|
|
Log in / Subscribe / Register

This is the opportunity to write a wish list

This is the opportunity to write a wish list

Posted Jan 8, 2026 18:06 UTC (Thu) by paulj (subscriber, #341)
In reply to: This is the opportunity to write a wish list by alx.manpages
Parent article: European Commission issues call for evidence on open source

The entity offering the best-effort support "make corp processes easy" thing (and whatever else) could be a separate entity from the project, couldn't it?

If there is no way to supply software on corporates on a commercial basis without becoming encumbered by the CRA (can you not have a contract that says "this is supplied on R&D terms, and CRA obligations wrt any product on the market are yours"?), I guess then dealing with those becomes part of the offering (with whatever costs you need to add).

to post comments

This is the opportunity to write a wish list

Posted Jan 8, 2026 23:58 UTC (Thu) by Wol (subscriber, #4433) [Link] (2 responses)

> can you not have a contract that says "this is supplied on R&D terms, and CRA obligations wrt any product on the market are yours"?

Of course you can! Everything is down to what the contract says! And if the contract says you work on an hourly R&D basis or whatever, and don't provide CRA guarantees, then the regulator will look at that and say to your customer "your supplier explicitly disclaims responsibility, it's down to you to sort it". If that means they have to throw money at you or get their own staff to do it, well if the contract says those are the terms then the regulator will enforce those terms!

Chances are your customer won't accept those terms, but that's down to them ...

Cheers,
Wol

This is the opportunity to write a wish list

Posted Jan 9, 2026 0:14 UTC (Fri) by alx.manpages (subscriber, #145117) [Link]

> Chances are your customer won't accept those terms, but that's down to them ...

That's the problem. I hope the EU --the customer here-- realizes that free software is essentially beekeeping. You need to make sure the bees are happy, giving them flowers and forest; in return, the bees will give you honey and even pollinate your vegetables. You can't sign a contract with them trying to regulate the amount of honey they must produce, or negotiate how many flowers you are willing to provide them. Of course, if the bees don't produce honey after some time, you may consider finding other bees; but as long as the bees do their job, one should just keep them.

Of course, the EU needs to make sure which projects it should protect, to not waste taxpayer money.

This is the opportunity to write a wish list

Posted Jan 9, 2026 14:26 UTC (Fri) by paulj (subscriber, #341) [Link]

> Of course you can! Everything is down to what the contract says! And if the contract says you work on an hourly R&D basis or whatever, and don't provide CRA guarantees, then the regulator will look at that and say to your customer

Ok, then if that's the case, and the CRA obligations can be kept devolved to your commercial customer by contractual agreement, then... that's a pretty simple option for a developer/maintainer who wants to provide a procurement-process-friendly "it's a purchase, not a donation, see" best-effort support option that doesn't entangle said dev in CRA obligations.

Perfect.

(Course, handling CRA obligations for customers may be a good way to get more customers).

This is the opportunity to write a wish list

Posted Jan 9, 2026 0:42 UTC (Fri) by raven667 (subscriber, #5198) [Link] (4 responses)

I think in some cases the CRA could provide the motivation for an ambitious developer to start a small company around their software and accept contracts with downstream companies which use their code in commercial products, accepting the liability with proper insurance as well, if the downstream companies are willing to pay. Maybe a number of developers could come together and share overhead costs. The liability of the CRA might make companies selling products chock full of FOSS more likely to open up their wallets and negotiate with _all_ the developers which make their products work, since they are going to have to put more resources into maintenance in any case.

This is the opportunity to write a wish list

Posted Jan 9, 2026 11:03 UTC (Fri) by paulj (subscriber, #341) [Link] (3 responses)

To the extent the CRA obligations are basically turning the job that good Free Software maintainers do into something that is legally required by commercial operators, it may well be a very good thing for said maintainers. Previously, commercial operators attached little to /no/ value to Free Software maintenance, and it was a thankless task and difficult to get funding for. If the CRA attaches a value to it, then that may change that situation for the better.

This is the opportunity to write a wish list

Posted Jan 9, 2026 11:21 UTC (Fri) by alx.manpages (subscriber, #145117) [Link] (2 responses)

The thing is, programmers have fun programming. They might not have so much fun doing bureaucracy. In some cases, they might, and that's fine for those. But maintainers shouldn't be discriminated because of that.

Maintainers should be funded by what they do already, which is valuable and should be paid.

If some maintainers are happy to take more work for some extra money, that's great, and more money could be paid to those. Some maintainers may also be interested in consulting about their projects for extra money.

But programmers that just want to maintain their projects should still be funded, as long as their projects are depended upon, as they're doing valuable work.

Also, consider that the bureaucracy might take time from other maintenance tasks, so you may want to have more people. Some dedicated to programming, and others that will help with the bureaucracy and other tasks.

Consider for example kernel maintainers. They usually work for companies, to implement features, which uses time that they could otherwise use to improve robustness and safety of the source code.

This is the opportunity to write a wish list

Posted Jan 9, 2026 15:21 UTC (Fri) by raven667 (subscriber, #5198) [Link] (1 responses)

As i understand it donations don't trigger obligations from the CRA, only commercial sales and contracts, so a hobbiest volunteer who isn't maintaining a software project in a commercial professional capacity should be clear of liability to whoever finds it on the internet and decides to integrate it into a commercial product. That's why I tried to be clear that this may be an opportunity for those developers who _want_ to commercialize their software maintenance activity, by prodding their downstream commercial integrator to put more value on it and maybe be willing to pay to exchange the liability. European insurance providers should research what a cyber-insurance policy should look like for a small FOSS maintainer who makes this kind of business arrangement, what's the risk and what's the liability, because an actuary can probably put some solid numbers around that, so a FOSS maintainer knows what they need to charge to continue maintenance and make their downstream whole if they make a mistake. The real-world cost of a CVE in some library is not generally infinite.

This is the opportunity to write a wish list

Posted Jan 9, 2026 16:17 UTC (Fri) by paulj (subscriber, #341) [Link]

To be honest, many (most?) Free Software projects would be at little risk from the CRA, even if they fell under its obligations. Given those obligations appear generally to be "Follow good development practices" which many Free Software projects do anyway. The most onerous obligations would be the requirements to provide security reports and updates for X years (is it 10?!!!).

There's been much discussion about the CRA here on LWN, but I'm still unclear as to exactly what the worst-case/hardest to meet obligations are, for any project that happened to be swept up in it somehow.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds