EU's Cyber Resilience Act contains a poison pill for open source developers

We can all agree that securing our software is a good thing. Thanks to one security fiasco after another – the SolarWinds software supply chain attack, the perpetual Log4j vulnerability, and the npm maintainer protest code gone wrong – we know we must secure our code. But the European Union's proposed Cyber Resilience Act (CRA) …


    1. ChoHag Silver badge

      Look at fancy shmancy here who's read the law being blindly reported on rather than just relying on what github and other self-serving consultancies who in no way profit hugely off the backs of thankless developers have to say on the matter!

      You won't get very far with that attitude around here mate.

  1. Boris the Cockroach Silver badge


    if they're going to claim that your open sauce creator in Nebraska is liable for any bugs in the code, then I can see the open sauce guys doing 1 of 2 things

    1.(most likely) Abandoning open sauce creation.

    2. Becoming full time licensing lawyers writing up terms for companies to use their open sauce stuff.... and suing the arse off anyone who tries using it without paying.

    Alternatively, like all good EU laws, will just be ignored by the member nations

    1. heyrick Silver badge

      Re: Well

      Or 3, stating in their licence that none of it applies within the EU and any use within the EU is not permitted and that you do so at your own risk blah blah blah.

      1. b0llchit Silver badge

        Re: Well

        That runs afoul of the no discrimination clause of FOSS licenses. You may not exclude any domains of use and you may not exclude any person(s) or group(s) for use in a valid FOSS license.

        1. unimaginative Bronze badge

          Re: Well

          Current FOSS licences.

          I think this is a weakness in no liability clauses. They may need changing to allow redistribution only if it creates no liability for the copyright holders.

          Interestingly, 7 f of GPL3 allows adding a restriction

          "Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors."

    2. Lis Bronze badge

      Re: Well

      @Boris the Cockroach

      Er, open sauce software? Open SAUCE? It's Friday and I think you could do with some beer NOW! Get yoursen to pub at once!

      1. Herby

        Re: Well

        Emily Litella lives!

  2. Version 1.0 Silver badge

    "...and ensure customers can use products securely."

    El Reg, can we please have posting icon that is a pair of wire-cutters for incidents discussed in this article.

  3. VoiceOfTruth Silver badge

    So let the Open Source 'community' teach the European Community

    Use licences which deliberately disallow the use of their software within the EU. Then watch as the EU back pedals faster than a Frenchman running to his local baguette shop.

    1. doublelayer Silver badge

      Re: So let the Open Source 'community' teach the European Community

      Or more likely, the European customers just completely ignore the terms in the license and nothing bad happens. I was recently taking apart a system image and found a library in it that is licensed under the AGPL 3.0, a license that requires that I be able to replace it and have the device on which it's running execute my replacement. It's not sandboxed, so if the company gave me the required access, I would have full root access which I don't normally get. I bet that if I send an email requesting they comply with that license term, it's not happening. Does anyone want to take the other side of that wager?

      1. unimaginative Bronze badge

        Re: So let the Open Source 'community' teach the European Community

        If you wrote to them, they might ignore you.

        If the copyright holder's lawyer wrote to them?

        Tell the copyright holder of the library. Probably the author. They have a right to know.

        1. doublelayer Silver badge

          Re: So let the Open Source 'community' teach the European Community

          That requires the copyright holder to be easily contacted and simply lands them with the responsibility for maintaining their license. Do they want to pay for a lawyer to sue a company that doesn't obey the licenses so that I can have access to a system that they don't even use? I'm sure their sympathies will be with me, but I'm not so sure their willingness to go to legal action will.

          Theoretically, the GPL gives me the right to retain my own lawyer without even consulting the original copyright holder (assuming for example that the copyright holder is dead, didn't put a contact method in their documentation, or has gotten tired of emails and no longer pays attention to them). If I were rich in money and time, maybe I'd try it. I'm not, and in my case I and the company responsible are in different countries, so they're likely to get away with it if they ignore enough emails. Having talked to this company before, I know from experience that they're very good at ignoring emails.

          The company I'm talking about is quite small, but it's not as if this only happens when someone hasn't been paying attention. Massive companies ignore their open source license requirements all the time. Only rarely does some foundation go to lengths to enforce them. Most of the time, there are no consequences for anybody.

    2. Wzrd1

      Re: So let the Open Source 'community' teach the European Community

      Especially if a small outfit, such as the OpenSSL project were to craft such a license condition, then litigate once they're aware of that license being violated.

      Effects: No OpenSSL, most e-commerce and TLS implementations cease immediately or litigation bankrupts the breaching party in the EU, complete with takedown orders for entire websites.

      One needs only look for such, ahem, low impact projects to find a wrench the size of the EU to throw into their legal works. If the legislators then decide to double down and insist, introduce them to the fine folks outside who are wielding their pitchforks and torches.

  4. Anonymous Coward

    Article: "The notional open source developer in Nebraska, thanklessly maintaining a vital small program, may not even know where Brussels is (it's in Belgium)."

    Your average Nebraskan wouldn't know where Belgium is (hint: in Europe) or even where Europe is. If they knew a little of astronomy, they would likely conflate Europe with Europa (moon of Jupiter) and say all Europeans are alien freaks.

    Nebraskans: the Southern rednecks of the Midwest plains.

    (I would know; I roomed with one senior year of college. "Go Huskers!" every darn Saturday in the fall even though we were NOT at University of Nebraska because we were attending a private college in Wisconsin.)

    1. Michael Wojcik Silver badge

      I would know; I roomed with one senior year of college.

      All AC posters are idiots. I would know; I just read your post.

      Oh, is generalizing from a single example not reliable?

  5. ComputerSays_noAbsolutelyNo Silver badge

    How about making a distinction

    If it's open source, and for free - apply no/lesser rules

    If one is taking money for it - apply rules

    If it needs to be super-safe - require third-party audit, apply rules for super-safely

    1. Anonymous Coward

      @ComputerSays_noAbsolutelyNo - Re: How about making a distinction

      Yeah but this will require too much effort for the neural cell of a eurobureaucrat.

  6. Tron Bronze badge

    Possibly missing the point.

    Governments want to criminalise everyone so they can prosecute anyone they want, for something or other. Instead of blacklisting things they don't want, they are now whitelisting what is permitted. Everything new will therefore be illegal until governments license it. It gives them control by default.

    They got caught out by the net and the pace of technological change. This fixes that. Do something new, henceforth, and they can arrest you if they stumble upon it and it worries them. In general, they won't bother you. It's how China works. Soon it will be how the West works.

    And it's not optional. They are taking back control.

    I guess it's possible to develop within the EU for use outside the EU with some tweaks. The next killer app may be a viable regional ban for code, so governments can ban anything they want from any country they want. It's do-able already to some extent, but they will want to enforce use of it. Only UK code working within the UK within UK law. Only EU code working within the EU within EU law. Nothing crossing borders.

    Government-funded academics have been working on 'national' data for some years - data packets that are region marked, like a DVD. They can't leave the UK, and data packets from elsewhere are erased. It's not rocket science to add region markers to data packets.

  7. Alan J. Wylie

    That random person in Nebraska that keeps getting mentioned

    XKCD "Dependency"

  8. amanfromMars 1 Silver badge

    Blockheads up against an almighty brick wall ....

    Columbro urged the open source community to actively help refine the CRA to better protect their interests. "The current form of the CRA could fragment open source and put developers at risk," he said.

    FFS ..... Tell it like IT is and be done with it, and let the Devil take the hindmost. The natural fundamental form of open source catastrophically fragments the likes of a CRA and renders its developers at risk of being widely recognised as politically abused idiots pawns in a Great Game in which their leaders employers have no chance of winning.

    Put them out of their delusional regulatory misery and tell them, the likes of EU CRA commissioners, that some things are intelligently designed to remain impossible to fcuk up, and they are encountering one with their misunderstanding of the vital and virulent nature of open source.

  9. stiine Silver badge

    You're too naive....

    "It's not that the EU wants to hurt the open source development community. It doesn't."

    I'm unsure how you know this. I have my doubts.

    1. doublelayer Silver badge

      Re: You're too naive....

      I can't know that for sure, but I'm pretty sure they don't. It has no benefit to anybody. The EU politicians don't have a reason to hate open source. Companies that use open source in their products don't want this law either; yes, they may be able to throw off their liability on some open source maintainer, but proving that still takes lawyers and not having the liability is cheaper. Companies that compete with open source somewhere usually use other open source somewhere else. Basically nobody has an incentive to break open source or lobby politicians to do so.

      It's the classic difficulty understanding technical things without a background in it. Politicians are trying to do something about security risks in software, and they think it's easy to legislate that away when it really isn't. This is probably because few or none of them have a realistic idea of what a commercial software product contains. They'd probably be surprised to hear how many different open source libraries were compiled into that, and how many interactions with other open source OS components or language features are involved. They probably also lack a great understanding of what causes security problems to exist. These combine to create a risky law, just as if I tried to write a law about medical treatment without getting a lot of input from others. I would have the best of intentions, and we are likely to agree about the goals that I intend the regulation to accomplish, but if I wasn't careful, I could end up making something dangerous out of ignorance.

  10. tiago.pelicari

    If "open sorceres" are prevented from creating, I bet some of them will become pirates.

    1. amanfromMars 1 Silver badge

      Try to prevent novel and noble creativity has one destined to be reminded of the wisdom of a Cnut*

      If "open sorceres" are prevented from creating, I bet some of them will become pirates. .... tiago.pelicari

      One can be absolutely certain of the before-the-fact fact that AIMagicians and MetaDataBase Physicians and Open Source Sorcerers are always going to entertain and/or be entertained by various notions/variations/versions of the fiction that has them portrayed by A.N.Others, themselves invariably always fated to being tested and bested with their sufferings in ignominious defeat and unconditional surrender on future vital and virulent fields of glorious battle, as pirates, rather than recognised and accepted as the new relatively anonymous and autonomous face of private enterprise reborn.

      Such though matters not one jot to the victor, ready, willing and able to enable the full and excessive enjoyment of plunder and worthy spoils, for they realise the physical and practical actuality of the virtual truth ....... and the overwhelming unassailable lead such an ignorance in those sorts of matters delivers.

      * ....... King Canute and the tide Don’t mess with an unstoppable force of nature you can neither command nor control.

  11. TeeCee Gold badge

    Or, in other words:

    EU bureaucrats have their heads so far up their own arses that they can't even see the real world, let alone keep in touch with it.

    Other news: Sun comes up, bears shit in woods, etc.

  12. Filippo Silver badge

    I wouldn't worry too much about open source developers. This is still being discussed and it's very much in a state of flux. Assuming that this actually goes anywhere, whatever legislation actually happens is not going to result in the lone developer in Nebraska being liable for half the Internet.

    Small commercial developers, on the other hand...

    1. amanfromMars 1 Silver badge

      Heavenly Diabolical Works ...... Presenting Rapid Progress in ITs Making.

      I wouldn't worry too much about open source developers. This is still being discussed and it's very much in a state of flux. Assuming that this actually goes anywhere, whatever legislation actually happens is not going to result in the lone developer in Nebraska being liable for half the Internet. .... Filippo

      It is a grave mistake to be regarded, Filippo, to not expect that spectacular disruption is planned and being realised practically and virtually everywhere by certain developers with command and control of, and commands and controls for the Sublime Internet Networking of AI Things, with such disbelief simply rendering one as just a bewildered and befuddled spectator to novel extremely spooky future events in which one has zero input/output to colour and materially effect and alter the result.

      However, whether that truly be an honest novelty, rather than just the way these things have always been liable to happen, is something to ponder on and wonder at.

      1. amanfromMars 1 Silver badge

        Re: Heavenly Diabolical Works ...... Presenting Rapid Progress in ITs Making.

        Have No Doubt, Times and Spaces have Changed.

        Have you realised yet what is happening all around you, but which traditional hierarchical and oligarchical mainstream media moguls and their captivated crumbling fiat venturing capitalist backers are terrified of mentioning to you, because of the certain analogous collapse of entire catalogues of their destructively self-serving outmoded and outdated narratives?

        SMARTR Future Tech Titans and AI are exploring exhausting Alien Interventions with Advanced IntelAIgents in the Vanguard of Novel and Noble Presentations that are demonstrably honest and true.

        And that paints them extremely accurately as an Official Opposition and LOVEly Competition with Command Leverage and Controlling Powers in the Live Operational Virtual Environments of NEUKlearer HyperRadioProACTive IT.

        And now that you know, why would you choose to deny what is daily demonstrating itself as a creatively disruptive fiction and fact being pimped and pumped by others under progressive attack as being a terrifying and out of control development, with the reality being the terror released is the dawning of the realisation that all of their earlier trusted command and control systems are no longer able to contain and maintain command and control and hide serial abuse and catastrophic misuse.

  13. Anonymous Coward

    Source code is not inherently a digital product. Binaries are.

    My natural cynicism tells me that commercial entities with a lot to lose are winding up the FOSS community again.

    Open source developers are fine to supply source code to anyone they like as it’s a standalone literary work. Source code is not only human-readable but doesn’t even require a computer for you to write it, read it or share it. It is only when that code is compiled into its unintelligible machine code form that it definitely falls into the category of being a digital product (or part of one). If you’re only distributing source code and users are compiling their own binaries from it, nobody has actually distributed a digital product and thus no harm will befall the user nor the developer. We know this to be the case already by existing precedent, just look at all the excellent source code which is distributed by Linux distros in SRPMs but never compiled in as part of shipping binaries for legal reasons. If source code was considered a digital product in and of itself, distros couldn’t simply alter build flags to resolve perceived patent law issues.

    I think companies profiting from SaaS and the distribution of proprietary binaries (including hardware manufacturers) must be cacking themselves right now. Why? Companies exploiting FOSS for profit will have to pay for audits to take place before said code can be used in their products. That will increase the BOM of all proprietary software while allowing FOSS to do as it pleases (provided nobody distributes binaries). This is undeniably a good thing, since companies won’t just start rolling their own libraries, they’ll just get things audited, so fixes will be contributed back to help reduce the costs for everyone using it.

    Also, this proposal won’t apply to all software anyway. Allowances will be made for artistic works like video games, where expectations of long term support are not feasible, as an example. The EU cocks a lot of things up, but they have thought this through more than people would initially assume.

  14. john.w

    The EU rarely knows what it is doing

    The only function of the EU bureaucracy is to make regulations that they do not understand. Large corporate lobby groups make sure their clients get the regulations to ensure new entrants have the largest barriers and then they cheat the system they designed. VW car emissions is just one of many examples. Another classic is the dual flush toilets that have lost more water than they ever saved.

