
why?

Posted Oct 1, 2025 21:56 UTC (Wed) by Wol (subscriber, #4433)
In reply to: why? by daroc
Parent article: F-Droid and Google's Developer Registration Decree

LOL

But I'm rather fed up with this continually repeated FUD that merely offering software - FOR FREE - will trigger a liability under the CRA.

The CRA is very clear on this - the liability lies firmly with the RECIPIENT to have a FORMAL relationship with their supplier. If that isn't in place, then it's the RECIPIENT's responsibility to fix any problems.

Yes there are anti-evasion provisions in place, but they are quite clearly aimed at people where the "vendor" is providing some stuff alongside a separate contract for something else. But that's primarily aimed at people who are clearly vendors, but who also provide some stuff for free. Google would be a classic example - they provide paid-for software, and free software, so those regs distinguish between "stuff provided for free to anyone" and "stuff used to access a paid-for service but thrown in with the service at no cost for the stuff itself".

Cheers,
Wol



why?

Posted Oct 1, 2025 23:52 UTC (Wed) by pizza (subscriber, #46) [Link] (3 responses)

> But I'm rather fed up with this continually repeated FUD that merely offering software - FOR FREE - will trigger a liability under the CRA.

In other words, the ONE COOL TRICK to avoid any sort of liabilities for the quality of your unabashedly-commercial software is to publish it for anyone to download for $0...

That seems quite suboptimal from a public policy perspective.

After all, why would anyone ever sell hardware with anything other than the bare minimum software (i.e. some sort of bootloader) to install a free[1] operating system from someone else?

[1] gratis, not libre. Because development costs (and potentially significant profits) are covered by hoovering up data about everything you do, mining cryptocurrency on your hardware, forced advertisements, etc etc.

why?

Posted Oct 2, 2025 7:18 UTC (Thu) by johill (subscriber, #25196) [Link] (2 responses)

Yes, in a way I guess you could? But ...

>> Yes there are anti-evasion provisions in place

and if you sell hardware that's useless without (specific) software, you trivially trigger these. So you either don't have a business model (sell hardware that's actually useless) or you have the CRA (sell hardware and software in combination.)

why?

Posted Oct 2, 2025 17:11 UTC (Thu) by pizza (subscriber, #46) [Link] (1 responses)

> if you sell hardware that's useless without (specific) software, you trivially trigger these [anti-evasion provisions]

I can buy an operating-system-less PC from numerous vendors large and small, with the full expectation that I will install an operating system of my choice onto it.

Who is responsible for my chosen OS working (or not) on that hardware combination? The hardware manufacturer(s), the OS vendor, some random person in Nebraska, or me?

Anti-evasion provisions in the CRA

Posted Oct 2, 2025 17:50 UTC (Thu) by farnz (subscriber, #17727) [Link]

In all cases, if you buy the hardware without software, you are responsible for your chosen OS working, unless the vendor you bought from explicitly represented to you that the hardware would work with your chosen OS - e.g. "yes, you can buy and install Windows 11 on here", or "we recommend Oracle Solaris for this hardware". That's long-established, and predates the CRA.

The new liability the CRA adds is that they are also responsible for you being supplied with updates to security issues at no extra cost for the lifetime of the product, as long as they've done something to become responsible for your chosen software working. They can't say "well, we can persuade RHEL 7.5 to work, as long as you don't upgrade to a later RHEL version, so we're done"; they need to ensure that you can get security updates at no extra cost until the expected end of life of the hardware.

In turn, expected end of life is not defined by the vendor; for a high-end PC, it could well be 10 years, and so a system they sell that's designed to support RHEL 7 might also have to support RHEL 8 because you can't get the security fixes for RHEL 7 after 2028.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds