Python head hisses at looming Euro cybersecurity rules

The Python Software Foundation (PSF) is concerned that proposed EU cybersecurity laws will leave open source organizations and individuals unfairly liable for distributing incorrect code. "If the proposed law is enforced as currently written, the authors of open-source components might bear legal and financial responsibility …

  1. ChoHag Silver badge

    Open Sores Idiots.

    You are not responsible for somebody else taking your freely-available code and selling it. You are not responsible for somebody else not reading your freely-available code before selling it to their unwitting customers. You do not need permission from a lawyer to do mathematics. Let Ubuntu or IBM take the rap. That's what they're for.

    You do not owe the people who use your code anything. You don't owe them updates, you don't owe them support, you don't even owe them the middle finger although they probably deserve it.

    You do not need permission from a lawyer to do mathematics.

    1. Phones Sheridan Silver badge

      And yet we have a whole article about a proposed law that will result in exactly that if it passes into law unchanged.......

      You do not need permission from a lawyer to RTFA!

      1. Anonymous Coward

        No, the article is about some people fearing that it will do that... the key seems to be

        "free and open-source software developed or supplied outside the course of a commercial activity"

        and whether some open source developers who sell small bits of merchandise will qualify as 'commercially active'.....

        1. Anonymous Coward

          > No the article is about some people fearing that it will do that...

          We are seeing the same scaremongering, FUD and nonsense, which surrounded the debates on EU copyright and how that was supposedly going to end the internet as we know it. Everything is "may", "could" or "might" with not one explanation as to why the EU would fuck themselves over by doing such a thing.

          1. Brewster's Angle Grinder Silver badge

            The concerns seem genuine. It wouldn't hurt law makers to say what they mean, rather than hope the courts correctly infer what they meant after everybody has spent a lot of money on lawyers (assuming people can afford the lawyers and individuals and open source organisations don't go bankrupt because they can't).

            1. vtcodger Silver badge

              It wouldn't hurt law makers to say what they mean

              That's probably a good idea. If memory serves one of our US legislators actually proposed a few decades ago that new laws should be accompanied by a short essay describing legislative intent. And I think that was even done a few times. Needless to say, the idea did not catch on.

              1. fairwinds

                While a good idea, I suspect the problem is in terms of the legal interpretation. If there’s even a hint of ambiguity between the terse text and the explanation, you have an issue (IANAL, BTW). So they tend to add text which states the terse version is the One True Version which means the descriptive interpretation information becomes next to useless as you again need lawyers and courts to decide exactly what was meant. I’m sure our ChatGPT overlords will come up with a far better system anyway, and all we need to do is wait…

            2. ChoHag Silver badge

              Say what they mean eh?

              Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on liability for defective products, Chapter 1, Article 4 "Definitions", paragraph 9 (page 25):

              ‘making available on the market’ means any supply of a product for distribution, consumption or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;

              The lawyers can argue over Oxford commas if they like but I'm bored of this rabbit hole already. Given the general verbosity of the EU I'm going to go out on a limb and suggest that "supply" and "commercial activity" are extensively defined somewhere.

              You're welcome. You have my permission to do mathematics.

              1. Doctor Syntax Silver badge

                I'm going to go out on a limb and suggest that "supply" and "commercial activity" are extensively defined somewhere

                P16 paragraph 10 in full, my emphasis:

                "In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software."

              2. Anonymous Coward

                ..keep digging that hole you're in...

                And your ignorance of EU law / regulation is total too.

                This is the reference version. And always has been under EU law when it comes to precise legal definitions of EU law / regulations.

                https://eur-lex.europa.eu/legal-content/FR/TXT/HTML/?uri=CELEX:52022PC0495&from=EN

                >>«mise à disposition sur le marché»: toute fourniture d’un produit destiné à être distribué, consommé ou utilisé sur le marché de l’Union dans le cadre d’une activité commerciale, à titre onéreux ou gratuit;<<

                Now if you were familiar with French business law and legal terms you would know that that is a catch term for all activities in which software passes in any way shape or form from one legally distinct entity to another. Be they individual or corporate.

                The actual wording of the regs is stupid beyond belief and shows a total ignorance of software. As written it makes *all* software written in all forms liable to utterly unreasonable liability, everything, and if applied I would expect all non EU software companies who haven't bought off the right EU regulators to pull out of the EU market. Which is a large part of the intent. To drive out non EU software companies so that a very small number of EU companies with great lobbyists can try to clean up. The French and Germans have a very long tradition of this type of stunt. They tried it back in the 1980s in the early days of PC software. And we know how successful that was.

                To give you an idea of just how stupid the EU regs are as written. If someone is playing a game written by a small game studio (or even an individual) on a PC and the game crashes due to a bug in, say, the Windows video driver and it wipes the hard drive, the small game studio is fully financially liable under these regs for any damages and can be sued by the individual. Read the regs, it's all in there.

                And you thought software patents were stupid.

                For those who think this might actually improve software quality, well, there is no limit to some people's gullibility. It will be just like the GDPR. Where your "EU data protection" is enforced by a small bunch of underpaid unqualified civil servants who are mostly based out of an office over a supermarket in a small town in the arse hole of Ireland. That's your "rights"...

                1. ChoHag Silver badge

                  Re: ..keep digging that hole you're in...

                  «d’une activité commerciale»

            3. Snake Silver badge

              RE: Parliament and Congress

              "It wouldn't hurt law makers to say what they mean..."

              The problem is that law makers don't know what they mean to say, because they don't understand the complexities of the systems they mean to legislate. Therefore, they either:

              a) dither along blindly, constructing rules without a full comprehension of their full effects, or

              b) ask for 'advice' from industry lobbyists or corporate experts, who then provide said law makers with just enough information to construct a law in the exact manner that the corporations prefer

              In short, for the most part, we're all screwed.

              1. Brewster's Angle Grinder Silver badge

                Re: RE: Parliament and Congress

                I don't know why the downvotes.

                Legislatures have to write laws on a vast array of subjects and there's just no way all law makers can be subject experts with intimate knowledge on every topic, or have time to make themselves into experts. So, while there are undoubtedly a few who have a clue, most will fall into your two categories or (c) are following their party line. And there's a good chance industry has bent the ear of the party. Hence open source groups having to bash a few cymbals and try and get law makers' attention. That's democracy!

                1. Anonymous Coward

                  Re: RE: Parliament and Congress

                  I seem to remember an MP in the UK getting a lot of bad press because he actually asked for time to read the proposed legislation and check it did what was expected.

            4. Doctor Syntax Silver badge

              "It wouldn't hurt law makers to say what they mean, rather than hope the courts correctly infer what they meant"

              It's not quite as simple as that.

              Legislators generally do say what they mean, but when legislation is written it's impossible for the legislators to anticipate every situation in which it will be applied. The courts have to interpret it in the circumstances of a particular case. In order for the system to work properly the legislation, however detailed, still needs to take into account that they can't revisit it every time an unanticipated situation is met or that circumstances have changed. It will probably be at least a few years before they get a second chance.

              1. Robin Bradshaw

                s/code/legislation/g

                Perhaps with a simple search and replace the same law they are proposing could be applied to the process of making legislation where those failing to anticipate every corner case of their legislation could be held liable for the damages.

                That would, I'm sure, lead to the same improvements they are expecting this legislation to lead to.

          2. John H Woods

            FUD

            That "scaremongering" resulted in valid concerns being raised that resulted in amendments to the legislation before it was presented. Much better to challenge this stuff before it becomes law than to have to rely on the courts to fix it afterwards.

          3. Mark 65

            Everything is "may", "could" or "might" with not one explanation as to why the EU would fuck themselves over by doing such a thing.

            This is not scaremongering. You should not concern yourself so much with what they intend to do with the law (the road to hell is paved with good intentions) but what someone in future could do under the law as written. That is why every poorly written law should be nuked from orbit, because of what a malicious actor could do with it in future. It is also why Governments generally write shitty laws - they convince you of their honourable intentions but write them to give leeway to act like c*nts in future.

    2. Anonymous Coward

      ..so yet another subject on which your ignorance is total...

      So you have no clue about statute law. Product liability established by statute, no matter how inadvertently. Or it seems any facet of how the software business actually works. Or has worked for the last 5 plus decades.

      Get back to us in a few years time when you have finished secondary school, maybe get a few pass grades in GCSEs, and hopefully actually start getting a clue. Like not spouting off about subjects you obviously know nothing about. Leave that to the grown ups in the room. You might actually learn something if you kept your mouth shut and listened.

  2. Mishak Silver badge

    Something needs to be done to protect consumers

    But this isn't it, and open-source authors should not be covered.

    However, any company that uses open-source within a commercial product should be responsible for ensuring that it is appropriate for the job - which means ensuring* that it does not introduce security or safety vulnerabilities into any product that they place on the market.

    * "ensuring" does not mean that it will be defect free, as it is generally impossible to show that is the case. What is required (from a legal perspective) is evidence to show that the chance of a failure is as low as is reasonably practicable (which depends on the cost/value of the product and costs/risks associated with failure) - which basically comes down to ensuring that development complies with a standard and that artefacts are produced to demonstrate how compliance with that standard has been achieved.

    I'm sure there will be a lot of "but that slows us down" and "that stifles innovation", but it doesn't have to. Sure, it will have an impact up front, but it does not have a negative impact on timescales if appropriate processes are used.

    1. BlokeInTejas

      Re: Something needs to be done to protect consumers

      I would agree that if you write and publish some source code, then someone who chooses to use your source (rather than write their own) and include it in a product sold to 'the public' owns the liability for the product.

      If they choose to give away the resulting product, then they should have no liability for errors in the product. It was free, they gained no revenue from it. Folk who use that product use it at their own risk.

      So llvm, for example, used as is, should not impose liability on the authors (even if they sell tee-shirts and mugs) even if it generates stupendously evil code.

      The Linux authors are also exempt from liability, even if there's no inter-process protection or the file system does horrible things to disk drives.

      Fred's OK Software Company, however, who sell a data base or a financial package or whatever should be liable for damage arising from the use of their product. Since the product uses Linux to perform some tasks, Fred is liable even for errors in Linux that cause his software to misfunction. He's also liable for such misfunction caused by errors in llvm. And its libraries.

      Similarly, Ford is liable for misfunction caused by (I make this up) the steel alloy they use to construct vehicles being out of spec. In general the vendor of the product, should be liable for any and all misfunctions that are attributed to the thing you're selling. True, perhaps the supplier who sold you the imperfect steel needs to make good that problem; but that should be an issue between Ford and the supplier.

      When you build a software product on top of or through the use of free (in the "it costs no dollars" sense) then you can't go sue the providers. They're not in business; they **published** the source; you're the one who chose to use it.

      1. Spazturtle Silver badge

        Re: Something needs to be done to protect consumers

        "If they choose to give away the resulting product, then they should have no liability for errors in the product. It was free, they gained no revenue from it. Folk who use that product use it at their own risk."

        Just playing devil's advocate here.

        If I bake some cakes and give them away on the street for free and people get sick because I didn't follow hygiene laws then I would be prosecuted.

        Why should software be treated differently?

        1. Charlie Clark Silver badge

          Re: Something needs to be done to protect consumers

          Software is generally treated differently. Indeed, in the US it is explicitly exempted from much product liability law. But, to your example, it's more like someone who left some cakes around. If someone finds them and becomes ill then there is no comeback. But everyone still has a duty of care which is why producers of malicious software can still be taken to court.

        2. MangoGroove

          Re: Something needs to be done to protect consumers

          Fred's OK Computer business opens a bakery. Instead of baking their own cookies, they get them from the guy giving them away for free on the street.

          1. Jimmy2Cows Silver badge

            Re: Something needs to be done to protect consumers

            Then, assuming Fred's OK Computer business is selling rather than giving away the cookies, FOC gets financial gain from that transaction and should therefore rightly be liable for any bad outcome. Due diligence. Duty of care.

            On the other hand if FOC is giving the cookies away for free, caveat emptor.

        3. doublelayer Silver badge

          Re: Something needs to be done to protect consumers

          Things like the cake example can still apply to open-source contributors if they do something that's explicitly illegal, such as making code that automatically attacks and installs malware on other computers. That's still a crime and they can go after that person. The problem comes when they have done something that causes problems unintentionally. Drawing the line between these and an analogy to food is difficult, but the best example I can come up with is giving cakes away without checking whether everyone who accepted one wasn't allergic to the ingredients. If someone eats one and has a reaction, that doesn't make the baker responsible.

          If I were to draw a legal distinction, I'd say that the hygiene requirements can be known in advance and followed to the letter, which makes it more reasonable to require that they be followed. The security requirements are vague and there is no way to verify that they have been followed without a court decision.

          1. Anonymous Coward

            Re: Something needs to be done to protect consumers

            "... without checking whether everyone who accepted one wasn't allergic to the ingredients."

            No. Not providing a list of the ingredients would be a problem, because then no one could check for themselves, and you are implicitly saying *no one* could possibly have any problems eating this cake.

            Provide an accurate list of ingredients and the burden of fault lies with the consumer.

            BTW: it took decades for me to realize I was allergic to black pepper. It was cross-referencing ingredient lists that finally confirmed the suspicion. Was I supposed to go back and sue all those food manufacturers when *I* previously chose those foods, repeatedly?

            1. doublelayer Silver badge

              Re: Something needs to be done to protect consumers

              This is why I thought it was a bad analogy, but I couldn't come up with anything closer. However, if a colleague brought in stuff they baked, they usually don't post a list of ingredients alongside it, and people with allergies tend to ask questions or avoid eating it if it looks likely to contain something they're allergic to. I'm not sure if you could legally sue that person if you had an allergic reaction, but I am pretty sure that few would sympathize even if it is allowed. Software isn't very aligned to the food example, though.

        4. Yet Another Anonymous coward Silver badge

          Re: Something needs to be done to protect consumers

          >If I bake some cakes and give them away on the street for free and people get sick because I didn't follow hygiene laws then I would be prosecuted.

          >Why should software be treated differently?

          Because software is more like "I publish a recipe for cakes, that doesn't mention to wash the ingredients" should I get prosecuted?

        5. BobTheIntern

          Re: Something needs to be done to protect consumers

          Barring intentional poisoning if that can be proven, under exactly what law(s) do you expect such a case would be prosecuted? Health department regulations don't tend to apply to individuals cooking in their own kitchens for non-commercial purposes.

      2. BOFH in Training

        Re: Something needs to be done to protect consumers

        Fred is liable even for errors in Linux that cause his software to misfunction. He's also liable for such misfunction caused by errors in llvm. And its libraries.

        -----

        You sure you don't want anyone to use OSS at all in any commercial product cos they will be liable if something happens in the OSS component?

        There goes all the home routers running Linux. Or many IoT products for that matter.

        On another note ....

        Doesn't Windows provide Windows Subsystem for Linux to run Linux and stuff? I think it has open source components as well.

        So if there is a bug in the open source component, how much is MS going to be liable for? Maybe MS should put a hard stop to interoperating with open source software. I think even the built-in ftp client in Windows is OSS.

        Isn't Apple using BSD based software for its kernel or something?

        This can get interesting.

      3. Anonymous Coward

        Re: Something needs to be done to protect consumers

        "It was free, they gained no revenue from it. Folk who use that product use it at their own risk."

        This on the face of it sounds like a good idea, but it's really more risky than it sounds. FLOSS is everywhere these days, as is free stuff, and regular consumers are in no way able to determine if there are risks, or what they could be.

        Let's put it differently: would an individual be responsible for giving out spoiled candies during Halloween? Would a supermarket be liable for those free samples they offer to taste? What about swag, say that free T-shirt you got at a conference gives you a rash, who's responsible? What if it's worse than a rash?

        "It's free so you can't complain if whatever happens" can't apply to regular people, because "whatever" really covers a lot of bad stuff, even for software.

        As the conclusion of the article says, it's all too easy to imagine how this could be abused by megacorps to be even less liable for their crap.

        Also, because it seems programmers often forget how society works: laws are not software. They're not applied mechanically. There are human beings involved in the judicial process, that actually decide whether a law has been broken or not, and what amount is required for a fine. Unpaid FLOSS contributors are not going to be mechanically fined 15,000,000€ every time they forget a comma in their code that leads to the wrong file being deleted.

        1. Mark 65

          Re: Something needs to be done to protect consumers

          FLOSS is everywhere these days, as is free stuff, and regular consumers are in no way able to determine if there are risks, or what they could be.

          I think that is where you draw the line between bad luck with best endeavours undertaken and the couldn't care less end of the spectrum. Even if I sell a software library that I have thoroughly tested but happens to contain some bizarre edge case that causes someone using it in ways I may have not even perceived to really f*ck up then I don't think I should be held liable. After all I have done as much as could reasonably be expected. If, on the other hand, I just wrote it, sold it, and didn't give a sh*t whether it was fit for purpose then that's a different story.

      4. Charlie Clark Silver badge

        Re: Something needs to be done to protect consumers

        You provide a reasonable argument for how things could be done in the future. What's missing is the contracts between suppliers and vendors which help apportion blame and share liability and costs. Open source software comes with disclaimers against any such liability. Still, it would be nice to see commercial suppliers of software having to take their liability more seriously. Over time, this could indeed help create the infrastructure necessary to help deal with the thorny nature of liability in an open source context.

      5. Anonymous Coward

        Re: Something needs to be done to protect consumers

        Similarly, Ford is liable for misfunction caused by (I make this up) the steel alloy they use to construct vehicles being out of spec.

        Why "I make this up" ? Because if (for example) they had a bad batch and it caused cars to break and crash, then they would (or could) be liable. But it's somewhat more complicated really.

        As a defence, they could show that they had in good faith used material that wasn't up to spec and they couldn't reasonably know about that. That's hard to show, unless you have policies in place in your supply chain to actually police your suppliers. So if you had a policy in place that involved members of the buying team actually going and checking on suppliers' production processes, their quality processes, etc. and that they similarly police their supply chain and you could demonstrate (from your documented records) that you had applied reasonable oversight of your supplier but they still "got it wrong" then you may be off the hook. But if you simply accept the supplier's pinky promises without any verification then you would be very much on the hook.

      6. Alistair

        Re: Something needs to be done to protect consumers

        perhaps the supplier who sold you the imperfect steel needs to make good that problem; but that should be an issue between Ford and the supplier.

        Essentially the *entire* point of PSF (and other open source publisher/management foundations) arguments on this law.

        I suspect a good perspective would be to look at this issue as follows: (utterly hypothetical situation)

        MS incorporates a library that draws icons on a desktop from an OSS developer, and over several years becomes reliant on that library, the OSS developer adds a new function that allows that library to publish the icons not only on the desktop, but allows users to share the icons on a public forum/website/sharing tool. MS continues to use it, and 3rd party software vendors who have unique icons and copyright and trademark on their side sue the crap out of MS because those icons are now in the public domain that the library created. MS then sues the crap out of the OSS developer. The OSS library developer has not received one red cent from *either* MS or the third party vendor, but sells T-shirts with snippets of their code as a way to put coin in their purse.

        Effectively, MS, having incorporated the library should have been aware of the new feature and done such that the feature was disabled in their deployment? The third party software vendors should have found a way to block that function in *their* code?

    2. Doctor Syntax Silver badge

      Re: Something needs to be done to protect consumers

      There's a difference between not being defect free and being out-and-out malware. There seem to have been plenty of reports here about software repositories such as PyPI being subverted to introduce malware into the supply chain. Should these be treated as a "product", even if not commercial, whose providers "should be responsible for ensuring that it is appropriate for the job"?

      It's easy to say that those who use the repositories should each be responsible for vetting everything they use, tracking every new version and re-vetting all changes. Easier said than done - the overall cost would be huge given that every user would be duplicating the work. The likely outcome would be that companies would simply stop using them or else there would be a second tier of commercial repositories who would vet new additions before adding them.

      1. Doctor Syntax Silver badge

        Re: Something needs to be done to protect consumers

        "or else there would be a second tier of commercial repositories who would vet new additions before adding them"

        In fact, this sounds to be the sort of thing I had in mind: https://it.slashdot.org/story/23/04/12/1623201/googles-free-assured-open-source-software-service-hits-general-availability

      2. Michael Wojcik Silver badge

        Re: Something needs to be done to protect consumers

        The likely outcome would be that companies would simply stop using them

        This would also be the preferred outcome. Public code repositories are toxic, and software vendors should not be pulling from them – particularly not as part of the build process. If there's justification for using an Open Source component (and often there isn't), pull a version, put it in your own internal repository, check its provenance as much as possible, perform due diligence (static and dynamic analysis and so on), and if it was updated recently wait a while before using it to see if any issues are reported.

        This business of "oh, CI just pulls the latest from npm and puts it in the release build", or pulling JavaScript directly from external sites into a production app, is unprofessional and ludicrously dangerous.
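The practice described in the comment above (pin a vetted version, keep the hash of the artefact you vetted, serve it from your own mirror rather than the public index, and wait a while before adopting a fresh release) can be turned into a mechanical check over a pip requirements file. The script below is an added example and is not code from this thread, from the PSF or from any project mentioned here; the internal mirror host name `mirror.internal.example`, the `RELEASE_DATES` table standing in for the mirror's records, and the sample requirements file are all constructed for the example.

```python
"""Vet a pip requirements file against a vendoring policy (added example).

Policy checked, one Finding per violation:
  * every requirement is pinned with == to an exact version;
  * every pinned requirement carries a --hash=sha256:... for the vetted artefact;
  * --index-url / --extra-index-url point at the internal mirror, not a public index;
  * the version is recorded as vetted, and was released before a cooling-off window.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterator

# Assumed host of the organisation's internal package mirror (placeholder).
INTERNAL_MIRROR_HOST = "mirror.internal.example"

# Constructed stand-in for the mirror's record of when each vetted release was
# published; names are PEP 503 normalised, and the dates are invented.
RELEASE_DATES = {
    ("requests", "2.31.0"): date(2023, 5, 22),
    ("leftpad-ish", "0.0.9"): date(2023, 6, 25),
}

# Constructed requirements file exercising one case per line; the sha256
# values are placeholders, not real digests of any artefact.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.org/simple
requests==2.31.0 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
leftpad-ish==0.0.9
urllib3>=1.26
certifi==2023.5.7 --hash=sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
"""

_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][A-Za-z0-9.!+-]*)$")
_HASH_RE = re.compile(r"^--hash=sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class Finding:
    requirement: str
    reason: str


def _normalise(name: str) -> str:
    # PEP 503 name normalisation so "Left_Pad.ish" and "left-pad-ish" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()


def _logical_lines(text: str) -> Iterator[str]:
    # Join backslash continuations; drop blank lines and comments.
    pending: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        joined = " ".join(pending).strip()
        pending = []
        if joined and not joined.startswith("#"):
            yield joined


def vet_requirements(text: str, today: date, release_dates: dict,
                     cooling_off_days: int = 14) -> list[Finding]:
    """Return one Finding per policy violation; an empty list means the file is clean."""
    findings: list[Finding] = []
    for line in _logical_lines(text):
        parts = line.split()
        head, options = parts[0], parts[1:]
        if head in ("-i", "--index-url", "--extra-index-url"):
            url = options[0] if options else ""
            if INTERNAL_MIRROR_HOST not in url:
                findings.append(Finding(line, "resolves from a public index, not the internal mirror"))
            continue
        if head.startswith("-"):
            continue  # other pip options are outside this check
        match = _PIN_RE.match(head)
        if not match:
            findings.append(Finding(head, "not pinned to an exact version with =="))
            continue
        name, version = _normalise(match.group(1)), match.group(2)
        if not any(_HASH_RE.match(opt) for opt in options):
            findings.append(Finding(head, "no --hash=sha256:... for the vetted artefact"))
        released = release_dates.get((name, version))
        if released is None:
            findings.append(Finding(head, "version not recorded as vetted in the internal mirror"))
        elif today - released < timedelta(days=cooling_off_days):
            age = (today - released).days
            findings.append(Finding(head, f"released {age} days ago, inside the {cooling_off_days}-day cooling-off window"))
    return findings


def demo_findings() -> list[Finding]:
    # Fixed "today" so the sample run is reproducible.
    return vet_requirements(SAMPLE_REQUIREMENTS, date(2023, 6, 30), RELEASE_DATES)


if __name__ == "__main__":
    for finding in demo_findings():
        print(f"{finding.requirement}: {finding.reason}")
```

Run against the constructed sample, only the `requests` line passes: the index line points at the public index, `leftpad-ish` lacks a hash and is five days old, `urllib3` is a range rather than a pin, and `certifi` is pinned and hashed but was never vetted into the mirror. Wiring a check like this into CI, with the real mirror's records behind `release_dates`, is what stops "CI just pulls the latest" from happening silently.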

    3. abend0c4 Silver badge

      Re: Something needs to be done to protect consumers

      The thing is, it's not just about products that consumers buy. Or indeed corporations. The log4j bug caused significant cost, risks to personal data and all sorts of unpleasantness without it being sold as part of a product - it was enough for the faulty component simply to be used in internal BAU processes.

      There's clearly a need for software security and reliability to be taken more seriously and in the modern environment where a significant part of the attack surface is open source you can't simply ignore that chunk of potential risk on the grounds it was provided gratis. Assuming commercial organisations so desperately wanted some open source component they were willing to assume the financial risk and also to employ the people necessary to analyse and maintain it, they're each going to freeze it and make only those changes that are necessary for their product: they're not going to adopt new versions or accept changes in modules they don't use. There'd soon be a myriad incompatible versions with different fixes applied, so this clearly isn't the answer either.

      This is, in many ways, the other side of the "no-one wants to pay for software" coin: no-one wants to be responsible for it either, not even the authors. This can't persist. We wouldn't accept bridges being built by unpaid engineers accepting no liability for their failure. Equally, payment in itself is no guarantee of a better outcome. I don't think you can tackle only one facet of this issue - it can't be resolved without looking at how the development costs are covered and devising some scheme in which either developers or the users of their software (or both) can be insured so that liability and responsibility are separately attributed.

      1. Anonymous Coward

        Re: Something needs to be done to protect consumers

        It seems obvious to me you use log4j at your own risk. There was, I believe, some silly functionality included in the problem versions that gave a few people a WTF moment. However, you are free to use earlier versions which may or may not come with their own caveats. I don't believe you should be absolved of responsibility if you choose to use a library you didn't write. I also think a greater responsibility may stop people upgrading on a whim the versions they use. I tend to look for what is fixed in later versions rather than what new shiny feature got added.

  3. The Central Scrutinizer

    Ahh you gotta love the EU

    They seem absolutely determined to legislate every business possible into total obscurity.

    1. Anonymous Coward
      Anonymous Coward

      Re: Ahh you gotta love the EU

      Sure and Biden's a nation wrecker.

      I read it in a QAnon pamphlet so it must be true.

      1. The Central Scrutinizer

        Re: Ahh you gotta love the EU

        And that has precisely nothing to do with the topic at hand.

  4. codejunky Silver badge

    Erm

    "adding such risk would make it impossible for the foundation to continue to provide Python and PyPI (the Python Package Index) in Europe."

    Not all of Europe is in the EU. Hopefully this idea stays within the EU borders.

    1. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    The "Enforcement" Pantomime.......

    Quote: "....proposed EU cybersecurity laws will leave open source organizations...."

    Huh...."laws".....forgive me if I point out that this is just lawmaker window dressing...."we are doing something".....and so on.

    There's NO SIGN AT ALL that lawmakers give a flying f**k about enforcement.

    Take GDPR. Link: https://www.theguardian.com/technology/2017/jul/03/google-deepmind-16m-patient-royal-free-deal-data-protection-act

    So....1.6 million medical records handed over by the Royal Free Trust to Google/DeepMind. No consent....and no penalties nearly six years later.

    ....and that's one instance that we know about!!!

    Take the 30mph speed limit on my suburban street. AMG Mercs and M-Series BMWs regularly do 70+mph. Someone will be killed. No enforcement.

    ....and so it goes.....cybersecurity "laws".......a pantomime for the TV news......

    1. Doctor Syntax Silver badge

      Re: The "Enforcement" Pantomime.......

      Making laws is one task. Bringing offenders to book is another; it might be the police or a regulator but it might be an individual, business or whatever if it's a civil matter. Interpreting them on a case by case basis to determine if they have been broken is a third task. Keeping the performance of those tasks separate is a Good Idea. It's probably essential if you want to have a free society.

    2. An_Old_Dog Silver badge

      Re: The "Enforcement" Pantomime.......

      It's a "pantomime", true, but it also has great mal-use potential. Selective enforcement is a real thing.

    3. Zippy´s Sausage Factory

      Re: The "Enforcement" Pantomime.......

      If there's no talk of enforcement, is this intended to give people more standing to bring civil actions against software companies for liabilities?

      I haven't read the proposed legislation so I'm not sure but perhaps that's the intention?

  6. 7teven 4ect

    All industries are not the same

    Pharmaceutical manufacturing: "We cannot have amateurs making drugs for free", to which the government responds by banning all legal markets for popular recreational drugs and gifting the huge market to criminal gangs, who are total amateurs at growing weed, according to GW Pharma.

    Yoga business: "We cannot have amateurs teaching yoga for free." You can think what you like about this.

    Software business: "We MUST have amateurs writing code for free." Because?...

  7. Right Angles

    To pay or not to pay

    I can see where the FOSS people are coming from, but it often doesn't matter in terms of legal liability whether someone gets paid or not for what they are doing. For example, if I were driving a car carelessly and injured someone as a result, I'd have legal liability whether or not I was being paid to drive the car at the time. Similarly, if I as a private individual were directly distributing software to end users that caused (financial) injury, shouldn't I by the same argument have legal liability for that?

    However, if, say, I just wrote a library that was being used by a company in a commercial product without any compensation to me, it only seems fair that the company should be liable in the first instance as they should have performed due diligence on my library before selling their product.

    1. Doctor Syntax Silver badge

      Re: To pay or not to pay

      What if you wrote a library which was disguised malware? You should have liability for that.

    2. Yet Another Anonymous coward Silver badge

      Re: To pay or not to pay

      >but it often doesn't matter in terms of legal liability whether someone gets paid or not for what they are doing.

      Except the publisher of the software isn't responsible for what is done with it.

      If I answer a question on reddit about car maintenance am I responsible for the crash?

      1. Right Angles

        Re: To pay or not to pay

        That's more complicated. If you deliberately answered with information you knew to be incorrect and liable to cause death or injury then maybe you could be held liable, but if you gave genuine advice that someone else didn't follow exactly and that caused a crash then surely you aren't. But in neither case is Reddit responsible because they aren't a publisher.

        1. Yet Another Anonymous coward Silver badge

          Re: To pay or not to pay

          >but if you gave genuine advice that someone else didn't follow exactly and that caused a crash then surely you aren't.

          Over here in lawyer land it's more complicated if you're a 'professional'.

          If I was an engineer rather than a mere physicist and I gave some advice, even if I wasn't being paid, I could be liable.

          I would be liable even if I saw something and DIDN'T give advice, eg. I walked past a dangerous construction site.

          Fortunately software (mostly) isn't counted as engineering - but if that changed then anyone with a software engineering degree could be liable for 'negligence' for open source contributions.

    3. Ben 56

      Re: To pay or not to pay

      What if I install Linux and accidentally nuke my Windows partition and all the data - should I sue the devs?

      The creator of the tool is not responsible for the usage.

      The car vs distribution example is a poor analogy since when you distribute software you are not driving, you are selling (or rather giving) the car.

      Any reasonable person would sandbox, have antivirus, and backups just like a driver should have a licence and insurance to guard against negligence and accidents.

  8. Tron Silver badge

    Haven't you twigged yet?

    Governments don't want just anyone writing code. They can't control it. They want software to be written, licensed and produced by a small number of companies that they can oversee and control.

    1. Yet Another Anonymous coward Silver badge

      Re: Haven't you twigged yet?

      >Governments don't want just anyone writing code.

      Governments don't care

      Politicians do what special interests tell them to do / what special interests tell the media that the voters want them to do (depending on how advanced your democracy is)

      Who is funding politicians to stop open source?

  9. claudiu

    Software bugs vs malware

    I think there is a lot of misconception here about intentional damage / malware introduced by a developer, paid or not.

    There are many EXISTING laws dealing with that and it's not the purpose of this regulation. Nor discussion.

    1. cosmodrome

      Re: Software bugs vs malware

      I really wonder why nobody else seems to notice. It's not that you could distribute malware nowadays without legal consequences. Not only does criminal law deal with it, you'll also have to pay for the damage.

  10. Anonymous Coward
    Anonymous Coward

    Consequences

    As an open source developer who receives barely any (<£300) voluntary contributions in 5 years, I can honestly say this would probably lead to open source projects being terminated or left unmaintained. I write code for my enjoyment and hope that it may be useful to others. There are no guarantees; I do not have the resources to spend vast amounts on testing. Usually the users are sufficiently technical that they report or even fix issues themselves and submit upstream. So if there is even a hint I could be liable, the project would, without doubt, die.

    Software would become prohibitively expensive as only those with the deepest pockets and a full time legal department would dare to publish software.

    Another wonderful law by EU law makers that really don't understand the consequences of their proposed actions.

  11. Anonymous Coward
    Anonymous Coward

    "The maximum fines under the law can reach €15 million or up to 2.5 percent of annual turnover, whichever is greater. The CRA has yet to be adopted by the European Parliament and Council."

    Cool, so the small guys get harder than the big boys...got it.

    Looks like we're going underground boys. Clandestine USB drive swaps down dark alleyways behind trendy coffee shops at the nerdy side of town.

  12. t98907
    Facepalm

    By enforcing this law, European lawmakers are trying to prevent the hegemony of AI platforms from being taken outside the EU. Thus, only EU citizens will be inconvenienced. The proposal may eventually be scrapped.
