Python Foundation Raises Concerns Over EU's Proposed Cybersecurity Rules (theregister.com)
The Python Software Foundation is "concerned that proposed EU cybersecurity laws will leave open source organizations and individuals unfairly liable for distributing incorrect code," according to the Register. The PSF reviewed the EU's proposed "Cyber Resilience Act" and "Product Liability Act" and reports "issues that put the mission of our organization and the health of the open-source software community at risk."
From the Register's report: "If the proposed law is enforced as currently written, the authors of open-source components might bear legal and financial responsibility for the way their components are applied in someone else's commercial product," the PSF said in a statement shared on Tuesday by executive director Deb Nicholson. "The existing language makes no differentiation between independent authors who have never been paid for the supply of software and corporate tech behemoths selling products in exchange for payments from end-users...."
The PSF argues the EU lawmakers should provide clear exemptions for public software repositories that serve the public good and for organizations and developers hosting packages on public repositories. "We need it to be crystal clear who is on the hook for both the assurances and the accountability that software consumers deserve," the PSF concludes. The PSF is asking anyone who shares its concerns to convey that sentiment to an appropriate EU Member of Parliament by April 26, while amendments focused on protecting open source software are being considered.
Bradley Kuhn, policy fellow at the Software Freedom Conservancy, told The Register that the free and open source (FOSS) community should think carefully about the scope of the exemptions being sought. "I'm worried that many in FOSS are falling into a trap that for-profit companies have been trying to lay for us on this issue," he said. "While it seems on the surface that a blanket exception for FOSS would be a good thing for FOSS, in fact, this an attempt for companies to get the FOSS community to help them skirt their ordinary product liability. For profit companies that deploy FOSS should have the same obligations for security and certainty for their users as proprietary software companies do."
The article points out that numerous tech organizations are urging clarifications in the proposed regulations, including NLnet Labs and the Eclipse Foundation.
Um, What? (Score:2)
So you are saying that if I manufacture a shovel and someone buys that shovel and then whacks someone over the head with said shovel then I, as the manufacturer, am liable for said act?
Or in simpler terms, if I write some code and some other chap uses it nefariously I am liable?
What a load of carp. Rotten, dead carp.
Re: (Score:2, Informative)
Nope. You need to learn to read. Actually, I rather suspect you need to learn to think.
To stay with the shovel example: If the shovel suddenly explodes while you are digging a hole with it, the manufacturer is liable. If it rests in your shed and then bursts into flame and your shed burns down, the manufacturer is liable. If it comes to life and assists somebody breaking into your house, the manufacturer is liable. If, on the other hand, somebody uses the shovel to whack somebody over the head, the manufactur
Re:Um, What? (Score:4, Insightful)
"If the proposed law is enforced as currently written, the authors of open-source components might bear legal and financial responsibility for the way their components are applied in someone else's commercial product,"
Apparently YOU don't know how to read.
Re: (Score:2)
Things are a bit more complex and there is more text to read. Try again.
Re: (Score:2)
Doesn't look or get any more complex than what I quoted. It is quite simple actually, a group of people think that their thoughts are somehow more important than others and they feel the need to control others. It is a tired fucking mantra.
Control freaks need to fuck right off.
End of message.
Re: (Score:2)
Doesn't look or get any more complex than what I quoted.
Well, those with simple minds will forever mistake things for simple that are not.
Re: (Score:2)
Your subliminal burns signify your lust for confrontation. I said what I said. I don't need to hear from an asshole to convince me I am right. But you do you. Maybe one day when you grow up you will understand what the fuck freedom really means.
Re: (Score:2)
Re: (Score:2)
It really depends on the modification. And that will be a court decision.
Re: Um, What? (Score:2)
Do you believe in equal protection under the law or how? Why should we treat guns, software, shovels, or cars (drunk driving) differently?
Re: (Score:2)
We shouldn't treat anything differently. It is all the responsibility of the bearer. Where the bearer got it is irrelevant.
Defining what the use is MAY be tied to the law but unforeseen uses can't be dictated after the fact. I thought this would be common sense, but I have been alive too long to know that to be a useful judgement.
I agree (Score:3)
I agree that for-profit organizations distributing FOSS commercially (directly or indirectly) in any way should have just the same responsibility for the quality of the product they are selling as anybody selling directly commercial software. Providing stuff truly free and not having any commercial interests (e.g. not having the FOSS part being a component in a for-pay product) is the only reasonable exception I see. Of course, companies like Red Hat or Suse or any IoT provider or the like would love to continue not being responsible for the stuff they sell. That is not acceptable though.
Re:I agree (Score:4, Interesting)
I don't think the rules as written would affect open source developers who were not acting on behalf of their employers anyway.
Also worth remembering how the EU works with stuff like this. These are the general principles, and it's down to individual member states to enact them in local laws. The specifics of stuff like this tend to be worked out based on the implementations. That's how it worked with GDPR, and we are still improving that through the courts.
I'm not saying there is no reason at all for concern, but having read the draft I'm not worried about any of my open source code.
Re: (Score:1)
" it's down to individual member states to enact them in local laws"
This is true for EU DIRECTIVES (https://en.wikipedia.org/wiki/Directive_(European_Union))
Note that this is an EU REGULATION (https://en.wikipedia.org/wiki/Regulation_(European_Union)) - as such, it will become binding in all member states once adopted.
Re: (Score:2)
Indeed. The GDPR did not cause the sky to fall. Sure, some fuckers got called out on their bad practices, but that is a good thing. Most just needed to do some cleanup and better processes, but that is it. It will be the same for this thing.
Re: (Score:2)
A law that's spawned a few million pop-ups per day of content that no one ever reads before hitting 'agree' is really not a great model for "oh but it will be interpreted to produce reasonable results".
Collection of personal data was a real and serious problem, but the solution didn't actually do anything to solve it.
Re: (Score:2)
The pop-ups are probably not legal in most cases. We are working on it.
Re: (Score:2)
A law that's spawned a few million pop-ups per day of content that no one ever reads before hitting 'agree' is really not a great model
I understand why people agree to long, complex Terms of Use without reading all the legalese. I don't understand why anyone would routinely agree to unnecessary cookies when the settings are so simple to adjust.
These Laws are Going to Cause a lot of Turmoil (Score:2)
The requirements of the CRA are going to make proprietary software more secure and safer, but probably more expensive as well (keeping in mind we've only seen a draft of the text, not the final text).
The PLU is much earlier in its process than the CRA and thus the eventual requirements are very uncertain. There's at least three different possible standards that could come out based on the initial document (which isn't even a draft, more just a statement of intentions). However, one of those standards
Re: (Score:1)
Simple Solution (Score:2)
The requirements of the CRA are going to make proprietary software more secure and safer, but probably more expensive as well
There is a simple solution to this: limit the fines to some multiple of what they charge for the product. This would automatically exempt OSS and the more companies charge the more their liability which would motivate them to keep prices down.
Re: (Score:2, Insightful)
Re: Simple Solution (Score:2)
That "solution" is wrong. It would mean that anyone (and any corporation) could get away with "oh it's not my fault, we're not liable, it's an open source component that did it".
The law should help corporations take their responsibilities (i.e. help fix open source components) without putting the burden on devs that are not paid by these corporations.
Re: (Score:2)
Re: (Score:3)
Coding should be mature enough that we can handle it. If the answer is using more mature languages like Rust instead of bare-metal C, that's the price of progress.
I'm fully onboard with requiring damages as a result of vulnerabilities, I think you're saying merely having a vulnerability shouldn't be the trigger for enforcement.
AFAIK, and we love our car analogies, auto recalls happen because something has happened enough times, not that some engineer has found a potential problem. That model seems okay.
Re: (Score:2)
AFAIK, and we love our car analogies, auto recalls happen because something has happened enough times, not that some engineer has found a potential problem. That model seems okay.
Actually, manufacturers can and do initiate voluntary recalls because someone has identified a "potential problem", if it's considered serious enough. But mandatory government recalls are indeed typically reactive rather than proactive.
Re: (Score:2)
> I think you're saying merely having a vulnerability shouldn't be the trigger for enforcement.
I am. No software vendor would sell in the EU if that happened. Imagine Microsoft, with dozens if not hundreds of vulnerabilities fixed every month, couldn't afford the liability in that situation. Same thing with Oracle and literally every other vendor. Either that or software that costs hundreds of dollars today would cost hundreds of thousands of dollars (or whatever currency) in the future, pricing
Re: (Score:2)
It's not. It's impossible to develop 100% vulnerability-free software today in any sort of cost effective manner. It would kill software sales (and at least commercial development) in the EU. It would also force users to keep on using old vulnerable software because vendors wouldn't sell them upgrades. I'm hopeful that the EU Commission isn't dumb enough to go that route.
The CRA recognizes this and just requires that vendors provide security updates "without delay." That's not a great approach as it does
Re: (Score:1)
Re: (Score:2)
Unless you write a trivial "hello world" program, there would be the chance to introduce subtle errors that may cause serious issues in the future. Rust will protect you from some memory related problems, but it will not protect you from implementing an algorithm incorrectly - or from shooting yourself in the foot. If you write a library in Rust, for example a library that makes API requests to a remote server, and you make a simple mistake (like Microsoft has done on several occasions) that makes the response to
Business model (Score:3)
Re: Business model (Score:2)
Re: (Score:2)
Pretty sure the EU will make an exception.
Who even knows - they might usher in a new age of perfect software after a few miscreants meet the guillotine. 8^)
Re: Business model (Score:2)
Heard people are investing back in guillotines these days. Stock of the company that makes 'em is going up! Heard a lot of wealthy people are doubling their earnings by putting money in it.
Re: (Score:2)
Re: (Score:1)
ummm,
this should scare those eurocrats, but I guess nothing can derail them once they start their crusade...