Let me pipe in here. I have been exposed quite a bit to EU legislation in the process of our fight against software patents back in 2012. The EU legislators are quite sensible when the underlying issues are clearly explained to them, but the legal language of the documents can be quite dense and also quite nuanced with one word sometimes completely changing the meaning of the entire document.

Looking at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52022PC0454

For example the intro clearly states the intent of *not* burdening the open source development process with the requirements of this directive:

> (10) In order not to hamper innovation or research, free and open-source
> software developed or supplied outside the course of a commercial activity
> should not be covered by this Regulation. This is in particular the case
> for software, including its source code and modified versions, that is
> openly shared and freely accessible, usable, modifiable and
> redistributable. In the context of software, a commercial activity might
> be characterized not only by charging a price for a product, but also by
> charging a price for technical support services, by providing a software
> platform through which the manufacturer monetises other services, or by
> the use of personal data for reasons other than exclusively for improving
> the security, compatibility or interoperability of the software.

For this purpose the following point exists:

> (23) ‘making available on the market’ means any supply of a product with
> digital elements for distribution or use on the Union market in the
> course of a commercial activity, whether in return for payment or free of
> charge;

Here the "in the course of a commercial activity" is the critical bit. All volunteer work no longer meets the "making available on the market" definition and thus all other provisions/definitions no longer apply, because they all use the "making available on the market" definition directly or indirectly (via "manufacturer" definition or "product with digital elements" definitions). Re-read the commercial activity mentioned in the point 10 above - it is quite explicit that the activity can only be commercial if its commercial nature is connected with the software in question.

So a commercial company releasing open source software that is *not* part of their commercial activity (for example a router manufacturer releasing an in-house written Git UI) would be "supplied outside the course of a commercial activity" and thus not subject to this regulation. But if they release a WiFi driver that they also ship to their customers on their routers, that *would* be a commercial activity and both the open source and the customer version of that driver would need a safety compliance assessment.

Even regardless of the specific legal wording in the legislation itself, the point 10 of the preamble would be enough to fix any "bug" in the legislation in post-processing via courts. As in - if any interpretation of the wording of the directive is indeed found to be hampering open source development, then it is clearly in error and contrary to the stated intent of the legislation.

I am *not* objecting to Debian taking such a vote and expressing the stance intended. However, I expect that it will be seen by the EU legislators with mifled amusement, because in their context and understanding the legislative proposal already contains all the necessary protections for open source and free software development processes.

However, if a company (say Amazon or MySQL) takes an open source product and provides a commercial service based on that product, then they are expected to also provide security updates, vulnerability notifications and other relevant services to their customers. Which is also an intended consequence of the legislation.

The EU puts the interests of the consumers and of the community above commercial interests. Even commercial interests of small businesses. Allowing small businesses to "pollute" the digital environment with insecure or unmaintained software just because they are small businesses makes no sense from a European perspective.

On Mon, 13 Nov 2023 at 02:22, Ilulu <il...@gmx.net> wrote:

> "Art. 3
> (1) ‘product with digital elements’ means any software or hardware
> product ...
> (18) ‘manufacturer’ means any natural or legal person who develops or
> manufactures products with digital elements ... and markets them under
> his or her name or trademark, whether for payment or free of charge;
> (23) ‘making available on the market’ means any supply of a product with
> digital elements for distribution or use on the Union market in the
> course of a commercial activity ..."
>
> On 12.11.23 at 19:19, Luca Boccassi wrote:
> > I don't see how the fact that Github is
> > not responsible for software hosted on its platform goes to imply that
> > every such software is a product. Whether something is or is not a
> > product on the market is already quite clear, and the sources cited in
> > the original mail themselves say that the CRA does not change this
> > aspect.
>
> Because everybody agrees that software is a product. And if you can
> download the product on github or elsewhere, it's made available. There
> is an explicit exemption only for the platform, not for the uploader.
> It's fine if you think your software is not a product, but be aware that
> European market authorities will not agree with you.
>
> > Are you responsible for the warranty for
> > software you push to Github if someone git clones it? Of course not.
>
> Not yet, but this will change, depending on whether the activity is
> considered commercial or not. Of course the details are still unclear.
> In your example, pushing to your repo might not count as "making
> available" (thanks to a lot of lobbying), but tagging a release probably
> does. What about CI artifacts? Nobody knows.
>
> > Because repositories on Github are not products on the single market.
>
> Obviously repositories are not products. Software is.
>
> I'm not spreading fud. I've read the stuff, I've been working on this since
> FOSDEM, I have the necessary background and I participate in weekly
> meetings with several big FOSS organisations/foundations. This workgroup
> had frequent consultations with EU representatives. We are not spending
> considerable time on non-issues.
>
> Ilu
>

--
Best regards,
Aigars Mahinovs