Save Open Source /-/ the Impending Tragedy of the Cyber Resilience Act (apache.org)
109 points by pseudotrash on July 19, 2023 | hide | past | favorite | 34 comments



> And it is that entire stack which the SME, as the party that places it on the market, is liable for.

This has been a nit of mine as others cry out how I'm a "NIH" curmudgeon for not importing some library because I need, oh, "upshiftFirstCharacter" or some other thing.

Like many, I do incorporate other projects into my own. But, also, I tend to just write my own stuff for "little things", even when they creep into "big" things, as many are wont to do.

And the canard I hoist when challenged on this stuff: I simply point out, "We may only be using a small piece of it, but we're responsible for all of it," and point to the trail of jars that simple utility is dragging with it.

There's a lot of pressure for things to have fewer and fewer dependencies. As a Java developer, I strive to rely as much as practical on the JDK and the utilities they provide.

My code is as imperfect as anyone else's. But I watch threads on forums about "how can I do XXX" and what they really mean is "what package do I need to do XXX" rather than just, you know, "doing it". It's a spectrum of complexity, but if I can get away with a simple BlockingQueue instead of loading in some off-the-shelf behemoth for a simple twixt-threads queue, I'm going to do that. Use the stuff I have until it fails before I drag and drop some onerous jar and a boat of dependencies to do the same thing. "This has monitoring and plugins and ...!" "Do we need that?" "...Maybe?" "Well, let's wait and see, shall we?"


This definitely brings out the Accelerationist in me.

Keep making more changes, more regulation, Europe. It'll make an interesting story one day. But only after extreme turmoil & chaos. After the dust settles.

And I don't think these attempts to regulate the planet, to impose your will & shift so much burden onto those doing & making & creating is going to work as you hope. I don't think it will give your societies the safety you think you can demand, and I think the difficulties you are creating are going to cause great suffering for your nations.

I respect your desire for a better, more sensible world, but forever more layering in more and more constraints & burdens on the active agents in your systems has such unfathomable costs.

And you don't have the right. You don't get to tell the entire world how to behave. There are impossible asks, utterly ridiculous, and you make them against everyone. You already have your foot on the floor, speeding us so quickly to breaking.


> EU lawmakers also realise that open source is often 95% or more of the software stack on which a typical European Small and Medium Enterprises (SME) operates or is licenced.

> it is that entire stack which the SME, as the party that places it on the market, is liable for.

> policy makers assume that these process improvements [...] are costly; on the order of 25% more in cost overhead

> for most European SMEs this extra effort over the full 100% would be several times their engineering effort and hence would not be feasible

> certifying the 5 or 10% of the code they build on top of the open source stack is a lot more achievable.

From what I understand of what the Apache Foundation has written, what the CRA does is to take the certification obligation from the entity that takes the open source products and profits from it, and push it on to the entity that produced the open source software.

So if I have a business that uses a tech stack built on top of Rocky Linux, for example, I only have to certify the part of the stack that I built, and I can push the liability for the rest of the stack to the Rocky Linux vendor, even if I never bought a support contract.


Well, the blog repeats and clarifies that this is indeed the legislators' idea, and they won't change their minds.

It's not clear to me how much knowledge the author has about the legislators' opinion, but it's a very damning piece of text.

Pushing for the obligatory enforcement of unknown rules, extending the corporation's embodiment into every action of its employees, and granting legislative power to private standards bodies are all very anti-democratic decisions.


> Pushing for the obligatory enforcement of unknown rules, extending the corporation's embodiment into every action of its employees, and granting legislative power to private standards bodies are all very anti-democratic decisions

I agree. But at the same time, this might indicate something.

Frustration.

Try to build a bridge, a building, a factory, and see how far one gets, without a lot of clear cut rules being followed.

Then look at ... say, Debian. Where every single piece of software follows guidelines, or it's in non-free.

Then look at the node ecosystem, where no one audits anything, or even cares if they're literally infringing, who wrote it, etc.

No one even checks if any of the 25,000 packages have just been replaced by malware, or if the license has changed.

And beyond that, we have endless orgs running code on deprecated compilers (e.g. PHP 5), with no security updates.

These things are absurd, but we accept it, merely because we prefer greed over security, safety, and sustainability of code.

So, some of it may be frustration. I'm frustrated with it!

It doesn't make it right, but....


Well, reacting to an emotion is a pretty bad thing for a legislative body to do. What is it, some tribal government where a trio of elders command everybody?

I do agree that the situation is dire, and we should do something. Up to now, that something is almost completely in the "research" area and almost not in the "legislate" area, but some exceptions may already apply. Acting on those exceptions would be a good thing, but this is really not some "hey, this small action is proven to help" kind of law. Laws like this one always lead to less secure software and broken markets.

And anyway, no legislative body anywhere should even think of doing any of the things I listed in that paragraph. Any of that is already enough to dismiss the entire thing (IMO, it's enough to dismiss the entire body too and call for replacement) even if the actual rules would improve software security.


> Then look at ... say, Debian. Where every single piece of software follows guidelines, or it's in non-free.

Debian rules are not about software functionality or implementation.


What's stopping Rocky Linux from stating that its products are not certified for usage in Europe and having a third party that specializes in certification handle that aspect for a percentage of revenue from support contracts for European markets, with the net effect being that near zero such foundations end up based in Europe and European companies experience it as licenses being 10% more expensive with a smaller set of products available?

For open source libraries, which presently are 100% free, have the certification company charge companies who want to use those libraries to audit and certify them, and pass a substantial amount of the cost on to the authors of those libraries.


If the legislator is so concerned that some random open source project with enough luck to become a foundation of something the EU relies on may be used to weaken its security... then why not just ... I don't know ... not use it and develop their own? It doesn't fit in my brain.


> The current CRA text only excludes OSS software that has no commercial activity around it. Unfortunately, it defines commercial activity in part, this way:
>
> “where the main contributors to free and open-source projects are developers employed by commercial entities and when such developers or the employer can exercise control as to which modifications are accepted in the code base, the project should generally be considered to be of a commercial nature.”
>
> This can be read to mean that if the main contributors are not unemployed, then the project is commercially tainted.

It applies not just to foundations and companies but basically all software created or distributed within the EU, so basically all software created by professional developers, even outside of their employment.

Where the creator is beyond the reach of the EU, the onus doesn't cease to exist; it just falls on the company to certify it as part of their due diligence for their product. And this doesn't even make that version of that software or library itself certified outside the scope of that usage, so all non-certified software would need to be verified once per work unless someone stands up an entity to provide a certified version of whatever.

For open source software you are asking companies to write or buy their own everything.

The most reasonable scenario is probably European developers using a limited palette of software versions behind the US, wherein in many cases they have to pay a European maintainer who pays the cheapest offshore labor it can find to give its rubber-stamping of security a thin veneer of respectability while contributing nothing back to the people who write the software.

What it logically needs is a requirement that such labor come from the EU and a portion go back to the source project. We can call it the FULL EMPLOYMENT for EUROPEAN DEVS, MAINTAINERS and ENGINEERS,

aka FEEDME

In this fantasy land non-Europeans would register for their portion of the money.


The CRA draft has been accepted. I submitted this a couple of hours ago: https://news.ycombinator.com/item?id=36790228.


What are the implications if an open source library is simply maintained in the US and consumed in the EU?

Does the EU company then need to handle the details of certifying it? Do you end up with an entire industry around companies "importing" open source libraries into essentially a library of usable verified things that companies are then allowed to consume?

Does this end up with EU companies using out-of-date things because it requires certification? How do you avoid it either becoming a rubber stamp with a fee attached or EU industry being behind insofar as its ability to use technology?

E.g. a US developer can use A, B or C whereas an EU dev can only use a 2-year-old version of A, which may be less secure for lack of improvements in further versions rather than more secure. Essentially a certified predictable level of inferiority.

> Some of the obligations are virtually impossible to meet: for example there is an obligation to “deliver a product without known exploitable vulnerabilities”.

Is it possible we actually CAN meet something a lot closer to that? There aren't infinite ways to use something, and if the use is novel and out of scope of the library itself, wouldn't that be something out of scope and part of the company's job to certify?

Consider languages and technology that obviate or drastically decrease entire classes of bugs, from memory-safe languages, to comprehensive testing, to static analysis, to more secure OSes like seL4.


> E.g. a US developer can use A, B or C whereas an EU dev can only use a 2-year-old version of A, which may be less secure for lack of improvements in further versions rather than more secure.

That has been the natural consequence of every past effort to legislate security all over the world.

The fact that this one seems less attached to reality than normal only reinforces that, so I'd expect nothing else from it.


I don’t think IBM could have come up with a better marketing plan for Enterprise Open Source. Unless this is exactly that.


So what I don't get is why they don't have it as two tiers, aka if you make software and sell it, your software and all dependencies must be certified.

The people doing certification must have an active hand in the development process of the specific software component, and, at their option, can charge for certification.

This would allow open source projects that are used in industry to charge for certification labels to the commercial companies that require it. But non-commercial, which does not need a certified stack, is business as usual.

Seems like it would incentivize funding of open source, right? As long as the fees are low enough, no one will fork. But since only the people maintaining the project can make (and optionally charge for) certifications, it would incentivize knowing your software stack, and paying for maintenance/contributing back.


They all ought to band together and block EU countries from downloading their software until the regulation is changed. Let's see what happens.


Using open source as a political weapon is much worse than this. Banning patches from Russian developers has already been seen. It is not the spirit most open source software developers would want to go, I'm sure. At least I would never lift a finger to patch anything that took part in something like you mentioned or as insane as sanctioning Russian developers (or some other country/race/gender/etc.)

It is a slippery slope and in no time it would spread to banning Chinese patches and developers, with people getting riled up by people from .gov mails and next up Muslims and on and on.

Besides, show me one of those "all" you mentioned that has the right to do so. Do you think open source is American? It could just as well be they all ban the US. Just... don't.


Disclaimer: I'm from the EU myself.

Like a lot of commenters are saying, these blog posts are nice, but they won't change the minds of the legislators.

The legislators, in their apparent naivety, are living in a dream world where they expect today's volunteer developers to take on real and unfair legal risk for their contributions.

That's why I think open-source projects ought to make a real statement and ban EU downloads of their software. This will catch the legislators' attention. Making the lives of whoever is using the software (practically everyone) difficult will get the point across and force change.

This has nothing to do with discriminating against who _contributes_ to the software, which is of course a bullshit thing to do.


What will you tell open source developers who live in the EU?


Don't need to actually block EU downloads, just state that no open source software is certified for commercial usage in the EU. Any company that ignores that is now in violation of this law and that's their problem. The EU will need to decide if they want to allow their businesses to continue benefiting from open source software or fix this law.

The interesting question is really what happens when commercial software companies outside the EU that use open source libraries decide they don't want to deal with this headache _also_ start refusing to certify their software for use in the EU and stop doing business there.


That's not possible with GPL etc. code. Especially since most repos are not even in the US and you can't change the license.


Why not? Nothing in the GPL says you need to certify your code for commercial usage in the EU.

Edit: In fact, reading the GPL it looks like it might implicitly already preclude usage in the EU under this law. There's this section right here:

    11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
    12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
That seems to suggest that any cost associated with certifying for commercial usage in the EU would fall on the company using the GPL-licensed code, not the developers of the licensed code. Certifying the code for commercial usage under the EU law, I would argue, would be a warranty, one explicitly disclaimed already by the GPL.


The CRA is designed to fix that "problematic" passage in the GPL, and push responsibility back onto the company creating open source software.

I don't think this will impact any hobbyist open source developer - it is primarily going to impact commercial 'opencore' companies. I wouldn't be surprised if this targets companies like Red Hat / IBM, etc. Or benefits them. I'm not sure yet.

Microsoft is probably laughing all the way to the bank, and this will just solidify their hold on the European market.


Not sure what he would tell me, but I would go on vacation for some time.


Time to start planning because the draft has been accepted.


From what I can tell, it sounds like the lawmakers have the right intentions here. So I'm not too worried that this law will get passed in its current problematic state. Am I naive?


Are you naive? Difficult to judge. Who knows, maybe they have a good intent. The execution is bad. This will put so much legal burden on anyone who contributes AND accepts contributions. This isn't going to strengthen OSS in the EU. When this comes into effect, any company attempting to contribute back will have to answer a question: do we want to throw those devs under the legislative bus?

From the other perspective: am I going to accept a contribution from anyone who may be remotely connected to any company in the EU? Well, nope. I don't want to deal with that stuff in my private time just because some EU bureaucrat decided that accepting a contribution from a corporate contributor is now legally speaking a "commercial activity".

They will now hold a huge fat stick but there's no carrot. So when it's a commercial activity, can I have benefits like any other commercial entity? Say, claim VAT back?


My first thought in reading this is that it guts PostgreSQL and similar projects, and proprietary vendors like Oracle will make bank.

Unless the EU itself employs developers to contribute to OSS and ensure verification, this will only do harm.


What is it about this law that will make FOSS maintainers' lives unduly difficult? Are the requirements ridiculous? To me it just seems like they need to be more proactive and careful with publishing releases if they're aware of CVEs affecting the component.


The problem with this law is that unless the organisation is fully decentralised, it will be considered for profit and thus need to abide by all this.

It also means that companies will be reluctant to allow their employees to contribute to software as that would practically force the maintainers to abide by this which costs a lot.

It also sets impossible standards like “must ship code that doesn’t have vulnerabilities”.

And it screws the process of dealing with exploits. Instead of informing the authors ahead of time and getting them fixed, then after 3 months issuing an announcement, you first need to inform a public organisation within hours of finding the exploit and then get the organisation to fix the bug, again within hours.


Very. All laws start with good intentions (as perceived by the lawmaker). Yet, the world is full of bad law.


Every law like this is the doom of XYZ and a week later it isn't. Just like this one.


[flagged]


Are you kidding? HN hates regulations of any kind.


Go back to Reddit.



