
The European Cyber Resilience Act

Posted Sep 21, 2023 13:06 UTC (Thu) by farnz (subscriber, #17727)
In reply to: The European Cyber Resilience Act by pizza
Parent article: The European Cyber Resilience Act

Who approaches whom doesn't matter. It's commercial if there's an offer of products or services, followed by an exchange of money; at that point, you're in a commercial transaction, and you are liable for the products or services you've sold.

And you only have that status for products and services sold in a commercial setting. Say I accept €10,000 from you to fix a bug in Linux kernel PPPoE support that affects your ISP; that fix is done as a service (the end product is a patch that applies to a known git tree from Linus). That patch is commercial - I offered to make the fix, you paid me for it. If I then do a later patch to Linux kernel PPPoE support to fix a different bug that affects me, or that adds a feature to kernel PPPoE support, that patch is non-commercial, because I didn't have a commercial relationship with you for that patch.

It gets trickier with a follow-on patch to the one you paid me for - if I supply a second patch that fixes a bug introduced by the patch you paid me for, that patch is considered part of the service you paid for (since it's a follow-up to our previous commercial relationship). But this is something a judge should be able to resolve; was my later patch a part of our existing commercial relationship, or was it a separate non-commercial transaction? A system update from Apple to your iPhone is probably part of the existing commercial relationship you have with Apple; a new app from Apple that's not forcibly installed probably isn't.



Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds