
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"



Correct. And I agree with that effect:

* a company paying the salary of a developer who contributes to an open source project outside of the commercial activity of the company does *not* expose the company to extra requirements
* a company taking *any* software, including open source software, and selling a product based on that or related to that, to EU customers, *will* be required to think more about safety (regardless of who it employs and for what)

The *one* negative impact I can see of this legislation is the impact on small integrators that were used to being able to go to a
client company, install a bunch of Ubuntu Desktop workstations, set up an Ubuntu Server for SMB and also to serve the website
of the company, take a one-time fee for their work and be gone. Now it would have to be made clear who will be maintaining those
machines over time, ensuring they are patched with security updates in time, upgraded to new OS releases when old ones are no
longer supported and so on. This, over time, will reduce the number of forgotten and bit-rotting systems on the networks that provide
tons of known security holes for attackers. Who will take the responsibility is still open: would that be the end customer itself, would
that be the system integrator that installed the systems for them, can they maybe have a contract with Canonical for such support or
some other company providing such services specifically for the EU? How much would that cost? How would that cost compare to
similar agreements on the Windows side?

Lots of interesting questions. But at no point does any responsibility get automatically assigned to, for example, Debian or individual
open source developers.


On Mon, 13 Nov 2023 at 14:03, Luca Boccassi <bluca@debian.org> wrote:
On Mon, 13 Nov 2023 at 12:57, Aigars Mahinovs <aigarius@gmail.com> wrote:
>
> True, the employment status is irrelevant. However, in this example Microsoft will actually have the liability of
> providing the security assurances and support for systemd and related systems, because they are providing
> images of such systems as part of their commercial offering on the Azure cloud platforms. And that will be
> true regardless of the employment status of a few developers.
>
> A company that does not provide any Linux system services to EU customers, like some integrator operating
> just in Canada, would not have such exposure and thus would not incur any such obligations.

Yes, but they have to do that *as part of that commercial product*,
which is not systemd, it's whatever product uses it, together with the
Linux kernel, glibc, gcc, etc. That's a good thing, and it applies to
any corporation that ships any open source software as part of their
products. The corporation is responsible for security aspects of said
product and its part as shipped in that product, which is great.

It doesn't mean that the upstream open source project is now suddenly
encumbered as a commercial product out of the blue - which is what the
person I was replying to concluded - because it's plainly and
obviously not developed solely and exclusively for that commercial
offering, given it's used everywhere on any Linux image from any
vendor that you can get your hands on by any means.


--
Best regards,
    Aigars Mahinovs
