Since the EU is bringing an act , that needs the products distributed to be flawless , and it applies to open source products too , if a single of their contributor / donor works for a corporate , what will be the future of FOSS in europe with this ?
For all the people not reading the actual law, this is the actual language of the proposal:
In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
IMO the problem OP mentions does not really exist. You can work for a corp while working on the product, your FOSS project can take donations even from corps, the only thing you can’t do is monetize your FOSS product without caring for security.
Please add a link to the source in your comment
This is the actual proposal, it’s available in all EU official languages on the EU’s website. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022PC0454
Companies need to conduct cyber risk assessments before a product is put on the market and throughout its lifecycle effectively manage its vulnerabilities, regularly test it, and so on. Products assessed as ‘critical’ will need to undergo external audits.
I have not read the proposal. Legal language makes me want to rip my own eyes off.
The only winners I see are those security auditors and similar providers.
Privative corpos from USA and China will arrive with all “security assesments” and “auditions” in place, and still have backdoors lol
They prepared a list of software that need mandatory audit , like browsers and all !
Lucky for me I don’t give a shit what the EU thinks
I think EU is the only reason why the internet is not full distopian and shit
You mean the web, not the internet. And no, they’re not the only reason, they just help facilitate consumer protection in ways that happen to be mutually beneficial—not motivated by altruism. There are a lot of people who work a lot harder than the EU, often for free, who are much more responsible for the web and the internet itself being in a decent state and being worth caring about.
No, the internet. My Multiplayer game that I play does not have something to do with the web but still needs to comply with GDPR, every service sold or serviced in EU need to comply with the GDPR.
Coz what ? GDPR? If they have good intentions they need to see the web integrity api !
What has a rootkit todo with GDPR?
I wonder if I am developing an app for lemmy and I am based in EU , am I obligated to get an external vulnerability audit done , or pay a 15.million euro fine , since I am working for a corporate with a full time job?
Without having read any part of this act I’d assume you having a job and you developing an open source app are two separate things unless your job involves developing that open source app.
The number of responses here saying they haven’t read up on it but…
I read several different drafts I could find since writing that comment and although it’s alll written somewhat vague in general, OP’s point isn’t in any draft I read.
Its been a while since i last read about it, but i thought they made some exempts so FOSS wouldnt suffer too much. One can only hope they did!
They consider foss products out of this requirement , only when the contributors are volunteers who are not working or are employed by a company !! Or get a corporate donation, if even one person contributing to the project is a corporate employee they need to go with the crazy rules they have laid !!
This is what Claude2 (with 100K context window) has to say about your comment, after I supplied him with the entire proposal of the regulation: Based on my understanding of the Cyber Resilience Act, I don’t think that assessment is entirely accurate. The key factor is whether the open source software is placed on the market in the course of commercial activity, not the employment status of individual contributors.
The regulation explicitly excludes open source software developed or supplied outside of commercial activity. As I mentioned before, this means pure community-driven projects where the software is freely shared and open should not fall under the requirements.
It does not matter if some contributors are corporate employees, as long as they contribute to a non-commercial community project in their personal capacity. For example, if a developer who works for Company X contributes code to Project Y in their free time, that alone would not make Project Y commercial.
The regulation would likely apply if a company systematically develops open source software as part of their business model. But just having corporate contributors among many community members would not automatically trigger the rules.
Overall, I think the regulation aims to avoid putting burdens on pure community open source projects, as long as the software is not placed on the market commercially. But the details of implementation will be important to watch to ensure a proper balance is struck.
