this post was submitted on 15 Aug 2023
76 points (100.0% liked)


Since the EU is bringing an act that needs distributed products to be flawless, and it applies to open source products too if a single one of their contributors/donors works for a corporation, what will be the future of FOSS in Europe with this?

top 28 comments
[–] maynarkh@feddit.nl 42 points 1 year ago (1 children)

For all the people not reading the actual law, this is the actual language of the proposal:

In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

IMO the problem OP mentions does not really exist. You can work for a corp while working on the product, your FOSS project can take donations even from corps, the only thing you can't do is monetize your FOSS product without caring for security.

[–] library_napper@monyet.cc 1 points 1 year ago (1 children)

Please add a link to the source in your comment

[–] maynarkh@feddit.nl 4 points 1 year ago

This is the actual proposal, it's available in all EU official languages on the EU's website. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022PC0454

[–] vsis@feddit.cl 18 points 1 year ago (1 children)

Companies need to conduct cyber risk assessments before a product is put on the market and throughout its lifecycle effectively manage its vulnerabilities, regularly test it, and so on. Products assessed as 'critical' will need to undergo external audits.

I have not read the proposal. Legal language makes me want to rip my own eyes off.

The only winners I see are those security auditors and similar providers.

Privative corpos from USA and China will arrive with all "security assessments" and "auditions" in place, and still have backdoors lol

[–] jungekatz@lib.lgbt 5 points 1 year ago

They prepared a list of software that needs mandatory audits, like browsers and all!

[–] jungekatz@lib.lgbt 15 points 1 year ago (1 children)

I wonder, if I am developing an app for lemmy and I am based in the EU, am I obligated to get an external vulnerability audit done, or pay a 15 million euro fine, since I am working for a corporation with a full-time job?

[–] zaphod@feddit.de 22 points 1 year ago (3 children)

Without having read any part of this act I'd assume you having a job and you developing an open source app are two separate things unless your job involves developing that open source app.

[–] wagoner@infosec.pub 6 points 1 year ago (1 children)

The number of responses here saying they haven't read up on it but...

[–] zaphod@feddit.de 2 points 1 year ago

I read several different drafts I could find since writing that comment and although it's all written somewhat vaguely in general, OP's point isn't in any draft I read.

[–] jungekatz@lib.lgbt 4 points 1 year ago (1 children)

Well, if I am developing a product and I work for a corp, or if my project is getting a donation from a corp, it will be considered a commercial project; it does not need me to be working on that product as part of my work!!

[–] zaphod@feddit.de 8 points 1 year ago (1 children)

No, those are separate. It's about open source projects that have developers working on it in their free time (not getting paid for it) and developers who get paid for it. You having a job as a software developer and working on a project outside your work time doesn't make it a "commercial activity".

[–] jungekatz@lib.lgbt 3 points 1 year ago

Just read the act then! It keeps it vague enough that a person working in their free time will be considered a commercial product

[–] jungekatz@lib.lgbt 2 points 1 year ago (1 children)

Please watch the video above!

[–] lowleveldata@programming.dev 16 points 1 year ago (1 children)

What's the gist? I hate video articles

[–] jungekatz@lib.lgbt 4 points 1 year ago

Basically, a FOSS product is not exempted if an employee (does not need to be a tech employee) contributes to a FOSS product, or if a company donates to them! So even npm packages by individual coders who are employed, say, by Domino's need to undergo an audit and deliver vulnerability-free code.

[–] johannes@lemmy.jhjacobs.nl 12 points 1 year ago (2 children)

It's been a while since I last read about it, but I thought they made some exemptions so FOSS wouldn't suffer too much. One can only hope they did!

[–] jungekatz@lib.lgbt 11 points 1 year ago (1 children)

They consider FOSS products out of this requirement only when the contributors are volunteers who are not working or employed by a company!! Or get a corporate donation; if even one person contributing to the project is a corporate employee, they need to go with the crazy rules they have laid!!

[–] G020B@lemmy.zip 2 points 1 year ago

This is what Claude2 (with 100K context window) has to say about your comment, after I supplied him with the entire proposal of the regulation: Based on my understanding of the Cyber Resilience Act, I don't think that assessment is entirely accurate. The key factor is whether the open source software is placed on the market in the course of commercial activity, not the employment status of individual contributors.

The regulation explicitly excludes open source software developed or supplied outside of commercial activity. As I mentioned before, this means pure community-driven projects where the software is freely shared and open should not fall under the requirements.

It does not matter if some contributors are corporate employees, as long as they contribute to a non-commercial community project in their personal capacity. For example, if a developer who works for Company X contributes code to Project Y in their free time, that alone would not make Project Y commercial.

The regulation would likely apply if a company systematically develops open source software as part of their business model. But just having corporate contributors among many community members would not automatically trigger the rules.

Overall, I think the regulation aims to avoid putting burdens on pure community open source projects, as long as the software is not placed on the market commercially. But the details of implementation will be important to watch to ensure a proper balance is struck.

[–] jungekatz@lib.lgbt 1 points 1 year ago

Well, the attempts they made are more like a drop in the ocean! I still don't understand how FOSS, in the EU at least, will survive this disaster, while most corps, who just use FOSS software anyway, will flourish!

[–] makeasnek@lemmy.ml 11 points 1 year ago
[–] sarsaparilyptus@midwest.social 6 points 1 year ago (1 children)

Lucky for me I don't give a shit what the EU thinks

[–] ReakDuck@lemmy.ml 33 points 1 year ago* (last edited 1 year ago) (2 children)

I think the EU is the only reason why the internet is not full dystopian and shit

[–] jungekatz@lib.lgbt 3 points 1 year ago (1 children)

Coz what? GDPR? If they have good intentions they need to see the Web Integrity API!

[–] ReakDuck@lemmy.ml 2 points 1 year ago

What has a rootkit to do with GDPR?

[–] sarsaparilyptus@midwest.social 2 points 1 year ago (1 children)

You mean the web, not the internet. And no, they're not the only reason, they just help facilitate consumer protection in ways that happen to be mutually beneficial—not motivated by altruism. There are a lot of people who work a lot harder than the EU, often for free, who are much more responsible for the web and the internet itself being in a decent state and being worth caring about.

[–] ReakDuck@lemmy.ml 3 points 1 year ago

No, the internet. My multiplayer game that I play does not have anything to do with the web but still needs to comply with GDPR; every service sold or serviced in the EU needs to comply with the GDPR.

[–] jungekatz@lib.lgbt 3 points 1 year ago
[–] jungekatz@lib.lgbt 1 points 1 year ago