
Python Software Foundation Says EU's 'Cyber Resilience Act' Includes Wins for Open Source (blogspot.com)

Last April the Python Software Foundation warned that Europe's proposed Cyber Resilience Act jeopardized their organization and "the health of the open-source software community" with overly broad policies that "will unintentionally harm the users they are intended to protect."

They'd worried that the Python Software Foundation could incur financial liabilities just for hosting Python and its PyPI package repository due to the proposed law's attempts to penalize cybersecurity lapses all the way upstream. But a new blog post this week cites some improvements:

We asked for increased clarity, specifically:

"Language that specifically exempts public software repositories that are offered as a public good for the purpose of facilitating collaboration would make things much clearer. We'd also like to see our community, especially the hobbyists, individuals and other under-resourced entities who host packages on free public repositories like PyPI be exempt."


The good news is that CRA text changed a lot between the time the open source community — including the PSF — started expressing our concerns and the Act's final text which was cemented on December 1st. That text introduces the idea of an "open source steward."

"'open-source software steward' means any legal person, other than a manufacturer, which has the purpose or objective to systematically provide support on a sustained basis for the development of specific products with digital elements qualifying as free and open-source software that are intended for commercial activities, and ensures the viability of those products;" (p. 76)


[...] So are we totally done paying attention to European legislation? Ah, while it would be nice for the Python community to be able to cross a few things off our to-do list, that's not quite how it works. Firstly, the concept of an "open source steward" is a brand new idea in European law. So, we will be monitoring the conversation as this new concept is implemented or interacts with other bits of European law to make sure that the understanding continues to reflect the intent and the realities of open source development. Secondly, there are some other pieces of legislation in the works that may also impact the Python ecosystem so we will be watching the Product Liability Directive and keeping up with the discussion around standard-essential patents to make sure that the effects on Python and open source development are intentional (and hopefully benevolent, or at least benign.)

  • by UpnAtom ( 551727 ) on Sunday January 14, 2024 @03:56PM (#64158407)

    ... is that they're the only Govt which actually and consistently wants to do the right thing.

    More specifically, it's a democratically-elected body across diverse countries where each country's foibles are ironed out by the other countries.

    Of course, the EU has its flaws -- it can notably do very little about Orban and can do almost nothing without him getting his 30 pieces of silver. This makes it even slower to act than 27 diverse countries who don't speak the same language otherwise would.

    Nor is it easy to lobby the EU. You have to compete with paid lobbyists from multinationals. Credit to the PSF for working with and being patient with the system.

    • by gweihir ( 88907 )

      While I would not characterize the EU government as "good", it is indeed noticeably better than most of what can be observed in the rest of the world and it is the only body of government of its size-class that gets things right more often than not and generally works reasonably well. (Exceptions do apply.) I think the very reason is that so many different countries have so many different interests, that the actually sensible paths often remain the only thing that consent can be reached on.

      • by UpnAtom ( 551727 )

        That was my point. There's also much less partisanship because there are literally 70+ different parties in there. The biggest party will have around 4% of seats.

    • by julian67 ( 1022593 ) on Sunday January 14, 2024 @04:27PM (#64158479)

      The EU government is not elected, it's appointed. The government is the EU Commission. The commissioners are *not* elected. It's the EU Commission which proposes legislation and makes decisions, not the elected EU Parliament. The EU Parliament is a rubber stamp and a hot air generator. It *cannot* propose legislation. This means it is not like any parliament as understood in the Anglosphere. It appears to be democratic only on casual inspection but in fact the citizens of the EU *cannot* vote in or out any member of the EU government who actually makes government policy, decisions or proposed laws. That is not democracy.

      • by test321 ( 8891681 ) on Sunday January 14, 2024 @05:30PM (#64158613)

        I thought like you 20 years ago, but both situation and practice prove us wrong. Also the legal verbiage and the attitude of the Parliament were updated to close the gap of what was referred to as the EU's democratic deficit.

        This means it is not like any parliament as understood in the Anglosphere.

        To the contrary, it's not only more similar to the parliamentary democracies (of which "the anglosphere" is an example), but even slightly more democratic than them.

        1) Typically prime ministers (in European monarchies such as UK, an eminent member of "the anglosphere") are appointed by an *unelected* monarch. (It does not seem to pose a democracy problem as long as the monarch follows the rules; several of the highest ranked in "Democracy Index" https://en.wikipedia.org/wiki/... [wikipedia.org] are Nordic monarchies that follow the same government model as UK).

        In EU the president of the Commission is appointed by the Council. At the Council, every member is some sort of elected person (the Prime minister / the President of each Member State), which is much better than the solution of the one single unelected monarch.

        2) In most countries (are there exceptions?), the Prime Minister or President presents a cabinet and nobody can say anything against the composition in detail, though in several countries the Parliament must approve the Cabinet as a whole upon nomination.

        In EU, each and every candidate for member of the commission is audited by the Parliament on its competences and political program. There is always a couple of unlucky fellows who are voted OUT and do not make it into the Cabinet (and the Council then proposes another name). Note the criteria "Members of the commission shall be chosen on the ground of their general competence and European commitment from persons whose independence is beyond doubt" TEU 17-3 https://en.wikisource.org/wiki... [wikisource.org] . If their competence audition is unconvincing, or if they don't have a spotless CV, they get voted out. The fact that some, even if very few, are consistently voted out, makes it for the Council not to propose incompetent or corrupt candidates.

        (unrelated to the topic being discussed, but there is a second guard against corruption at the Commission in that the Council would not propose incompetent or corrupt candidates anyway, as it has to approve them internally as well, and Member States A, B, C would not want to dirty their vote and name to let pass some corrupt idiot from Member State YZ whose corrupt business they have nothing to do with.)

        3) The treaties now say that the President of the commission and the Commissioners are elected by the Parliament. As you are certainly aware, the Parliament already threatened (in 2009) to vote OUT any president of the Commission that would not be the head of the party earning the largest amount of votes. In 2009 the Parliament finally agreed to another name and did not take its word to the act, but it still can do it anytime in the future.

        in fact the citizens of the EU *cannot* vote in or out any member of the EU government

        Untrue, the commission can be voted OUT by the Parliament with 2/3 majority (TEU 17-8, see wikisource link above). In 1999, EU Commission President Jacques Santer resigned on behalf of the whole cabinet to avoid the shame of being voted out by the Parliament. This happened after an investigation committee of the Parliament published a shocking report accusing Commissioner Edith Cresson of nepotism -- she was later sentenced for corruption.

        • Prime ministers in real democracies are people who have been elected by voters.

          The EU parliament *cannot* propose legislation. What kind of parliament is that? You can compare it to parliaments in UK, Aus, NZ, Canada and the Congress in the US.

          In the EU the government is *not* made up of people elected by the voters. They are all appointees. None have been elected. None. Often they are people who have been unambiguously *rejected* by the electorates in their own country and the EU allows them to "fail

          • Prime ministers in real democracies are people who have been elected by voters.

            Not true, prime ministers are always appointed by a guy up. Even though there are elections and the candidates for prime minister claim they want to be "elected", they only compete to be appointed by a (previously elected or appointed) President or King. If we take as example the Presidential systems (e.g. Poland, France, Portugal), a candidate becomes President by the virtue of having his name most voted (nobody nominates him, other than an Electoral Commission certifying the operations). The subsequent P

          • by UpnAtom ( 551727 )

            Prime ministers in real democracies are people who have been elected by voters.

            So that excludes the US, and every country that doesn't directly elect their Prime Minister.

            It's actually vastly saner to get the representatives who know the candidates rather than the people who don't know and don't care that much.

            The EU parliament *cannot* propose legislation.

            Wrong. There is literally a procedure to tell the Commission to write the legislation.

            In the EU the government is *not* made up of people elected by the voters.

            The elected Parliament who control the President & the Commission are half of the govt. Only they can pass laws -- they have the ultimate power.
            We know this doesn't fit your narrative.

            Often they are people who have been unambiguously *rejected* by the electorates in their own country and the EU allows them to "fail upwards".

            And

          • by pjt33 ( 739471 )

            Prime ministers in real democracies are people who have been elected by voters.

            In that case you can't use the UK as an example. It hasn't happened recently that the PM isn't an MP, but it has happened many times [blog.gov.uk] and there's no legal impediment to it happening again.

        • Support for Brexshit is now around 25%. The only people who still support it are the ones who can't admit they were wrong even to themselves.

      • by sjames ( 1099 )

        The parliament gets approval over the commissioners.

        Fun fact, technically the U.S. president is elected by the 50 states. The States holding a popular vote and abiding by that is a matter of convention rather than being enshrined in the U.S. Constitution.

        Just to make it more fun, the U.S. Constitution does not bind State Electors to abide by the wishes of the State, though many individual State constitutions do bind them.

      • Well said!

  • Disclaimer of Warranty [microsoft.com]: ‘The software is licensed “as-is.” You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions .. You can recover from Microsoft and its suppliers only direct damages up to U.S. $5.00.’
    • Open Source developers should immediately respond to this act by excluding government. Not because it will save you from the impact but to attach consequences to immoral law making relating to software.
