The Python Software Foundation on European cybersecurity
Posted Apr 22, 2023 3:03 UTC (Sat) by dvrabel (subscriber, #9500)
In reply to: The Python Software Foundation on European cybersecurity by pbonzini
Parent article: The Python Software Foundation on European cybersecurity
As an analogue, the Raspberry Pi Foundation is a UK charity, and it can't avoid compliance with various EU regulations (e.g., RoHS and EMC compatibility) for their Raspberry Pi hardware.
Posted Apr 22, 2023 11:30 UTC (Sat)
by pizza (subscriber, #46)
[Link] (6 responses)
So putting on conferences (thus having some transactional revenue sources) isn't "commercial activity"?
> The ISC looks commercial to me through its sale of support services (despite ISC Inc being a non-profit company), and thus their software would be covered.
By this logic, I, by virtue of having sold a couple of hours of support services to a European client, am now (and possibly forever?) liable for any [mis-]use of my F/OSS in Europe.
Posted Apr 22, 2023 13:46 UTC (Sat)
by kleptog (subscriber, #1183)
[Link] (5 responses)
Commercial activity is scoped. Just because their conferences might be considered commercial, doesn't mean everything else they do is commercial.
> By this logic, I, by virtue of having sold a couple of hours of support services to a European client, am now (and possibly forever?) liable for any [mis-]use of my F/OSS in Europe.
That is a clearly absurd conclusion. And not the intention either.
Posted Apr 22, 2023 14:51 UTC (Sat)
by pizza (subscriber, #46)
[Link] (4 responses)
I agree that it's _probably_ not the intention, but it's hardly an absurd conclusion to take based on the current/public text.
I learned a long time ago that one needs to write code assuming the worst possible (if not outright hostile/adversarial) interpretation of a spec if you want your code to not fall over when exposed to real world users. Experience has shown the same attitude needs to be taken with respect to proposed laws (be it at a neighborhood level, national, or anywhere in between), as even if the current group of political/judicial folks are "fair-minded and reasonable" [1], doesn't mean their successors will be.
[1] And that is by no means something that can be generally assumed.
Posted Apr 22, 2023 19:32 UTC (Sat)
by Wol (subscriber, #4433)
[Link] (3 responses)
A previous post about the CRA referred to this, and while there can be some argument about the detail, it's clear that a lot of things people are worried about are clearly EXcluded from the definition.
Cheers,
Wol
Posted Apr 23, 2023 14:12 UTC (Sun)
by pizza (subscriber, #46)
[Link] (2 responses)
EXcluded from one definition, but INcluded in other places, sometimes explicitly, sometimes implicitly. It's the latter (perhaps unintentional) stuff that has everyone worried, and nobody wants to become the legal guinea pig to find out how the courts will ultimately rule on each member state's legislative interpretation of the CRA. (Again, it's not the _well intentioned_ folks I'm worried about, it's the "crap, we're facing down a metric f-ton of liability, how can we try to get out of this? I know, let's try to foist this onto our 'suppliers' by claiming they're responsible" folks. Or just plain malicious parties.)
For example, the use of the words "made available" instead of "sold" -- My software is written and hosted in the US, but it's "made available" to folks in the EU by virtue of being on the public internet, and plenty of EU-based folks download/use it -- and ask me for support, sometimes paying me for my efforts. That latter scenario explicitly makes me into a "manufacturer" conducting "commercial activity" (the ISC calls this out) thus promoting me into a category where I would have widespread responsibilities and liabilities under the CRA.
Meanwhile, there is plenty of EU precedent for regulations intentionally applying broadly and extra-territorially (see: GDPR), so it is quite plausible that the liabilities under the CRA don't just apply to EU-based persons/organizations, so long as the end-user/person-who-holds-the-digital-element-containing-widget-in-their-hands is an EU citizen.
Posted Apr 24, 2023 17:51 UTC (Mon)
by dvrabel (subscriber, #9500)
[Link] (1 responses)
Posted Apr 25, 2023 13:42 UTC (Tue)
by pizza (subscriber, #46)
[Link]
Uh... no. I'm not touching "self certification" with a 3.048-meter pole.
I have personally witnessed [incomplete&|erroneous] attempts to "do the right thing" be used as "proof" that violations of rules were intentional, resulting in _increased_ penalties (vs intentionally remaining ignorant/doing nothing).
We will need to see what text eventually passes (and gets enacted by member states' legislatures) but as things appear now, I am far better off simply refusing to do business with (and refusing to distribute my software to) anyone in Europe, because anything else would expose me to ruinous (if not effectively unlimited) liabilities.