EU Cyber Resilience Act can be a problem for opensource

Report on this for the EU:

https://youtu.be/nYhRo74yqJg (in Italian, but with translatable subtitles)

https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

https://www.european-cyber-resilience-act.com/

https://blog.opensource.org/the-ultimate-list-of-reactions-to-the-cyber-resilience-act/

https://www.theregister.com/2023/04/12/python_management_eu

https://devclass.com/2023/01/24/eus-proposed-ce-mark-for-software-could-have-dire-impact-on-open-source/

Care to give a TL;DR?

It seems that they basically make “software distributors” liable for software security, which in the case of open source/free/libre model doesn’t make much (if any) sense

From The Python Software Foundation (PSF):
"
The Product Liability Act updates Europe's product liability rules by including, among other things, digital product changes arising from software updates. It allows consumers to seek damages if they are harmed by products made unsafe through software revisions…
…Under the current language, the PSF could potentially be financially liable for any product that includes Python code…
… The first is Article 16, which says “A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements shall be considered a manufacturer for the purposes of this Regulation.”…
The second is a passage that exempts “free and open-source software developed or supplied outside the course of a commercial activity” but defines “commercial activity” as “providing a software platform through which the manufacturer monetizes other services” — a definition that could apply to organizations like PSF that offer any sort of paid products or services, like t-shirts, event tickets, or coding classes…
The PSF is asking anyone who shares its concerns to convey that sentiment to an appropriate EU Member of Parliament by April 26, while amendments focused on protecting open source software are being considered…"

2 Likes

Could one really say that the sale by PSF of a Python t-shirt is monetized “through” “a software platform” – so as to make PSF liable for any change in a product because someone has updated the FOSS packages they utilize in a product?

I strongly doubt that the text can be understood in this way. (Their product liability should go no further than the garment.)

2 Likes

Yeah. I interpret that clause as meaning, “If you sell a support contract for an opensource product, your support contract shall actually do something.”

1 Like

I’m not so sure; I believe you become responsible for all the software, not just your support in using it, but I understand little of laws, much less if they are not in Italian.

I feel that exempts developers of the software. T-shirts are not software. The bigger question would be not-for-profit fundraising to support the developers who make open-source software. But even that should be exempt. I defer to the lawyers for answers here, but I doubt there is much to worry about.

1 Like

Thanks, I'll add this:
https://newsroom.eclipse.org/news/announcements/open-letter-european-commission-cyber-resilience-act
Basically they ask for a text that in no case gives rise to unpleasant interpretations for open source developers.