The Python Software Foundation on European cybersecurity
Under the current language, the PSF could potentially be financially liable for any product that includes Python code, while never having received any monetary gain from any of these products. The risk of huge potential costs would make it impossible in practice for us to continue to provide Python and PyPI to the European public.
The Internet Systems Consortium has also recently put out a statement on the proposal.
Posted Apr 21, 2023 21:17 UTC (Fri)
by pbonzini (subscriber, #60935)
[Link] (51 responses)
Second, "a natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements shall be considered a manufacturer for the purposes of this Regulation" should refer to downstream modifications. Making modifications upstream of products (which is what happens in Python or Debian) is not a modification of the product, it is a modification of something else.
Finally, the other quoted sentence, "providing a software platform through which the manufacturer monetises other services", is not complete and thus hard to interpret. Still, the interpretation of the PSF only seems to work if the PSF is considered a manufacturer, which it should not be since it's not operating for-profit.
In fact, the European Parliament Research Service's briefing on the CRA (https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/7...) says that they consider open source software to be "less exposed to cybersecurity risks. This is because when many programmers are involved in the
While this is only a footnote, it is clear that the intention of the EU is not (as the PSF says) to make "hobbyists, individuals and other under-resourced entities who host packages on free public repositories like PyPI" liable, even if they authored software that is used in what the CRA defines as a "critical product" such as a router or a password manager. In fact the spirit of the law is the opposite, i.e. to make sure *manufacturers* do their due diligence, both when they source external packages and to ensure that their products remain secure.
Posted Apr 21, 2023 22:15 UTC (Fri)
by pizza (subscriber, #46)
[Link] (11 responses)
> The text of CRA appears to deviate from the Blue Guide creating significant uncertainty about scope of application.
> Although we set out our observations above using the multiple factors provided by the Blue Book explaining why we believe our organisations and similarly situated entities should not be treated as supplying software as part of a "commercial activity" in a "business related context," the text of the proposed laws under discussion seems to drag us away from that analysis.
When pretty much every established F/OSS foundation/organization that operates in Europe thinks there's a problem with the text _as it is currently written_ then it seems prudent to listen to them, instead of reassurances from random folks posting on various internet forums.
(Especially as history has shown us repeatedly which way the cudgel falls.)
Posted Apr 21, 2023 22:31 UTC (Fri)
by pbonzini (subscriber, #60935)
[Link] (10 responses)
In the case of the PSF, their second point is similar but explained worse, while the first point mangles the meaning of the letter of the law.
Posted Apr 21, 2023 23:57 UTC (Fri)
by pizza (subscriber, #46)
[Link] (9 responses)
Posted Apr 22, 2023 13:58 UTC (Sat)
by kleptog (subscriber, #1183)
[Link] (8 responses)
In any case, for those following along, this is the current timetable:
Consideration of draft opinion 24-25 April 2023
So in a few days we should see the list of proposed amendments, then we'll have something new to talk about.
Maybe they were trying to get their response in before the deadline?
Posted Apr 23, 2023 8:00 UTC (Sun)
by coriordan (guest, #7544)
[Link] (7 responses)
This week is absolutely crucial. We need good amendments to be tabled. Otherwise, there's nothing good for the MEPs to vote for. It would still be possible to get existing amendments changed during negotiation of the compromise amendments, and technically there can be amendments tabled at the plenary stage, but that's way more difficult. And it's particularly difficult in the final year of the legislature because there's a rush to finish everything before next year's elections. Some people think the CRA is no problem because it's for "manufacturers" and because "non-commercial" free software gets an exemption, but "manufacturers" is a legal term that can include software developers and distributing something at zero-cost can be "commercial" (it's in the Blue Guide). Also, free software businesses are essential, so we need to think about keeping them safe from (what could be) an absurdly massive amount of compliance work, or even a medium or small amount of compliance work which could tip things in favour of "nah, contributing would be too much hassle". (Minor note: The meeting agenda for the 24-25 ITRE debate gives "27" April as the amendment tabling deadline. But I also heard 26 in the EP, so it could be 26.)
Posted Apr 24, 2023 14:23 UTC (Mon)
by kleptog (subscriber, #1183)
[Link] (6 responses)
The suggestion that business can give away their source code as an alternative to managing it all themselves (amendment 20). Amendments 107/108 alter the "shall not be sold with vulnerabilities" that I've seen worries about. Amendment 55 clearly pushes responsibility of open-source components onto the integrators. Amendment 78 obliges the Commission to clarify what the impacts are on various types of businesses.
Unfortunately, no references to definition of open-source itself. Not surprising though, since no open-source organisations submitted any feedback. (The list of organisations that responded to the committees is listed at the end of the documents). Hopefully some of the parties have submitted relevant amendments (they should be published next week).
[1] https://www.europarl.europa.eu/doceo/document/ITRE-PR-745...
Posted Apr 24, 2023 15:04 UTC (Mon)
by Wol (subscriber, #4433)
[Link]
> Unfortunately, no references to definition of open-source itself. Not surprising though, since no open-source organisations submitted any feedback. (The list of organisations that responded to the committees is listed at the end of the documents). Hopefully some of the parties have submitted relevant amendments (they should be published next week).
Not read the amendments, but if it's the open source integrators' responsibility, then the manufacturer cannot implement "technical protection measures". As an absolute minimum, open source should guarantee that both the customer, and the *business* with legal liability, should have access and freedom to all the tools required to keep the software up-to-date.
That's forcing an open-source toolchain onto the manufacturer, if they want to offload responsibility - you don't want them to say "you're free to update your own software, but you need to spend Euros XK on a custom toolchain ..."
Cheers,
Posted Apr 25, 2023 5:11 UTC (Tue)
by coriordan (guest, #7544)
[Link] (4 responses)
We're there (as "Open Forum Europe"), along with FSFE and Wikimedia.
I've been in contact with 70+ policy makers in the EP and Council and I hosted a workshop yesterday with 12 policy makers and 6 representatives from free software organisations (foundations and companies).
We're working on it.
Recital 10 kinda defines free software: "free and open-source software (...) This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable." (It's not exactly a definition, but all the elements are there.)
Important to remember that the ITRE document is the rapporteur's amendments. This week is the deadline for the other committee members to submit amendments, and then there's discussions and a vote to decide what the final ITRE amendments will be.
Posted Apr 25, 2023 9:04 UTC (Tue)
by kleptog (subscriber, #1183)
[Link] (3 responses)
Posted Apr 25, 2023 9:29 UTC (Tue)
by coriordan (guest, #7544)
[Link] (2 responses)
Posted Apr 25, 2023 12:50 UTC (Tue)
by zdzichu (subscriber, #17118)
[Link]
Posted Apr 26, 2023 7:37 UTC (Wed)
by kleptog (subscriber, #1183)
[Link]
I mean, I could send pizza money but I'm hoping that's not where the difficulties lie.
Posted Apr 22, 2023 2:42 UTC (Sat)
by Vipketsh (guest, #134480)
[Link] (29 responses)
Point 2 usually means that EU regulations amount to "as long as the two parties agree". Which sounds great, full of freedom and all sorts of warm fuzzies, but when there is a huge disparity between the parties (e.g. individual vs. multi-billion conglomerate) every agreement turns into "the smaller entity does what the large one says". Not great for individuals at all.
Point 3, the more important one, pretty much means small entities will have little motivation to set up a business because there is such a huge risk in doing so. And then the EU wonders why it has an ever decreasing share of global trade and why pretty much no-one takes it seriously anymore.
Two examples of what I mean with the three points above:
Take this "great" regulation that online stores (even outside of the EU) need to pay VAT directly. This makes sense because it doesn't give businesses abroad the unfair advantage of skipping VAT payments. This could also be wonderful for the individual because of less bureaucracy when receiving a package. However, in great EU wisdom, customs duties are not covered. The end result is that smaller sellers (mostly individuals) simply refuse to sell stuff to the EU because they don't want to take part in EU bureaucracy (who can blame them?) and you, the individual, can keep filing paperwork and paying customs agents just like you always did. It doesn't help that when the seller doesn't do the paperwork correctly (or at all) I am told that I can not correct it, only the seller. Leaving two options open: either pay the VAT twice (technically against the law) or give up on the item. Wonderful.
Posted Apr 22, 2023 3:18 UTC (Sat)
by NYKevin (subscriber, #129325)
[Link] (8 responses)
Those are two different laws that work in two different ways, but I will focus on GDPR because it is the more comprehensive and important of the two. GDPR *expressly forbids* what you describe. Consent can be a valid basis for data processing under GDPR, but it must be "voluntary" within the meaning of the law - a rather narrow exception that's frankly quite hard to fit into. You can't say to the user "click agree or else you can't use our service" and call that "consent."[1] You would instead have to investigate one of the other valid bases for data processing, and every single one of them has strings attached.[2] There is, quite intentionally, no straightforward way to force a user to provide arbitrary PII in exchange for some arbitrary service - that is simply not a transaction you can enter into in the EU. Anyone who claims they can do this is either lying or unknowingly violating the law.
[1]: https://gdpr-info.eu/art-7-gdpr/
Posted Apr 22, 2023 9:47 UTC (Sat)
by Wol (subscriber, #4433)
[Link]
Compare that to American arbitration. Can't speak for Europe, but in the UK arbitration is never binding on the individual. Companies don't get to write their own law. And the UK definition forbids a conflict of interest for the arbitrator. Companies don't get to appoint their own judges to interpret their own laws.
Cheers,
Posted Apr 24, 2023 3:37 UTC (Mon)
by Vipketsh (guest, #134480)
[Link] (4 responses)
Let me tell you a little story. Whenever we have government elections, candidates need to show some minimal support to be put onto the ballot, which comes in the form of collecting people's signatures -- personal data that falls under GDPR (or so they claim). So, they make everyone who signs the support thing also sign some GDPR thing, allowing them to handle your data. It's all voluntary of course. What then happened is that half the country started receiving some weird SMSs relating to the election they definitely didn't want. Turns out:
This is what I meant by "practically" and "coax": no-one forced any of these people to sign anything -- it was all voluntary and no pressure was applied, yet I'm sure you can understand that it is not a very life-like scene that in an underpass hundreds of people are standing around the booth of some political party meticulously going through dozens of pages of dense legalese. Also realise how the enterprise was setup to make it as difficult and expensive as possible to try to get any sense of justice.
This is why I say that any law which allows "voluntary consent" to nullify parts or all of it (pretty much all EU things) just means that those parts are, in practice, nullified by default.
Posted Apr 24, 2023 9:57 UTC (Mon)
by edeloget (subscriber, #88392)
[Link] (2 responses)
That should not be the case. All the various uses of your PII should be stated in clear and understandable language.
> 2, The "data controller" turned out to be some foreign entity on the other side of the EU
This is not relevant. The data controller must follow the rules, wherever it is, as long as it is handling PII from European citizens.
> 3, To do anything, in a legal sense, you would need lawyers and courts in that small foreign country
This is not true. You have to signal the problem to your local authorities (in France, this is the CNIL; in Germany, the BfDI; all European countries have a similar authority). They will act on your behalf. The GDPR never expected individuals to start legal challenges against large companies.
Posted Apr 24, 2023 11:14 UTC (Mon)
by Vipketsh (guest, #134480)
[Link] (1 responses)
> That should not be the case. All the various uses of your PII should be stated in clear and understandable language.
We are talking politics here and in politics there is always lots of money and legal expertise on how to screw your opponent over any sliver of wrongdoing. Yet despite the high-profile scandal, *nothing happened* and because of the political angle I can only presume because there was no case. Tell me all the legal theory you want but the fact remains that a quarter to half a country's worth of people had their data used in a way they did not want and the GDPR did nothing to prevent it. This is a failure however I try to look at it.
>> 2, The "data controller" turned out to be some foreign entity on the other side of the EU
> This is not relevant. The data controller must follow the rules, wherever it is, as long as it is handling PII from European citizens.
In theory maybe not, in practice it very much is. If you believe they are doing something wrong, your first point of contact to even try to figure out what it is, is the entity itself. You may complain to your local authorities but they won't do anything without any evidence (they definitely don't have the capacity to investigate everyone's feelings) -- and the one place to even try to get it is that entity you can't communicate with.
Posted Apr 24, 2023 14:47 UTC (Mon)
by edeloget (subscriber, #88392)
[Link]
I think you lack some important knowledge about how the GDPR works and how it's enforced by local authorities. The procedure is only two steps:
1/ send a letter stating the issue at hand to the data controller; most national authorities will provide you templates and/or tools to adapt the template to your needs.
2/ if you do not receive any answer after the legal delay (1 month IIRC) you can mandate your local national authority to handle the issue. Of course, it won't be as fast as you want it to be. The point is: if it's difficult or near impossible to discuss with the data controller, they are the ones who are at risk.
Of course, you can have your own grudge against the GDPR. But maybe you can test the procedure before telling the world that it does not work. See https://www.enforcementtracker.com/ for further references.
Posted Apr 24, 2023 13:47 UTC (Mon)
by kleptog (subscriber, #1183)
[Link]
With bigger companies like telcos, energy providers, ISPs, etc their terms of service are generally lodged with the chamber of commerce and consumer organisations are all over them making sure there's nothing crazy in there.
In your story, if all they were doing was collecting signatures to be able to demonstrate support, then they wouldn't need to ask permission under GDPR, because you only need to ask permission for processing that is not required for the service being provided. So the fact they're asking permission is a big red flag saying they're going to do dodgy stuff with your info.
So really, we need to teach people that if someone on the street is trying to get you to read pages of legalese, WALK AWAY! If you're at the checkout of a supermarket and suddenly they pop-up a form agreeing for them to use your payment info, that's a big fat red flag.
With respect to enforcement, I think the EU Small Claims procedure[1] would be appropriate here. It's a purely written procedure, though it might get a bit cumbersome if translations are required.
[1] https://europa.eu/youreurope/business/dealing-with-custom...
Posted May 2, 2023 18:50 UTC (Tue)
by immibis (subscriber, #105511)
[Link]
It would be neat if, like, every website with only an "I agree" button and no "I disagree" could get a $1000 fine (commercial sites) or $50 (personal sites) with just a few minutes of paperwork, let's say, upon report and maximum once a week. I suspect that would fall afoul of some rules against summary punishment. Now, no Apple or Netflix is going to care about a $1000 fine, but those ones can be fed through the big lumbering bureaucracy... meanwhile, say, Stack Exchange's CEO having to personally respond to a court order every week would be a significant motivation to fix the problem. (just an example - Stack Exchange recently fixed this problem)
Posted May 10, 2023 23:05 UTC (Wed)
by callegar (guest, #16148)
[Link]
Apparently, at least to some extent, cookiewalls are legal and you can say "click agree or else you can't use our service unless you buy a long term subscription to it", because as long as you are offering an alternative, that is consent (even if the alternative is not really equivalent. Maybe you want to use the service just once and not in continuity for a long time as the cost of a subscription assumes). Many online newspapers in Europe use this business model, see https://www.repubblica.it/tecnologia/blog/cyber-law/2022/... (in Italian, Google translate works well enough with it) and https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/... (in French). Key document appears to be the Conseil d’État decision taken on June 2020 https://www.cnil.fr/fr/cookies-et-autres-traceurs-le-cons...
Posted Apr 22, 2023 10:37 UTC (Sat)
by tialaramex (subscriber, #21167)
[Link] (15 responses)
It's like when you break apart a C program and find all the linked lists. Is this a sophisticated concurrent data structure which has been optimised to hell? Nope, it's just the first growable data structure this C programmer learned so they've used it everywhere. The answer to far more questions than you expect is "I don't know, I just copied what everybody else was doing".
Posted Apr 22, 2023 19:28 UTC (Sat)
by Wol (subscriber, #4433)
[Link] (8 responses)
Which is why nearly all my C programs simply malloc'd an array ... :-)
Cheers,
Posted Apr 23, 2023 4:49 UTC (Sun)
by adobriyan (subscriber, #30858)
[Link] (7 responses)
Posted Apr 23, 2023 8:52 UTC (Sun)
by Wol (subscriber, #4433)
[Link] (5 responses)
It may sound weird to you, but I have yet to come across a problem where I need a linked list.
What on earth is "stbds_arrput()"? A google search threw up precisely NO hits, although there were several libraries mentioned that probably contained it. No documentation whatsoever. And the libraries looked like a key-hash library, with which I am VERY familiar - I could write one pretty easy I suspect.
Maybe the problem domain I was working in was different to you, but the only problem I had with C arrays is you can't malloc a 2-dimensional one. Why do I want something super-complicated, to solve a simple problem? I don't subscribe to the "ooh! Shiny!" philosophy that seems to pervade so much tech :-(
Cheers,
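As an added illustration of the growable-array approach the posts above prefer over linked lists (example code written for this page, not code from any poster or from the stb_ds library), here is a minimal length-tracked malloc'd array. The security-relevant detail is the capacity computation: a realloc size that wraps around is the classic way such a helper turns into a heap overflow, so the growth path refuses requests it cannot represent instead of silently allocating too little. The `int_vec` type and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Growable array of ints: a contiguous, length-tracked malloc'd buffer.
 * Illustrative code for this discussion, not from any library. */
typedef struct {
    int *data;
    size_t len;
    size_t cap;
} int_vec;

/* Ensure room for at least `need` elements. Returns 0 on success, -1 on
 * overflow or allocation failure; the vector is untouched on failure.
 * Both the element count and the byte count are checked before realloc so
 * that a huge `need` cannot wrap to a small allocation. */
static int int_vec_reserve(int_vec *v, size_t need)
{
    if (need <= v->cap)
        return 0;
    size_t new_cap = v->cap ? v->cap : 8;
    while (new_cap < need) {
        if (new_cap > SIZE_MAX / 2)
            return -1;              /* doubling would wrap */
        new_cap *= 2;
    }
    if (new_cap > SIZE_MAX / sizeof(int))
        return -1;                  /* byte count would wrap */
    int *p = realloc(v->data, new_cap * sizeof(int));
    if (!p)
        return -1;
    v->data = p;
    v->cap = new_cap;
    return 0;
}

/* Append one element; 0 on success, -1 on failure (vector unchanged). */
static int int_vec_push(int_vec *v, int x)
{
    if (v->len == SIZE_MAX || int_vec_reserve(v, v->len + 1) != 0)
        return -1;
    v->data[v->len++] = x;
    return 0;
}

static void int_vec_free(int_vec *v)
{
    free(v->data);
    v->data = NULL;
    v->len = v->cap = 0;
}

/* Push the squares 1..n and sum the contiguous buffer; exercises the
 * growth path several times for n > 8. Returns -1 if a push fails. */
static long long sum_of_squares(size_t n)
{
    int_vec v = {0};
    long long total = 0;
    for (size_t i = 1; i <= n; i++) {
        if (int_vec_push(&v, (int)(i * i)) != 0) {
            int_vec_free(&v);
            return -1;
        }
    }
    for (size_t i = 0; i < v.len; i++)
        total += v.data[i];
    int_vec_free(&v);
    return total;
}

/* A reservation whose byte count cannot be represented must be refused
 * and must leave the (empty) vector exactly as it was. Returns 1 if so. */
static int reserve_overflow_is_rejected(void)
{
    int_vec v = {0};
    int rc = int_vec_reserve(&v, SIZE_MAX / sizeof(int) + 1);
    int ok = (rc == -1 && v.data == NULL && v.cap == 0 && v.len == 0);
    int_vec_free(&v);
    return ok;
}
```

The two checks in `int_vec_reserve` are the whole point: without them, `new_cap * sizeof(int)` can wrap to a small number, `realloc` succeeds, and the next `int_vec_push` writes past the end of the buffer.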
Posted Apr 23, 2023 9:14 UTC (Sun)
by adobriyan (subscriber, #30858)
[Link] (4 responses)
> but I have yet to come across a problem where I need a linked list.
They are somewhat cool, Linux is full of linked lists:
Observable C programmer quickly learns that allocating memory and dealing with errors is painful and unergonomic,
Until... he learns that the fastest way to process data is to put it in memory contiguously.
Posted Apr 23, 2023 9:15 UTC (Sun)
by adobriyan (subscriber, #30858)
[Link] (1 responses)
ehh, in the sense that linked lists are less prone to allocation failures on fragmented systems.
Posted Apr 24, 2023 9:40 UTC (Mon)
by geert (subscriber, #98403)
[Link]
Posted Apr 23, 2023 12:54 UTC (Sun)
by Wol (subscriber, #4433)
[Link] (1 responses)
Observable C programmer quickly learns that - PROVIDED you are careful about object lifetimes! alloca is the way to go. :-)
Cheers,
Posted Apr 23, 2023 15:24 UTC (Sun)
by adobriyan (subscriber, #30858)
[Link]
They took it from us, VLAs too.
Posted May 2, 2023 18:51 UTC (Tue)
by immibis (subscriber, #105511)
[Link]
Posted Apr 24, 2023 3:55 UTC (Mon)
by Vipketsh (guest, #134480)
[Link] (5 responses)
I'm not so sure. My impression is more that they are doing things in a way that abides by the letter of the law but still applies as much psychology as possible to increase the chances of you just hitting the "Agree to all" button, which is what the operator would generally like, instead of unchecking any of the unnecessary stuff. Just a few observations:
1, When you first visit, they pop up some box where you must agree to *something* before being able to use the site. There is seldom a button saying "I don't allow anything" (I have mostly seen such an option only on government run sites, but there are some others).
This is why any legislation that allows "voluntary consent" simply changes the game, as it were, such that the bigger party tries as hard as they can to make you "voluntarily consent". Usually it is successful.
Posted Apr 24, 2023 5:45 UTC (Mon)
by mathstuf (subscriber, #69389)
[Link] (2 responses)
You didn't agree to the cookie that stores your preferences to not store data. It's probably toggle number 23 (today; it probably moves around).
Posted Apr 25, 2023 16:42 UTC (Tue)
by NYKevin (subscriber, #129325)
[Link]
Posted May 2, 2023 18:52 UTC (Tue)
by immibis (subscriber, #105511)
[Link]
Posted Apr 24, 2023 15:12 UTC (Mon)
by Wol (subscriber, #4433)
[Link]
> I'm not so sure. My impression is more that they are doing things in a way that abides by the letter of the law but still applies as much psychology as possible to increase the chances of you just hitting the "Agree to all" button, which is what the operator would generally like, instead of unchecking any of the unnecessary stuff. Just a few observations:
Which is a pretty blatant breach of "informed consent". If the website is deceptive, which shouldn't be too hard to prove, then legal consent was not obtained. I've never come across websites like that. (Not nowadays. A lot of the shareware sites were like that, demanding to install PUPs, I still see the odd site which looks - shall we say - "wrong".)
The other thing is, UK legislation in particular often mandates what information is "most prominent". You're allowed to make other stuff equally prominent, but hiding the "minimal consent" button will probably fall foul of that sort of legislation ...
Cheers,
Posted Apr 27, 2023 8:46 UTC (Thu)
by anton (subscriber, #25547)
[Link]
* At least I think so. Even after several years with "material design", which replaced checkboxes (a staple in GUI design since its introduction in the 1980s) with something that takes more space and is much less intuitive, I am not sure whether a switch is on or off in material design.
Posted May 2, 2023 18:45 UTC (Tue)
by immibis (subscriber, #105511)
[Link] (3 responses)
I understand that the EU - de facto if not de jure - has separate bodies to represent the corporations and the people, and the corporate part seems to come up with most of the proposals which are quickly shot down by the actually democratic part.
Seems like a stupid system, but if this is really how the system works, then it's not the end of the world every time the corporate-money-making-ideas-machine spits out a really stupid idea. It's only the end of the world if the democracy-machine does not shoot down the stupid idea.
A similar effect can be observed with the fines (point 3). Sometimes the maximum possible fine is set very high to give significant room for the judge's discretion. Yet everyone expects the maximum possible fine to be given in all cases, possibly because previous laws had a maximum that was too low. I observe that the high maximum fine really makes a difference because corporations cannot just say: "we have enough money, we can absorb the maximum fine so let's keep doing the illegal thing forever." No, they have to negotiate, and possibly get the fine lowered if they stop doing the illegal thing, and lowered even more if they compensate previous victims.
Posted May 2, 2023 23:03 UTC (Tue)
by Wol (subscriber, #4433)
[Link]
Problem is, the American democracy-machine seems to have pretty crap aim under these circumstances.
> A similar effect can be observed with the fines (point 3). Sometimes the maximum possible fine is set very high to give significant room for the judge's discretion.
EU maximum fines aren't that high. For a first offence! Thing is, if it's not a first offence, the maximum fine has a habit of doubling every time ... that makes repeat offenders rare ...
Cheers,
Posted May 3, 2023 9:17 UTC (Wed)
by paulj (subscriber, #341)
[Link] (1 responses)
I guess you mean the Commission with the "corporate part" and the EP with the "democratic part". It's not de facto, it's de jure - the EU is constituted such that the Commission is the body that introduces proposals. The EP has no power to initiate legislation - though it can formally request the Commission to do so. There is talk of giving the EP the right to initiate.
Commission: The political executive of the EU's civil service; the formal point of introduction for new legislation - but this is in a facilitating role.
Posted May 4, 2023 12:48 UTC (Thu)
by kleptog (subscriber, #1183)
[Link]
Hence right from the beginning the process was that the Commission, which represents each member state equally, initiates the proposal on behalf of all the members of the Commission. It ensures a minimum level of support across the Union before committing significant resources.
Additionally, EU legislative instruments are severely limited in scope, bound by treaty. Someone has to decide whether something is a regulation or a directive. If you let MEPs submit something, does the Commission get to reject it on the basis of it being outside of the scope of the treaties? How do you handle the question of subsidiarity? Does this open up the possibility of an MEP taking the Commission to the ECJ because they disagree whether something should be a regulation or a directive? Is this something we want?
Finally, EU legislation is hard work, requiring lots of translations, explanatory memoranda, etc. The MEPs don't have the time to write all that, but the Commission has a civil service whose job it is to do these things. So the current process where the EP asks the Commission to make a proposal on the topic, and the Commission directing the EU Civil Service to work with the relevant MEPs to create a proposal seems like a more efficient use of everyone's time. (There's a reason the MEPs are mostly in Brussels rather than Strasbourg).
I know there's a lot of people saying the EP must be able to submit legislative instruments directly otherwise it's not democratic (enough). My position is that it's not that simple and we need to think carefully before twiddling that knob. Sure, we could require proposals to come from EP committees, give the EP a shadow civil service branch and assign a branch of the ECJ to judging whether EP initiated proposals are within the bounds of the treaties, but you need to seriously think about whether this would actually improve the resulting legislation (and inter-institutional relations).
Posted Apr 22, 2023 3:03 UTC (Sat)
by dvrabel (subscriber, #9500)
[Link] (7 responses)
As an analogue, the Raspberry Pi Foundation is a UK charity, and it can't avoid compliance with various EU regulations (e.g., RoHS and EMC compatibility) for their Raspberry Pi hardware.
Posted Apr 22, 2023 11:30 UTC (Sat)
by pizza (subscriber, #46)
[Link] (6 responses)
So putting on conferences (thus having some transactional revenue sources) isn't "commercial activity"?
> The ISC looks commercial to me through its sale of support services (despite ISC Inc being a non-profit company), and thus their software would be covered.
By this logic, I, by virtue of having sold a couple hours of support services to an European client, am now (and possibly forever?) liable for any [mis-]use of my F/OSS in Europe.
Posted Apr 22, 2023 13:46 UTC (Sat)
by kleptog (subscriber, #1183)
[Link] (5 responses)
Commercial activity is scoped. Just because their conferences might be considered commercial, doesn't mean everything else they do is commercial.
> By this logic, I, by virtue of having sold a couple hours of support services to an European client, am now (and possibly forever?) liable for any [mis-]use of my F/OSS in Europe.
That is a clearly absurd conclusion. And not the intention either.
Posted Apr 22, 2023 14:51 UTC (Sat)
by pizza (subscriber, #46)
[Link] (4 responses)
I agree that it's _probably_ not the intention, but it's hardly an absurd conclusion to take based on the current/public text.
I learned a long time ago that one needs to write code assuming the worst possible (if not outright hostile/adversarial) interpretation of a spec if you want your code to not fall over when exposed to real world users. Experience has shown the same attitude needs to be taken with respect to proposed laws (be it at a neighborhood level, national, or anywhere in between), as even if the current group of political/judicial folks are "fair-minded and reasonable" [1], doesn't mean their successors will be.
[1] And that is by no means something that can be generally assumed.
Posted Apr 22, 2023 19:32 UTC (Sat)
by Wol (subscriber, #4433)
[Link] (3 responses)
A previous post about the CRA referred to this, and while there can be some argument about the detail, it's clear that a lot of things people are worried about are clearly EXcluded from the definition.
Cheers,
Posted Apr 23, 2023 14:12 UTC (Sun)
by pizza (subscriber, #46)
[Link] (2 responses)
EXcluded from one definition, but INcluded in other places, sometimes explicitly, sometimes implicitly. It's the latter (perhaps unintentional) stuff that has everyone worried, and nobody wants to become the legal guinea pig to find out how the courts will ultimately rule on each member state's legislative interpretation of the CRA. (Again, it's not the _well intentioned_ folks I'm worried about, it's the "crap, we're facing down a metric f-ton of liability, how can we try to get out of this? I know, let's try to foist this onto our 'suppliers' by claiming they're responsible" folks. Or just plain malicious parties.)
For example, the use of the words "made available" instead of "sold" -- My software is written and hosted in the US, but it's "made available" to folks in the EU by virtue of being on the public internet, and plenty of EU-based folks download/use it -- and ask me for support, sometimes paying me for my efforts. That latter scenario explicitly makes me into a "manufacturer" conducting "commercial activity" (the ISC calls this out) thus promoting me into a category where I would have widespread responsibilities and liabilities under the CRA.
Meanwhile, there is plenty of EU precedent for regulations intentionally applying broadly and extra-territorially (see: GDPR), so it is quite plausible that the liabilities under the CRA don't just apply to EU-based persons/organizations, so long as the end-user/person-who-holds-the-digital-element-containing-widget-in-their-hands is an EU citizen.
Posted Apr 24, 2023 17:51 UTC (Mon)
by dvrabel (subscriber, #9500)
[Link] (1 responses)
Posted Apr 25, 2023 13:42 UTC (Tue)
by pizza (subscriber, #46)
[Link]
Uh... no. I'm not touching "self certification" with a 3.048-meter pole.
I have personally witnessed [incomplete&|erroneous] attempts to "do the right thing" be used as "proof" that violations of rules were intentional, resulting in _increased_ penalties (vs intentionally remaining ignorant/doing nothing).
We will need to see what text eventually passes (and gets enacted by member states' legislatures) but as things appear now, I am far better off simply refusing to do business with (and refusing to distribute my software to) anyone in Europe, because anything else would expose me to ruinous (if not effectively unlimited) liabilities.
Posted Apr 24, 2023 8:09 UTC (Mon)
by highvoltage (subscriber, #57465)
[Link]
Posted Apr 21, 2023 21:19 UTC (Fri)
by domdfcoding (guest, #159754)
[Link] (11 responses)
(heavy sarcasm)
Posted Apr 21, 2023 21:36 UTC (Fri)
by tao (subscriber, #17563)
[Link]
Or are you expecting British software vendors to stop selling their products to EU countries and British developers to stop participating in European software projects?
Posted Apr 21, 2023 21:39 UTC (Fri)
by flussence (guest, #85566)
[Link]
Posted Apr 22, 2023 7:36 UTC (Sat)
by beagnach (guest, #32987)
[Link] (8 responses)
Sovereignty is a wonderful thing.
Posted Apr 22, 2023 8:30 UTC (Sat)
by Wol (subscriber, #4433)
[Link] (7 responses)
How much British crap has been blamed on Europe, only for an investigation to show that the relevant Directive (an instruction to pass a national law) never required or wanted that.
Brexit lost us a wonderful scapegoat ...
Cheers,
Posted Apr 24, 2023 8:54 UTC (Mon)
by anselm (subscriber, #2796)
[Link] (6 responses)
Not just that, but that the UK contingent in Brussels was heavily in favour of the directive in question, or even the driving force behind introducing it in the first place.
(Between the 1990s and Brexit, the UK voted in favour of more than 95% of measures put forward in the EU parliament. The idea that, in the EU, Britain was chafing under the yoke of an oppressive Continental hegemony is pure myth.)
Posted Apr 25, 2023 16:53 UTC (Tue)
by NYKevin (subscriber, #129325)
[Link] (5 responses)
(I suppose it wouldn't really make sense for France or Germany to blame the EU, because to a first approximation, they are the EU. But there are a bunch of other EU member states that could do it.)
Posted Apr 25, 2023 18:07 UTC (Tue)
by pizza (subscriber, #46)
[Link]
They have, and do use the EU as a scapegoat, when it's convenient.
But generally speaking those countries don't have a tradition of "noble isolationism" afforded by being surrounded entirely by water instead of neighbours one needs to play nice with.
Posted Apr 25, 2023 18:13 UTC (Tue)
by rschroev (subscriber, #4164)
[Link]
One thing I feel is missing is more comprehensive media coverage of the decision making at the European level. Newspapers and TV shows often talk about politics at the national and regional level; opinion makers write about the issues of the moment; politicians are interviewed and debate each other. None of that is perfect, but at least it exposes some of the decision making.
Almost none of that exists for issues on the European level. Reporters will cover European Summits and other big events, but there is almost no coverage of the day-to-day decision making. Politicians do sometimes get interviewed about European issues, but almost always only local politicians; politicians from other countries (other than the obvious ones like Macron, Von Der Leyen etc.) almost never come into the picture. There is practically no debate in the public space with different viewpoints about the issues at the European level.
In my opinion, the mass media falls short in its function as fourth power in matters of European politics. At the same time it's very well possible people wouldn't like more coverage; it could very well be pretty dull.
Posted Apr 25, 2023 18:41 UTC (Tue)
by farnz (subscriber, #17727)
[Link]
Other EU countries do blame the EU for any and all unpopular countries. The distinction is that in (at least) Spain, France, Germany, Ireland and Italy, people react to that by asking what the alternatives are, and whether the alternative choices are any better in practice, whereas the UK tends to assume that we can do our own thing and the rest of the world will fall into line.
Posted Apr 25, 2023 18:59 UTC (Tue)
by mpr22 (subscriber, #60784)
[Link]
There is a possibly apocryphal headline:
FOG IN CHANNEL – CONTINENT CUT OFF
that perfectly exemplifies the underlying English* mindset responsible for Britain taking it so much further than mainland European countries do.
* Yes, I specifically mean English, rather than British.
Posted Apr 28, 2023 15:28 UTC (Fri)
by jschrod (subscriber, #1646)
[Link]
Hungary is even worse -- I'd call it an authoritarian regime by now, and not a democracy any more. Everything bad that happens is caused by the EU.
Posted Apr 22, 2023 13:46 UTC (Sat)
by fanf (guest, #124752)
[Link] (3 responses)
(I work for ISC but I am not involved in the CRA discussions.)
Posted Apr 22, 2023 15:00 UTC (Sat)
by kleptog (subscriber, #1183)
[Link] (2 responses)
That blog post is very nice and makes many good points, including some I hadn't seen before. But near the end it makes some stumbles:
> The regulation will take effect in 24 months.
No it won't, it isn't anywhere near adoption, it's not even guaranteed to reach the finish line. This appears to misunderstand the legislative process.
> Consult with the open source community in developing a plan to regulate it. Perhaps this should have been my first suggestion?
That's what's been happening the last few months, isn't it? Before this no doubt several people associated with the open source community would have been consulted, but unless you have an actual draft text those conversations tend to be quite abstract and fuzzy. Now there is a draft text the conversations become much more productive.
This is no different from the process of writing software for a customer. You don't get any useful feedback before the first mock-up/proof of concept.
> Nothing in this regulation will improve the cybersecurity of open source.
That wasn't the goal, I think the authors wanted to exclude open source altogether and make cybersecurity the problem of businesses selling products/services to customers (since that's the area where the EU actually has a mandate). This cuts both ways, since it would free open source developers from regulation, but also mean no effort would be made to improve the security of open-source.
If the feedback over the last few months has demonstrated anything, it's that the boundary between open-source and commercial software is much more complicated and nuanced than the authors of the CRA expected. The solution is probably not to exclude open-source from consideration altogether, but to explicitly describe its role in the whole cybersecurity environment.
Posted Apr 22, 2023 20:32 UTC (Sat)
by kleptog (subscriber, #1183)
[Link] (1 responses)
> Consult with the open source community in developing a plan to regulate it. Perhaps this should have been my first suggestion?
There was first a public consultation 16 March 2022 - 25 May 2022 with 108 submissions.
Number of submissions from open-source organisations: zero
But ok, maybe it wasn't clear that open-source projects would be impacted here. Given this input it's clear why open-source projects weren't a major part of the proposal. However, in September the actual proposal was released and the second public consultation ran till 23 January 2023 with 131 submissions.
Number of submissions from open-source(-ish) organisations: OpenForum Europe, OSSF, TDF, OSI.
This kinda shocked me actually. The excellent ISC blog references a number of other excellent comments. How many of those made a submission as part of the public consultation? ZERO. (That I could recognise, I didn't actually open them all).
This indicates to me that as a community we're very good at talking to each other but very bad at dealing with the regulatory environment around us. Where are the submissions from Redhat and Suse? Why didn't the ISC paste their blog into a document and submit it? Hell, why didn't someone just copy and paste a whole bunch of the better blogs and submit it on their behalf. The Python Software Foundation writes about it, only 3 months too late.
It's good that some open-source organisations made the effort, but we really need to get better at this. Ignoring the rest of the world and hoping they ignore you isn't going to work forever.
Source: https://ec.europa.eu/info/law/better-regulation/have-your...
Posted Apr 23, 2023 23:26 UTC (Sun)
by comex (subscriber, #71521)
[Link]
Posted Apr 23, 2023 13:02 UTC (Sun)
by mat2 (guest, #100235)
[Link] (3 responses)
Posted Apr 24, 2023 10:12 UTC (Mon)
by edeloget (subscriber, #88392)
[Link] (2 responses)
Unless I'm mistaken, this is already the case. The (very) limited number of Android devices that allow you to be root and install your own updates seems to show that.
Anyway, the proposal does not mandate a vendor to lock the bootloader of his devices (although you have to admit that it makes sense for some category of devices) but it will have an impact on the way vendors distribute their updates and how the update process operates. Remember that one of the goals is to avoid having your firmware modified or replaced by a malicious actor. It's fortunately possible to develop solutions that forbid unauthorized updates while still allowing you to replace the firmware if you want to (as long as you agree that the vendor is no longer responsible for any security-related problems after that).
Posted Apr 24, 2023 19:46 UTC (Mon)
by mat2 (guest, #100235)
[Link] (1 responses)
While shopping wisely, it is possible to choose devices whose bootloader can be (easily) unlocked and are supported by LineageOS / Magisk.
The more important problem is that an increasing number of apps try to detect that the phone is modified and refuse to run if it is so. This includes some government and financial applications that are getting important in daily life. This is pure DRM (Digital Restrictions Management).
There is unfortunately little done to counter developers of these apps. For example, I haven't heard FSF and SFConservancy speak about this issue.
Posted Apr 25, 2023 5:07 UTC (Tue)
by pabs (subscriber, #43278)
[Link]
https://events19.linuxfoundation.org/wp-content/uploads/2...
Posted Apr 25, 2023 10:27 UTC (Tue)
by jafd (subscriber, #129642)
[Link] (15 responses)
I would like to have some simple answers then, using very few small words, to the following questions. I don't know the right answers, but I sure as hell know they don't start with "it depends".
1) I publish an open source thing with no expectation of profit whatsoever. A vendor picks it up without my knowledge or consent, puts it into smart fridges or whatnot, and later a hole is found in my thing. Who is going to be liable, the vendor or I? Can CRA hang it onto me as a "supplier"?
2) I publish an open source thing, and take donations. A vendor picks it up without my knowledge or consent, puts it into smart fridges, and later a hole is found in my thing. The donations, it's expressly stated, are there to support the development, but they don't imply any sort of contract with obligations. I don't know if the vendor has ever donated anything to me. Who is going to be liable? Can vendor successfully make me liable?
3) I run a software business. I publish parts or the entirety of what I produce as open source, free for anyone to use, but offer custom component development and support subject to a contract and hefty subscription fees. A business X picks up my software and uses it without my knowledge or consent. I don't have any kind of support contract with X. Later, X falls victim to a hole found to be in my software. Can they make me their "supplier" per CRA and successfully sue me/make me pay fines despite me not having received a single cent from them and being unaware of their existence until now?
For simplicity's sake, assume all parties are EU-based and thus squarely in CRA jurisdiction, with no buts or whatifs.
Posted Apr 25, 2023 16:57 UTC (Tue)
by farnz (subscriber, #17727)
[Link] (14 responses)
Not a lawyer, so you'll need legal advice if this really matters to you (just as you would with any law), but my understanding is as follows, based on the text of the directive:
It's case (3) that has the big gotchas lurking in the current draft; if you supply premium cakes for office parties as well as supporting your open source software, then as the CRA is currently drafted, it's not clear whether being a supplier of cake to X implies that you are liable to X if your software has a hole in it. Hence the PSF and ISC worries; they supply conferences (PSF) and support contracts (ISC), and do not want a situation where, because you bought a conference ticket or support for one product, they're on the hook to you for all the software they make available.
This is a challenging one to draft well, since you don't want a loophole that lets a company avoid being the supplier of software if they include it in a bundle pack - for example, if I sell you a PC with pre-installed Ubuntu, and you use that PC with the pre-installed OS as part of a digital signage system, the intent of the CRA is that I am your supplier for Ubuntu, and it's up to me to manage that risk; but if the regulation is drafted badly, I could get away with only supplying (for CRA liability purposes) the PC and its firmware, but not Ubuntu).
Posted Apr 25, 2023 18:03 UTC (Tue)
by pizza (subscriber, #46)
[Link] (4 responses)
Worse yet, once you're considered a "manufacturer" (via the conference/support contract/etc "commercial activity" backdoor) if your digital elements are "made available" in the EU (eg via a public web site) then you're now potentially on the hook to *everyone* who obtains those digital elements, not just the folks who actually paid you money.
Posted Apr 25, 2023 19:41 UTC (Tue)
by farnz (subscriber, #17727)
[Link] (3 responses)
That, at least, is not supported by the current text - to be on the hook to someone, you have to be their supplier of the digital elements.
The only sense in which you're on the hook to "everyone" is that the CRA allows you to pass liability backwards along supply chains; if I supply you with a product including a paid copy of Red Hat Enterprise Linux, and you're affected by an RHEL flaw, then you can follow the supply chain backwards and pursue Red Hat, instead of pursuing me, and if you do pursue me, I can pursue Red Hat.
But, without the supply chain to follow backwards, I can't pass liability to you, even if you are a "manufacturer". You have to be my supplier (either directly, or transitively) before I can pursue you. So, if you fall through the "commercial activity" loophole and become someone's supplier, you're not at risk from me unless they are my supplier (or my supplier's supplier ad-infinitum) of those digital elements.
This is still a huge problem for something foundational like Python, since there's a very high chance that any given use of Python in an end-product involves someone in the supply chain who's supplied by the PSF in this sense, but it's not as bad as you're suggesting. In particular, if you become my supplier, but I don't supply anyone else, your liability risk stops there.
Posted Apr 26, 2023 12:29 UTC (Wed)
by ballombe (subscriber, #9523)
[Link] (2 responses)
Posted Apr 26, 2023 12:38 UTC (Wed)
by pizza (subscriber, #46)
[Link]
Wait, isn't that just another case of DISCLAIMING ALL WARRANTIES? I thought that's one of the things the CRA is supposed to be precluding?
(Or will "general purpose computing" become effectively illegal under this new regime?)
Posted Apr 26, 2023 15:15 UTC (Wed)
by farnz (subscriber, #17727)
[Link]
Red Hat can't do that, under the CRA - they have to refuse to supply me RHEL under commercial terms in order to not be my supplier.
Which leads to fun if we start thinking about Ubuntu, which is available from Canonical as both Open Source, and a commercial supported product; if I have Ubuntu, which variant do I have? Is Canonical my supplier (because I obtained Ubuntu from them under commercial terms), or not (because I picked it up as an Open Source gift)? Can I convert Canonical into a supplier when I realise I fouled up taking Ubuntu as Open Source? Can Canonical avoid supplying me somehow, while still getting revenue from me?
Posted Apr 25, 2023 22:16 UTC (Tue)
by Wol (subscriber, #4433)
[Link] (8 responses)
Given the huge number of conglomerates where different parts of a business do different things (one just has to look at Sony's schizophrenia about whether they are a film company, a music company, or a games console company), you simply have to define it based on individual transactions.
If you "offer for sale" a product, and somebody buys it, then you are the supplier. If your bundle pack says it includes Ubuntu, then you are the supplier of Ubuntu. If the offer makes no mention of Ubuntu, and it just happens to be in the bundle as supplied (NOT as advertised), then you're not the supplier. But the customer may well get upset that the package is "not as advertised". Where this COULD get muddy is (as with my laptop) the situation where the supplier says "with or without Ubuntu" and it makes no difference to the price. I think there it is quite clearly a freebie thrown in, and the laptop supplier should not be considered the software supplier.
In other words, to be a supplier, imho you should have "offered for sale" the product, and taken some consideration in return for it. That clearly EXcludes "take it or leave it" freebies. And by basing the definition of "supplier" on the *product*, you avoid any argument as to whether someone is a supplier when there is a complex relationship between customer and supplier.
Cheers,
Posted Apr 26, 2023 8:12 UTC (Wed)
by nim-nim (subscriber, #34454)
[Link] (7 responses)
Designing legal exemptions that a lot of crooks won't instantaneously transform into massive loopholes is hard.
Posted Apr 26, 2023 9:44 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (6 responses)
Worse than that, if you define it in terms of transactions, I can just sell you the licence library, and "give away" the rest of my software pile. So I'm liable for bugs in the licence system, but not for bugs in the rest of the software I offer, because the only thing I've actually sold is the licence system. The fact that the rest of the software is useless without the licence library is beside the point - it's not part of a transaction, you can download it freely.
Underlying this is that the per-transaction cost of distributing digital assets is near-zero; you might be asked to pay as much as $0.20 per gigabyte for data transfer if you choose an expensive option, but it's possible to drive that down below $0.01 per gigabyte if you're transferring enough data. For a size context, the Debian archive (all of Debian) is 125 GB for sources, plus 612 GB for the largest architecture, while a complete Android system image for a Google Pixel 7 Pro is under 3 GB.
Given this pricing, it's reasonable for someone distributing software to give most of it away "for free", without including it in a transaction; the goal of the CRA, however, is to ensure that software is covered by the same sorts of rules on quality and liability for faults as physical goods are. Which leads to tension, because software's a place where the low incremental cost of another unit means that it's easier to disguise a software transaction as a gift (and gifts have lower standards for quality in physical goods).
Posted Apr 26, 2023 11:27 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (5 responses)
If you have to buy the licence library to use the software, then they're one "good". They're not "fit for purpose" without each other. Yes writing stuff that people can't try to find loopholes in is hard to impossible. But "Did you pay (cash, consideration, whatever) for the right/ability to use the software? Oh - you had to pay for the licence library, right? It's ONE transaction!" is hard to dodge.
Cheers,
Posted Apr 26, 2023 11:49 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (4 responses)
That implies that everyone who sells software that runs on an OS has combined the OS and the software into a single good, and is on the hook not just for their software package, but also the whole OS. After all, you can't run the software without the OS, so you must buy the OS to use the software, which means it's one "good", not two, even though you buy the OS separately from another company.
Posted Apr 26, 2023 12:14 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (1 responses)
But they've presumably solved that with things like car radios, Ford aren't liable for aftermarket replacement radios. Even though those radios are clearly designed only to work in cars.
(In that case, it's two separate transactions, with consideration going in two directions. In the library example, it's the same supplier and you have to buy the licence to activate the software. One payment, one supplier.)
Cheers,
Posted Apr 26, 2023 15:07 UTC (Wed)
by farnz (subscriber, #17727)
[Link]
The solution with aftermarket radios is standard interfaces, and an obligation to meet those interfaces whenever you sell a component - if a car uses a non-standard wiring setup, then it's on the car maker to document how you go from the non-standard version to the standard versions.
We could go for that solution with computing, where all APIs and ABIs must be standardised, and you must specify how to convert your internal stuff to the standard stuff, but that's got its own costs that we'd prefer not to pay; the only reason it works for in-car entertainment is that the interface was well-understood for a good 20 years before we insisted it be standardised, whereas if you look at ABIs from 20 years ago, we've changed all sorts of things.
And in the library example, it's also two suppliers - one payment to DodgySoft Limited to buy the core library that makes everything else work, with the software you need coming from DodgySoft Research for free. Two different sources, legally speaking, and DodgySoft Limited is only on the hook for the core library, not the bits you got from DodgySoft Research - even though the bits you want are from DodgySoft Research, and you're only buying the tiny core from DodgySoft Limited because without it, you can't use the bits from DodgySoft Research.
Fundamentally, we have two conflicting goals to reconcile:
The conflict is that we don't want to make people gifting code as Open Source liable, but we do want all commercial users of that code to have liability that they have to deal with somehow - whether through support contracts, insurance, or just being good at avoiding security issues. In turn, this means that we need to be careful to avoid loopholes that let you disguise commercial supply of code as an Open Source gift.
Posted Apr 26, 2023 12:32 UTC (Wed)
by geert (subscriber, #98403)
[Link]
Posted May 2, 2023 18:59 UTC (Tue)
by immibis (subscriber, #105511)
[Link]
For example, the GDPR does not precisely define what is considered consent. If the GDPR had said that clicking on "I agree" constituted consent, website operators would require you to click on "I agree" before viewing the site. Since the introduction of the GDPR, it was ruled that a shortcut "I agree" button does not constitute consent unless there is an equally prominent shortcut "I disagree" button.
continuous development of software, there is a higher chance that vulnerabilities are spotted by someone
throughout the development or update process".
Deadline for tabling amendments 26 April 2023, 18:00
Consideration of AMs 22-23 May 2023
Consideration of CAMs 28-29 June 2023
Vote in IMCO 28-29 June 2023
Vote in ITRE September 2023 (tbc)
[2] https://www.europarl.europa.eu/doceo/document/IMCO-PA-742...
1, Take a real problem that is a real problem for EU citizens
2, Make some regulation that is the worst possible thing for the individual
3, Threaten with some ridiculous sky-high fines if regulation is broken
The GDPR/Cookie laws. A great idea and something pretty much everyone wants. The problem however is that in practice it seems to have become "do whatever you want with data, as long as you can coax the individual into clicking an 'I agree' button". In the end you have two choices: don't use the internet or agree to everything -- not much of a choice these days. We all know the huge threats of fines here.
[2]: https://gdpr-info.eu/art-6-gdpr/
1, That GDPR thing people signed contained a little more than they thought
2, The "data controller" turned out to be some foreign entity on the other side of the EU
3, To do anything, in a legal sense, you would need lawyers and courts in that small foreign country
https://github.com/nothings/stb/blob/master/stb_ds.h#L543
https://youtu.be/0woxSWjWsb8?list=PLU94OURih-CiP4WxKSMt3U...
* less memory fragmentation (not relevant to userspace, but very relevant to kernel)
* allocate object once, never realloc again. All references/pointers to the object are valid for its lifetime.
Linked lists of never-moving objects is the simplest thing in the Universe.
therefore allocating and freeing something once is the way to go.
2, The button saying "I agree to everything" is always the single most prominent. So much so that the "configure/choose" option often masquerades as an inconspicuous tiny hyperlink.
3, When/if you get to the configure window there are usually 10-30 individual options to uncheck. Again, seldom is a "nothing" option available. This takes a while and is a pain in the ass. In an extreme case I have witnessed 30+ options, each of which took you to some site where you had to click to disable and then again to confirm it. Quite un-user friendly.
4, In the selection window the "Confirm Choices" button is *never* where you would usually expect it. Instead that location is prominently occupied by a "Agree to all" button.
5, If you decide to take the pain of deselecting something a few weeks later the website makes you go through the same dance. Strange that when clicking the "Agree to everything" button you never get reminded again.
It's against the law to make it harder to only get the necessary cookies than to agree to everything. So many sites now have a button "Only necessary cookies". Even for those that don't, the usual experience is that I click on "configure" and get a page where all (typically 2-4) optional cookies are disabled*, and I just need to click on "confirm".
European Parliament: Generally a scrutineering body. Can take out the Commission, by 2/3 majority vote, can propose amendments to legislation, can block legislation the Council is trying to put through, but this requires an absolute majority.
Council: The governments. Here lies the power, tempered by the EP.
ISC’s earlier blog post on the CRA has many links to comments from others. The main topic is a longer statement with more analysis and nuance than would fit in the more recent letter.
More from ISC and others
Number of submissions businesses primarily earning money from open-source: zero
On the other hand, IBM, Huawei, Broadcom, Microsoft made submissions.
Number of submissions businesses primarily earning money from open-source: zero (didn't recognise any)
There were submissions from the Internet Infrastructure Coalition and RIPE.
And of course: Github, Apple, Blackberry, Huawei, Microsoft, IBM, Google all made submissions.
> Android phones, lightbulbs, etc. The manufacturers may be forced to (or have better excuses to) better "secure" these devices
> against "unauthorized" modifications.
And CD players could still be sold without CDs? And CDs without CD players...