Has anyone read about this?
https://pyfound.blogspot.com/2023/04/the-eus-proposed-cra-law-may-have.html?m=1
It seems that a controversial EU proposal law has received great attention from some of the Open Source major players, most notably PSF and Eclipse.
Look also at Eclipse's open letter
https://newsroom.eclipse.org/news/announcements/open-letter-european-commission-cyber-resilience-act
Git blame on the line that introduced the error and shaft some poor person
PR approvers will be co-defendants; gotta add a lawyer fund section to my patreon bio
@nasl
Yes, as it has been highlighted by someone, this is precisely the model of companies like e.g. Red Hat. The commercial definition covers a wide range.
Well, I've tried, but one of the first links in a Google search, https://www.european-cyber-resilience-act.com/, tells how important it is for cyber security for pages, without giving me a link to the real thing.
Besides, I've looked at the Python Foundation's page, where it says: "In particular, we believe that there are two phrases in the CRA that cast too wide of a net. In Article 16, “A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements shall be considered a manufacturer for the purposes of this Regulation.” is too broad."
IANAL but I'm pretty sure real manufacturers will try to use that article somehow to blame contributors.
“A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements shall be considered a manufacturer for the purposes of this Regulation.”
If that's the case, that would include, for example, OpenWRT contributors, or maybe even anyone who compiles their own binaries, which does not make sense.
The Eclipse (second link) open letter to the EU parliament is co-signed by many Open Source players. European citizens could try to reach out to some European parliament member by email, inviting him/her to seriously consider these arguments. That is exactly what I've done.
(...) The undersigned organisations collectively represent the governance of much of the open source software which industry and society rely on. We offer our collective expertise, including envisioning how these professional organisations may support a more inclusive and effective process to inform the CRA today. The same increase in dialog and collaboration will continue to support the CRA’s successful implementation in this new regulatory paradigm. We are prepared to send a representative delegation to meet with the members now.
We appreciate your attention to this matter and look forward to working with you to ensure that the Cyber Resilience Act reflects the concerns and contributions of the entire software industry, including the open source community.
Co-signed by the Executive Directors, Board Chairs, and Presidents on behalf of their respective organisations:
Associação de Empresas de Software Open Source Portuguesas (ESOP)
CNLL, the French Open Source Business Association
The Document Foundation (TDF)
Eclipse Foundation
European Open Source Software Business Associations (APELL)
COSS - Finnish Centre for Open Systems and Solutions
Linux Foundation Europe
Open Forum Europe (OFE)
Open Source Business Alliance (OSBA)
Open Source Initiative (OSI)
Open Systems and Solutions (COSS)
OW2
Software Heritage Foundation
I don't agree. Who knows if more regulations are really "needed"; the road to hell is paved with good intentions.
You can let the market filter out the products with bad security. It helps if you still have a market and not a planned economy. It also helps if you have independent testers outlining security problems. It doesn't help to involve more lawyers.
When you remember Netscape then you also remember the stupid standardization of OOXML...
No, the only rule that the EU needed to have (but of course they don't) is to mandate FOSS, especially in governments.