
The European Cyber Resilience Act

Posted Sep 19, 2023 22:10 UTC (Tue) by pizza (subscriber, #46)
In reply to: The European Cyber Resilience Act by dullfire
Parent article: The European Cyber Resilience Act

> That being the case, I wonder if that would effectively make use of GPL'd projects that originate outside the EU (where these requirements do not exist), in works by parties inside the EU a breach of the GPL.

Why wouldn't this apply equally to GPL'd projects written from within the EU?

After all, it's not the national origin of the software that matters; it's whether or not it comes with the necessary paperwork?



The European Cyber Resilience Act

Posted Sep 19, 2023 22:25 UTC (Tue) by dullfire (guest, #111432) [Link] (5 responses)

Because for a project originating inside the EU, the law constrains the author before the copyright exists. Whereas an "imported" work could only happen after, and under the terms of the GPL (since that defines the terms which the subject can use the works).

To put it another way: The reason I don't think it would be a GPL violation for an in-EU author is the author would directly (potentially) be held liable. Whereas an external project only has a nexus to the author via their GPL license.

Anyhow. Not a lawyer. Just musing that I think that goes against at least one part of the GPL's terms (the prohibition on adding terms)

The European Cyber Resilience Act

Posted Sep 20, 2023 13:43 UTC (Wed) by Wol (subscriber, #4433) [Link] (4 responses)

> Anyhow. Not a lawyer. Just musing that I think that goes against at least one part of the GPL's terms (the prohibition on adding terms)

Or it could be a simple case of "intersection of requirements". If the GPL imposes one set of requirements (that you pass on everything you receive) and the law imposes a different set of requirements (if you give a product to someone, you must provide a warranty), then there is not necessarily any conflict. Just because the GPL says "this software comes without warranty" doesn't mean it conflicts with "the law says you must provide a warranty". The legal warranty you provide is totally irrelevant to the fact that software has no warranty.

It's actually very similar to the copyright/patent situation. Just because patent law may say "you can't use this software", it has no impact on the GPL saying "you may freely share AND USE this software". The software authors have given you the right to use the software, the fact that the law says exercising that right is illegal under a different (patent) legal code is irrelevant to the GPL. v2 at least, v3 attempts to address this.

Even with ITAR and arms regulations etc etc, if the GPL allows you to freely distribute "illegal" software, you're in the clear as far as the authors of the software are concerned. Doesn't stop the government coming after you for distributing "illegal munitions", but it's nothing to do with the GPL.

Cheers,
Wol

The European Cyber Resilience Act

Posted Sep 20, 2023 13:44 UTC (Wed) by paulj (subscriber, #341) [Link] (3 responses)

You mean union of requirements, right?

The European Cyber Resilience Act

Posted Sep 20, 2023 14:05 UTC (Wed) by Wol (subscriber, #4433) [Link] (2 responses)

Union? Intersection?

I was thinking of the case where requirements collide.

Actually, I think I can now word it far better. The GPL places requirements on the GIVER. The law places restrictions on the RECIPIENT. Where this is the case there can be no GPL violation. And, in this particular case, I think this is the actual state of affairs.

Americans are free to distribute GPL software into Europe, CRA or no CRA. If it's not been advertised in Europe then there is no "placed on the market", and it's a grey import.

Europeans are then free to distribute it, provided they comply with the extra legal burden of the CRA. And the GPL has no say here, because the "additional requirement" of complying with the CRA is not being passed on by the giver, but is imposed (or not) by the law.

Cheers,
Wol

The European Cyber Resilience Act

Posted Sep 20, 2023 14:23 UTC (Wed) by pizza (subscriber, #46) [Link] (1 responses)

> Americans are free to distribute GPL software into Europe, CRA or no CRA. If it's not been advertised in Europe then there is no "placed on the market", and it's a grey import.

As currently drafted, simply being *made available* (even for zero cost) to an EU citizen is sufficient to be considered "placed on the market" for purposes of the CRA.

When the various proposed changes are reconciled together, we shall see what the new text says... But until then...

The European Cyber Resilience Act

Posted Sep 20, 2023 15:26 UTC (Wed) by Wol (subscriber, #4433) [Link]

> As currently drafted, simply being *made available* (even for zero cost) to an EU citizen is sufficient to be considered "placed on the market" for purposes of the CRA.

Hmmm ... that's scary.

Because as I understand it, "placed on the market" is a term of art defined elsewhere in other (consumer protection?) legislation, and if the CRA is re-defining it, then that is a massive change - far bigger than just cyber-security and what-not.

Cheers,
Wol

