CRA paperwork for a fee impact on "hobbyist" status
Posted Jun 6, 2025 12:27 UTC (Fri) by dottedmag (subscriber, #18590)
In reply to: CRA paperwork for a fee impact on "hobbyist" status by Wol
Parent article: Open source and the Cyber Resilience Act
And can one provide CE mark only for paying customers?
Posted Jun 6, 2025 13:51 UTC (Fri)
by Wol (subscriber, #4433)
[Link] (15 responses)
You're missing the ENTIRE POINT of the CE mark system. ALL it does is provide a legal guarantee that you will stand behind your product.
If I make and sell something, I can't do it without a CE mark. There's nothing stopping me saying "I stand behind my product, I will self-issue my own CE mark". The point is, I'm providing a legal guarantee. And if I don't honour it, it's a breach of contract which can result in the regulator (NOT my customer) taking me to court.
So if my product includes your software, *I* need either (a) a support contract with you that says you WILL fix any bugs - which comes with your CE at which point you accepted *legal liability* for fixing any bugs, or (b) I take you at your word that you will fix bugs, but it's MY CE, and I'm on the hook if things go wrong. Which puts you in a strong position, you can just refuse to sign any contract unless I offer you £££ (to *your* satisfaction).
It's all about the BoM, and who is legally liable for any problems in any component. And from the FLOSS point of view, it's all about *stopping* companies copying random software off the internet and using the fact they didn't write it themselves, to disclaim responsibility when it breaks.
So it can all be summed up with the simple phrase "Issuing a CE means you accept legal liability for the product you *sell*". (And your supply chain accepts legal liability for the components they sold to you.)
Remember that Playstation 2 Linux debacle? A CE mark would probably have made that illegal - and Sony would have been in very hot water.
Cheers,
Wol
Posted Jun 6, 2025 14:22 UTC (Fri)
by dottedmag (subscriber, #18590)
[Link]
Posted Jun 6, 2025 14:26 UTC (Fri)
by dottedmag (subscriber, #18590)
[Link] (13 responses)
This ought to be "Issuing a CE means you accept legal liability for the product you sell, but only to the people you sell it to, not to the general public", right?
Posted Jun 6, 2025 15:08 UTC (Fri)
by farnz (subscriber, #17727)
[Link] (12 responses)
This gets complicated fast, but no, issuing a CE mark means that you accept legal liability for the quality of the product or component you've so marked, no matter who's using it, or who it's sold to.
With that said, there's nuance here. A CE mark is not a guarantee that it's up to standard for all possible uses someone might put it to, in all possible cases; rather, it's a promise that, within the scope of use that you could reasonably be expected to predict, it's up to standard. If you're selling a completed end-user product, then you're liable for all end-user type uses; if it's a component part, then you're liable for its quality when it's used for the purpose it's intended for, and integrated with reasonable care and attention to detail.
So, for example, my car's fuel filter is CE marked, and the manufacturer is liable for problems with the fuel filter being sub-standard, as long as it's been installed properly in a diesel-fuelled engine. It's a component part, so they're not liable for problems that occur if I misuse it to (say) filter cooking oil, instead of diesel, since that's using it for a purpose it wasn't intended for, nor are they responsible if I don't tighten it to spec, since that's a failure to integrate it with reasonable care and attention to detail. They are liable if I install it to specification, and because of a design or manufacturing flaw, it breaks apart and damages the engine it's attached to; however, even though it's integrated into my car, they're not liable for faults in other parts of the car unless I can show that they were caused by a fault in the fuel filter.
The CRA extends this line of thinking to digital goods; if your product is a completed product, then you're liable (to the world) for basic cybersecurity in your product. If it's a component, you're liable for flaws in the component when integrated correctly, but not (e.g.) for flaws caused by errors integrating it into the final product.
Posted Jun 6, 2025 15:20 UTC (Fri)
by dottedmag (subscriber, #18590)
[Link] (11 responses)
That's terrible.
Posted Jun 6, 2025 15:42 UTC (Fri)
by nim-nim (subscriber, #34454)
[Link] (1 responses)
And you can copy the non-CE code (provided the code licence allows it) and make it a CE product by taking up the maintenance obligations yourself (why you would want to do that instead of paying the original author is up to you).
So no, you should not be liable to someone who has not signed a support contract with you. If he has signed this contract, and the contract says CE, you cannot redefine your maintenance obligations lower than what the CE system requires.
Posted Jun 6, 2025 16:26 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
To the point that the law explicitly forbids you from saying "not my problem" if you didn't yourself pay for it.
So yes, you're spot on. A CE cannot exist without a contract explicitly saying who is liable for what.
Cheers,
Wol
Posted Jun 6, 2025 16:28 UTC (Fri)
by farnz (subscriber, #17727)
[Link] (7 responses)
Like I said, there's nuance here.
You're not on the hook for "all the future secure updates"; there's a timeout after you've been paid for a version, after which you're not liable, and you're not liable for updates to versions that you never "placed on the market" (a term of art, here).
Additionally, everyone demanding updates from you can only demand updates that apply to the component as integrated into your paying customer's product. You are entirely entitled to refuse to supply a security update that's not relevant to your paying customer's product, and you're entirely entitled to refuse to supply it in a form other than that needed to integrate with your paying customer's product.
However, if your paying customer doesn't care about an issue in your component, but their customers do care, you are liable for the issue, even though your paying customer isn't demanding an update - and this is transitive, so if your paying customer's product is a component, and I integrate that component into my product, my customers can demand a fix to your component from you directly, not just from me, or from your paying customer.
It's not terrible - it's setting up the same situation as exists for physical goods today; you are liable to everyone for issues with your component as integrated by your paying customer (and only if your customer's integration is done to an acceptable standard), but not for issues with your component when it's separated from your paying customer's product and used with something else.
And note that your fix to a security issue does not have to be acceptable to users who aren't paying; for example, if your paying customer's product only ever communicates over Unix sockets with your component, a fix to a security bug might be as simple as "completely remove IP support in this version". If that breaks my use case, well, that's my problem, because you fixed the security flaw that matters to the paying customer's product.
Posted Jun 6, 2025 23:13 UTC (Fri)
by dottedmag (subscriber, #18590)
[Link] (5 responses)
I am a maintainer of a small C library that parses ID3v1 tags (real case).
A local manufacturer of low-batch toys comes to me and asks me for CE mark paperwork so that they can include this library in their new toy. They expect to produce 100 devices, and the devices will play a fixed set of .mp3 files. We agree that the probability of a security issue in this device is low, and they pay me, say, €500 for CE mark paperwork for library version 1.0.
All is fine.
But at the same time Google engineer incorporates the same version 1.0 of my library into Android, marks it as "covered by CE mark by manufacturer" and ships it to all the ODMs, who produce 1 billion of headsets.
A vulnerability is discovered in this library. Google Android security team, security teams of 500 ODM manufacturers and 10 million security-conscious owners of headsets all come filling my inbox and demanding a security fix.
It might be a trivial security fix, but even handling all this amount of incoming email will bankrupt me, and I guess I also have to answer it all?
Still not terrible? Any open source maintainer taking any amount of money is on the hook to support the whole world, and basically can be held at gunpoint by any large manufacturer who can threaten to incorporate the code into their product.
The alternatives are: 1) never take a cent of money; 2) tell the first potential customer to foot the bill for supporting the whole world.
Am I incorrect somewhere?
Posted Jun 7, 2025 10:29 UTC (Sat)
by johill (subscriber, #25196)
[Link] (1 responses)
Not really well-versed with this, but for all I've seen it is, as usual, the color of bits that matters, even if they're the same bits.
You'd never issue a CE mark to the general public to use for free for arbitrary purposes, that'd be silly. It's not even clear that you'd be _allowed_ to, as an "open-source software steward":
> Given that the light-touch and tailor-made regulatory regime does not subject those acting as open-source software stewards to the same obligations as those acting as manufacturers under this Regulation, they should not be permitted to affix the CE marking to the products with digital elements whose development they support.
Although I guess the argument is that once you provided the mark, then you're no longer just an "open-source software steward" but actually on the hook.
If you just post code:
> The sole act of hosting products with digital elements on open repositories, including through package managers or on collaboration platforms, does not in itself constitute the making available on the market of a product with digital elements.
And if you aren't making it available on the market it doesn't need/have a CE Mark.
Now, that's not good for your local widget manufacturer, since they don't want to be on the hook for your software. So you have a contract with them and make available to them separately, as part of the contractual relationship, the same software bits with a different color. Now you're making it available on the market and need the CE mark, which implies maintenance, but that was the whole point of the contract. So the CE mark you issue in this case is for the specific integration into the local widget manufacturer's toy and part of your contractual relationship with them. It extends - to some extent - to their customers though, although they'd probably have a hard time figuring out your component is in there and, if they do, finding a way to repair it. Not your problem, though if they do get to all that then you might have to provide some security fixes that are actually applicable to this particular product.
As for Google doing whatever they do:
> When integrating components sourced from third parties in products with digital elements during the design and development phase, manufacturers should, in order to ensure that the products are designed, developed and produced in accordance with the essential cybersecurity requirements set out in this Regulation, exercise due diligence with regard to those components, including free and open-source software components that have not been made available on the market.
They only got the bits via your open source repository, which was never "made available on the market" (see above). Now they're on the hook. Maybe they will send you email anyway, but there's /dev/null.
Now you could ask is all of that plausible?
The question I guess will come down to whether you can be both an "open-source software steward" and a "manufacturer", even when the text says
> (13) 'manufacturer' means a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;
> (14) 'open-source software steward' means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;
Worst case, you'd need a different legal person (company) to be the manufacturer, how it manufactures the thing is not all that interesting, so maybe it just pulls it from your personal (natural person) repository as the sole "manufacturing" step.
Anyway, that's just what I think, but given the level of discussion etc. I find it highly implausible that such a setup is or was intended to be prohibited.
Posted Jun 7, 2025 11:23 UTC (Sat)
by dottedmag (subscriber, #18590)
[Link]
Posted Jun 7, 2025 10:57 UTC (Sat)
by Wol (subscriber, #4433)
[Link]
Regardless of the meaning of "on the market", you SOLD one hundred copies of your widget, with 100 marks (one per toy), to the toy manufacturer.
Those are the only marks you have to worry about. As farnz said, despite the bits being the same, Google's widgets do not have your mark, and are therefore "not your problem".
Cheers,
Wol
Posted Jun 7, 2025 14:18 UTC (Sat)
by marcH (subscriber, #57642)
[Link]
Whatever the law says, that seems extreme and unrealistic.
- Google is likely to just go and fix the vulnerability itself to preserve the value of its brand.
- ODMs are more likely to first pressure the "bigger" fish with whom they already have a business relationship and contacts there, and who has more manpower and is more likely to get things done one way or the other.
- Good luck finding 10 million "security-conscious" users and good luck finding end users technical enough to understand the vulnerability and who is to blame. You could receive some email, granted. But not from 10 million people.
PS: do ODMs have a security team? ;-)
Posted Jun 9, 2025 9:28 UTC (Mon)
by farnz (subscriber, #17727)
[Link]
You did not make your library available on the market with a CE mark; you sold a CE-marked version to your low-batch toy manufacturer, for integration into that toy only (and your lawyer worked with you on the contract of sale to ensure that this version has restrictions that protect you).
At that point, I can demand a security fix for the toy. I can't demand a security fix for other uses of the library; the CRA doesn't extend that far. If the toy is not exploitable, no liability for a fix. If the toy is exploitable, and you fix the toy use case, but not the more general case, no liability for a fix.
The fact that it's also been put in a huge number of phones is irrelevant to legal liability - they got the open source version, and liability ends with the entity that placed your library on the market (possibly Google, possibly the ODMs, possibly even the retailers), and they've got to find a way to negotiate with you that works for you as well as for them. And that applies even if their version is bit-for-bit identical to the CE marked version; it's the provenance that matters for liability, not the code itself.
Posted Jun 9, 2025 9:58 UTC (Mon)
by paulj (subscriber, #341)
[Link]
This is all part of a thing where the council doesn't like there being these quite visible homeless aid operations on central streets in Dublin, and so they're using every law and bylaw they can to try to stop it - street vending laws, food safety, etc. But there can very easily be unintended consequences to broad sweeping "consumer protection" laws that put significant burdens on every little person trying to do stuff. And it all contributes to a socio-economic environment that ever more favours large corporates - big enough to be able to amortise the cost of managing red tape and bureaucracy over a larger number of operational activities - over individuals and small businesses.
Posted Jun 6, 2025 16:37 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
No! It's just like copying a physical good. If you copy someone else's physical good, and you copy their trademark/other marks too, then that's fraud. There's nothing stopping you copying their goods (well, there may be), but pretending they made that copy when they didn't is a serious offence. There's nothing stopping someone copying your software, but likewise copying your marks as well is a serious offence. The marks are only legal when they're attached to the original article, AND NOT UNAUTHORISED COPIES.
(Just because a copy is unauthorised, doesn't necessarily mean it's illegal. Just that the owner of the original didn't give you permission to make exact copies. And it doesn't fall foul of the GPL because you haven't lost any of your copyright rights, or your FSF freedoms. And the GPL obliges you to remove marks if so required.)
Cheers,
Wol