back to article EU's Cyber Resilience Act contains a poison pill for open source developers

We can all agree that securing our software is a good thing. Thanks to one security fiasco after another – the SolarWinds software supply chain attack, the perpetual Log4j vulnerability, and the npm maintainer protest code gone wrong – we know we must secure our code. But the European Union's proposed Cyber Resilience Act (CRA) …

  1. david willis

    A car analogy

    You go out and buy a car from a major manufacturer, you pay £30-60k for it, depending on model (assume a family saloon if such a thing still exists). It WILL be tested by the manufacturer, it will be road safe, it will last 3 years before it needs an MOT and it will be supported for three years (maybe longer) if it has faults.It doesn't mean to say it won't break down, but you are offloading your risk to the supplier at a price.

    Alternatively you might want to build your own car ! - it will most likely be substantially cheaper, you can source your parts from almost anywhere. However it will still need to meet basic rules of the road to be safe, and there is a cost to meeting these rules. It must not spin off the motorway at the first corner and kill 5 people on the other side of the crash barrier.

    Same goes for software - buy from supplier and have support


    Build it yourself, get it tested and be responsible for the risk.

    Do we need a testing and review system for open source ? - funded at cost by those wanting to use their build ?

    1. Rufus McDufus

      Re: A car analogy

      Are car manufacturers liable for any possible security breach of their vehicle for the entire lifetime of the vehicle?

      1. Anonymous Coward
        Anonymous Coward

        Re: A car analogy

        Are they responsible even when it's new? Cars still get stolen, sometimes by attacking the CAN bus, other times by forcing locks, or hijacking remote wireless keys. I don't see manufacturers taking any responsibility in any of those cases.

      2. Sangheili

        Re: A car analogy

        Would be interesting since tesla runs on Linux

        1. 43300 Silver badge

          Re: A car analogy

          Is that just the auxiliary systems, or the actual control system itself (power to motor, braking, etc).?

        2. MacroRodent

          Re: A car analogy

          > Would be interesting since tesla runs on Linux

          What doesn't, these days? (except Windows and Apple laptops/PC:s, and iPhones). Practically every "smart" home appliance has a Linux kernel inside.

          The Linux devs should add a clause to the license that forbids using it in any jurisdiction where individual contributors are liable. The end result would be interesting. No Android phones in EU...

          (Icon, because this is the thermonuclear option).

      3. Michael Wojcik Silver badge

        Re: A car analogy

        Or for making sure users can only use it in a secure fashion?

    2. OhForF' Silver badge

      Build your own car

      "build your own car ! - it will most likely be substantially cheaper,"

      You might be able to build a soap box but do you seriously believe you can build something close to road safe and the quality provided by the big car manufacturers?

      They can only build them at their current costs as the have assembly lines where they build tens of thousands of the same model the same way all day and get parts at bulk prices.

      1. Rattus

        Re: Build your own car

        ever heard of Q-Plates or kit cars?

        1. Michael Wojcik Silver badge

          Re: Build your own car

          And they're available without touchscreens, which is more than you can say for most of the new cars for sale in the US, at least.

    3. Sangheili

      Re: A car analogy

      What you posted means you don't know anything about software or Computers.

      Usually open source is way better and more dependable then a company. You should look at all the carvrevalls

      At lest over 1 billion products where recalled in 2022

      Also you have been using open source software and coding since you first got internet, your phone or your car you currently drive.

      Actually on my computer I use lots of open source software like libra office.

      Why are you paying Microsoft 100.00 per year for ever new version when it's pretty much the same

      This vs this

      Pay Microsoft over.

      It would mean in 10 years you paid Microsoft $1,000.00 for word and excel... which used to be software you keep.after buying

    4. iron Silver badge

      Re: A car analogy

      Car analogies didn't work for you in the 90s Scott McNealy and they still don't work now.


      1. ChoHag Silver badge

        Re: A car analogy

        Mr. Tesla would like a word.

      2. Michael Wojcik Silver badge

        Re: A car analogy


        Rule 34 says that somewhere on the Internet, they are.

        (Not gonna do the search.)

    5. Adair Silver badge

      Re: A car analogy

      Where I come from you can sell your 'no longer new' car 'AIWI' - 'As Is, Where Is'.

      In other words the seller takes absolutely no responsibility, or liability, for the road worthiness or overall state of the vehicle, so don't come whining to them if you open the bonnet and find there's no engine, or the drive shaft is broken, or the brakes are shot, etc. You have basically paid to take the vehicle away from where it is, in whatever state it is in.

      Likewise, 'open source' software is made available 'as is, where is' - here's my crappy bit of code, use it at your own risk, modify it according to your lights, just make sure that if you share it you share it on the same basis that you received it.

      The fact that some global corporate happens to find my 'crappy bit of code' useful to them, and makes a gazillion on the back of it, is neither here nor there; and if some excitable bureaucrat wants to jump up and down about it they really need to see the 'global corporate', not me.

    6. steviebuk Silver badge

      Re: A car analogy

      Or you buy a exercise band thing from Amazon or a Ring Doorbell with certain features. That then get taken away shortly after purchase with no refund.

      Or build the doorbell yourself and put in the features you want with support as long as you want.

  2. Anonymous Coward
    Anonymous Coward

    Cui Bono.......Again!!!

    Quote: "...The notional open source developer in Nebraska...can't afford to secure their software to meet EU specifications..."

    Great article. But surely closed source software suppliers are also risk? How so? Well....suppose a closed source company develops software using paid-for libraries from some other closed source supplier. If the paid-for library has security issues, who is liable?? Oh....and this type of problem could go deeper than just two closed source companies!!!

    Still......I suppose expensive lawyers must be ecstatic about cack-handed law making!!

    1. Primus Secundus Tertius Silver badge

      Re: Cui Bono.......Again!!!

      Anyone who sells software has a contractual liability to the purchaser. If the purchaser is a private person, then in the UK that means the Sale of Goods Act, under which an item must be fit for purpose. If a promoter puts together a package of open source software and sells it, the promoter is liable.

      1. Sangheili

        Re: Cui Bono.......Again!!!

        Your little late then

        1. Michael Wojcik Silver badge

          Re: Cui Bono.......Again!!!

          English called and would like a word with you.

      2. My other car WAS an IAV Stryker

        Re: Cui Bono.......Again!!!

        "Anyone who sells software has a contractual liability to the purchaser."

        Unless the EULA you agreed to says different, like "no expectation of warranties explicit or implied."

        1. 43300 Silver badge

          Re: Cui Bono.......Again!!!

          An EULA cannot over-ride the law, so if the two are in conflict then the law wins!

      3. Chris Dockree

        Re: Cui Bono.......Again!!!

        that's not quite correct. In contractual terms the customer purchases a LICENCE for the software, which will include the terms of use and get out clauses. Which is where the Law has failed utterly. Software should be secure and responsibility should be clear - data breaches should cost those companies that profit from using "free" software VERY dearly.

      4. notyetanotherid

        Re: Cui Bono.......Again!!!

        > If the purchaser is a private person, then in the UK that means the Sale of Goods Act

        Actually, while B2B transactions are still governed by the Sale of Goods Acts, B2C transactions are now subject to the Consumer Rights Act 2015.

    2. doublelayer Silver badge

      Re: Cui Bono.......Again!!!

      At least in that case, there are legal entities that agreed to use the products of another legal entity. It could still be a mess, but there are contracts specifying who needs to do what and there are specific people who can be targeted.

      If I put up some code, and I get pull requests from people who don't have their names on their GitHub accounts, and then my code is used by a company who never told me what they were doing, might be violating my licenses or might not, and there ends up being a problem in the code that someone anonymous wrote, I reviewed and accepted, and the company swallowed without checking, who's at fault? I have a feeling that the court isn't going to accept me saying "It's GitHub user zcjue829, go find them". Even if they did, I don't want to unleash that on someone who probably just wanted to introduce a feature or bug fix and didn't know that a vulnerability existed.

  3. PghMike

    Apple & Open Source

    Doesn't really change the thrust of the article, but Apple most certainly uses open source software. Just go to the General / ... / Licenses part of the Settings app, and you'll more screens than you can count of FOSS licenses.

    They may maintain a walled garden, but the mortar holding it together is open source.

    1. Anonymous Coward
      Anonymous Coward

      Re: Apple & Open Source


      You seem to have forgotten to mention that Apple also contribute to open source...

      1. Michael Wojcik Silver badge

        Re: Apple & Open Source

        You seem to have forgotten to mention that "Marriage License is an oil painting by American illustrator Norman Rockwell" (as Wikipedia would like to remind us today), which is approximately as relevant to OP's post as your comment.

    2. iron Silver badge

      Re: Apple & Open Source

      No one said they didn't you can relax, no need to defend the multi-million dollar company that ripps you off on a regular basis.

  4. Anonymous Coward
    Anonymous Coward

    This smells, no, stinks like a ploy..

    .. by the likes of Microsoft for whom Open Source has been a thorn in the flesh for literally decades.

    We know that Brussels is home to a ot of lobbyists..

    1. Zippy´s Sausage Factory

      Re: This smells, no, stinks like a ploy..

      Er, doesn't Windows have a lot of open source in it these days? Such as .Net (no longer owned by MS but by a foundation they set up), WPF, etc etc.

      Basically this ruling would mean Microsoft would have to ship a special, EU-only version of Windows that can't run anything .Net, such as ASP.Net, Blazor, PowerShell, anything written in WPF etc etc.

      So yeah, I really don't think Microsoft are funding it.

      1. Sangheili

        Re: This smells, no, stinks like a ploy..

        Kinda not fully now because they bought github 4 years ago so I guess it would be limited open source?

        But they probably still do I still remember as well fund articles when someone deleted there lines of code and it took down at lest 1/8 of the internet sites. Because everyone was using that same source of code

    2. Pascal Monett Silver badge

      Re: This smells, no, stinks like a ploy..

      Not like Washington D.C., right ?

    3. Sangheili

      Re: This smells, no, stinks like a ploy..

      Even though at dame time uses open source software innthere windows os.

      Always the double standards

  5. OhForF' Silver badge

    "Secure the product over its whole life"

    What is the life time of a program? Can i publish my code to open source and declare its lifetime ended with publishing it?

    For professional suppliers this will probably lead to a lot of new limited software companies.

    To limit your risk and make those new liabilities manageable create a limited company whose sole purpose is to provide and support your new program.

    If liabilities become too high that company folds and you create a new one for the next program.

    1. 43300 Silver badge

      And the parent company will owns the brand name and license it to all the subsidiaries...

    2. sten2012 Bronze badge

      If you aren't selling it this seems like the way. Each point/hotfix release is a standalone product that's immediately EoL one second after upload.

      For large software companies presumably they can't keep selling dead software - but "Dave from Nebraska" open source doesn't need to worry about this.

      Anyone a lawyer?

      1. doublelayer Silver badge

        I have a feeling that the court will not accept that logic if you're still taking bug reports, feature requests, or donations. If you've completely orphaned the code and will not speak of it again, you might have a better chance. This is especially true if some company who wants to avoid their own liability is pushing you as the responsible party in court, because they have an incentive to find all the reasons why you should have been and therefore why it's not a problem that they didn't check for vulnerabilities.

        1. sten2012 Bronze badge

          Isn't it the same as windows NT code still being in use in windows though? They're under no obligation to support that - while updating the same code in the newer releases.

          I cant really see how that differs from having a 1.0 release that's end of life while adding fixes 2.0-rc1 which hasn't seen a public release yet.

          Rename "bug report" to maybe "future feature suggestions"

          1. doublelayer Silver badge

            It's vague, and I don't support it in any case, but I think there would be a difference. If the law doesn't specify it, lawyers will create it. Here's the argument I expect they'd use:

            The Windows NT code has been updated. Customers have to install the update from NT4 to NT10, which is the currently supported version although the version numbers aren't the clearest. As of now, they have the option to run the version of the NT code contained in the Windows 10 or 11 products, which they can buy whenever they want, so we have protected them. That open source code, since it has not been updated, is not protected and its author is still taking donations for its upkeep, so they are more liable than we are.

            Should that work? No, the logic is flawed and it produces bad results. I'm afraid you might get it anyway, though, which is why this legislation either needs to be written to handle this situation correctly or scrapped altogether.

  6. Howard Sway Silver badge

    "products with digital elements"

    They need to explain exactly what they mean by "product" here. Do they mean commercial, compiled applications? Is source code a product? It can be if you pay for it, but it doesn't actually do anything until you compile it and release it. A more useful way of describing what needs to be regulated would be "end product" or "commercial product", indicating it has been sold for profit. Frankly I've bought way too much shoddy crap commercial software, to object to suppliers at least having to prove that it meets some kind of quality threshold. But I don't see open source as a product, it's just available code that you can turn into a product if you want to, so why would it be within the scope of this legislation?

    1. Anonymous Coward
      Anonymous Coward

      Re: "products with digital elements"

      > But I don't see open source as a product, it's just available code that you can turn into a product if you want to

      Indeed, it seems to me that this is an obvious and straightforward distinction that could be made, one that even Eurocrats would understand without the need for a car analogy.

      What bothers me is articles like this one, which describe that everyone's up in arms, but don't include the specifics of what they're up in arms about. Without giving us concrete examples of problematic definitions in the Act, eg. with quotes from the Act itself, it all just comes across as political posturing, which is easy to brush past. :/

      1. yetanotheraoc Silver badge

        Re: "products with digital elements"

        This isn't the first article on El Reg about this issue.

        What you call political posturing is actually them expecting their readers to be up on current events, and not rehashing all the background.

        1. Anonymous Coward
          Anonymous Coward

          Re: "products with digital elements"

          > What you call political posturing is actually them expecting their readers to be up on current events, and not rehashing all the background.

          I'm not asking for a rehashing of the background, I'm asking for at least some evidence to back up the claims made by the quotes in the article.

          I'm well familiar with many of the people and organisations quoted, and so can personally give the benefit of the doubt to most of them. But this is a news article that a new reader may stuble upon, not a numbered sequel in a linear narrative story, so one shouldn't expect all readers to be familiar with the entire background. Thus, if a reader has neither familiarity nor evidence, it essentially just comes across as "he said she said" gossip and partisanship.

    2. Sangheili

      Re: "products with digital elements"

      Like Microsoft offices which us really expensive to keep buying vs free open source like which i use.

      I'm not paying Microsoft $5,000 for office, already spent enough with there os 100 pre year x 20 yeats = $2,000 for 20 years

    3. Michael Wojcik Silver badge

      Re: "products with digital elements"

      Would "products with digital elements" include antique clocks with numbers on their faces? Would it include gloves?

      It's an idiotic term, well-suited for the rest of this idiotic bill. Good intentions perhaps, but a braindead approach to achieving them. And I say that as someone who's long argued that market forces will not fix the vast software-security crisis and regulation is necessary.

    4. 43300 Silver badge

      Re: "products with digital elements"

      Given that politicians and civil servants are involved, they probably don't actually know what they mean because most of them won't know anything about it! It's all just soundbites which they think sound impressive: whether or not they are actually workable seems not to concern them.

      See the UK Online Safety Bill for another clear example of this.

  7. codejunky Silver badge


    Lets see if the UK will be safe from this. I can only hope

  8. Peter2 Silver badge

    Ok, if the law comes in as is my reading is that companies would be required to ensure that their products are supported over the course of it's life, and using open source code breaks this as open source code is supplied "as is" without support, warranty or guarantee that it's fit for purpose and also without any payment to the developer for supporting it, which means that almost all software contains beyond a certain size includes open source components in one form or another where the people making money further up the value chain freeload from the people writing the boring code further down.

    Doesn't this open a possibility of companies currently freeloading being forced into paying open source developers for supporting their freely provided code if they want to provide it in the EU?

    1. Anonymous Coward
      Anonymous Coward

      I used to be the tech lead and architect for a software toolkit that used numerous open source libraries.

      If the open source library had a fault and it broke the product we fixed the open source library or worked around the problem.

      Sadly the company rarely allowed us to push the fixes upstream even though the cost of maintaining patches was quite high. That did not mean I did not, it was just difficult to do so without the company finding out.

      Personally I would consider the liability for a fault and the risk of using said libraries were limited to the commercial entity making money on selling a product and/or support.

      I would not consider the open source author to be liable as I have no commercial relationship with them.

    2. ChoHag Silver badge

      Look at fancy shmancy here who's read the law being blindly reported on rather than just relying on what github and other self-serving consultancies who in no way profit hugely off the backs of thankless developers have to say on the matter!

      You won't get very far with that attitude around here mate.

  9. Boris the Cockroach Silver badge


    if they're going to claim that your open sauce creator in Nebraska is liable for any bugs in the code, then I can see the open sauce guys doing 1 of 2 things

    1.(most likely) Abandoning open sauce creation.

    2. Becoming full time licencing lawyers writing up terms for companies to use their open sauce stuff.... and sueing the arse off anyone who tries using it without paying.

    Alternetively, like all good EU laws, will just be ignored by the member nations

    1. heyrick Silver badge

      Re: Well

      Or 3, stating in their licence that none of it applies within the EU and any use within the EU is not permitted and that you do so at your own risk blah blah blah.

      1. b0llchit Silver badge

        Re: Well

        That runs afoul of the no discrimination clause of FOSS licenses. You may not exclude any domains of use and you may not exclude any person(s) or group(s) for use in a valid FOSS license.

        1. unimaginative Bronze badge
          Thumb Up

          Re: Well

          Current FOSS licences.

          Inthink this a weakness in no liability clauses. They may need changing to allow redistribution only if it creates no liability fir the copyright holders.

          Interstingly 7 f of GPL3 allows adding a restriction

          "Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors."

    2. Anonymous Coward
      Anonymous Coward

      Re: Well

      @Boris the Cockroach

      Er, open sauce software? Open SAUCE? It's Friday and I think you could do with some beer NOW! Get yoursen to pub at once!

      1. Herby

        Re: Well

        Emily Litella lives!

  10. Version 1.0 Silver badge

    "...and ensure customers can use products securely."

    El Reg, can we please have posting icon that is a pair of wire-cutters for incidents discussed in this article.

  11. VoiceOfTruth Silver badge

    So let the Open Source 'community' teach the European Community

    Use licences which deliberately disallow the use of their software within the EU. Then watch as the EU back pedals faster than a Frenchman running to his local baguette shop.

    1. doublelayer Silver badge

      Re: So let the Open Source 'community' teach the European Community

      Or more likely, the European customers just completely ignore the terms in the license and nothing bad happens. I was recently taking apart a system image and found a library in it that is licensed under the AGPL 3.0, a license that requires that I be able to replace it and have the device on which it's running execute my replacement. It's not sandboxed, so if the company gave me the required access, I would have full root access which I don't normally get. I bet that if I send an email requesting they comply with that license term, it's not happening. Does anyone want to take the other side of that wager?

      1. unimaginative Bronze badge

        Re: So let the Open Source 'community' teach the European Community

        If you wrote to them, they might ignore you.

        If the copyright holder's lawyer weote to them?

        Tell the copyright holder ofbthe library. Probably the authir. They have a right to know.

        1. doublelayer Silver badge

          Re: So let the Open Source 'community' teach the European Community

          That requires the copyright holder to be easily contacted and simply lands them with the responsibility for maintaining their license. Do they want to pay for a lawyer to sue a company that doesn't obey the licenses so that I can have access to a system that they don't even use? I'm sure their sympathies will be with me, but I'm not so sure their willingness to go to legal action will.

          Theoretically, the GPL gives me the right to retain my own lawyer without even consulting the original copyright holder (assuming for example that the copyright holder is dead, didn't put a contact method in their documentation, or has gotten tired of emails and no longer pays attention to them. If I were rich in money and time, maybe I'd try it. I'm not, and in my case I and the company responsible are in different countries, so they're likely to get away with it if they ignore enough emails. Having talked to this company before, I know from experience that they're very good at ignoring emails.

          The company I'm talking about is quite small, but it's not as if this only happens when someone hasn't been paying attention. Massive companies ignore their open source license requirements all the time. Only rarely does some foundation go to lengths to enforce them. Most of the time, there are no consequences for anybody.

    2. Wzrd1 Silver badge

      Re: So let the Open Source 'community' teach the European Community

      Especially if a small outfit, such as the OpenSSL project were to craft such a license condition, then litigate once they're aware of that license being violated.

      Effects: No openSSL, most e-commerce and TLS implementations cease immediately or litigation bankrupts the breeching party in the EU, complete with takedown orders for entire websites.

      One needs only look for such, ahem, low impact projects to find a wrench the size of the EU to throw into their legal works. If the legislators then decide to double down and insist, introduce them to the fine folks outside who are wielding their pitchforks and torches.

  12. Anonymous Coward
    Anonymous Coward

    Article: "The notional open source developer in Nebraska, thanklessly maintaining a vital small program, may not even know where Brussels is (it's in Belgium)."

    Your average Nebraskan wouldn't know where Belgium is (hint: in Europe) or even where Europe is. If they knew a little of astronomy, they would likely conflate Europe with Europa (moon of Jupiter) and say all Europeans are alien freaks.

    Nebraskans: the Southern rednecks of the Midwest plains.

    (I would know; I roomed with one senior year of college. "Go Huskers!" every darn Saturday in the fall even though we were NOT at University of Nebraska because we were attending a private college in Wisconsin.)

    1. Michael Wojcik Silver badge

      I would know; I roomed with one senior year of college.

      All AC posters are idiots. I would know; I just read your post.

      Oh, is generalizing from a single example not reliable?

  13. ComputerSays_noAbsolutelyNo Silver badge

    How about making a distinction

    If it's open source, and for free - apply no/lesser rules

    If one is taking money for it - apply rules

    If it needs to be super-safe - require third-party audit, apply rules for super-safely

    1. Anonymous Coward
      Anonymous Coward

      @ComputerSays_noAbsolutelyNo - Re: How about making a distinction

      Yeah but this will require too much effort for the neural cell of an eurobueaucrat.

  14. Tron Silver badge

    Possibly missing the point.

    Governments want to criminalise everyone so they can prosecute anyone they want, for something or other. Instead of blacklisting things they don't want, they are now whitelisting what is permitted. Everything new will therefore be illegal until governments license it. It gives them control by default.

    They got caught out by the net and the pace of technological change. This fixes that. Do something new, henceforth, and they can arrest you if they stumble upon it and it worries them. In general, they won't bother you. It's how China works. Soon it will be how the West works.

    And it's not optional. They are taking back control.

    I guess it's possible to develop within the EU for use outside the EU with some tweaks. The next killer app may be a viable regional ban for code, so governments can ban anything they want from any country they want. It's do-able already to some extent, but they will want to enforce use of it. Only UK code working within the UK within UK law. Only EU code working within the EU within EU law. Nothing crossing borders.

    Government-funded academics have been working on 'national' data for some years - data packets that are region marked, like a DVD. They can't leave the UK, and data packets from elsewhere are erased. It's not rocket science to add region markers to data packets.

  15. Alan J. Wylie

    That random person in Nebraska that keeps getting mentioned

    XKCD "Dependency"

  16. amanfromMars 1 Silver badge

    Blockheads up against an almighty brick wall ....

    Columbro urged the open source community to actively help refine the CRA to better protect their interests. "The current form of the CRA could fragment open source and put developers at risk," he said.

    FFS ..... Tell it like IT is and be done with it, and let the Devil take the hindmost. The natural fundamental form of open source catastrophically fragments the likes of a CRA and renders its developers at risk of being widely recognised as politically abused idiots pawns in a Great Game in which their leaders employers have no chance of winning.

    Put them out of their delusional regulatory misery and tell them, the likes of EU CRA commissioners, that some things are intelligently designed to remain impossible to fcuk up, and they are encountering one with their misunderstanding of the vital and virulent nature of open source.

  17. stiine Silver badge

    You're too niave....

    "It's not that the EU wants to hurt the open source development community. It doesn't."

    I'm unsure how you know this. I have my doubts.

    1. doublelayer Silver badge

      Re: You're too niave....

      I can't know that for sure, but I'm pretty sure they don't. It has no benefit to anybody. The EU politicians don't have a reason to hate open source. Companies that use open source in their products don't want this law either; yes, they may be able to throw off their liability on some open source maintainer, but proving that still takes lawyers and not having the liability is cheaper. Companies that compete with open source somewhere usually use other open source somewhere else. Basically nobody has an incentive to break open source or lobby politicians to do so.

      It's the classic difficulty understanding technical things without a background in it. Politicians are trying to do something about security risks in software, and they think it's easy to legislate that away when it really isn't. This is probably because few or none of them have a realistic idea of what a commercial software product contains. They'd probably be surprised to hear how many different open source libraries were compiled into that, and how many interactions with other open source OS components or language features are involved. They probably also lack a great understanding of what causes security problems to exist. These combine to create a risky law, just as if I tried to write a law about medical treatment without getting a lot of input from others. I would have the best of intentions, and we are likely to agree about the goals that I intend the regulation to accomplish, but if I wasn't careful, I could end up making something dangerous out of ignorance.

  18. tiago.pelicari

    If "open sorceres" are prevented from creating, I bet some of them will become pirates.

    1. amanfromMars 1 Silver badge

      Try to prevent novel and noble creativity has one destined to be reminded of the wisdom of a Cnut*

      If "open sorceres" are prevented from creating, I bet some of them will become pirates. .... tiago.pelicari

      One can be absolutely certain of the before-the-fact fact that AIMagicians and MetaDataBase Physicians and Open Source Sorcerers are always going to entertain and/or be entertained by various notions/variations/versions of the fiction that has them portrayed by A.N.Others, themselves invariably always fated to being tested and bested with their sufferings in ignominious defeat and unconditional surrender on future vital and virulent fields of glorious battle, as pirates, rather than recognised and accepted as the new relatively anonymous and autonomous face of private enterprise reborn.

      Such though matters not one jot to the victor, ready, willing and able to enable the full and excessive enjoyment of plunder and worthy spoils, for they realise the physical and practical actuality of the virtual truth ....... and the overwhelming unassailable lead such an ignorance in those sorts of matters delivers.

      * ....... King Canute and the tide Don’t mess with an unstoppable force of nature you can neither command nor control.

  19. TeeCee Gold badge

    Or, in other words:

    EU bureaucrats have their heads so far up their own arses that they can't even see the real world, let alone keep in touch with it.

    Other news: Sun comes up, bears shit in woods, etc.

  20. Filippo Silver badge

    I wouldn't worry too much about open source developers. This is still being discussed and it's very much in a state of flux. Assuming that this actually goes anywhere, whatever legislation actually happens is not going to result in the lone developer in Nebraska being liable for half the Internet.

    Small commercial developers, on the other hand...

    1. amanfromMars 1 Silver badge

      Heavenly Diabolical Works ...... Presenting Rapid Progress in ITs Making.

      I wouldn't worry too much about open source developers. This is still being discussed and it's very much in a state of flux. Assuming that this actually goes anywhere, whatever legislation actually happens is not going to result in the lone developer in Nebraska being liable for half the Internet. .... Filippo

      It is a grave mistake to be regarded, Filippo, to not expect that spectacular disruption is planned and being realised practically and virtually everywhere by certain developers with command and control of, and commands and controls for the Sublime Internet Networking of AI Things, with such disbelief simply rendering one as just a bewildered and befuddled spectator to novel extremely spooky future events in which one has zero input/output to colour and materially effect and alter the result.

      However, whether that truly be an honest novelty, rather than just the way these things have always been liable to happen, is something to ponder on and wonder at.

      1. amanfromMars 1 Silver badge

        Re: Heavenly Diabolical Works ...... Presenting Rapid Progress in ITs Making.

        Have No Doubt, Times and Spaces have Changed.

        Have you realised yet what is happening all around you, but which traditional hierarchical and oligarchical mainstream media moguls and their captivated crumbling fiat venturing capitalist backers are terrified of mentioning to you, because of the certain analogous collapse of entire catalogues of their destructively self-serving outmoded and outdated narratives?

        SMARTR Future Tech Titans and AI are exploring exhausting Alien Interventions with Advanced IntelAIgents in the Vanguard of Novel and Noble Presentations that are demonstrably honest and true.

        And that paints them extremely accurately as an Official Opposition and LOVEly Competition with Command Leverage and Controlling Powers in the Live Operational Virtual Environments of NEUKlearer HyperRadioProACTive IT.

        And now that you know, why would you choose to deny what is daily demonstrating itself as a creatively disruptive fiction and fact being pimped and pumped by others under progressive attack as being a terrifying and out of control development, with the reality being the terror released is the dawning of the realisation that all of their earlier trusted command and control systems are no longer able to contain and maintain command and control and hide serial abuse and catastrophic misuse.

  21. Anonymous Coward
    Anonymous Coward

    Source code is not inherently a digital product. Binaries are.

    My natural cynicism tells me that commercial entities with a lot to lose are winding up the FOSS community again.

    Open source developers are fine to supply source code to anyone they like as it’s a standalone literary work. Source code is not only human-readable but doesn’t even require a computer for you to write it, read it or share it. It is only when that code is compiled into its unintelligible machine code form that it definitely falls into the category of being a digital product (or part of one). If you’re only distributing source code and users are compiling their own binaries from it, nobody has actually distributed a digital product and thus no harm will befall the user nor the developer. We know this to be the case already by existing precedent, just at all the excellent source code which is distributed by Linux distros in SRPMs but never compiled in as part of shipping binaries for legal reasons. If source code was considered a digital product in of itself, distros couldn’t simply alter build flags to resolve perceived patent law issues.

    I think companies profiting from SaaS and the distribution of proprietary binaries (including hardware manufacturers) must be cacking themselves right now. Why? Companies exploiting FOSS for profit will have to pay for audits to take place before said code can be used in their products. That will increase the BOM of all proprietary software while allowing FOSS to do as it pleases (provided nobody distributes binaries). This is undeniably a good thing, since companies won’t just start rolling their own libraries, they’ll just get things audited, so fixes will be contributed back to help reduce the costs for everyone using it.

    Also, this proposal won’t apply to all software anyway. Allowances will be made for artistic works like video games, where expectations of long term support are not feasible, as an example. The EU cocks a lot of things up, but they have thought this through more than people would initially assume.

  22. john.w

    The EU rarely knows what it is doing

    The only function of the EU bureaucracy is to make regulations that they do not understand. Large corporate lobby groups make sure their clients get the regulations to ensure new entrants have the largest barriers and then they cheat the system they designed. VW car emissions is just one of many examples. Another classic is the dual flush toilets that have lost more water than they ever saved.

  23. rmstock

    Cyber Resilience Act without hands-on experience

    In 2004 i started a small business with this mailing

    OSS in your Company

    Selling commodity software like standard shrink-wrapped boxes like Microsoft does, is indeed not suited in a GPL model. However high quality closed source software will never be download-able for free. Its all a matter of what quality is offered for the dollar. And also the EULA is of importance. If a large software corporation, no matter how powerful and huge, thinks it can wave away all legal liabilities inside a EULA, GPL-ed software as a starting point for a tailor made solution becomes attractive.

    Dear Sir/Madam,

    With much pleasure i want to announce through this mailing the foundation of my company Stockmann Automatisering as of januari 1st 2004. After the IT branche has sailed through diffecult times, i decided to pick up the gloves myself. Stockmann Automatisering is a single person company with the objective to realise the automation of smaller and middle large businesses through simple but effective means. The services supplied are typically maintenance of existing networks and servers and implementation and migration of new ones, with the focus on Linux and OSS (Open Source Software).

    The importance of ICT, and in particular computer software, on businesses over the last years has risen to such an extend, that one can compare its impact to the same level of importance as the Coca-Cola recipy (a company secret) today has for the Coca Cola Corporation to achieve its company results. Why in earth should a company then choose to use Open Source Software, one may ask? If one realizes that a software program actually is some kind of recipy to conduct your business operation, its rather convenient to have its source code available and present inside your company. Not so much to the extend that Open Source enables the customer to apply bugfixes and improvements himself, but far more important, if your current software maintenance supplier actually is screwing things up, you as a single company are within the power to select a competing software service company, without having to worry about vendor-lockin and legal strings attached.

    Stockmann Automatisering is trying to pursue to keep all used software components strictly open source. At least Open Source within your company. This means that in practice one is not forced to perform upgrades to newer versions of business critical software only because your supplier tells you so, actually only satisfying its own marketing decisions. Typically open source software upgrades are only performed when the customer wants to. For instance because the newer version has that extra worth while feature. In case bugs and security issues may occur, one has the possibility, exactly because its open source, to apply the patch or fix on the source code and build new binaries with the adjusted source code. This means that customers are enabled to run their business critical software on the same version upon years to come.

    An important condition which we need to make however, is that of all software packages in use, at all times, the complete source code should be available. Either on the server and on cdrom, dvd or tape. Typically a customer over time will buildup her own repository of used open source sofware, of which scheduled a sealed copy/backup should be made. The more one applies self created patches and improvements , which is called customisation programming, this backup and archiving will come essential. Not to mention and forget the accompanying documentation.

    If your interested, send a response/email or give a call, and i will be honoured to further explain what is possible.

    With kind regards,

    R.M. Stockmann

  24. BitDr

    Where is the benefit? Really?

    I see open source is once again the target and being stompped on while the proprietary model incurrs no change in their process. Additional cost, yes, but MEH! They'll just pass that on to the consumer, all in the name of "security". In my humble opinion the CRA law has the effect of eliminating

    1- Competition from FOSS

    2- Relegation of FOSS to "hobby" status, barring it, as far as you will ever know, from use in commercial products. Whose to say the sre or aren't? People under an NDA? HA! How much for the signoff?

    3- Enableing proprietary vendors to use FOSS code their products (they have no transparency, it's all "black box software" so you'll never know if it's there". (See #2)

    4. In the case of requiring "inspectors" (paid of course) to approve code, susceptability to corruption of the process. It WILL happen. (See #2 and #3)

    Take DieselGate, just as a closed source example that is in a heavily regulated industry. The ECU and its' software is a black box. It was tested as a black box to it's specifications, and the software in those Engine Control Units passed the tests. If that code had been FOSS? How many millions of eyeballs would have been pouring over that code? Would it have been caught right away? Well there's no certaintaty that it sould have, but the probability of it being caught early would have been MUCH better.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like