Whom to ask?

Posted Jun 6, 2025 16:24 UTC (Fri) by hailfinger (subscriber, #76962)
In reply to: Whom to ask? by dottedmag
Parent article: Open source and the Cyber Resilience Act

Ask the European Commission. (Yes, really. They attend a lot of F/OSS events and are willing to answer questions.)

The European Commission was at FOSDEM 2023, 2024 and 2025, participated in panel discussions, held excellent talks and answered questions from the audience. Those talks had FOSDEM attendees as target audience, and the speakers excelled at presenting the topics at hand in a way that could be easily understood by a technical audience.

If you're interested in the interaction between CRA, PLD and F/OSS, I highly recommend listening to the recordings of the various FOSDEM CRA talks in 2023 (some of those statements may be outdated), 2024 and 2025. A really good starting point is https://archive.fosdem.org/2024/schedule/event/fosdem-202... . Please make sure to listen to the video and not just read the slides, the interesting content is what is being said.

IMHO the CRA is a really well-written law which goes to great lengths to shield hobbyist F/OSS developers from responsibilities and instead places those obligations on the companies earning money with code they didn't write. I think that's entirely fair. Oh, and the law also is pretty easy to read and understand, so each time someone tells you "CRA is bad for open source / consumers / whatever", you can challenge people to back up that claim with a quote from the law. So far, in personal discussions I have watched all of those fearmongering claims collapse.

@daroc maybe LWN.net can cover the FOSDEM CRA talks. They might be interesting and relevant for the LWN.net audience even if those talks are a few months old.

Whom to ask?

Posted Jun 6, 2025 17:33 UTC (Fri) by daroc (editor, #160859) [Link]

That's a good idea; I'll add it to our list of topics.

Whom to ask?

Posted Jun 6, 2025 20:47 UTC (Fri) by pbonzini (subscriber, #60935) [Link] (1 responses)

I think it's more likely to be members of the European Parliament than the Commission (which in national government terms would be the ministries/secretaries)? I remember seeing a MEP (and former engineer at Red Hat) present at FOSDEM about app stores.

Whom to ask?

Posted Jun 6, 2025 20:54 UTC (Fri) by johill (subscriber, #25196) [Link]

"Omar Ennaji is a Legal and Policy Officer in the Unit for the Digital Transformation of the Industry, European Commission."

"Mr Benjamin Bögel is Head of Sector for Product Security and Certification Policy at the European Commission."

Whom to ask?

Posted Jun 9, 2025 7:07 UTC (Mon) by iabervon (subscriber, #722) [Link] (8 responses)

What I heard was that the first draft of the CRA didn't really address the case of hobbyist F/OSS developers, and sounded bad, but the feedback led to explicit statements in the next draft that it didn't assign them any responsibilities. It's a little hard to tell whether it was always supposed to not apply to hobbyist developers and they just made this more explicit, or they hadn't considered it at all, or they had wanted to have it assign responsibilities to all developers until the got the feedback, but I remember the people who were initially worried about it being pleased by the changes that were made to the text before it was passed.

So another reason to ask for a quote from the law is that they may actually have a quote from what didn't end up becoming the law, and be glad to find out that their concerns were actually addressed since they last looked into it.

Whom to ask?

Posted Jun 9, 2025 8:07 UTC (Mon) by kleptog (subscriber, #1183) [Link] (3 responses)

People can also just read the law itself [1]. The article says it would put you to sleep but it's not that bad. Perhaps a bit verbose.

You should remember that it's largely written by non-lawyers. Only a third of MEPs have legal training. For most English is a second language. They're not going to be making complicated phrases which difficult meanings. There are a few terms of art like "putting on the market" but by and large it means what it says in plain English.

There's actually a running debate about whether it's a problem having laws written by non-lawyers. Some countries like NL require it to be written by people with specific training and it leads to compact and concise though tricky to read laws. I think the EU approach isn't too bad, especially since the specific tekst isn't important, as long the intent is clear.

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2847

Whom to ask?

Posted Jun 9, 2025 8:15 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

Sidenote: European bureaucracy is awesome. The laws are usually well-structured, easy to read, and pretty exhaustive.

If you want another great example, check these documents that outline the repairability scoring criteria: https://susproc.jrc.ec.europa.eu/product-bureau/product-g...

Whom to ask?

Posted Jun 9, 2025 21:59 UTC (Mon) by iabervon (subscriber, #722) [Link]

I think the issue is that people did look at the first draft [1] and don't realize that it's not what actually became law. It's less a question of understanding the text as of looking at the correct version.

[1] https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-34e9-11ed-9c68-01aa75ed71a1.0001.02/DOC_1&format=PDF

Whom to ask?

Posted Jun 10, 2025 8:40 UTC (Tue) by Wol (subscriber, #4433) [Link]

> You should remember that it's largely written by non-lawyers. Only a third of MEPs have legal training. For most English is a second language.

Bear in mind they also have a very good translation unit. Dunno about today, but you can thank my Granddad for its tradition of excellence. He was the head of the Directorate in the EC days, and the stories are legion about his ability as a linguist and his insistence on "getting it right". He retired months after Britain joined and it went from 9 to 12.

Cheers,
Wol

Whom to ask?

Posted Jun 11, 2025 15:35 UTC (Wed) by raven667 (subscriber, #5198) [Link] (1 responses)

In late with a small axe to grind ;-) tldr; just because someone is an expert in one thing, or in a position of authority/leadership doesn't mean they have super-human intelligence or omniscience, no one knows everything and everyone makes mistakes, so when questioning authority the _dumbest_ answer is most likely the correct one. Just put yourself in their shoes and think of the mistakes you'd make in their position.

> It's a little hard to tell whether it was always supposed to not apply to hobbyist developers and they just made this more explicit, or they hadn't considered it at all

These laws appear to be written in good faith, unlike a lot of US law written by some industry group for private advantage sneaking a fast one past the other legislators, and the people who write them _aren't_ _any_ _smarter_ than anyone else, they may have specific experience and training in the law but they are not omniscient gods. Kind of like the tendency to anthropomorphize LLMs, even well-meaning savvy people tend toward an underlying assumption that legislators and people at top of government know vastly more than they do and are making some sort of 9-dimentional chess moves that we can barely understand or interpret without the help of a priesthood of media pundits, when the fact is they probably just didn't think of it. In this case the draft law was put together with what they knew and had experience in and they relied on good-faith feedback to, loudly, tell them all the detail they missed, all the effects they forgot when drafting. Does anyone really thing that a human person could mentally keep track of all the effects and second-order consequences of even a 5-10 page law, it takes teams of people and the public reviewing it form their subject-matter-expert perspective to find the bad feedback loops and holes to shave off the worst of the potential negative consequences when changing societies rules.

Whom to ask?

Posted Jun 12, 2025 7:10 UTC (Thu) by Wol (subscriber, #4433) [Link]

> so when questioning authority the _dumbest_ answer is most likely the correct one. Just put yourself in their shoes and think of the mistakes you'd make in their position.

The cleverest person is usually the person who can recognise they are out of their depth, and asks for help. Which is why women tend to make good GPs (as someone who interacts with the medical fraternity far too much ...)

Cheers,
Wol

Whom to ask?

Posted Jun 11, 2025 17:06 UTC (Wed) by farnz (subscriber, #17727) [Link] (1 responses)

It's a little hard to tell whether it was always supposed to not apply to hobbyist developers

Even the very first draft I can find consistently refers to "placing on the market", which is a term of art that would have excluded hobbyist developers, since a hobbyist, by definition, does not place anything on the market (at most, they offer gifts to interested parties).

I'd therefore expect that it was never intended to apply to hobbyists, and the clarification we've seen is because "placing on the market" is a term of art that most of us aren't familiar with.

This isn't helped by the CRA trying to carefully balance allowing companies to contribute - or even run - open source projects without opening themselves up to liability, while not wanting companies to be able to escape liability for security flaws in products they sell by open sourcing some, or all, of the code (or, indeed, using ancient versions of open source stuff that's full of known flaws).

Whom to ask?

Posted Jun 12, 2025 15:33 UTC (Thu) by kleptog (subscriber, #1183) [Link]

In the very first draft just searching for "open-source" would have lead anyone to the recital:

> (10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. [...]

This is a fairly clear and straightforward statement. The intent was clear, though it was the only reference to open-source. Now, plenty of people pointed out that "commercial activity" could do with some clarification since we want open-source developers to eat too and not everything involving money is commercial. The draft attracted hundreds of amendments and unlike in some legal systems where there's a speaker who chooses which amendments get voted on, in the EP they vote on all of them. The result is many more recitals and clarifications which I think are real improvements. Possibly even overkill, but this is lawmaking by non-lawyers for you.

The "placed on the (single) market" is a term of art which is related directly to the authority the EU has to make regulations in the first place. I hope this whole process has given people a little better understanding as to what it means.