What is it about this law that will make FOSS maintainers' lives unduly difficult? Are the requirements ridiculous? To me it just seems like they need to be more proactive and careful with publishing releases if they're aware of CVEs affecting the component.
The problem with this law is that unless the organisation is fully decentralised, it will be considered for-profit and thus need to abide by all this.
It also means that companies will be reluctant to allow their employees to contribute to software as that would practically force the maintainers to abide by this which costs a lot.
It also sets impossible standards like “must ship code that doesn’t have vulnerabilities”.
And it screws up the process of dealing with exploits. Instead of informing the authors ahead of time and getting them fixed, then issuing an announcement after 3 months, you first need to inform a public organisation within hours of finding the exploit and then get the organisation to fix the bug, again within hours.