You can't blame the enemy for waltzing through the gateway you left wide open.
Five Eyes and Microsoft accuse China of attacking US infrastructure again
China has broken into critical infrastructure organizations in the US using a "living off the land" attack that hides offensive action among everyday Windows admin activity. The attack was spotted by Microsoft and acknowledged by intelligence and infosec agencies from the Five Eyes nations – Australia, Canada, New Zealand, the …
COMMENTS
Thursday 25th May 2023 21:44 GMT Anonymous Coward
Source code is not a product with digital elements
Executable machine code is what is being regulated here; just putting some FLOSS source code on GitHub would not make the developer liable for anything. The EU has made it abundantly clear their legislation applies to "products with digital elements" which source code alone isn't (it can be written, modified and shared using pen and paper, just like any other ordinary literary work). The legislation also exempts open-source software which doesn't have commercial activity associated with it, meaning ArchLinux, Slackware, Gentoo would be completely unaffected, as well as all the critically underfunded upstream projects being exploited and uncompensated by big technology firms. At the moment, distros like Ubuntu will likely be negatively impacted, but I am very confident the EU will find a way to allow legitimate exemptions to cater for that (e.g. no liability for indefinite evaluation use, or hobbyist/enthusiast versions of what would be a covered product) since not doing so would bugger frozen SDKs.
What the EU is doing is closing the loophole where commercial ventures disclaim liability for pre-existing defects in their digital goods, forcing them to repair said defects for 5 years from the date of sale, consistent with laws governing any other type of good. It will also make cloud providers like Amazon more liable, since they'd be on the hook for maintenance if projects they depended upon ceased maintenance. So far it's looking pretty good.
Thursday 25th May 2023 19:39 GMT Zack Mollusc
the worst is yet to come..
The article describes only the reconnaissance part of China's game. The real danger is the crippling economic cost of the ongoing massive disruption attack on all western companies. This is almost impossible to defend against as it involves leaving the Windows installation completely untouched and functioning normally.