else’s commercial product”
    • instead, “increased liability should be carefully assigned to the entity that has entered into an agreement with the consumer”
    • indirect monetisation (e.g. advertising paid courses & conference tickets) should not always make software qualify as “commercial”
  • however scope of any FOSS exemptions should be carefully limited to prevent commercial abuse/loopholes

personal opinions

  • if you hire an engineer to build a safe and they use substandard components, you sue the engineer. The engineer in turn can sue the component makers if they had a contract. You don’t sue the component makers directly
  • I’m sceptical that any new law could realistically override the “PROVIDED AS IS/NO WARRANTY” clause in FOSS licences
    • the lack of warranties for widely-used FOSS libraries is a problem which can & should be tackled separately (and more urgently than the mere commercial libraries which the CRA & PLA target)