
This is the opportunity to write a wish list

Posted Jan 9, 2026 11:03 UTC (Fri) by paulj (subscriber, #341)
In reply to: This is the opportunity to write a wish list by raven667
Parent article: European Commission issues call for evidence on open source

To the extent the CRA obligations are basically turning the job that good Free Software maintainers do into something that is legally required by commercial operators, it may well be a very good thing for said maintainers. Previously, commercial operators attached little to /no/ value to Free Software maintenance, and it was a thankless task and difficult to get funding for. If the CRA attaches a value to it, then that may change that situation for the better.



This is the opportunity to write a wish list

Posted Jan 9, 2026 11:21 UTC (Fri) by alx.manpages (subscriber, #145117)

The thing is, programmers have fun programming. They might not have so much fun doing bureaucracy. In some cases, they might, and that's fine for those. But maintainers shouldn't be discriminated against because of that.

Maintainers should be funded by what they do already, which is valuable and should be paid.

If some maintainers are happy to take more work for some extra money, that's great, and more money could be paid to those. Some maintainers may also be interested in consulting about their projects for extra money.

But programmers that just want to maintain their projects should still be funded, as long as their projects are depended upon, as they're doing valuable work.

Also, consider that the bureaucracy might take time from other maintenance tasks, so you may want to have more people. Some dedicated to programming, and others that will help with the bureaucracy and other tasks.

Consider for example kernel maintainers. They usually work for companies, to implement features, which uses time that they could otherwise use to improve robustness and safety of the source code.

This is the opportunity to write a wish list

Posted Jan 9, 2026 15:21 UTC (Fri) by raven667 (subscriber, #5198)

As I understand it, donations don't trigger obligations from the CRA, only commercial sales and contracts, so a hobbyist volunteer who isn't maintaining a software project in a commercial professional capacity should be clear of liability to whoever finds it on the internet and decides to integrate it into a commercial product. That's why I tried to be clear that this may be an opportunity for those developers who _want_ to commercialize their software maintenance activity, by prodding their downstream commercial integrator to put more value on it and maybe be willing to pay to exchange the liability. European insurance providers should research what a cyber-insurance policy should look like for a small FOSS maintainer who makes this kind of business arrangement, what's the risk and what's the liability, because an actuary can probably put some solid numbers around that, so a FOSS maintainer knows what they need to charge to continue maintenance and make their downstream whole if they make a mistake. The real-world cost of a CVE in some library is not generally infinite.

This is the opportunity to write a wish list

Posted Jan 9, 2026 16:17 UTC (Fri) by paulj (subscriber, #341)

To be honest, many (most?) Free Software projects would be at little risk from the CRA, even if they fell under its obligations, given those obligations appear generally to be "Follow good development practices", which many Free Software projects do anyway. The most onerous obligations would be the requirements to provide security reports and updates for X years (is it 10?!!!).

There's been much discussion about the CRA here on LWN, but I'm still unclear as to exactly what the worst-case/hardest to meet obligations are, for any project that happened to be swept up in it somehow.

