Seems like the most lucrative part of this proposal is to become the auditor. /s
This reminds me of the Gaia-X / IDSA certification and approval framework blanketing the whole software industry in the EU. I am not sure yet what to think about it.
On one hand, it looks a bit like proprietary software vendors trying to cut out SMEs who can match the quality with the same open-source software the big players use, but have no funds to go through the certification. The really funny part of this legislation is: the big players who can afford certification will be able to use ANY open-source component for free, but the people who built it will have a tough time going to market because they will require funds they don't necessarily have. Crazy situation.
On the other hand, if this is applied to everyone, well, it will get rolled into the cost of providing a service. You want to buy this from me? Sure, I'll charge you for compliance report.
> The initiative is expected to have positive economic impacts.
That section completely fails to mention that increased compliance cost will inevitably lead to increased software and services pricing, and thus to decreased competitiveness of European SMEs on the international market.
Hot take: I can see two options to cripple this: 1) Drown the legislator in compliance requests for minor code. 2) Dual-licensing: AGPLv3 + commercial license.
Long ago I remember talking with a colleague working for a big-brand anti-burglary alarm manufacturer. They had to obtain CE certification of their equipment releases, and once they put a hair across the box seal and taped it. The hair came back uncut...
CE certification is based on results, not efforts. You don't "obtain CE certification", you simply are liable for non-compliance if your product is non-compliant, even if you gave money to someone who runs a "CE certification" business.
Note that there are tons of CE certifications. For radio cert, for instance, they don't need to open the box.
Drafts are modified or rejected because of expert/public commentary. As such, it's weird for dang to consider proposals off-topic, since HN is not supposed to be like Reddit, a general-audience discussion platform.
Parliamentary committees are where the true work is done both in the US and the EU, so there is always value in attracting attention to their work in progress.
Finally, many drafts may not go anywhere but they are often used as a foundation for future legislation which does go through.
The argument isn't that these things are somehow intrinsically bad, they're just not good topics for HN. One reason is that they tend to attract a lot of repetitive advocacy which is normal for proposed legislation but is pretty bad for interestingness, especially for a forum with 30 front page slots.
It's really easy to make an argument for almost anything being somehow within HN's rubric or important in some way. These arguments are often true! But that also tells you they aren't useful criteria for deciding what works and doesn't on the forum since if you accepted them all, everything is good for the forum.
Repetition and repetition-generation is HN-bad. Another example is software release posts. Those are super HN-y by topic, but the bulk of them are also not great HN posts and routinely get downweighted because they tend to produce the same generic discussions, which are fine in general but not (for HN purposes) at the release cadence of most active software projects.
That's both a slippery slope and a strawman argument. No one argued we should allow all links to any legislative work no matter its significance. Not to mention that HN does allow repetition as long as there is a fair period of silence between similar submissions. The criteria have always been those of relevance, impact, and depth.
So what mods could demand is a submission statement with a quote/source describing the momentum or the viability of the discussed regulation. In the EU, when it's at the public consultation or commission adoption stage it's already serious enough; in the US you want some evidence the bill won't just die in the next chamber.
First, that is nonsense. Just because there are people accusing others of fallacious arguments for no good reason doesn't mean you can always just disregard the claim.
Second, you're the one not addressing my actual points but I'm supposed to be the one who's dismissive and immature?
You can just search for "proposed bill", "draft eu", and such. There's plenty of evidence that the argument that such submissions are off-topic is false.
You then insinuate that this would lead to a load of overly similar submissions and conversations by comparing legislation to software releases. How's that not a slippery slope? Where will all those tech bills suddenly come from?
Besides, I'm not arguing for more of the same but simply against the notion that early stage submissions are not appropriate for HN. This would not bring any major changes to the queue.
This thread is getting silly. He's just trying to help explain some of the rationale behind the rule. But the rule itself is real; you can't argue it out of existence. You should mail hn@ycombinator.com if you've got concerns.
It seems to be time for this. There's a war on. We're now seeing regular attempts to sneak backdoors into open source code.[1][2] And those are the ones that have been found. There was a Linux kernel bug where someone put a test for root in as "if (uid = 0)" instead of "if (uid == 0)", so that when a rarely used system call was made, the process became root.[3]
The EU is most concerned about "Class II software". The stuff that runs industry.
> There was a Linux kernel bug where someone put a test for root in as "if (uid = 0)" instead of "if (uid == 0)", so that when a rarely used system call was made, the process became root.[3]
No there was not!
Someone in 2003 submitted a patch. To the wrong repo. The patch was looked at anyway and rejected for this reason. It was never merged. No machine ever had this bug.
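As an added illustration of the assignment-versus-comparison pattern the two comments above are arguing about (this is not the 2003 patch and not kernel code; the `struct task` and the function names are invented for the example), the C below shows why `if (uid = 0)` is dangerous even though the branch it guards is never taken: the expression stores 0 and evaluates to 0, so the check fails, but the caller's uid has been zeroed as a side effect. The doubled parentheses around the assignment are what silence the `-Wparentheses` warning in GCC and Clang, which is why review cannot lean on the compiler to catch this.

```c
#include <stdio.h>

/* Hypothetical task record for the example: uid 0 is root, as in Unix. */
struct task {
    unsigned int uid;
};

/* Intended check: return 1 only when the caller is already root. */
static int is_root_correct(struct task *t)
{
    if (t->uid == 0)
        return 1;
    return 0;
}

/* The typo'd check. "t->uid = 0" stores 0 into t->uid and the whole
 * expression evaluates to 0 (false), so the branch is never taken.
 * The damage is the side effect: the caller is now uid 0.
 * The doubled parentheses suppress the -Wparentheses warning that
 * GCC and Clang would otherwise emit for an assignment in a condition. */
static int is_root_typo(struct task *t)
{
    if ((t->uid = 0))
        return 1;
    return 0;
}

/* Helpers that run each check on a fresh task with the given uid and
 * report (a) what the check returned and (b) the uid left behind. */
static int correct_check_result(unsigned int uid)
{
    struct task t = { uid };
    return is_root_correct(&t);
}

static unsigned int uid_after_correct_check(unsigned int uid)
{
    struct task t = { uid };
    is_root_correct(&t);
    return t.uid;
}

static int typo_check_result(unsigned int uid)
{
    struct task t = { uid };
    return is_root_typo(&t);
}

static unsigned int uid_after_typo_check(unsigned int uid)
{
    struct task t = { uid };
    is_root_typo(&t);
    return t.uid;
}

int main(void)
{
    unsigned int uid = 1000;  /* constructed: an ordinary unprivileged user */
    printf("correct: granted=%d uid_after=%u\n",
           correct_check_result(uid), uid_after_correct_check(uid));
    printf("typo:    granted=%d uid_after=%u\n",
           typo_check_result(uid), uid_after_typo_check(uid));
    return 0;
}
```

Both versions deny the caller when run as uid 1000; the difference is only visible if you inspect the uid afterwards, which is why this class of bug is easy to miss in review and why the comment above stresses that the patch was caught by a human reading it, not by the code misbehaving.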
Once again, we have dictates and rules-based security policy and no solutions provided.
If the EU is so concerned about cyber security they should:
1) provide A LOT of funding and support for Linux / BSD and other operating systems and flavors for testing, hardening, and rapid patch rollout
2) provide infrastructure to support such activities
3) use open source software actively in government with a focus on providing feedback and patches from government IT back to the mainline projects
A founding tenet of security is that open systems and techniques are the ones that will be most battle tested and therefore resilient.
Alas open source has terrible lobbying, so the closed source vendors can lobby politicians and policy to go the opposite way: prescribe closed source solutions and additional onus on open source.
If first world economies were serious about cyberdefense and hardening, there would be 10 billion dollars annually invested into the foundations of open source software: Linux/BSD, databases, webservers, browsers, programming languages, etc. The militaries alone should be dedicating this level of funding to defend our infrastructure, economies, and whatever technological edge we have over China.
And the EU in particular should like Linux: it originated there, and has strong roots throughout the EU, and most importantly isn't controlled by a major US corporation (unlike Apple/Microsoft) and therefore indirectly controlled by the US government.
The EU is a bureaucracy, and any bureaucracy's goal is to justify its existence by creating more bureaucracy. I'm personally anti-EU. European countries are way too different for broad legislation to work across 27+ different countries.
All 50 states have the same language, the same general culture, have fought the same wars, vote for the same 2 political parties, watch the same media, and more or less have the same economy.
But really, just the language thing is enough to make the comparison silly.
I mean, that's the whole point of federalism, and is why we have a Senate which represents states equally (no matter their size) at the same time as the House represents people.
If something isn't popular enough to pass muster for the majority of people and the majority of states, it should stay a state law instead of a federal one.
> the legislation and its (unintended) negative effects on developers of open-source software.
The negative effects seem pretty intended to me. The legislators are aware of open source software and have an exception for non-commercial activities, but intentionally penalize OSS related to commercial activities, by leaving them out of that exception.
And, at this point, I don't believe that these legislators are so stupid that they can't see the consequences of their proposals. They probably just don't care about the negative consequences, or the "negative consequences" (negative for us) are actually what they're striving for.
I wonder where the boundaries would be in case such legislation was pushed through. If my software is Python-based, then would Python itself have to be audited too? If I run my software in Podman containers, then should Podman be audited too? What about the operating system I execute my software on? Let's say a thousand companies use dependency X; would that dependency have to be audited 1000 times independently? That would be a huge waste in my opinion..
Usually only the original producer of each component has to do the certification and apply the CE stamp. A conglomerate doesn't need to reevaluate all the components themselves, only their interactions in the conglomerate.
So for your Python software you are fine either just providing the software alone, without an interpreter, and having the customer get a Python-standard-compliant (if there were such a thing...) interpreter themselves, or providing a CE-certified Python interpreter that you got somewhere else along with your software, provided you do not change the interpreter you got and the interaction between your software and the interpreter is standard, run-of-the-mill, unsurprising normal use as intended and certified.
This feels like trying to match physical-world regulations to software products... I'm skeptical about this legislation; it feels like another step for policy makers to conquer the software domain, which is still very open for anybody to enter... I remember living in London and talking with a friend who is an electrician; the amount of papers he needed in order to be able to do his job was mind boggling...
3) large rich American closed source companies will be very happy to comply
4) where will they find all the auditors to check the zillions of small open source projects inside node_modules for a commercial project? And who's going to pay them? Again, closed source companies are very happy.
HN crowd is completely missing the intent. Nobody wants to chase open source developers. The problem is that right now a person can go buy a smartphone or WiFi router which uses obsolete software components already and will never receive any updates. Hopefully it gets fixed through this legislation.
The "fix" will be that Europeans will only be able to buy from a handful of the largest smartphone manufacturers, and there will never be another European company selling smartphones.
That might be true for the lawmakers. But as it is, there will be unintended consequences:
First, what the article criticizes: Open-Source development might be discouraged because the exemption isn't clear and encompassing enough. Compliance is enough of a burden to stop any "halfway commercial" OSS developments in the EU, with a very wide interpretation of "halfway commercial".
Second, there will be the ambulance chasing kind of lawyers profiting from any kind of ambiguity by sending expensive warning letters ("Abmahnungen"). Those scumbag lawyers definitely want to chase open source developers and everybody else without a big legal team who provides them with an opportunity...
And experience shows that lawmakers have always been unable or unwilling to write laws with the necessary clarity and non-ambiguity.
OSS developers could simply include a disclaimer along with their chosen license:
"The developer of this software attests that it does not and will not comply with the EU CRA, and may not be used as critical infrastructure within the European Union. Any entity incorporating this software in products sold in the European Union agrees to perform all required compliance, and hold the developer harmless. Any compliance failure shall terminate all licensing of this software to all involved parties."
What that does to [vendors in] the EU would be interesting to see.
Not sure if it's literally regulatory capture, but it certainly has the same effects, as you've mentioned. Except I think it's actually the established, non-tech EU companies that benefit more than big US tech but I could see them benefiting too.
edit: apparently there is a similar bill in the US. So that does sound like regulatory capture.
The level of vitriol from the commenters here is honestly frightening.
If the Commission was proposing a law mandating that cars have seat-belts, people would be jumping in to shout "Europe is destroying free enterprise, they're trying to destroy small car-makers!"
Seriously, when you look at the list of concerned software, you have password managers, operating systems, certificate infrastructure, remote access software, industrial IoT, etc. For any software in these categories, it's not completely insane to think that "This software is provided as-is with no warranty whatsoever, good luck!" doesn't quite cut it.
And yes, open-source is concerned as well, when it's part of a commercial activity. Again, if you're being paid to provide software, it seems fair to say you're leaving the "lobbyist" category and entering the "paid professional" category and you have to worry about security requirements. Especially given that, outside of the critical projects mentioned above, you're allowed to display the CE mark if you self-audit.
Are there deeper discussions to be had here, concerns to be addressed, etc? Absolutely. I think a critical point is how "commercial activity" is defined. A threshold of gross revenue could be an interesting solution.
Are these deeper discussions happening in this thread? No. It's all "Europe hates innovation" and "I hate the EC and cookie banners so much!" Most commenters seem to automatically assume that any level of regulation is automatically going to drown small businesses and favor FAANG-scale corporations, which is more extreme than even the article calling out the regulation.
I think the fundamental problem here is that it's all about avoiding mistakes, not about doing good things. This attitude in general is a pox on humanity. Once you start to see the pattern it's everywhere. Schools, science funding, hospitals, building codes, policing, banking, aerospace, and on and on.
No one cares if you improve anything. They just care if you make a mistake. This attitude is a disaster.
As a European I do believe that the European Commission really hates innovation and they believe everything should be regulated, as if only the politicians know what's best for everyone. Like they're trying to regulate what kind of chargers we can use, the maximum speed cars can reach, what you can say on the internet and so on. All in the name of safety, terrorism and all the other buzzwords politicians throw around to make it sound important. If we'd had the EC 30-40 years ago, we'd most probably all still be using dial-up for internet, or maybe DSL at best, and still have BBSs.
And PoignardAzure, yes, I do believe seatbelts and motorcycle helmets should be optional. If you die because you're too cool for them, you die - simple as that.
I'm an American that sells software to clients in the EU that this legislation considers a Class I critical product (https://vuplex.com). If this law is passed, what would be the consequence of not hiring an auditor to comply with it? Depending on the cost of an auditor, compliance may cost more than the revenue generated from the EU. If that's the case, it may no longer be economical for me to sell to clients in the EU.
Usually CE regulations do not care if you hired an auditor or not. They only care about the regulations being obeyed. My understanding is that warning the users of the level of security they can expect, and handling security flaws reasonably is probably going to be enough.
Certainly; that's the idea. Regulation is usually designed to favor large incumbents with some fig leaf of justification, in this case hand waving about security.
The CRA is intended to protect the EU from pooling all its critical eggs in too few baskets, especially if those baskets are not EU-based companies. I'm not sure what Vuplex does, but I'll use AWS or Azure as an example. This is where a lot of our critical software, like the stuff that operates our public sector, banking and whatnot, is put, because that's basically where everything is put these days. With the CRA, the EU is going to identify a range of businesses of a certain size (I work for one such business, since green energy production is critical) and potentially demand that half of us leave Azure within 3-6 months, because the EU can't function if Azure somehow becomes hostile to us. As with the GDPR, this actually has very little to do with software or development itself. It mostly has to do with bureaucracy, so we're not expected to build things that can take us out of Azure and put us into X, not technically, but we are required to plan for the eventuality and to get those plans audited. As I see it, it will be on your customers to handle these audits, not you, and it's not a contingency that is likely to ever actually happen, unless America goes full right-wing populist, which frankly seems less likely than the EU doing it, judging by this year's elections.
Anyway, where this will become sort of an issue in regards to open source software and actual development, as the article points out, is when too many companies rely on the same business critical piece of software. I'm not sure I agree that this will be such a big issue, however, as most organisations that I know of tend to in-source the most vital open source projects exactly because it's too dangerous to rely on some random person.
We've done this ourselves. We needed an OData package for TypeScript projects, and while there were a few options out there, none of them were great. Some of them would've been "good enough", sort of, but they were either maintained by one or two people or not at all. So instead of using these, we wrote our own. Which is frankly how I suspect a lot of Open Source projects happen, because while you can use GORM as your Go ORM, and where we could have used one of these packages and even made it better, it was simply easier to make our own.
The CRA doesn't really change this, however, at least not if you're already taking security seriously.
I personally think the only area that will actually be interesting to follow the CRA on is what the EU intends to do with all the public sector smartphone apps. Here in Denmark we can have things like our driver's licence in apps, but these apps are only available through either Google or Apple, and those aren't European companies. :p For everything else, I think this will mostly be bureaucracy, bureaucracy, bureaucracy, which is sort of fine, because as the GDPR has shown us, not every organisation can be trusted to do security that impacts the EU.
I am not an author of a popular OSS project so my view is probably distorted, but as an OSS developer would you give a dime about legislation like this?
Edit:
It got me thinking: how would the legislator ensure the legislation is implemented? Would they start requiring escrow so they can check by themselves if software is developed to the correct security standard?
Developers working for free are explicitly exempt. The article lays out that the carve-out has issues and those should get resolved, but fundamentally it's there.
What happens with EU-based developers that work on OSS projects while on a company’s dime? I.e. said company doesn’t have any direct relation with that project, but wants to support it by paying some of its developers to put in the work. Or to developers that receive Patreon money based on their OSS projects? It can get pretty murky pretty fast.
Example: I contributed to the Elixir version of faker years ago. My customer allowed me to issue a PR with the Italian translations and it was accepted. This is clearly commercial because my customer was paying me and I was working at a commercial service. With this legislation I think they wouldn't let me send the PR (because maybe they would have had to pay for the certification) and/or it wouldn't be accepted (because the costs could be on the project.)
Then they're no longer working for free. That's exactly the issue this article is discussing, but that's not the point the parent poster was alluding to. They specifically mentioned "for free."
However, if you build security critical software and get paid to do so, it's not entirely unreasonable to require some sort of certification. You can't just build medical devices for money either without some sort of regulation. Or produce food for money. Or repair cars for money.
"THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ...... "
It is on the user (or a third party certification authority) to accept any liability for the quality of the software.
You cannot waive such rights in many jurisdictions, and such clauses are void there. Even where you can generally waive such warranty rights as a buyer in a contract, such waivers may still be curtailed in allowed scope. That includes most US states, too. E.g. if you sell a consumer product that's shoddily made and unfit for purpose and it blows up and injures its user, a signed contract where the buyer fully waives all implied warranties for fitness of purpose and accepts full responsibility -- caveat emptor! -- is probably void, and you are probably on the hook anyway.
> Limitation of consequential damages for injury to the person in the case of consumer goods is prima facie unconscionable
As I understand it, at least with contract law in common law jurisdictions, simply writing and freely posting OSS would not fall under this; a warranty is an implied part of a contract, and there is no contract that exists between the authors, and those who receive copies. No contract, no sale, no warranty. (A licence is not a contract, at least in some common law jurisdictions. But licences are contracts in civil law jurisdictions, usually...)
This would, however, not remain true if you're actually dealing with your users in a way that establishes mutual obligations (be careful you don't fall into a contract unawares!) Providing support for pay would do it, for example.
That law would override any such disclaimer by the seller (or other kind of "commercial producer") of OSS software. What is "critical" is determined by the catalogue of critical software categories.
Which would move up the chain to all dependencies of a critical project.
Libc, clang/gcc, whatever. Needs to be audited.
Perhaps they require the “integrator” to perform the audit or maybe the fact someone provides software which can be useful in critical environments is enough to signal an implied warranty and they are on the hook for compliance. Nobody knows until it all goes through costly legal procedures where everyone is trying to cover their asses and pass the buck.
I’m waiting for the day where FLOSS devs are greeted at EU airports by process servers because they released some software while in college and it got used in some critical software.
No, the draft requires the purpose of a software to be declared. So if you declare Linux to be a terminal emulator, not an operating system, and only sell/import/distribute it as such, you only need to comply with the somewhat easier self-certification requirements for non-critical software.
However, that declaration of purpose of course binds all other users/distributors of Linux, if they should dare to use or bundle it as a desktop, server or mobile operating system, they are doing so outside the original certification and need to have the required audit for critical software performed.
That, as far as I read it, also means that something like GCC, which is unambiguously a compiler, isn't critical and need not be audited, only self-certified, even if used to compile a critical software component.
> Developers working for free are explicitly exempt.
The problem lies, among other things, in the fact that a business activity might be assumed even if one does not explicitly receive money for the software directly, but indirectly. For example via donations, ads on the download Web-site, using it for self-promotion, paid consultancy, selling tutorials, ...
"[inside] the course of a commercial activity" "Commercial activity is understood as providing goods in a business related context."
Secondary self-promotion, donations and ads are imho not "providing goods in a business-related context". Paid consultancy and selling tutorials might be, though. But I assume that judges will rule on that if it comes to it, and I assume that they will set some monetary boundary up to which this still counts as "outside the course of commercial activity".
If "business-related" means: "what contributes to earn you money", then they are. The boundary is typically not the amount of money, but whether there is an intention to make a profit over a longer period of time.
So if you have a permanent website for your open-source product to promote some other product or service, or ask for donations or put ads on the site, you intend to make a profit out of your open-source product. (Almost?) every possible answer to the question "How can I generate revenue with my open source project?" describes a business related context.
As long as you're not financially profiting from the project, the legislation does not affect you. The moment you do financially profit from it (for example, if you have a business around it, or the software is developed by a business), then things get a little more complicated: if you have no clients in the EU and don't market or sell to the EU, you can mostly just ignore this. If you do, then you probably have to care about this.
You're saying this so definitively even though you can't know that what you're saying is true, based on the article:
> In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. [..]
> Commercial activity is understood as providing goods in a business related context. Non-profit organisations may be considered as carrying out commercial activities if they operate in such a context. This can only be appreciated on a case by case basis taking into account the regularity of the supplies, the characteristics of the product, the intentions of the supplier, etc. In principle, occasional supplies by charities or hobbyists should not be considered as taking place in a business related context.
> Open-source software is provided both within and outside of business related contexts. And the 'occasional supplies' exception in this quote seems to be of limited use to projects society comes to depend on. Would you consider an open-source operating system (MINIX) that has been freely available for 35 years an 'occasional supply'? What does its integration in all Intel processors since 2015 mean for being 'goods' outside a 'business related context'? How about the BIND project, a staple of open-source core Internet infrastructure shipping for 40 years?
This feels like a huge issue to me and that's before considering how most OSS we use everyday is worked on by full-time employees as a part of their jobs.
If you release TerminatorOS which is an experimental OS for AIs hellbent on destroying the world, you are fine.
If someone uses TerminatorOS and you did not sell it to them, they will be responsible for its use, you are fine.
If you start terminator.io, a startup that sells TerminatorOS powered drones that shoot you in the face, you are not fine and need to comply.
In the same way, if BIND starts BIND.io to sell Bind-as-a-Service, then they'll have to be compliant. If BIND is found to be run at 90% by AWS with AWS-paid employees, they won't need to be compliant. Otherwise, you'll be fine.
Source: this is not the US, European law takes context into account.
What if I've already released TerminatorOS for free and would prefer not to leave my users in the EU high and dry, but I also don't want to start a business or spend my free time dealing with legalese while getting nothing in return?
If you are not selling it to your EU users, you are fine. If you are selling it to EU users, leave them high and dry and offer no support. They can still clone it and run it on their own.
It's really the same thing as selling non-certified products in Europe. If you are a registered EU business, you have to sell CE-certified products, so we know that you're not going to burn my house down. If I buy from Alibaba an LED strip that draws 500W and ends up burning my house down, it'll be my fault; the seller was in China and I knew what I was getting into.
Any kind of commercial gain can be considered "profit". 10ct/month from an ad banner is considered a commercial activity in Germany and courts treat it as such, with consequences like Impressumspflicht (need to publish personal data, tax number, phone and fax number of the person responsible for a website) and DSGVO applicability. Same for indirect "profit": there have been judgements that considered blogging a commercial activity if the topic of the blog is similar to the dayjob of the blogger because the blog is considered an advertisement to a future employer or customer.
Therefore I would consider any kind of open source contribution by an IT professional a commercial activity. Only if the open source contribution is strictly a hobby and your normal job involves nothing IT-like at all you'd maybe be safe.
Is having your name on a project “profiteering”? Is publishing a project to sustain the reputation of a conference speaker made as a sidekick, profiteering?
That is not true. Donations are not usually considered profit, at least in Germany. They occupy a bit of a weird middle ground. They may count as income, but for example the donations we receive for the open source projects that our company runs are VAT exempt. However, they must be true donations and not provide material benefit: if the donations provide any substantial benefit (priority when considering features or bug fixes, access to special features, ...), then it's no longer donations but services. Things like a mention on a supporter page, occasional swag and stickers, ... are usually fine.
As always, talk to your tax accountant about your specific case; this is not legal or tax advice, ...
You seem to be conflating being eligible for VAT with income that would qualify as "profiting". Profiting just means you benefited. And taxable income is nearly always profiting.
All legislation is designed for the Mittelstand (medium-sized German companies).
Tax, privacy, communications, employment, now software.
This was seen with the VAT changes: it was raised that this would badly affect small companies, so they passed the legislation, then penciled in a meeting for 3 years' time to maybe think about small companies.
False. In many cases you might be collecting it in the first place without realizing it (e.g. Analytics). Also it's a problem for developing anything to spend a lot of thinking "would this violate GDPR" instead of actual creative thinking and development.
I don't remember how many DAYS we've collectively lost in all the apps we're making, to make sure we comply with GDPR instead of focusing on productivity.
So it sounds like there is no point to comply ahead of time as if they do come after you they would just get future payments in which case you can close up sales in that region.
Say I'm an EU company. I use a small bit of GPL code in the course of my business, and I see a problem with it, so I change the code, fix the bug/add a feature/etc, push it back, does that count as profiting from it?
I could instead not push it back, which is less immediate risk
> As long as you’re not financially profiting from the project, the legislation does not affect you.
As highlighted in the article, "commercial activity" is what triggers the legislation, not profit, and it's a broader concept.
Note also this section on page 34:
‘making available on the market’ means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;
Supposedly, if this legislation passes then the EU will be within its rights to ask GitHub or any such platform to remove completely or to block OS projects that do not meet the EU’s new security criteria.
Take what I’m saying with a huge grain of salt, cause I’m also not an OSS contributor nor do I work with tech-related legislation.
I'd guess large producers of commercial software. BigCo doesn't have any problem having an entire compliance & audit b.s. department. However, all the smaller companies, independent developers and OSS software will be regulated out of the market.
It's interesting that the EC is not looking at addressing the obvious loophole big corporations are using - that is, they are saving on R&D and tax by using open source software without paying the developers for their time.
If these big corporations were paying up the fair share of profit generated by the open source software they use, I am sure the developers behind it would have funds essential to ensure the security of the software they make.
That being said, even if the above were not feasible (shame!), then it should be up to the corporation using the software to ensure it is secure (and possibly contributing any fixes back to the software).
This kind of reminds me of when encryption became a munition in some countries—development moved to countries where encryption wasn’t outlawed. Something tells me a bit of a brain drain will happen if this comes to fruition as groups will go out of their way to develop software outside of the EU. Either that or the EU will be full of undesirable software that has been audited, but is still vulnerable.
I think this is long overdue and virtually all posts in this thread seem to be generic, entirely contentless 'EU bureaucracy' rants. From the article:
> (i) it is designed to run with elevated privilege or manage privileges;
> (ii) it has direct or privileged access to networking or computing resources;
> (iii) it is designed to control access to data or operational technology;
> (iv) it performs a function critical to trust, in particular security functions such as network control, endpoint security, and network protection.
> (b) the intended use in sensitive environments, including in industrial settings[...]
There's a clear distinction here between what the EU labels 'critical products' and non-critical software. Seeing the increasingly insecure global situation, the importance of software in infrastructure and the potential threats I think it's wild that something like this hasn't passed a decade ago. Digital infrastructure needs to be as secure as physical infrastructure.
I wonder what would happen if some Heartbleed-esque bug that went undiscovered for years took out a huge chunk of a nation's electricity grid in a military conflict. What the EU needs in addition is of course also more funding for software security, but they're already doing a halfway decent job. If you didn't know, if you fix open source bugs in the EU you can get paid for doing just that: https://ec.europa.eu/info/news/european-commissions-open-sou...
The EU, in their misguided attempts to regulate everything, invented the NIS and NIS2 directives where the government can interfere in a company's security practices and tell it how to run its business. This is complete and utter nonsense.
The sensible approach to so called critical infrastructure would be to just make a company provide free service for a number of days for every hour/day of downtime for preventable errors. Like say the power went out for an hour, you get 100kW of free electricity. You didn't have natural gas for 1 hour, you get 100cm of gas for free. And I find this approach better than having some random person from a government agency with a clipboard and a checklist fining you because you don't have antivirus on your phone or some other stupid thing like this.
If there's a sophisticated cyber attack, then the utilities get to walk away scot-free. Just like the insurance company waives all liabilities in case of unforeseen circumstances like war & stuff.
> it has direct or privileged access to networking or computing resources
Sure, but what does “direct” mean in this context?
My little IRC client library or a device driver in the kernel?
Either one could be used in an exploit chain to take down the EU power grid. Theoretically, of course, because I don’t actually have an IRC lib and I don’t think it would be used to control a power grid if I did…at least I would hope so.
It would be totally reasonable to require special certification for software running on critical infrastructure (is it not the case already by the way?). They are trying to blanket cover the whole market though which looks like another attempt to fight the market reality frankly, with predictable outcome.
The OSS community thought that Microsoft would destroy OSS, but the real danger is throwing some legislators in the game. I always thought that the way that we would destroy OSS was making it political, but making it bureaucratic is an easier and cheaper way to destroy OSS.
"Tänker" sometimes means "think" but it also means "plan". The Wikipedia article states that it was illegal to make formal preparations to build a power plant, but even that was not enforced.
"In Bill 2005/2006:76, the Persson Government stated the reasons for abolishing the law when it stated that there *had never been any ban on thought*, but that the "incorrect perception of the meaning of the provision is well established""
True. If your thoughts stayed entirely in your head then it probably wasn’t a crime. But if you for instance jotted down some rough cost estimates on a piece of paper you were in trouble. :)
Red Hat has been providing indemnification for patents for RHEL. This seems like another regulatory bag they will have to carry. Everybody will just use Red Hat, because it is already certified so they can just pass the certification along.
"outside the course of a commercial activity should not be covered by this Regulation" Is this kind of wording normal in EU laws? Why use "should" in the law, since we are in the middle of defining what is going to happen, shouldn't it be "is"?
It sucks; they should just set up a fund for fundamental projects - Linux, LibreSSL, OpenSSL, etc. - and then make companies of a certain size contribute. It could even be a way of boosting the European tech industry by funding FOSS consultancies within Europe.
Instead we just get more bureaucratic anti-innovation makework - just like the Link Tax, Cookie law and GDPR, etc.
Or, the foundations could come together and provide a compliance/auditing foundation that does these audits, letsencrypt-style, for (nearly) free.
A fund sounds like a great idea as well, but who would decide who gets the money? You don't want overseas companies syphoning the fund because they have 0.01% of their userbase in the EU.
Overall, as others have stated: how unreasonable is it if you create a 'critical' product, and you make money off of it, to invest some of that money to show it is secure?
> Overall, as others have stated: how unreasonable is it if you create a 'critical' product, and you make money off of it, to invest some of that money to show it is secure.
I suppose it depends on how many hurdles you want to place in front of innovation.
I learned after driving a cab for nine years just how little I can live off of and if I cut out the luxuries (like hot water) it was surprisingly little.
Now suppose I were able to get people to pay me peanuts (through donations for the sake of the argument) to maintain some critical software because, you know, “someone has to do it and this guy will work for peanuts”, just how many luxuries am I expected to do without to comply with some overbearing regulation?
> Now suppose I were able to get people to pay me peanuts (through donations for the sake of the argument) to maintain some critical software because, you know, “someone has to do it and this guy will work for peanuts”, just how many luxuries am I expected to do without to comply with some overbearing regulation?
That's a weirdly specific hypothetical.
In this situation, we're assuming the regulation is morally responsible for you living an austere life and not, like... you for choosing to pick the job instead of other better-paid software jobs, or the software users for not being willing to pay for critical software they depend on? And the regulation is therefore immoral if it costs any non-zero amount to anybody to comply with it, even if that amount is low?
What I’m really saying is they are pushing the burden of compliance on someone who just so happens to be a professional because some people think they are providing a service they find useful enough to toss them a few bucks here and there — like a ton of FLOSS projects with a “buy me a beer” donations button. In a weirdly specific manner because once I get started on an idea it just flows.
Either they take absolutely no compensation or they are responsible for (probably costly because government) compliance measures if some bureaucrat finds the project “critical” without them intentionally producing “critical software”.
That isn't an audit. Audits are not about actually doing anything about security. Audits are about having documented procedure and properties and reviewing documentation.
The typical software you need to google in the context of an audit is "Excel" for the endless fill-me-in lists of compliance b.s. your auditor will make you fill in...
The regulation looks reasonable: if someone is selling software, or products containing software components, they have to certify the security of their products.
OSS developers who don’t charge for the software have no obligations. If their software is used in a commercial product, the seller of that product is responsible.
Technically you have to do it at $0/month because once it changes to $20/month you're not in compliance. It's a minor distinction - your point is the important one. You have to do it way before you have the means.
> I’m not getting an auditor over to audit my $20 program.
Self-assessment is an option. The problem is that now you're responsible for the bugs, no matter whether the user uses it for securing his cafe or bank...
No, CE markings are normally for finished products, not components. (in many cases the software is a component). Most open sourced projects are not user-facing finished software products.
No, the regulation explicitly includes components:
> For the purposes of this Regulation, the following definitions apply:
(1) ‘product with digital elements’ means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately
So, I think this new legislation might be bad, as the distinction between a component vs a finished product is a lot less clear in software, and particularly open-source projects. I'm not sure the lawmakers will consider this carefully.
Another garbage idea out of Brussels. Given the fact that we've been lacking in the systems engineering space for more than a decade, this will only curb some of the decent innovations people have begun expanding upon in the last couple of years. (See the various talks & ideas from USENIX for example, amongst other events)
On the "bright side", this will realistically be impossible to enforce. Any national court who deems such industry important will probably use a local constitutional amendment to reinforce that CODE easily falls under freedom of expression, just like any other craft.
EU showing once again how desperate it is for money. Let's strangle out all our industries until nobody can make anything anymore: See agriculture, energy, manufacturing, and "now" even a bigger range of the IT spectrum.
> Any national court who deems such industry important will probably use a local constitutional amendment to reinforce that CODE easily falls under freedom of expression, just like any other craft.
if you're in the EU then EU legislation overrides any local law
At some point in the past decade, EU civil servants have completely lost the plot and they now seem to think that creating new reporting obligations is the solution to all problems and that people have nothing better to do than read hundreds of pages of European legalese poorly explaining technical concepts.
The European Green Taxonomy is a brilliant example. It’s both complicated, costly and a poor way to achieve the goals it wants to achieve.
At this point, I have to assume it’s voluntary self-sabotage.
Considering it's looking very likely that US based companies are going to be locked out of the EU over GDPR and FISA - creating an EU based version of all the major players seems like a very wise move.
To me the whole regulation frenzy looks not as much as locking out US-based companies, but rather limiting power of software industry and community in general in favour of old industries and bureaucrats.
This. But it's the same with everything in Europe - sky-high income tax and VAT, but zero to little inheritance tax, property tax, land value tax, capital gains tax, etc.
Like the idea is to punish workers (skilled and unskilled) and keep the power and wealth in the hands of the aristocrats.
What's the long term play? The climate is so hostile that any success is likely to be rewarded with a regulatory response that mandates giving up any competitive advantage.
I don't see it as attractive for any for-profit investment. Maybe it's the right incubator for open source / nonprofit alternatives?
> I don't see it as attractive for any for-profit investment.
Well don't forget, it applies to non-profits too. Or an individual who makes money from it.
edit: can't reply to the reply below (too nested? IDK).
> I'm not sure I'm understanding your point... could you please elaborate?
My point is the compliance laws apply to "non-profits" (the legal entity) and individuals that make a profit from OSS. Perhaps you covered that in "for profit" but that term is often used for companies and in contrast to "non-profit".
Yeah, I hear you... the burdens are also real for non-profits and individuals. I should have said it is more about motivations. I wouldn't go into the EU to compete against displaced ROW companies in the hopes of making money (personally or as a company or a VC).
But if the mission was to make the world a better place and profit wasn't important, sure. As business-unfriendly as the environment is, it is very consumer friendly, at least in intent. IMO there may be unintended consequences that harm consumers but their hearts are in the right place.
But they could just do that directly - like Russia and China have done with Yandex, VK, WeChat, TikTok, Baidu, etc.
But for some reason the EU is still hooked on neoliberalism and anti-protectionism, even when it has ravaged the continent with the energy crisis and the US monopolising the Tech industry, etc. (remember that the ZX Spectrum, BBC Micro, Acorn, ARM, Linux and Nokia were all European once).
Like in this case - it'd be better to just invest directly into support for EU-based FOSS consultancies to contribute and maintain critical libraries like OpenSSL, LibreSSL, Linux, etc. - and then all EU government and industry would benefit with that, whilst keeping the jobs and investment in the EU.
They're just so short-sighted and dogmatic about neoliberalism (as well as doing whatever the US asks, regardless of the negative effect on Europe). It's no wonder we're being eclipsed by China. Just look at the GDP per capita and Productivity since 2008 - https://data.worldbank.org/indicator/NY.GDP.PCAP.CD?location...
So much this. This morning I was thinking about the supposed CIA handbook to ruin companies, at this stage I wonder if it wasn't done for states.
My wife asked me why I don't create a startup; well, it's all due to this bullshit.
Because the idea behind it is that commoners like me and you shouldn't be able to start a business without backing of an investor blessed by the EU officials.
That's how they are introducing neo-communism by the backdoor. Technically private initiative is still legal and possible, but it is not in practice.
So if you have an idea, your only option, eventually will be to get hired at one of big corporations and try to sell your idea at one of their start-up incubators.
The difference is that you'll always be a salaried worker (and remain in the working class) and shareholders will profit from your idea, not yourself.
> But for some reason the EU is still hooked on neoliberalism and anti-protectionism, even when it has ravaged the continent with the energy crisis and the US monopolising the Tech industry, etc. (remember that the ZX Spectrum, BBC Micro, Acorn, ARM, Linux and Nokia were all European once).
So the EU and its consumer/people rights over company rights caused Russia to invade Ukraine and therefore decrease the supply of energy causing an increase in prices??? This is one of the craziest, nonsensical takes I've ever read.
The EU bureaucracy decided to cripple its economy because they feel like the interests of a non-EU country are more important than the interests of the European citizens they claim to represent.
The EU politicians and especially the EC members are beyond insane at this point.
This comment is also nonsensical. Russia increasing the energy prices would have happened if NATO stepped in or not. In fact, they would have increased a lot more.
Isn't this how the markets work? You extract the maximum amount of profit. It is not like the Russians were forcing the EU to buy gas from them.
The EU were the ones trying to force Russia to sell gas to everyone, and not only that, but to also deliver it to specific transit routes. Like "you can't cut off Ukraine" because they're gonna freeze or something.
There's a lot of nonsense that is happening just because bureaucrats are stubborn and think the world should work how they dream it at night.
It’s exactly how markets work. Build a dependency, remove competitors and raise prices.
Also, part of the issue isn’t Russia raising their prices but a reduction in supply either from Russia removing a supply or countries not wanting to buy from Russia.
I think the draft still has some minor kinks to iron out but overall I see it as a good idea. This gives a clear pathway to determine the boundary where a software component becomes more than just “a little experiment” with meaningful impact on a bigger software system.
My first reaction is also that this could be a good thing. We need secure software infrastructure. Markets have not provided that and this could be one part of the road to a solution.
Despite the headline this is about all software, not just code that's developed with open source and software freedom as features.
Now could be the time that FOSS gets to put the many-eyes reasoning to the test with crowdsourced standards compliance. It could make paid jobs for open source developers as CE auditors for code. That code is currently just taken by big companies for free, plus the ingratitude of blaming developers who work for nothing when it goes wrong.
It's mostly a checklist exercise anyway. So long as there's no monetary cost to compliance it may create a cadre of OS reviewers who are skilled and prepared to do it for free for projects they support.
Surely, in a real security meritocracy the cruft that passes for "closed proprietary" software will soon be exposed for what it is. How long will Windows 11 last in an environment with good security culture?
Proprietary software will not only have to compete against free, it will have to compete against _good_, and certified good free and commercial FOSS. The FUD, disinformation and fearmongering of Big Tech and its shills may end up having less impact, not more.
OTOH I doubt this will impact hobby developers and Non-Commercial FOSS that comes with liability disclaimers from the get-go. It will however, impact those who want to take that work and deploy it in critical roles for commercial gain.
This is trending towards requiring a license to develop software. You will need to ask the government for permission to develop software just like you do for countless other professions.
This reminds me of an aphorism: "When you owe the bank a million dollars, that's your problem. When you owe the bank a billion dollars, it's the bank's problem."
What happens when/if core technologies like SSL, BIND, and even the Linux kernel fail to meet these requirements? Will EU entities have to stop using noncompliant open source software? As someone who is not a fan of bureaucracy, the consequences of this could be almost hilarious.
Edit: TFA is writing about this as legislation to be concerned about. I'd wonder if the best response to this is malicious compliance: "sorry $EU_ENTITY, we never certified, so you can't use our tech that happens to be fundamental to the security/networking/OS stack."
CE certification requirements concern the sale of products in the EU. You are not allowed to import, make available or sell products that do not have a CE certification, if one is required for that kind of product. CE certification is usually just a self-declaration by the producer. If you make "Chemical Ali's colourful children's chew-toy" you have to provide a CE self-certification that e.g. certifies that you didn't use any lead-based paint, and all the other requirements for this category of product.
Enforcement of compliance would thus be via the seller, distributor, importer or producer, whichever is an EU entity and available/responsible.
Generally it would be permissible to use non-CE-certified products e.g. at home, provided you do not make them available to others, give them away or sell them. Using non-certified products can be prohibited for companies and other legal entities, usually through the safety regulations they have to obey.
What the legal consequences for a user of non-CE-certified software would be, I don't know. There will certainly be an assumption of negligence if anything goes wrong.
> There will certainly be an assumption of negligence if anything goes wrong.
This was a long time coming for our entire industry- ever since the internet stopped being just about kittens and porn and started handling serious money.
This is a good thing because it will force decision makers at major companies to sober the fuck up and pay real attention to security. We still have consumer products, like phones and routers, that are being shipped with known security holes and without any updates.
The issue is pervasive throughout the industry and will take decades to resolve.
There are lots of alternatives for SSL libraries, and there are also indeed increasing alternatives to Linux. But in reality, Linux tends to get patches for compliance purposes, or forks for meeting various obligations.
These smaller projects are probably even less likely to be compliant.
If anything, it will create a situation where e.g. OpenSSL is audited and compliant, but other newer solutions aren't so you can't use them. If "has been audited and approved" would be a good assurance the project is of good quality then that might be okay, but overall I find it's a rather weak signal.
Usually a combination of less usage and general interest, fewer developers and development time, less or no funding, etc.
Details depend on the project, of course. The lesser used WolfSSL is also FIPS verified; it's clearly not impossible to do these things, it just puts additional pressure on what are often already constrained resources. I mean, the amount of general resources Linux has available compared to, say, OpenBSD is just huge.
I'm not sure that this has really been proven out to be a generally true concept. BoringSSL is a good example of a very well funded project. There are FIPS modes in the Linux kernel for various things like RNG.
Same as for GDPR probably. Selective enforcement and chilling effect. Companies will have to take risk of legal action into account, but not really adhere to it, except in some really basic cases.
"(13) In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. However where software is supplied in exchange for a price or personal data is used other than exclusively for improving the security, compatibility or interoperability of the software, and is therefore supplied in the course of a commercial activity, the Directive should apply."
Asking as somebody who does not really get this law jargon - if you distribute your software, which might be a little bit of glue code putting together some freely available open-source libraries, then would you be liable for auditing only this glue code or libraries as well? (since you would have to distribute them with your glue code, otherwise your product would be incomplete)
However, as I understand it: If it applies (e.g. commercial context) and you distribute the software or offer a product based on the software, you need to show the audit of all, not just a part (e.g. the glue code).
Thank you for providing the whole quote. If indeed all software that is not directly supplied in exchange for a price is excluded, that would be a huge relief for the community.
The fear is that they will proceed with an extended definition of "commercial activity" though, out of fear of loopholes.
Here is an excerpt from the article that puts into context why this is concerning. But honestly, just read the article.
> Now, what is a commercial activity?
The CRA does not define this term. However, conversations with people more knowledgeable on product legislation pointed me to the EU Blue guide to the implementation of EU product rules:
> Commercial activity is understood as providing goods in a business related context. Non-profit organisations may be considered as carrying out commercial activities if they operate in such a context. This can only be appreciated on a case by case basis taking into account the regularity of the supplies, the characteristics of the product, the intentions of the supplier, etc. In principle, occasional supplies by charities or hobbyists should not be considered as taking place in a business related context.
> This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. However where software is supplied in exchange for a price...
This says that publicly available open-source software that is not supplied in exchange for a price (as opposed to, say, customised versions of software that are not available to the general public) is exempt. It doesn't cite any other commercial activity (technical support, donations etc.) from the EU Blue guide.
I seem to recall that the heartbeat bug was in a library where the author received (very little) monetary compensation for their work.
Who’s responsible for compliance in that case, the dev or the thousands of companies who used the library in a critical role?
I know this is supposed to fix such a situation but they aren’t going to be taking hundreds of thousands of website operators to court who used the freely provided library without auditing the code.
The really funny part of the "Call for evidence for an impact assessment - Ares(2022)1955751" document (section C.) from https://ec.europa.eu/info/law/better-regulation/have-your-sa... reads:
> The initiative is expected to have positive economic impacts.
That section completely fails to mention that increased compliance cost will inevitably lead to increased software and services pricing, and thus will lead to decreased competitiveness of European SMEs on the international market.
Hot take: I can see two options to cripple this: 1) Drown the legislator in compliance requests for minor code. 2) Dual-licensing: AGPLv3 + commercial license.