Bottomley: Solving the Looming Developer Liability Problem
Indemnification means one party, in particular circumstances, agreeing to be on the hook for the legal responsibilities of another party. This is actually a well-known way not of avoiding liability but of transferring it to where it belongs. As such, it’s easily sellable in the court of public opinion: we’re not looking to avoid liability, merely trying to make sure it lands on those who are making all the money from the code.
Posted Dec 12, 2023 8:05 UTC (Tue)
by rgb (subscriber, #57129)
Posted Dec 12, 2023 11:06 UTC (Tue)
by paulj (subscriber, #341)
There are big lumbering "bullshit jobs" machines dedicated to creating inefficiencies, through laws and regulations that are left as vague as possible, so they can profit from them with consultancy work to interpret and advise on said vague regulations, and from outsourcing the army of bureaucracy needed to operate the solution the consultants advise is required by law (though you will never find that requirement detailed precisely in the law).
Such inefficiencies hurt small businesses more than larger. Society is pushed ever more to a monotone of mid and large corporates running everything.
Posted Dec 12, 2023 9:12 UTC (Tue)
by dottedmag (subscriber, #18590)
Could somebody incorporate into their product a version of software from 2012 and thus make the developers liable, even if the project has changed the license?
Posted Dec 12, 2023 9:32 UTC (Tue)
by snajpa (subscriber, #73467)
Posted Dec 12, 2023 9:36 UTC (Tue)
by dottedmag (subscriber, #18590)
The new regulation says "you're liable, no matter what the license says".
Posted Dec 12, 2023 9:43 UTC (Tue)
by snajpa (subscriber, #73467)
Posted Dec 12, 2023 9:49 UTC (Tue)
by farnz (subscriber, #17727)
Have you looked at the regulation? That's not what it says - it says that you're liable if you're supplying a product or service in return for money that's connected to the software you're supplying regardless of what the licence says.
If you're not selling anything, you're allowed to disclaim liability; if you're selling something, but you can show that the software you're supplying is completely unrelated to anything you're selling, you can disclaim liability, and there are even rules established that set a hard boundary where you're able to disclaim liability even if you also sell things (which would, for example, protect Google's contributions to the Linux kernel as a whole, while still making Google liable for the version of the Linux kernel on the Pixel devices).
Now, you can argue that the exemption is too broad (or too narrow), but please argue based on the actual regulations being proposed, and not on one person's strawman that they've put in place to set up a blog post (and therefore haven't hardened against criticism).
Posted Dec 12, 2023 13:13 UTC (Tue)
by jejb (subscriber, #6654)
The current draft CRA text doesn't say that. The Article 3 section 18 definition actually says:
‘manufacturer’ means any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge;
I think the EU is trying to make sure that products you get for free (that WhatsApp app, say) also comply with the CRA.
Posted Dec 12, 2023 14:03 UTC (Tue)
by Wol (subscriber, #4433)
The crucial words here are "and markets them". If you look up the definition of marketing, it does not include "making available for J Random Passerby to help themself". In other words, uploading to a download site is definitely not included.
If you're not marketing, you're not liable. If you're sharing stuff with no commercial interest in it, that's not marketing.
Cheers,
Posted Dec 12, 2023 14:22 UTC (Tue)
by jejb (subscriber, #6654)
Well this is what Article 1 section 23 actually says:
‘making available on the market’ means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;
So J Random Passerby helping themselves absolutely is included. The problems for us all come from the ambiguity in that phrase "course of a commercial activity", which isn't defined. Lawyers have opined that simply getting paid to work on an open source project could be deemed commercial activity. The open source carve out (Recital 10 in the preamble) is phrased similarly:
In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation.
And then goes on to muddy the whole thing by saying:
In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
but that's not an exclusive definition, it's just a list of examples of what commercial activity might be.
Posted Dec 12, 2023 14:43 UTC (Tue)
by bluca (subscriber, #118303)
No, it is most definitely not included, by any definition of the verb "market" as used by the EU.
There is a lot of FUD around this, mostly coming from anarcho-capitalist corners of society for which every regulation is bad and every bad business practice is sacred, but the intent and spirit of the law is extremely clear, as expressed by the legislators, for example:
"A number of stakeholders have submitted their views to the Commission, including arguments pointing to the necessity to correctly distinguish between commercial and non-commercial OSS, particularly in certain grey areas, where making such distinction would not be immediate.
The Commission is therefore fully aware of the characteristics and complexities of the OSS sector and attaches great importance to the issues brought to its attention in this regard."
https://www.europarl.europa.eu/doceo/document/E-9-2023-00...
Posted Dec 12, 2023 15:06 UTC (Tue)
by pizza (subscriber, #46)
....Until those words are embodied in a new draft of the CRA, they're barely worth the pixels used to display them.
...We have to judge the CRA on what it actually says NOW, not what a future revision might hypothetically say.
Posted Dec 12, 2023 15:17 UTC (Tue)
by bluca (subscriber, #118303)
Posted Dec 12, 2023 16:34 UTC (Tue)
by paulj (subscriber, #341)
We will, for quite a while, have all kinds of differences between member states in precisely what "markets" means in different member states. Some may be very trivial differences, some may be more significant. There may be member states whose legislature and/or judiciary creates a law where "markets" has a meaning much wider than any of us here would like. Further, it may take a long time before a case ever gets to the European Court of Justice to decide whether or not that difference is worth addressing/fixing. Indeed, one member state's interpretation of the Directive, as expressed in its implementation may influence others and lead to there being no difference for the ECJ to have to rule on.
Posted Dec 12, 2023 17:27 UTC (Tue)
by pizza (subscriber, #46)
That's a distinction without a meaningful difference. If every member state in the EU is required to effectively set fire to F/OSS activities, it doesn't make much of a difference how much (or what type) of accelerant each member state chooses to use.
> We will, for quite a while, have all kinds of differences between member states in precisely what "markets" means in different member states. Some may be very trivial differences, some may be more significant.
In other words, no matter what the CRA looks like when it finally passes, it's going to produce a massive mess that's going to take many, many years to coalesce into a meaningful set of rules that an individual [business] can use as a blueprint to stay out of trouble.
Posted Dec 12, 2023 17:44 UTC (Tue)
by paulj (subscriber, #341)
It is not unusual to see a series of "first round" / "early adopter" implementations by a subset of member states, with differences, which then inform the interpretation, and lead to further implementations taking that into account (including some of the "early adopter" member states passing another law). I.e., there may be a legislative convergence process that goes on, over 5+ years, across member states, where they all look at what each other are passing, with EU committees or industry bodies perhaps criticising some implementations for not meeting some intent.
Least, it is not unusual for the member state I live in to take a few goes at implementing a Directive. Also, it is not that unusual for there to be further Directives on the same matter, to deal with experience from implementations.
And even at the end of all that, there may still be differences, which may take another 5 to 10 years or more to sort out - e.g. because a member state just disagrees, or didn't prioritise something, and it goes to the ECJ - and only then if there is enough of an issue for someone with standing (EU commission, a member state, or a member state's judicial system) to actually think it should be sent to the ECJ.
So yes, it's going to take a good number of years for this to converge on settled and harmonised law across member states.
Posted Dec 21, 2023 16:55 UTC (Thu)
by jepsis (subscriber, #130218)
Posted Dec 12, 2023 21:04 UTC (Tue)
by kleptog (subscriber, #1183)
They wouldn't do it. No seriously. The EU Commission has no effective enforcement mechanism to ensure countries actually implement the directives faithfully. The whole point of the marathon trilogues and engagement of the Council and Parliament is to get a draft text the member states are actually willing to implement faithfully. If a member state at this point already feels that they'll get push back from their national parliament then they have to keep renegotiating until they get something that will work. (Note: it's up to the member state to organise this feedback loop properly.)
So every national parliament gets to give its own twist to this and no national government is going to "set fire to F/OSS activities" as you put it. This will lead to about a decade of discussion and negotiation while all the kinks get sorted out. The problem with this kind of pioneering legislation is that it's really hard to think of all the corner cases up front and you're better off just doing the best you can and keeping the enforcement light while all the kinks get worked out.
> In other words, no matter what the CRA looks like when it finally passes, it's going to produce a massive mess that's going to take many, many years to coalesce into a meaningful set of rules that an individual [business] can use as a blueprint to stay out of trouble.
Welcome to the EU. We don't want to be a federation, so we do everything the hard way. The alternative, where every state does their own thing without any coordination, would be much much worse.
Posted Dec 12, 2023 21:14 UTC (Tue)
by bluca (subscriber, #118303)
Posted Dec 13, 2023 11:41 UTC (Wed)
by paulj (subscriber, #341)
Reading the CRA, they appear to be exercising authority to regulate primarily based on Articles 173, and 322(2) (for budgetary things?) of the Treaty on the Functioning of the European Union:
https://www.legislation.gov.uk/eut/teec/article/173 (Industry Competitiveness)
Article 173 is worth reading carefully. Does the CRA follow the objectives of paragraph 1? Does it distort competition? Does it favour or disfavour small and medium-sized businesses?
Posted Dec 13, 2023 11:45 UTC (Wed)
by paulj (subscriber, #341)
Posted Dec 13, 2023 16:26 UTC (Wed)
by kleptog (subscriber, #1183)
The Act includes a section about why it is a regulation, every act has to specify why it is a directive or regulation and the legal basis for it. While in principle a regulation is effective everywhere at once, the actual enforcement is to be done by entities which don't exist yet and will need to be created by the member states. The entities will be underfunded (they always are) and will not have time to go after anything but the biggest companies.
Also note the fines are actually the sideshow. The primary goal is that the terms get included in B2B contracts and that businesses start holding each other to account. That's the only way to influence suppliers outside the EU.
Posted Dec 28, 2023 10:35 UTC (Thu)
by gfernandes (subscriber, #119910)
Posted Dec 28, 2023 12:01 UTC (Thu)
by Wol (subscriber, #4433)
Spot on. I like the use of the word *INDIRECTLY*. Which means the legislation does *not* apply to developers.
Sure they have to take it into account - inasmuch as they have a *contractual* relationship with the people to whom the regulation *does* apply.
NO CONTRACT? NO LIABILITY!
As the Europeans here keep saying !!!
I know in America anybody can sue anybody else for any thing. And in America, it can be a business tactic for bankrupting the competition.
But in the UK, the Court's very first question is going to be "Where is the agreement between you? I want to read it". And if that agreement says "here's a freebie, if it breaks you can keep both pieces", the Court is going to be EXTREMELY upset with the plaintiff.
Cheers,
Posted Dec 12, 2023 15:26 UTC (Tue)
by khim (subscriber, #9252)
When one discusses bills (that are not yet turned into law) the best way to understand what said bill is supposed to achieve is to… gasp… talk to lawmakers. And the Apache Foundation did precisely that! They met these guys and tried to explain that what they propose would make entities like the Apache Foundation or the Rust Foundation liable for what they make. And the answer they got was, of course: indeed, that was our intent, why do you think we don't understand that?? I think if people would understand the logic behind that decision instead of trying to glean it from the actual preliminary text everyone would be much happier: even if today the text that we have doesn't align with the goals lawmakers have, it doesn't mean we should go with the text. Text may be fixed or altered; intent would remain.
Posted Dec 12, 2023 15:47 UTC (Tue)
by pizza (subscriber, #46)
Good intentions do not automatically result in good outcomes.
Posted Dec 12, 2023 17:17 UTC (Tue)
by pizza (subscriber, #46)
To be honest, I found that Apache blog post pretty frightening.
Because it appears to show that what most of the doomsayers are saying about the effects of CRA-as-drafted is actually its legislated _intent_, and not collateral damage that could be "fixed" -- in other words, the opposite of what I and many others thought.
...Either you're all-in and treated the same as a multibillion-euro megacorp, or you have to divest yourself of _any_ activities that could be remotely construed as commercially-adjacent -- which is a threshold so low that it's trivial to accidentally cross it.
Posted Dec 12, 2023 23:36 UTC (Tue)
by bluca (subscriber, #118303)
Corporations like Google are terrified of this regulation. The Android market, that forms the core of its profit-making, will be decimated once vendors are no longer allowed to throw devices over the wall and forget about them. Good!
Posted Dec 13, 2023 2:19 UTC (Wed)
by pizza (subscriber, #46)
Do you have an actual refutation of Apache's citations, or are you just going to spew more unsupported nonsense?
(Seriously. Your consistent position here is "the EU's efforts are well intentioned so it will all work out fine eventually, and any concerns are complete BS and could only possibly benefit the Googles of the world)
Posted Dec 13, 2023 10:39 UTC (Wed)
by Wol (subscriber, #4433)
Courts really do not like (thanks, PJ) legislation that completely redefines the legal landscape. That comes into a total vacuum. If things really are as bad as you say, European contract law will collapse, and the legislative panic will be the Eighth Wonder Of The World. If things really are as bad as you say, certainly in the UK the Judges will completely gut it, on the basis that it conflicts with other - long standing - legislation that it was never meant to overturn.
Cheers,
Posted Dec 13, 2023 13:06 UTC (Wed)
by bluca (subscriber, #118303)
Posted Dec 18, 2023 16:46 UTC (Mon)
by nim-nim (subscriber, #34454)
Some corp just mistakenly awarded the FUD-ing contract to its Washington lobbying office, forgetting Europe is on another continent. Had it been awarded to its Brussels office, the drivel would be different and better camouflaged.
That or the whole lobbying effort is targeted Washington-side, see, sir, time for a new commercial war, because the Brussels office already lost the first round.
Or else the corp could not figure out how to influence US relays from Brussels using people who understood EU law.
There are lots of interpretations. The only sure thing is that it’s a publish-this-thing-we’ve-written-for-you lobbying run that does not reflect well on the ASF.
Posted Dec 12, 2023 9:43 UTC (Tue)
by coriordan (guest, #7544)
Posted Dec 12, 2023 9:50 UTC (Tue)
by snajpa (subscriber, #73467)
Posted Dec 12, 2023 11:11 UTC (Tue)
by coriordan (guest, #7544)
Think it through. The legal system wouldn't work if licences and contracts could say that laws don't apply. It has to be the other way around, and it is.
Posted Dec 12, 2023 11:21 UTC (Tue)
by snajpa (subscriber, #73467)
Posted Dec 12, 2023 11:48 UTC (Tue)
by james (subscriber, #1325)
(1) Where a person has the use of a computer program under an agreement, any term or condition in the agreement shall be void in so far as it purports to prohibit or restrict—
(a) the making of any back up copy of the program which it is necessary for him to have for the purposes of the agreed use;
(b) where the conditions in section 50B(2) are met, the decompiling of the program; or
(c) the observing, studying or testing of the functioning of the program in accordance with section 50BA.
(Extra terms apply: this is not legal advice; consult a real lawyer before relying on any of this!)
Posted Dec 12, 2023 12:19 UTC (Tue)
by snajpa (subscriber, #73467)
My point is that the hobbyist developers aren't exactly begging the profit-makers to make profit specifically off of their code. The hobbyists mostly couldn't care less about users of their code who in most cases don't even bother contributing back, ever. I'd love to see an example of _this_, because this is the core of the FUD arising from the newest legislative "innovation" attempt in the EU. Shifting the blame for mishaps in a commercial product to someone who is not in the profit chain of suppliers that make that product possible. Any example of that?
Being in the chain "by random chance" without any profit or even any engagement at all IMHO will always mean the shift-blaming attempts will turn out unsuccessful. The judicial power would have to get hijacked by the profit seeking entities ~completely for this to happen - and when that happens, we've got bigger problems, than a random FOSS contributor getting blamed for something they had no influence over.
Posted Dec 12, 2023 14:12 UTC (Tue)
by ballombe (subscriber, #9523)
The Apache 2.0:
7. Disclaimer of Warranty. Unless required by applicable law or
the BSD disclaimer:
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
The first two explicitly allow for "applicable law". All three disclaim 'MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.' which is the key: they are not marketed.
Concretely that means that free software developers should probably not directly advertise their software since this could be seen as an attempt at marketing.
Posted Dec 12, 2023 15:59 UTC (Tue)
by khim (subscriber, #9252)
> All three disclaim 'MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.' which is the key: they are not marketed.

Yes. But if you are creating a GitHub page and write a README there then now you are marketing something. The bar is pretty low. You may get away with a simple README file, especially if you put disclaimers there in place of the usual “I have created something wonderful” spiel. What you may see on Apache.org or rust-lang.org is definitely marketing. And that's by design.
Posted Dec 13, 2023 1:36 UTC (Wed)
by bluca (subscriber, #118303)
Posted Dec 12, 2023 13:02 UTC (Tue)
by jejb (subscriber, #6654)
Theoretically yes. However practically, to comply with the cybersecurity best practices mandated by the CRA you have to be on the latest stable revisions of the project.
Posted Dec 12, 2023 13:17 UTC (Tue)
by farnz (subscriber, #17727)
Note that the proposed rules do not "mandate" cybersecurity best practices; rather, they say that when a supplier offers an update to a piece of software you're using, that supplier is no longer liable to you if you fail to take the update and then fall foul of a defect in the software.
Basically, there's lots of places in the rules where liability is brought to a hard stop by the buyer's inaction, and this is one of them; if I tell you that there's an update that fixes bugs, and you don't take the update, I'm no longer liable to you for any bugs in the software I supplied, because you refused to update. You don't have to update, of course, it's just that I stop being liable to you if you don't update.
Posted Dec 12, 2023 13:33 UTC (Tue)
by jejb (subscriber, #6654)
Well they try to. It's one of the explicit goals stated in Article 1:
This Regulation aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle. It also aims to create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.
Posted Dec 12, 2023 14:57 UTC (Tue)
by farnz (subscriber, #17727)
It tries to set market conditions that will lead to people taking cybersecurity seriously, but it doesn't try to mandate any particular set of practices; part of the idea is that I now have to face up to the tradeoff of updating every week (because my vendor releases a required update weekly) versus being liable for cybersecurity issues for 3 weeks out of every month. Equally, as the vendor, I now have a tradeoff to make; do I release an update daily, and risk upsetting my customers (who have to keep up or take on the liability that used to be mine), or do I release monthly, increasing my window of risk, but making my customers happier?
Posted Dec 12, 2023 9:24 UTC (Tue)
by b7j0c (guest, #27559)
Posted Dec 12, 2023 9:45 UTC (Tue)
by coriordan (guest, #7544)
The EU regulation is also important because someone will have to comply with it for software "imported" from outside the EU.
We (free software projects/community) didn't ask for this regulation, so there will be a temptation to say "not my problem, let the EU deal with the problems they create". That strategy might not work well, particularly if other countries adopt similar laws and we end up with Canadian projects only being distributable in Canada, and UK projects in the UK, and EU projects in the EU.
These laws are not good, but it's probably in our interest to find an efficient way to work on compliance in a collaborative way that minimises the overall work required.
(I was part of the team that worked to fix the CRA. The final text is a lot better than the original proposal, but we weren't able to get everything we wanted.)
Posted Dec 12, 2023 10:14 UTC (Tue)
by b7j0c (guest, #27559)
Posted Dec 12, 2023 11:09 UTC (Tue)
by kleptog (subscriber, #1183)
That's easy: any *users* of software. Software developers want to push any risk onto the customers. The customers on the other hand are tired of being sold software that is ridiculously insecure, and since the number of software consumers vastly exceeds the number of software developers, it's fairly obvious where these laws are coming from.
See for example the SolarWinds breach. That cost a lot of people a lot of money, and the company itself can simply wash their hands with "we didn't actually promise it was secure". I don't see why anyone considers that an acceptable state of affairs.
Posted Dec 12, 2023 16:08 UTC (Tue)
by khim (subscriber, #9252)
I think it's the exact same story as with any other industry. Every industry complains that any safety regulations imposed on it would kill it (doesn't matter whether we are talking about food producers, car makers or bridge builders), yet every industry is regulated in the end. I think it's “system working as intended”, BTW: while best security practices are good for society as a whole they are not profitable for any individual producer, which means market forces couldn't induce them. And when market forces don't work it's time for the government to intervene. That's what is happening now.
Posted Dec 12, 2023 17:07 UTC (Tue)
by farnz (subscriber, #17727)
And worth noting that on the food producer side, the EU has a long history of regulations that scale with your business. As a keeper of 4 chickens, EU regulations on food safety say very little about the eggs I produce, beyond a requirement that I identify myself as the producer if I give away or sell those eggs. If I then scaled up my chicken count, I'd hit more and more regulations - ones on vaccination, on how the chickens are housed, on reporting disease in my flock and more.
One thing that we need to be cautious about is that in trying to push for software to be an exception to regulation, we may end up pushing regulators into a world where software is treated as a single blob where Joe in his basement giving away source only that he thinks is cool is treated identically to Amazon or Google selling products containing software, instead of carefully considering the relationship between the different entities and ensuring that the costs of regulation fall on the people who make money from software, not merely on a random person in Nebraska.
Posted Dec 12, 2023 17:36 UTC (Tue)
by pizza (subscriber, #46)
Unfortunately, this appears to be what is currently happening, and intentionally so.
> instead of carefully considering the relationship between the different entities and ensuring that the costs of regulation fall on the people who make money from software, not merely on a random person in Nebraska.
I tend to agree that having regulations (and potential liabilities) scale with the size/scope of your commercial activities is an appropriate approach.
Posted Dec 12, 2023 17:42 UTC (Tue)
by farnz (subscriber, #17727)
So does the EU, normally - food safety regulations, for example, scale with the size of your operation, precisely because the danger you pose is limited if your operation is small. It's only big operations that are high risk, and that's where the pain falls as a result.
Posted Dec 12, 2023 17:59 UTC (Tue)
by khim (subscriber, #9252)
The only issue is that software is different. If you have 4 chickens then you wouldn't be producing eggs which are then used by billions of people. But in the software world the situation is ridiculous: of course when there is software used by trillion-dollar corporations which is supported only by 16 unpaid volunteers… there are bound to be trouble! In some very real sense open source software was too successful and too well-done. Many critical parts of the infrastructure are only supported by an insanely tiny group of volunteers and thus regulations are placed on these volunteers which are usually expected to be shouldered by huge corporations. There are no easy and simple answers here: ultimately we don't want to live in a world where two volunteers keep billions of devices going, but how may we go from point A (where such situations are the norm) to point B (where projects that are used by trillion dollar corporations are adequately funded as their scale would demand)? That is the issue which the EU tries to crack.
Posted Dec 12, 2023 20:19 UTC (Tue)
by mfuzzey (subscriber, #57966)
So if I publish some piece of open source code that then gets used by $COMPANY in their $GADGET the entity that should be liable for any bugs (security or otherwise) is $COMPANY, not me; after all they are the ones deciding to use it and, more importantly, the context in which it is used, which has a great impact on the exploitability of any vulnerabilities. Perhaps $COMPANY could shift some of the liability to $OTHER_COMPANY if they had a commercial relation with them to provide some software for their product and $OTHER_COMPANY decided to use my code.
If I were providing prebuilt binaries for people to download (as pure software, because an individual isn't likely to be shipping devices) then it's a bit muddier. But if I only ship source and let people build it, not so much.
Posted Dec 12, 2023 20:54 UTC (Tue)
by khim (subscriber, #9252)
Yup. That's the idea that is explicitly and consciously rejected by lawmakers. Please read the article on Apache's blog. Indeed. And that's what open-source advocates are missing. They all implicitly assume that there are some open-source hobbyists who couldn't and shouldn't be held responsible ever and there are large and evil $COMPANY that take that work and can afford to indemnify it. But that's not how the world works at all. Think MythTV. The company that produces a DVR based on MythTV may include a couple of hardware engineers, one software guy and a few people in marketing. With actual manufacturing outsourced to some guys in a far away jurisdiction. And you want to make that one guy responsible for all the liabilities that may happen in millions of lines of code which said guy got from the MythTV project and those guys got from the Linux Foundation, Debian and other large groups of people? Lawmakers, pretty reasonably, assume that it would just never work. This idea would just mean that the majority of the EU software industry (which mostly includes tiny companies which take existing products from large US companies and open source guys and add a small amount of glue code) would be wiped out. And you may bet a pretty large sum on the desire of EU legislators to keep these small guys around. That, by necessity, implies that large open source “forges”, if, maybe, not individual contributors, would have to deal with liabilities. And that's it. How they would stomach that cost is a different matter, and I don't think even EU legislators know how precisely this should be handled. Most likely the model adopted by the x265 guys would be the end result: open source developers write the code and provide some instructions about how to build that thingie, but there are no instructions which explain how that code can be used and there are no binaries which make it possible to actually run that thingie.
And there would be separate guys who would sell these binaries and these would include indemnification. You can be 100% sure that the first thing they would do is to attempt to shift the responsibility and put it on those guys who are providing binaries. Later, if that would fail, they may seek some $OTHER_COMPANY. All these things are pretty obvious if you try to look at the situation from outside of the FOSS bubble, but for some reason lots of FOSS advocates couldn't do that. They are looking at what's happening from their POV and ignore the desires of the majority, the people who are using software but never write or change it. In a democracy their opinion should be dominating and AFAICS that's precisely what is happening.
Posted Dec 12, 2023 22:12 UTC (Tue)
by snajpa (subscriber, #73467)
[Link] (1 responses)
> Although the IT industry is still small compared to other large industries and sectors, [...]
I mean it's really hard for me to take the whole article seriously after a statement like that. I've spent quite a bit of time today trying to uncover the actual evil in any of the drafts or existing relevant legislation, but 404 Not Found. All I see is FUD, and I have a strong feeling this pushback is coming from the corporations _alone_, even if it's a foundation whose voice is being heard here. (where do the hundreds of millions $ in annual revenue come from, haha)
Posted Dec 12, 2023 22:25 UTC (Tue)
by snajpa (subscriber, #73467)
[Link]
Posted Dec 12, 2023 23:44 UTC (Tue)
by bluca (subscriber, #118303)
[Link] (10 responses)
Obviously not. MythTV, as a legal entity, is liable, not a random employee. How they arrange to fulfill that liability is their problem.
> This idea would just mean that the majority of EU software industry (which mostly includes tiny companies which take existing products from large US companies and open source guys and add small amount of glue code) would be wiped out.
Good! If they can't maintain secure software, they must be stopped from being in business. If you can't build a car that satisfies safety requirements, you go out of business. If you can't produce food that satisfies quality requirements, you go out of business. If you can't produce medicines that satisfy health requirements, you go out of business. Why on earth should it be any different for the electronics consumer market? It's mad that this no man's land was allowed to go on for as long as it did, and it's about time the adults stepped in and put some order in this absurd mess.
> That, by necessity implies that large open source “forges”, if, maybe, not individual contributors, would have to deal with liabilities.
This is an absurd, hallucinatory non-sequitur that has no basis in reality, laws or regulations. It's FUD of the highest order. The liability is with whoever puts the product on the market. It boggles the mind that it has to even be said.
Posted Dec 13, 2023 0:13 UTC (Wed)
by khim (subscriber, #9252)
[Link] (9 responses)
What legal entity? I'm not sure if Isaac Richards passed rights for mythtv.org to someone, but even if he did there are lots of projects out there which work as critical part of our digital infrastructure yet are still, formally, personal projects of someone. Nah, you get billions of government bailouts. Only if you couldn't fix things that you are required to fix even with government subsidies. Not before you would get money to fix the issues and recommendations to follow. Who said it's any different? EU does work to ensure businesses survive, electronics consumer market is not an exception. Yes, there are both stick (government makes sure there are requirements to follow) and carrot (government makes sure requirements are not too onerous and only affect the ones unwilling to follow the requirements). Electronics consumer market is not treated any differently. Right now yes. And that's what EU is fixing. Yes. And EU, quite sensibly, says that these entities have well-known names: Apache Software Foundation, Linux Foundation, Debian and so on. A significant amount of code in Debian is created by huge corporations, after all. Critical pieces, without which Debian wouldn't exist: GCC, Clang, Linux kernel and lots of other software. Which is a fact. And, according to EU, the whole scheme with “noncommercial foundation which couldn't be held responsible” is just a thinly veiled scheme to shirk responsibility. Why should it be allowed to continue? Lawmakers are equally baffled. I mean: does a car dealer have a liability if a car has a defect? Only if said dealer tinkered with it and made it unsafe, right? Why then someone who sells you Debian or PostgreSQL should be held responsible if that's not their fault?
Posted Dec 13, 2023 1:32 UTC (Wed)
by bluca (subscriber, #118303)
[Link]
The one that sells the VCRs you were talking about, obviously, they are the ones putting a product on the market.
> I'm not sure if Isaac Richards passed rights for mythtv.org to someone
I have no idea who that is, but as long as they are not selling in the single market, there's nothing for them to do.
> but even if he did there are lots of projects out there which work as critical part of our digital infrastructure yet are still, formally, personal projects of someone.
Projects don't end up as "critical infrastructure" by osmosis. Somebody puts them there. A repository on Github doesn't magically end up running a power plant all by itself.
> Nah
Very much yes. Try and go sell cars with non-working seat belts and refuse to recall them and fix them, and see how far you go before you are dragged into court.
> you get billions of government bailouts.
What bailouts? What are you on about?
> Only if you couldn't fix things that you are required to fix
Yes, exactly
> even with government subsidies.
What's this obsession with "government subsidies"? Are you American by any chance?
> Not before you would get money to fix the issues and recommendations to follow.
Receive money? From whom? Can I get some too?
> Who said it's any different?
You did
> EU does work to ensure businesses survive
No, it does work to ensure the _market_ survives, which crucially includes customers. Ever heard of the GDPR? Find me one business that liked that
> electronics consumer market is not an exception.
It very much is right now, before this regulation fixes it
> Yes, there are both stick (government makes sure there are requirements to follow) and carrot (government makes sure requirements are not too onerous and only affect the ones unwilling to follow the requirements).
Sticks were notably absent, until the CRA came along
> Electronics consumer market is not treated any differently.
It's fundamentally different right now. Try selling cars with non-working brakes and refuse to recall them to fix them, and see how you fare. Now try selling phones with known security vulnerabilities and refuse to fix them - no need to use your imagination, this happens daily all over the European market.
> Right now yes.
That's weapons grade nonsense
> And that's what EU is fixing.
No, the EU is fixing a fundamentally broken market where corporations take advantage of a lack of rules and regulation to push out known broken products with no liability, putting customers at risk
> Yes.
Indeed
> And EU, quite sensibly, says that these entities have well-known names: Apache Software Foundation, Linux Foundation, Debian and so on.
The EU never said any such thing
> A significant amount of code in Debian is created by huge corporations, after all.
And nobody cares, since Debian is not a product, so it could be made by green men from Mars for all that it would matter
> Critical pieces, without which Debian wouldn't exist: GCC, Clang, Linux kernel and lots of other software. Which is a fact.
It also wouldn't exist without oxygen and electricity. Which is also a fact.
> And, according to EU, the whole scheme with “noncommercial foundation which couldn't be held responsible” is just a thinly veiled scheme to shirk responsibility.
Debian is not a foundation, so I have no idea what you are talking about at this point, but I suspect that you don't either
> Why should it be allowed to continue?
Because it's not a product on the market. We've been over this already, it's not that difficult.
> Lawmakers are equally baffled.
By posts such as yours and FUD blog posts by the ASF? Probably, assuming they ever came across them, they would be I imagine, yes
> I mean: does a car dealer have a liability if a car has a defect?
Obviously? Why would the shop of a car company that sells to the public not be liable?
> Only if said dealer tinkered with it and made it unsafe, right?
Uh? Why would a car company seller "tinker" with a car that they got from their employer and that they are selling on their behalf?
> Why then someone who sells you Debian or PostgreSQL should be held responsible if that's not their fault?
Because they are putting a product on the market. I really don't see what's so difficult about this, it seems really straightforward.
Posted Dec 13, 2023 10:24 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (7 responses)
This is not right. In fact, it's so bad it's not even wrong. IT'S TOTAL GARBAGE.
Europe's entire consumer protection legislation edifice is BUILT on the premise that the guy who SELLS the product IS LIABLE.
I've just bought myself a car. A brand new Volkswagen to be precise. And let's assume the engine fell out on the way home and the car was destroyed. THIS IS NOTHING TO DO WITH VOLKSWAGEN. The law places ALL responsibility on the dealer. (We'll forget that I have a legal liability to have insurance, and that will absorb a chunk of it.) It is the DEALER'S problem - he may - should - have backup contracts / liability sharing / what-have-you with Volkswagen, but that's down to him. As the consumer, I go to the dealer, and HE HAS TO FIX IT.
I've actually used that, with that big retailer who "is never knowingly undersold". A three month old phone broke, and I took it back. The crucial point here is I bought it end-of-line in a sale ... They said to me "We can't replace it, we have a deal with the manufacturer so we can't repair it, you can have a refund". Leaving me £20 out-of-pocket if I replaced it like-for-like. I just replied "It's got a warranty. Repair or Replace. Otherwise you're charging me for a warranty repair."
It still ended up costing me £20, but that's because I got an upgraded replacement, and that was the difference between like-for-like and what I walked off with.
Which is why people like pizza should have nothing to worry about. If he's uploading to some random forge, there is no "placing on the market" to trigger liability. To the best of my knowledge, forges have nothing to worry about either, because they provide a market place, they aren't placing anything on the market either. (And I think that might actually be explicit in the legislation.) And even if pizza's doing stuff for money, all he needs is for the contract to say either (a) that pizza will undertake best efforts and his employer will warrant to fix things if they break (probably by employing pizza again), or (b) pizza will include the cost of insurance in the invoice. And if the employer doesn't like it, well he's always (with Open Source) got a third choice - do it himself!
Cheers,
Posted Dec 13, 2023 11:03 UTC (Wed)
by khim (subscriber, #9252)
[Link] (5 responses)
Sure, but we are not talking about that. We are talking about the next step: what happens after. All car dealers that I have ever seen contacted the manufacturer if it's their defect. Sure, if someone stole some screws while the car was with the dealer, the manufacturer is not to blame and the car dealer goes to court. But if the car dealer can prove that he hasn't touched anything and the goods were defective when they left the factory then it's on the manufacturer, 100%. The law applies the exact same rules to software. Why is it so hard to understand and accept? Sorry, but this couldn't be right. One of them has to be responsible. Like in retail: a supermarket may be selling under its own name and then would be responsible, or may provide space for others to put their booth and then those others would be responsible, but someone has to be liable, or else why have the whole charade of a law if no one is responsible for anything? And that is why the law is shaped like it's shaped. It's completely inconceivable that one guy whom you can find on freelancer.org and who knows how to combine LAMP with 100 lines of his own code should be responsible for the whole thing. Someone big enough must be responsible, or else the whole scheme wouldn't work. Even if some idiotic lawmaker would try that, said guy simply has no means to review and support millions of lines of code in LAMP. And yes, if that would mean that open source would disappear entirely and would be replaced by Microsoft and Oracle $$ offerings then lawmakers would accept that: that world would always have someone who can be, reasonably, made liable for software.
Posted Dec 13, 2023 11:15 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (2 responses)
Legislatively, the liability stops with the car dealer. If the manufacturer says "nope, not going to fix it, your problem", that's the car dealer's problem to deal with.
In practice, as a result, car dealers refuse to sign contracts with manufacturers that permit manufacturers to say that - they instead require manufacturers to sign up to contracts that allow the dealer to pass liability backwards down the chain to the manufacturer.
But, for example, if the car dealer you bought your car from goes bankrupt, you have no legal claim against the manufacturer, only against the car dealer's remains. Manufacturers will usually intervene in this case, for the benefit of the brand, but they are under no legal obligation to do so.
The CRA, while not perfect, is an attempt to try and fit similar rules to software - it's just that because of the nature of software, it's a lot easier for vendors to sell you just one piece of the final product (a simple piece like a start-up script), and require you to assemble the rest of the software from other places, and the CRA wants to block off that sort of shenanigans. But this is new rules for software.
Posted Dec 13, 2023 11:38 UTC (Wed)
by khim (subscriber, #9252)
[Link] (1 responses)
You are talking about defect fixing. I'm talking about liability. And, of course, in case of an accident your car maker may be found liable and that doesn't depend just on what the contract between the dealer and the car maker says. The manufacturer can disclaim some liability, sure, but not everything. Lol. That loophole was closed years ago. I still remember times when the law worked like that in Russia. Big companies just never sold anything; they created tiny dealers which sold goods and then disappeared after 3 or 6 months. And then your warranty was pretty much pointless and companies could save money. That's a no-brainer scheme, really. Of course these loopholes were patched up and today the law doesn't work like that. Whether the manufacturer would be held liable or not is determined by a large body of law, but if a car design defect leads to deaths it's almost always judged to be the manufacturer's fault. Why shouldn't a defect in MySQL or Apache Web Server be treated in the same way?
Posted Dec 13, 2023 12:07 UTC (Wed)
by farnz (subscriber, #17727)
[Link]
In the UK, it still works like that - the manufacturer can disclaim all liability and pass it onto the dealer. The dealer is the entity that cannot disclaim liability. A US lawyer talking about liability in the US is kinda irrelevant here - we're not (yet?) a state of the USA.
We closed the loophole differently; the liability for manufacturing defects is created at the time the sale happens, and is thus part of the company that you have to handle while you close the company down; if you've not done so, then the directors of the company that was closed down have committed a criminal offence, and can both be forced to pay out the liabilities personally (possibly making them bankrupt), and banned from ever running a UK company again. This makes the trick you describe effectively impossible - you need to find genuine directors for your new company (otherwise it's just a trading name of the manufacturer), and you will not be able to do so if you're burning through them every 3 months or so, and discarding them with huge liabilities that they agreed to.
Further, to close a company down requires you to transfer all of its assets and liabilities out - if you transfer assets out without transferring out liabilities, then the company becomes insolvent, and the asset transfers can be undone to make the company solvent again (since it's illegal to engage in any transfer that makes the company insolvent). The only way to leave liabilities behind is to go bankrupt, but in UK law, that requires you to prove that the company could not continue trading - and also opens up opportunities for the bankruptcy court to "pierce the corporate veil" and say that the company is merely a front for another entity, who thus is liable for everything the company did as-if they did it themselves. In the case of the scheme you describe, the company would be deemed (in bankruptcy) to be a front for the manufacturer, and thus the manufacturer becomes liable because they created the company purely to avoid liability.
And if you remember when it worked like this in Russia, then Russia had this problem a long time after the mechanisms I loosely describe above came into being in England & Wales; these mechanisms built up in the 18th and 19th centuries, and were fully in place by the beginning of the 20th century.
Posted Dec 13, 2023 13:18 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
Sorry, but this is the "it's not my fault" fallacy. It's what frauds and conmen like to do - "it's your fault for falling for a scam". What if it's NOBODY'S fault? Certainly the moral position is quite clear - if you are actively benefiting, then you have to warranty what you're doing. And for the most part, the law agrees. If you're benefiting from actions that injure someone else, then you're responsible.
That's why it's "follow the contract". That's why when I purchase a car from a dealer it's the DEALER who is liable for EVERYTHING. That's why the DEALER will have a CONTRACT with Volkswagen to indemnify the dealer for faults in Volkswagen's products.
I dunno about the law where you live, but that's why, when we have a recall for faults, it's the DEALER who fixes everything. It may well be Volkswagen that actually pays for it, but that's between the dealer and Volkswagen - nothing to do with me! And that's why manufacturers don't like recalls - because it's the CONTRACT between them and the dealer that says they pay for it. How else would UK law get a German manufacturer to fix defects in cars (not in this case, but in others) made in the Far East? They push all the responsibility on the guy SELLING the PRODUCT, and expect them to cover their backs with contracts. And if those contracts are straw, then that's the dealer's tough luck.
As for your example of manufacturers setting up little dealerships and letting them go under - well we have "evasion" regulations. If the purpose of setting up the dealership is to let it go bust and evade liability, English law certainly will "pierce the veil" and say "this dealership is a fraud. For the purposes of the law it never existed and its supplier is on the hook instead". Actually invoking that may be tricky, but that's what the law says, that's how the law deals with it. The law doesn't say "the manufacturer is responsible", it says "the manufacturer is fraudulently dodging responsibility". J Random Hacker quite clearly isn't setting up legal shell distributors with the intention of evading responsibility, fraud clearly isn't on the table ... the customer is getting EXACTLY what he (didn't) pay for. (Likewise with J Random Forge - there's nothing that could remotely be described as fraudulent.)
Cheers,
Posted Dec 13, 2023 13:24 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
> But if the car dealer can prove that he hasn't touched anything and the goods were defective when they left the factory then it's on the manufacturer, 100%.
But that's down to the dealer's contract with the manufacturer. NOTHING TO DO WITH ME. If the manufacturer can't/refuses to honour their contract with the dealer, NOTHING TO DO WITH ME.
The car isn't fit for purpose. The dealer legally MUST refund me. If they can't get the money back from the manufacturer, NOT MY PROBLEM.
(Okay, in practice, I might have considerable difficulty in enforcing this - if the manufacturer refuses to bail out the dealer, the dealer may go bust and I lose my money, but that's not the law, that's the law in practice, a very different thing.) And in that case, the receiver SHOULD sue the manufacturer on my behalf, but is that ever going to happen?
Cheers,
Posted Dec 13, 2023 11:38 UTC (Wed)
by mb (subscriber, #50428)
[Link]
Well, that depends on whether it's a case for "Gewährleistung" or "Produkthaftung".
Posted Dec 13, 2023 9:57 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (29 responses)
> Yup. That's the idea that is explicitly and consciously rejected by lawmakers. Please read the article on the Apache's blog.
Then those lawmakers don't have a clue about law. This would up-end the entire world of commercial contracts, liability, everything. I'm all for treating the software industry like any other, and THIS ISN'T IT.
Cheers,
Posted Dec 13, 2023 10:47 UTC (Wed)
by khim (subscriber, #9252)
[Link] (28 responses)
Show me one jurisdiction where manufacturing mistakes in a car are the responsibility of the car dealer and the actual manufacturer is exempt and we'll go from there. Why? It's like any other business, according to the law: the guy who did the final packaging work is liable for everything, but if the problem is with components (namely Debian or an NPM module) then the producer of said component is on the hook. And if Debian inherited a bug from the Linux Foundation then said Linux Foundation is responsible and so on. AFAIK that's how all other industries operate, too: unless you sell counterfeit, you may easily send all these safety requests to the manufacturer if you are just a box mover. Why should software be any different?
Posted Dec 13, 2023 11:24 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (8 responses)
England & Wales has been that way forever. A manufacturing fault in a car is the responsibility of the dealer in law, and the manufacturer doesn't come into it.
In practice, dealers are unwilling to take on liability for manufacturing defects without being able to pass it back to the manufacturer, and thus sign contracts that state that - and manufacturers include "warranties" as part of selling the car to the dealer that can be transferred to the final customer, but legally speaking, if I buy a brand new BMW from Park Lane Limited tomorrow, only Park Lane Limited are liable for manufacturing faults.
Posted Dec 13, 2023 15:25 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
So as I've said elsewhere, I deal with the DEALER. Any problems, as far as I'm concerned, are the DEALER'S problem. But because the dealer was the manufacturer's agent, if there are problems I can target the manufacturer as a backstop. But that's not always true.
And because this is almost invariably hidden from the customer, any attempt BY THE DEALER to HIDE behind this would pretty much instantly be slammed as fraud or deception. (It's not a problem in the normal course of events, because it's not used in the normal course of events to evade liability. It's just a convenient legal fiction.)
Cheers,
Posted Dec 14, 2023 0:06 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (6 responses)
What happens if you buy a BMW from Totally Honest Guys Inc. that goes bankrupt and is liquidated tomorrow? I'm really curious.
Posted Dec 14, 2023 9:07 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (3 responses)
Which is why you should always look seriously askance at any (sales) company that says "we guarantee our own products". If the company goes bust, the guarantee goes with it.
As was mentioned elsewhere, typically BMW will provide a guarantee with the Mini, which the dealer then transfers to you. You now have a CONTRACT with BMW, mediated by the dealer, and if the dealer goes bust BMW will guarantee the contract. Likewise if the dealer was mere agent your contract is with BMW, not the dealer.
Elsewhere you should look for companies that say "we have an insurance contract that covers our guarantees" - you now have a CONTRACT with the INSURANCE COMPANY (or will have, when the receiver transfers it over to you, which they have no choice about). Or the supplier provides a warranty - that's more hassle and grief than going through the retailer, but at least it's a back-stop.
Cheers,
Posted Dec 14, 2023 9:55 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
Cheers,
Posted Dec 14, 2023 10:05 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (1 responses)
Cheers,
Posted Dec 14, 2023 10:46 UTC (Thu)
by farnz (subscriber, #17727)
[Link]
Manufacturer recalls are slightly different; those exist because to get a V5C (registration document showing that the car is allowed on the road), you must first show that the car meets requirements.
There are two ways to do this:
This is entirely separate from general liability - it's part of having the rights to use type approval to get a V5C instead of having to use individual vehicle approval.
Posted Dec 14, 2023 9:31 UTC (Thu)
by geert (subscriber, #98403)
[Link]
Posted Dec 14, 2023 10:14 UTC (Thu)
by farnz (subscriber, #17727)
[Link]
So, first two questions (since "Inc" is not a legally protected suffix in England & Wales); is "Totally Honest Guys" a limited company or not? Second, are the debts contractual (in which case, you're an ordinary creditor) or statutory (e.g. goods of merchantable quality, in which case you're a priority creditor)?
If they're not a limited company, then you're probably stuffed; you've been dealing with a trading name used by a single individual or group of individuals, and you're limited to what you can get out of them personally; if they've got insufficient assets to cover you, you're out of luck. If their liability to you is statutory, however, you get to "go first" when it comes to their remaining assets, before the ordinary creditors; but usual rules about money from nothing apply.
If they're a limited company (i.e. have a company registration at Companies House), it gets more complicated; the liquidation is supposed to put aside a "residual" of the company to cover potential liabilities to priority creditors, which pays out to ordinary creditors as the liabilities fail to materialize. If there's not enough left to put aside a full residual, the directors were trading while insolvent, which is a criminal matter in its own right, and also puts them on the hook personally for any liabilities the residual fails to cover; trading while insolvent (at a minimum) prevents you being a company director for a period of time, and can include a jail sentence. The residual will pay out the liabilities if they occur, or will pay the ordinary creditors if the liability fails to materialize (e.g. if 7 years after bankruptcy, your car has been fine, the money that was put aside to cover the risk that your car needed repair, replacement or partial refund due to merchantability issues will have gone to ordinary creditors in full).
In practice, BMW probably step in to protect their brand in either case, if it's a new car; "Totally Honest Guys" is, if selling new cars, almost certainly trading as "BMW New City" or similar, and BMW want you to be talking about how they stepped in to help you out, not about how you bought a new BMW and had a really bad experience when "BMW New City" went bankrupt.
Posted Dec 13, 2023 11:28 UTC (Wed)
by mb (subscriber, #50428)
[Link] (14 responses)
Under German law that is actually possible:
https://www.ihk.de/darmstadt/produktmarken/recht-und-fair...
>Händler sind aber immer dann unbeschränkt haftbar, wenn sie die fehlerhaften Produkte von einem Importeur gekauft haben, der aus einem Drittland importiert und dessen Name nicht feststellbar bzw. auffindbar ist. [..]
Deepl translation:
>However, retailers are always liable without limitation if they have purchased the defective products from an importer who imports from a third country and whose name cannot be determined or traced. [..]
Posted Dec 13, 2023 11:46 UTC (Wed)
by khim (subscriber, #9252)
[Link] (13 responses)
Thanks for being constructive and offering concrete evidence and not just your ideas about how the world should work and not about how it works. Yes, if a dealer imports something from abroad and the court couldn't reach the actual manufacturer then the importer may be held fully responsible, which makes perfect sense: the court would love to make the actual guy who does “bad things” responsible, but if they are out of reach… the importer would have to shoulder that responsibility. Makes sense. I guess that idea would be applied to software, too. Hmm. This would mean that if forges would just leave the EU they may avoid all the blame. I wonder what would be the next step, though. Make use of Debian or Gentoo, directly downloaded from outside of the EU, illegal? We'll see, I guess.
Posted Dec 13, 2023 13:01 UTC (Wed)
by bluca (subscriber, #118303)
[Link] (12 responses)
Posted Dec 13, 2023 14:01 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (11 responses)
The difficulty is that Debian can be both a component supplier and a seller to consumers itself; for the purposes of the CRA, me downloading a binary ISO for personal use from debian.org can count as a sale of a product (this being how the CRA intends to prevent - for example - free trials of a proprietary product, or advertising-supported products that are also free at point of distribution from being exempt from the CRA). Whether or not it counts depends on the details of the CRA.
Now, me acting as an employee and downloading Debian is not guaranteed to be a purchase of a product for the purposes of the CRA, because my employer is not a private individual, and thus for business-to-business transactions like that, the contract terms matter.
Posted Dec 13, 2023 14:55 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (9 responses)
And any attempt to make Debian, or Gentoo, or Sourceforge ... liable to J Random Downloader will make a complete mockery of contract law. It's not going to happen.
Absent SOME sort of contractual relationship between the user of the software and developer or download site, nothing will be able to stick. All this angst about liability will only come to pass if there is some sort of fraud, or deception, or otherwise attempt to benefit without taking responsibility.
Writing software for pleasure and giving it away cannot in any way be construed as malicious, fraudulent, deceptive practice, or whatnot. Absent that, a contract is an absolute minimum for transfer of liability. Absent both of those, you're untouchable (well, maybe not, anybody can sue for anything, but European courts are far more likely to call that for what it is - a malicious plaintiff, and then they're not facing the wrath of their victim, they're facing the wrath of the court, which is NOT a nice place to be!)
Cheers,
Posted Dec 13, 2023 14:59 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (8 responses)
Offering a download to all comers is a contractual relationship, as to do so you need to grant permissions under copyright law. It's not a very strong relationship, but it exists - else by downloading it, you're breaking copyright law, and the offerer has acted to incite you to breach copyright.
Posted Dec 13, 2023 16:06 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (7 responses)
"Offering for download" is NOT "mutual consideration".
Cheers,
Posted Dec 13, 2023 16:07 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (6 responses)
There is a mutual exchange of consideration; Debian offers you a copyright licence, and you agree to be bound by its terms. It's not a big exchange, but it is an exchange of consideration, and enough to establish a contract.
Posted Dec 13, 2023 16:36 UTC (Wed)
by bluca (subscriber, #118303)
[Link] (3 responses)
Posted Dec 13, 2023 16:42 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (2 responses)
It owns a copyright on the aggregation of the software into a single ISO image (the editorial choices about what to include and omit) - it can give you a licence to that. It can't give you a custom licence on the code inside the aggregation, though. And it's a licence for that aggregation that it's offering, in return for you accepting Debian's terms.
Posted Dec 13, 2023 17:17 UTC (Wed)
by bluca (subscriber, #118303)
[Link] (1 responses)
Posted Dec 14, 2023 11:57 UTC (Thu)
by paulj (subscriber, #341)
[Link]
Without a clear and explicitly worded exception in the CRA for things like Debian, we may end up having to wait for cases to arise in a few member states. We do know the likes of ASF believe the CRA is /designed/ to apply to foundations like them, as they have directly engaged with relevant EU legislators on the issue. In the worst case, we may need to wait till a case goes to the ECJ to get clarity.
Posted Dec 13, 2023 21:00 UTC (Wed)
by xtifr (guest, #143)
[Link] (1 responses)
No. All Open Source licenses (or licenses which comply with the Debian Free Software Guidelines) are distributor licenses, not user licenses! The licenses grant Debian the right to give you the programs, but you are under no obligation to accept or comply with those licenses! Of course, without the permission granted by those licenses, you cannot make copies for others (or in the case of the AGPL, run the code on a public-facing server), but unless you want to make copies for others, that's a non-issue, and you can ignore the licenses rather than accept them. The GPL even explicitly states that you need not accept it and can instead choose to be bound by normal copyright law--which means no making copies. And if you do choose to accept the license terms and distribute the code, that's between you and the copyright holders! Aside from code Debian actually wrote (apt, dpkg, etc.), Debian didn't offer you any licenses! They merely passed along the license offers. There is no agreement between you and Debian regarding the kernel or the shell or python or X or anything. Debian merely exercised their rights under the license to give you a copy; their involvement basically ended when the download finished!
Posted Dec 13, 2023 21:24 UTC (Wed)
by farnz (subscriber, #17727)
[Link]
But Debian aren't just offering me the software; they're also offering me their arrangement of that software into a compilation, which itself has a form of copyright applying to it. The licence I accept from Debian may well be implied, rather than explicit, but I need some form of permission to allow me to copy that arrangement.
In EU law, there's certain licences that are granted automatically as a matter of law, but they're still enough to function in terms of the offer, consideration, acceptance set required to form a contract - Debian, in this case, is offering me a licence (which it presumably has permission to do) that permits me to download the installer image.
Posted Dec 13, 2023 16:21 UTC (Wed)
by bluca (subscriber, #118303)
[Link]
Those clauses are clearly and explicitly defined to catch freeware/lite/ad-free/platform/base versions given out in the course of a business venture. So it does not apply at all to Debian: there is no "full" or "ad-free" version of Debian that you can get if you sign a contract, there is no business to the side that benefits from giving away the images, there's nothing at all, it's all just there. It very clearly does not fall into that category.
Posted Dec 13, 2023 11:48 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (2 responses)
This is EXACTLY how box movers get clobbered for selling counterfeit goods. The box mover has a contract with their supplier, and passes the buck back up the chain. If the box mover tries to pass liability to the manufacturer, they just reply "counterfeit" AND THE BOX MOVER IS ON THE HOOK!
Cheers,
Posted Dec 13, 2023 11:56 UTC (Wed)
by khim (subscriber, #9252)
[Link] (1 responses)
Let us see if Debian would succeed in declaring that copies used in NAS boxes are counterfeit or not 🤪.
Posted Dec 13, 2023 14:57 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
Cheers,
Posted Dec 13, 2023 12:29 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
Why is the producer of said components on the hook? NO CONTRACT - NO LIABILITY. END OF.
At the end of the day, if "the guy who did the final packaging" needs to pass liability onwards, then he needs a contract that allows him to do so. Without a contract, he's SOL.
Cheers,
Posted Dec 14, 2023 11:58 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
> Yup. That's the idea that is explicitly and consciously rejected by lawmakers. Please read the article on the Apache's blog.
And I've just realised where this misconception comes from, and why it's "deceiving by failing to tell the truth, the whole truth, and nothing but the truth".
The EU has no way to make $COMPANY liable, if said company is not based in the EU. The law is pragmatic. So it makes the people who *handle* $GADGET *inside* the EU liable.
Which means they make $COMPANY contractually liable, and if they don't consider $COMPANY trustworthy to honour the contract, they just don't do business with them and these unsafe and unreliable products have no official route into the EU.
Cheers,
Posted Dec 12, 2023 21:30 UTC (Tue)
by farnz (subscriber, #17727)
[Link]
Reading your comment brings a compromise possibility to mind:
First, you cannot disclaim liability in a B2C supply situation; if this is otherwise recognised as a B2C supply, you've got to accept the liability that arises from your distribution of a product containing software. This protects many significant cases - WhatsApp, for example, is mostly under B2C distribution.
Second, where you meet the following conditions on distribution to a business (B2B trade, not B2C), you can limit your liability contractually to the amount paid to you by the entity you distributed to:
This means that I can't reduce my liability to zero if I charge for the software I supply - I'm always liable to give full refunds (at least) if I charge money; I can't treat the software I supply as containing any proprietary secret information without incurring liability, since I've given anyone who gets the software from me full permission to redistribute it and to examine it.
It does however, allow the random person in Nebraska whose code is critical to your product to protect themselves from liability, by saying that you have to pay them enough that they can afford to cover the liability if you get bitten by a bug in their code. If you're not willing to pay them that much, then the liability sticks with you.
Posted Dec 12, 2023 11:22 UTC (Tue)
by coriordan (guest, #7544)
[Link] (5 responses)
Small companies sometimes support the idea of these laws if they've only been told of the positives (you'll get software that's more secure) and haven't been told of the negatives (there'll be less software, and specifically less free software).
Same for consumer groups, if they've been told consumers will get software that's more secure but haven't been told that there will be less software, less choice, less competition and less ability for users to get involved in the direction in which software is being developed.
And companies who are competing against free software companies will like these laws if they're written in a way so that compliance is extra difficult if your development model is multi-stakeholder, available to the public at all times, and allows multiple companies to commercialise the same software.
(In the EU, when we saw the original proposal we thought "ha, no one will like this, we'll build a broad coalition and get it fixed". When we actually talked to other sectors, indeed, we were surprised to find organisations cheering for it - including ones who will actually be harmed by it.)
Posted Dec 12, 2023 11:35 UTC (Tue)
by bluca (subscriber, #118303)
[Link]
Posted Dec 12, 2023 13:02 UTC (Tue)
by farnz (subscriber, #17727)
[Link] (3 responses)
Firstly, it's not at all obvious that less software is a negative in and of itself; being able to choose between 1,000,000 software packages, all of which are defective and thus do not solve the problem they purport to solve without creating more problems than it solves is not obviously better than a world in which I have 3 packages to choose from, all of which solve the problem in front of me without creating new problems for me to solve. I would prefer to be in the latter world rather than the former, and liability rules are how you move from the former to the latter in a market economy.
Secondly, implicit in the assertion that this will affect Free software more than it affects proprietary software is a claim that proprietary software is inherently (by virtue of being proprietary) less likely to be defective than Free software; can you back this claim up?
Posted Dec 12, 2023 16:23 UTC (Tue)
by khim (subscriber, #9252)
[Link] (2 responses)
No, the difference is not in the number of defects. If it were that simple then Free software would have been less affected than proprietary software. Most studies show that free software has a smaller number of defects. But proprietary software development process naturally involves formal agreements and lots of money! Debian gets maybe 1 million USD per year (or maybe even less?) while Google collects 40-50 billion USD from Google Play store yearly. That's approximately five orders of magnitude difference! Sure, Debian has many times smaller number of users, too… but the difference is not 100'000 times!
Posted Dec 12, 2023 16:55 UTC (Tue)
by farnz (subscriber, #17727)
[Link] (1 responses)
Right, but you only face liability if your software is defective; for the amount of Free software to fall by a higher proportion than the amount of proprietary software as a result of products containing software having liability, you'd have to have a world where the latest version of any piece of Free software is more likely to be defective than the latest version of any piece of proprietary software. And this limitation on liability (including to released versions that have not been superseded - so Debian could trivially say that the "latest" version requires you to have taken everything in stable-updates for Debian to even be in scope for liability) balances out the relative sizes of the two operations.
Posted Dec 12, 2023 17:00 UTC (Tue)
by khim (subscriber, #9252)
[Link]
This may work fine for Debian, but there are lots of spin-offs that don't follow “best practices” and don't update their distros for months or even years. Thus we may be pretty sure open source would be affected by these laws… but would that necessarily be a negative influence? If all these distros-of-the-day where someone collects some free software, slaps their name on the pile and publishes it as a “new OS”… if these would disappear, would that really be a bad thing?
Posted Dec 12, 2023 11:32 UTC (Tue)
by bluca (subscriber, #118303)
[Link]
Evidently, the "invisible hand of the market" is unable to fix this, it had two decades to do so and it spent them scratching its invisible rear end instead, so time for the adults to step in and fix this mess.
Posted Dec 12, 2023 10:03 UTC (Tue)
by dvrabel (subscriber, #9500)
[Link] (16 responses)
You can't sell a toaster that could electrocute the user.
Why do software developers think they should be able to produce something that causes harm to their users and accept no responsibility for this?
Posted Dec 12, 2023 10:26 UTC (Tue)
by b7j0c (guest, #27559)
[Link] (7 responses)
Posted Dec 12, 2023 11:04 UTC (Tue)
by farnz (subscriber, #17727)
[Link] (6 responses)
In many jurisdictions, though, that waiver is unenforceable if the vendor does not make the buyer aware of a deficiency that the vendor knew about, or should reasonably have known about. So you can disclaim a defect in the foundations that's developed since the house was built, but not a defect in the furnace that should have been visible the last time you had the furnace serviced.
And, as with other forms of liability, this form travels along a chain; if the vendor had the furnace serviced by a contractor who didn't report the defect to the vendor, then the contractor's liable to the vendor for the liability the vendor has to the buyer, plus the vendor's reasonable costs in handling that liability.
Posted Dec 12, 2023 14:09 UTC (Tue)
by Wol (subscriber, #4433)
[Link] (3 responses)
Cheers,
Posted Dec 12, 2023 14:47 UTC (Tue)
by farnz (subscriber, #17727)
[Link]
Even sold "as is" isn't enough to escape liability in my jurisdiction (England & Wales); to make an "as is" sale, you must accurately represent the state of the product, including the issues you know about, or should reasonably have known about. In addition, if you're selling as a business (and not as a private individual), you must also list any issues that would affect my decision to buy the product, even if you don't yet know about them.
However, you're allowed to get it wrong in my favour; for example, you can sell a car as "non-running, engine possibly failed, all parts possibly broken, only suitable for use as scrap metal" when the only thing that's wrong with it is that you haven't put fuel in the tank. If I then buy it, and determine that the only fault is lack of fuel, well, that's me in luck. If, on the other hand, it's rusted through and is just so much scrap metal, well, that's what you promised me, so it's fine.
Private sellers, on the other hand, just have to list what they know about, and what they reasonably should know about - but importantly don't have to tell me about things that might affect my decision otherwise. So a private seller can sell me the same car as "doesn't start", and not have to warn me about other things, unless it's unreasonable for them to not know about them - e.g. they might have to say "timing belt last changed at 135,000 miles, car now at 220,000 miles", since that's a reasonable thing to know about, but not tell me that the metal under the seats is beginning to rust, because who lifts the carpets to check?
Posted Dec 12, 2023 15:00 UTC (Tue)
by b7j0c (guest, #27559)
[Link] (1 responses)
Posted Dec 12, 2023 15:19 UTC (Tue)
by farnz (subscriber, #17727)
[Link]
Waiving contingencies is not the same as "as-is"; it says that as the buyer, I am willing to first show that you had actual knowledge of, or should reasonably have known about, a problem I find before I can hold you liable for any part of it. This makes the sale simpler for the vendor, since in most cases, you don't have problems that you don't know about but reasonably should know about, so it limits the complexity of your disclosure requirements down to "what problems do I have with the house that I know about but haven't yet fixed?"
If you genuinely were selling the house "as-is", you wouldn't need to disclose anything other than the extent of the plot of land, and everything else is simply "as is", and not something you describe in the sale contract.
Posted Dec 12, 2023 14:50 UTC (Tue)
by b7j0c (guest, #27559)
[Link] (1 responses)
My point still stands imho...in the US there is a longstanding precedent for "caveat emptor" ("as-is" carries meaning).
Posted Dec 12, 2023 14:55 UTC (Tue)
by farnz (subscriber, #17727)
[Link]
In many jurisdictions, however, "as-is" does not carry the meaning you're describing - it means "I have told you everything I know about, and everything that's reasonable for me to know about, and I'm not taking responsibility further", and not "caveat emptor", where even if I should know about a problem, it's still your problem when you buy something from me.
In general, you can't, even in the US, say simply "caveat emptor"; you have to first make a good-faith effort to disclose what you know about the product. The only thing that you can do is be wrong in the buyer's favour - you can say "I believe this lock is trivial for a lock picking expert to open" when in fact it's hard for an expert to open, or "I believe a thief could break this safe open in under 30 seconds" when it'd take them 30 minutes to break it open.
Posted Dec 12, 2023 10:27 UTC (Tue)
by snajpa (subscriber, #73467)
[Link] (7 responses)
IMHO, the license stated the software was provided "AS IS" and if you still put it in your product and it blows up due to a bug in the code you pulled, it is you who is liable for the mess, not the person who made the mistake in the code. They didn't force you to pull the code that says it comes without any guarantees. You could have written your own, for example :)
Posted Dec 12, 2023 10:33 UTC (Tue)
by snajpa (subscriber, #73467)
[Link]
Posted Dec 12, 2023 11:55 UTC (Tue)
by Lennie (subscriber, #49641)
[Link] (2 responses)
Posted Dec 12, 2023 12:40 UTC (Tue)
by snajpa (subscriber, #73467)
[Link] (1 responses)
Posted Dec 12, 2023 12:45 UTC (Tue)
by snajpa (subscriber, #73467)
[Link]
Posted Dec 12, 2023 21:53 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
For the bridge to be constructed, a licensed civil engineer has to sign off on the design, usually in exchange for a hefty sum of money. And they would be responsible if it falls. It fits perfectly into the proposed European framework.
Posted Dec 12, 2023 22:05 UTC (Tue)
by snajpa (subscriber, #73467)
[Link] (1 responses)
Posted Dec 13, 2023 10:29 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
On that basis, J Random Developer of Nebraska does not have any CUSTOMERs.
(Of course, it's more complicated in that it's meant to catch people who *pretend* not to have customers, but for J Random, it's pretty clear cut.)
Cheers,
Posted Dec 12, 2023 10:49 UTC (Tue)
by kleptog (subscriber, #1183)
[Link] (11 responses)
The idea that we could add some language to licences to indemnify developers is a non-starter: Microsoft could just add the same language to their licences to indemnify themselves.
The magical world where licences magically protected open source developers from lawsuits never existed. It was always other elements (primarily, since you're not selling a product, the whole discussion of product liability goes away). All the recent legal changes are merely clarifying that "merchantability" also covers "being reasonably secure".
Posted Dec 12, 2023 11:37 UTC (Tue)
by bluca (subscriber, #118303)
[Link] (4 responses)
Posted Dec 12, 2023 13:38 UTC (Tue)
by pizza (subscriber, #46)
[Link] (3 responses)
That is, until the law gets changed to effectively make "publishing" the same as "making available on the market".
...Along with broadening the definition of "commercial activity" to include stuff entirely unrelated to the production of said software.
...Along with making the potential liabilities wildly disproportionate to the amount of commercial gain.
This unholy trio of changes makes F/OSS work either into purely a hobby (ie donations or occasional commercial work to cover your costs!) or something that only large organizations can afford to create.
Posted Dec 12, 2023 13:52 UTC (Tue)
by snajpa (subscriber, #73467)
[Link]
Posted Dec 12, 2023 14:01 UTC (Tue)
by gspr (guest, #91542)
[Link]
Going the opposite direction: At some level of formal language, mathematics becomes code. Most mathematics is not done in such formal languages, but can be translated into one (with lots of work). Are mathematicians liable for damage done by our proofs?
Posted Dec 12, 2023 14:47 UTC (Tue)
by bluca (subscriber, #118303)
[Link]
Posted Dec 12, 2023 14:13 UTC (Tue)
by Wol (subscriber, #4433)
[Link] (5 responses)
But if you're not involved in commerce, it doesn't apply. (Or I presume it doesn't.)
"Merchantability" means "fit to be sold". And if you're not selling it, where's the problem?
(Yes, you might be trying to get around the law, and deserve to be slammed, but you might not, too ...)
Cheers,
Posted Dec 12, 2023 15:10 UTC (Tue)
by pizza (subscriber, #46)
[Link] (4 responses)
The problem is that the [current draft] CRA says that it will apply to "Digital elements" whether or not they are sold or provided free of charge.
Posted Dec 12, 2023 15:20 UTC (Tue)
by bluca (subscriber, #118303)
[Link] (3 responses)
Posted Dec 12, 2023 15:45 UTC (Tue)
by pizza (subscriber, #46)
[Link] (2 responses)
And before I had a legal business registered, I was still "accepting recurring compensation" from EU-based entities for support/bugfix activities. AKA the primary mechanism that "hobby" F/OSS writers use to offset their F/OSS operational costs.
My business has booked a whopping $180 in revenue from European clients in the past 12 months. That's still enough to trigger the full weight of the (draft) CRA's compliance, reporting, and liability provisions, because the threshold is anything more than zero, and my liability extends to all possible users of my software, not just the ones for whom I have a business relationship.
You (and they) say this sort of outcome is not their intent. That's great! But good intentions, while necessary, are no guarantee of a good outcome.
Posted Dec 12, 2023 20:42 UTC (Tue)
by kleptog (subscriber, #1183)
[Link]
Sounds to me like you're providing a bugfixing service, not selling a product. So I don't see how product liability is relevant in your case. The Digital Services Act might be relevant though.
Posted Dec 12, 2023 23:32 UTC (Tue)
by bluca (subscriber, #118303)
[Link]
Posted Dec 12, 2023 14:10 UTC (Tue)
by karim (subscriber, #114)
[Link] (59 responses)
This is where I think it starts getting it wrong: "The point of the above isn’t to say whether this commercial influence is good or bad, it’s to say that the rise of the Foundations have changed the public perception of Open Source. No longer is Open Source seen as the home of scrappy volunteers battling for technological innovation against entrenched commercial interests, now Open Source is seen as one more development tool of the tech industry." I don't know that the PUBLIC knows anything about open source, really. The post then goes on to provide the example of Tulip Trading v. bitcoin developers. Well, Tulip Trading isn't the PUBLIC. It's a commercial entity.
The post somewhat corrects course later: "People are tired of endless cybersecurity breaches compromising their private information, or even their bank accounts, and want someone to be held responsible. Making corporations pay for breaches that damage individuals is enormously popular (and not just in the EU)." THIS is what the PUBLIC is interested in. But then the confusion seems to continue: "Trying to separate individual developer Open Source from corporate Open Source is too subtle a concept to introduce now, particularly when we, and the general public, have bought into the idea that they’re the same thing for so long." The PUBLIC knows nothing of open source. It knows about the products it buys and services it uses. There's no reason for it to care about licensing of software no more than it cares about silicon chips or PCBs.
From my standpoint there is a point where open source gets "reduced to practice" by the commercial entity that decides to package this for PUBLIC use, or even its own use. It is only when that decision is made that liability makes sense. Before that, an open source project is just a bunch of math someone published online. A commercial party's decision to take F=ma and make a product out of it puts any breakage of such a formula in that party's hands, not the person that wrote F=ma.
There is absolutely no reason to make "Common Cause". What the open source community should make clear, loud and clear, is that its publication of math formulas and maintenance of said math formulas on the internet is not in of itself conducive of liability -- nor is receiving funds for working on said math formulas, no more than a university researcher would be held responsible for the math formulas they publish by being funded by any entity, commercial or not. What is conducive of liability is reduction to practice of said math formulas.
Now, I'm not saying the legislator or the courts will get this right, albeit they should. But that's what seems to be missing from this analysis: reducing to practice math formulas and offering such reduced-to-practice-including products/services is where the liability lies. Exactly the same as if I create a non-tech product that relies on F=ma for a toy that ends up harming children.
Posted Dec 12, 2023 16:53 UTC (Tue)
by khim (subscriber, #9252)
[Link] (58 responses)
Nope. Not necessarily “commercial”. Any entity. Debian provides a Linux distro that can be used to do commercial activity. Rust Foundation gives you a compiler. Heck, even the GIMP website allows you to download a pre-compiled binary and start using it! This all is in scope — by design. For that to work like that all distributions of all precompiled software have to cease. And no cheating, like with Gentoo: if a POSITA may use your scripts to build something and use it without reading the code with the goal to enhance his understanding of the world, then it's in scope. I guess free software may exist in such a world: its publication of math formulas and maintenance of said math formulas on the internet is not in of itself conducive of liability… as long as Joe Average couldn't use said math formulas without special education by just following easy to find HOWTOs, then there is no liability. But… would you want to live in a world where publication of a HOWTO may lead to crazy payments if someone would misuse them? That's precisely how chemical formulas are treated after all: if you just teach people chemistry, then you are in the clear, but if you describe how one may create a bomb… you may be found liable even if you haven't made any bombs, personally!
Posted Dec 12, 2023 23:33 UTC (Tue)
by bluca (subscriber, #118303)
[Link] (54 responses)
Posted Dec 12, 2023 23:49 UTC (Tue)
by khim (subscriber, #9252)
[Link] (5 responses)
Let me open debian.org. “Why Debian”, “Our Philosophy”, “User Support”, download links… sure looks like marketing to me. You may argue that Debian doesn't stuff your PC with a bazillion ads, but the reaction of a normal layman would be: “well, they probably should, if they couldn't earn enough money in any other way”.
Posted Dec 13, 2023 0:31 UTC (Wed)
by bluca (subscriber, #118303)
[Link] (4 responses)
Posted Dec 13, 2023 9:59 UTC (Wed)
by gioele (subscriber, #61675)
[Link] (1 responses)
At least in certain jurisdictions (e.g., Germany) and in certain cases (e.g., consultants, digital goods) having a website is definitely marketing ("Werbung") as well as putting something on the market ("Inverkehrbringen"/"Bereitstellung auf dem Markt"). Court rulings have already interpreted such words in a very broad way, for example in the context of the (in)famous "Imprint"-page requirement.
Posted Dec 13, 2023 13:38 UTC (Wed)
by bluca (subscriber, #118303)
[Link]
Posted Dec 13, 2023 15:05 UTC (Wed)
by corbet (editor, #1)
[Link] (1 responses)
In general (for all participants) I suspect that further discussion on this topic is unlikely to be rewarding for anybody involved.
Posted Dec 13, 2023 21:32 UTC (Wed)
by bluca (subscriber, #118303)
[Link]
Posted Dec 13, 2023 2:47 UTC (Wed)
by pizza (subscriber, #46)
[Link] (47 responses)
Huh?
Debian is very much a (not-for-profit) business and they absolutely market Debian GNU/Linux and "make it available" in the EU. Other folks physically produce CDs and give portions of the proceeds to Debian. Sure sounds like commercial activity to me!
Gentoo also has two legal organizations (including one based in Germany!) which perform commercial activities like licensing their trademarks to folks selling merchandise and, yes, CDs with the Gentoo Linux distribution.
Posted Dec 13, 2023 4:01 UTC (Wed)
by pizza (subscriber, #46)
[Link] (45 responses)
Under what twisted reasoning would the CRA *not* apply to them?
Posted Dec 13, 2023 10:32 UTC (Wed)
by Wol (subscriber, #4433)
[Link] (41 responses)
>Under what twisted reasoning would the CRA *not* apply to them?
The twisted reasoning that assumes "actively make available" means "place on the market"?
Those are two different phrases, one of which is written in plain English, the other in Legalese. The twisted reasoning is assuming that they mean the same thing.
Cheers,
Posted Dec 13, 2023 11:11 UTC (Wed)
by khim (subscriber, #9252)
[Link] (3 responses)
That would be very strange, wouldn't it? If they mean the same thing then why even have different sublanguages? That couldn't be right. Various companies give out simplified “personal” versions of their products for free all the time. Some even give their products completely free and just collect money from ads. That activity should be covered by law because otherwise it's an obvious loophole to be exploited by megacorps… and I couldn't see where and how such activity would be separated from what Debian and Gentoo are doing. More: I don't even see the desire (on the lawmakers' side) to try to create such a separation. They are much more concerned about the fact that Google/Microsoft/etc may use AOSP, Debian and other such outlets as a means to shirk their responsibility than they are concerned about the fact that this may destroy Debian, Gentoo or some other such group.
Posted Dec 13, 2023 13:33 UTC (Wed)
by bluca (subscriber, #118303)
[Link] (2 responses)
And yet, that's exactly how the single market works, as it has been explained many times already.
> Various companies give out simplified “personal” versions of their products for free all the time. Some even give their products completely free and just collect money from ads.
Which are both part of a business activity consisting of placing products in the single market for EU customers.
> I couldn't see where and how such activity would be separated from what Debian and Gentoo are doing.
The separation is due to missing the fundamental first step: marketing products in the single market for EU customers.
Posted Dec 13, 2023 14:41 UTC (Wed)
by pizza (subscriber, #46)
[Link] (1 responses)
Genuinely curious. Am I correct in understanding that no formal registration is needed to place (some/many/most) products on the market? If so, what exactly entails "marketing" in this context?
Posted Dec 13, 2023 15:17 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
Basically it's something like "making an open offer to treat", another bit of legalese. But that's effectively putting up a shop window, with a load of products, WITH PRICE TAGS, and saying to the world and his wife "come in, look around, and if you want to give me what I'm asking for we have a deal".
This is VERY different from shoving a load of products on a table at the end of your driveway, and sticking up a sign that says "help yourself. When they're gone they're gone".
The first is a contract - there is a two-way exchange of benefit between the parties to the contract. The second may well be to the benefit of the giver, but there is no guarantee of any benefit and the benefit may not come from the recipient.
All this nasty legalese is simply to prevent people disguising the first version as the second, with the intent of avoiding responsibility or benefiting unfairly.
(And where you are doing contract work for someone, you make them an "offer to treat" - pay you a decent wage for your work - and then you have a contract where you tell them either they guarantee your work, or if they want to offload liability onto you, they have to pay the insurance premium as part of your invoice. The "open offer" simply means anyone can walk in off the street and accept what's on the table, whereas an "offer" can be "please negotiate".)
Cheers,
Posted Dec 13, 2023 14:24 UTC (Wed)
by pizza (subscriber, #46)
[Link] (36 responses)
In other words, the "twisted reasoning" taken from the actual text of the CRA itself?
(Taken from the latest available marked-up version here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_12536_2023_INIT dated 2023-08-31)
"(10) This Regulation applies only to products with digital elements made available on the market, hence supplied for distribution or use on the Union market in the course of a commercial activity. The supply in the course of a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services when this does not serve only the recuperation of actual costs or pursues a profit or the intention to monetise, by providing a software platform through which the manufacturer monetises other services, or by requiring as a condition for use, the processing of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. The circumstances under which the product has been developed, or how the development
"(18) ‘manufacturer’ means any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge;"
"(22) ‘placing on the market’ means the first making available of a product with digital elements on the Union market;"
"(23) ‘making available on the market’ means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;"
(Note paragraph 10, which only applies to F/OSS stuff if there is no commercial activity of any sort affiliated with it. My meager support business clearly qualifies. RHEL and SLES are of course covered; Fedora/OpenSUSE is probably completely screwed due to its connection with Red Hat/SUSE, and Ubuntu has numerous inseparable commercial sub-components that Canonical requires to be included. Debian and Gentoo may skate just under here if they don't charge more than cost recovery fees for the media they distribute, but their use of trademarks might, on its own, make their software distribution in the EU into a commercial activity. It certainly would in the US.)
Posted Dec 13, 2023 15:03 UTC (Wed)
by khim (subscriber, #9252)
[Link] (34 responses)
I don't think so. In fact precisely that connection may easily save them. Because for them it's easy to argue that what they are offering is a personal-use-only or development-only limited version (similar to Windows Home or these Phone devkits that you may use before final hardware is available) which is explicitly not suitable for use as the base of any commercial offering. You have RHEL and SLES for that. Which would, of course, include insurance and all other such things. And the same can be said about “Android AOSP” vs “Certified Android”, “Chromium OS” vs “ChromeOS” and so on: in all these cases the open source variant may be easily portrayed as something similar to a “development board” and everyone who may want to develop something on top of it may be directed to the $$ variant. In fact I find it amusing how free software zealots are looking forward to seeing how this law would crush Google and Microsoft and make them pay: Google and Microsoft already have a well-defined structure to adjust and include the money needed to cover insurance into their offers for the commercial entities while their free offerings can easily be framed as a “test sample”. It's entities that don't have commercial $$ offerings that are in trouble. Significantly more problematic, from the EU commission POV, is the fact that there is no $$, indemnified, alternative. I think eventually Debian would be forced to create some kind of Debian Corporation which would handle commercial support and indemnification. Because that's the obvious goal that the EU is seeking: to create an entity which would be responsible for that codebase. They certainly don't plan to make someone do that work for free, this would be, most likely, a $$ version, but right now it doesn't exist… and that is the problem the CRA tries to solve.
Posted Dec 13, 2023 16:44 UTC (Wed)
by bluca (subscriber, #118303)
[Link] (33 responses)
The text could not possibly be any clearer, plus it has been explained many times what it means, and yet you keep willingly misreading it, and hallucinating the most outrageous nonsense out of it. Read this again:
> this Regulation should only apply to free and open-source software that is supplied in the course of a commercial activity
Debian did not, does not and will not engage in any kind of commercial activity in the EU single market.
> Because that's the obvious goal that EU is seeking: to create an entity which would be responsible for that codebase.
No. You misunderstand - again - the intent, purpose and spirit of the law. It is abundantly clear: to ensure customers buying products that contain software are covered. The EU couldn't give two fucks about any codebase, unless and until it makes its way into a product on the market. The supplier of said product is then liable.
Posted Dec 13, 2023 17:38 UTC (Wed)
by pizza (subscriber, #46)
[Link] (32 responses)
... What magic incantation is needed in order for something to be "placed on the market"?
(Every definition I've seen actually cited refers to physical goods, in some sort of defined store front)
I don't think anyone would try to claim Google Chrome is not "commercial". But what about the Firefox browser? Mozilla has offices located in the EU, and a lot of money changes hands, indirectly (==donations) and directly (==people paying for Firefox add-ons, like Pocket and their VPN). These activities appear to be explicitly counted as commercial by the CRA text. But what if you download Firefox from mirrors.fedoraproject.org instead of Mozilla.com? Does this make Fedora the manufacturer/importer instead? Or is "Firefox from Fedora" not technically "placed on the market" by anyone? (After all, Mozilla only provided bare source code to the world, and Fedora customized the build in some small way, and at no point did money change hands) What if this was part of RHEL instead, where clearly there is a commercial relationship between the user and Red Hat? Is Red Hat the manufacturer of "Firefox" as embodied in RHEL? Or is RHEL a "Service" and not a "product"? Whatever that answer, why wouldn't it also apply to Chrome?
Meanwhile, most $big_tech doesn't "sell" anything to consumers in the EU; the products cost $0 for most users. Does this mean they're not "placing a product on the market?" If not, what's the gating factor, since clearly it's not price? Advertising and data mining? How can Google be held liable for "Android" when they're not actually *selling* it or placing it onto the market via any mechanism other than their line of Pixel phones? (Android is provided to the world as "a bare codebase" after all, and Google supports their Pixel phones longer/better than anything not made by Apple!)
These are the sorts of questions we're trying to get answered; not because we are trying to find loopholes and carry out nefarious plans, but because we are trying to understand the scope of the likely-considerable impact these rules will have on our professional lives.
Your responses to people's concerns (many citing chapter and verse of the proposals) are essentially "You're reading it wrong" deflections that appear to be contradicted by the literal plain text of the proposals themselves. I get you can't answer anything conclusively (indeed, nobody other than EU legislators/bureaucrats can) but when you're taking a position that is on the opposite side of literally everyone else (in a profession that is built on identifying and rooting out inconsistencies!) we need _something_ more to go on...
Posted Dec 13, 2023 23:23 UTC (Wed)
by bluca (subscriber, #118303)
[Link] (31 responses)
In general, where the sources come from doesn't really matter. This is said explicitly in the regulation. Because what matters is who gives you a product that contains said software, and if that qualifies as a commercial activity or not. Assuming Mozilla has employees working on releasing and distributing said software directly to users via mozilla.org, which I'm sure happens, and assuming they get more money the more users are running Firefox, which is plausible given the multi-million dollar contract they have with Google w.r.t. being the default search engine, which is ads-based and thus impression-based (more users -> more cash), it's possible that it could be enough to meet the threshold - I don't know for sure, as it gets complicated at this point, with lots of money moving around and whatnot. The important question though is, would it matter? Does anybody believe that Mozilla wouldn't take full responsibility in delivering timely security fixes for their flagship product delivered from their direct distribution channels? Of course not. So, even if, what difference would it make, for anybody, if Mozilla had to do what it already does anyway because of a regulation?
So where does it make a difference? You cited Android and Google. Of course the law can't make Google liable if shoddy Android manufacturers ship known-broken devices with glaring, unpatched security holes, and refuse to do anything about it. Liability is with the phone vendor, if they sell directly, or the shop if there's an intermediary. So how would it happen that, in the end, the buck stops with Google and it's them who pays? Supply contracts. By forcing the seller to be responsible, and unable to disclaim liability, the regulation forces the seller to cover its back - this is normal practice, otherwise customer-facing sellers would be out of business a month after opening up shop. So one of the two things would happen: either J. Random Android Vendor goes out of business, and Google loses precious ads revenue that they need to survive, or J Random Android Vendor and Google get their act together and comply with the CRA and supply security updates for their products. Substitute Android and Google for any consumer product using software sold in the EU, and you get the idea of where the CRA is coming from and what it wants to address.
Posted Dec 13, 2023 23:39 UTC (Wed)
by pizza (subscriber, #46)
[Link] (30 responses)
My question has to do with Firefox obtained through channels other than Mozilla, and how that changes *who is responsible* for delivering timely updates when, say, it was obtained through Debian.
Especially when Debian's release has changes versus what Mozilla ships. And might even have security flaws not present in what Mozilla ships (there have been some high profile cases of this happening). Since it can't be Mozilla, who becomes the responsible party under the CRA in this scenario, if not "Debian" ? The mirror operators? The package maintainers? Or the caveat-emptor end-user who chose to install it?
(And what if Debian is pre-installed on a, say, Lenovo laptop? Does Lenovo now bear the full responsibility of ensuring Firefox-and-everything-else-in-Debian is kept up to date?)
Yes, this is all VERY messy, and that's why we're trying to figure out how this is supposed to work.
Posted Dec 14, 2023 8:58 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (28 responses)
Was it a commercial transaction? Did you download it off a website, and Debian has no idea you've done so? In the NORMAL COURSE OF EVENTS would they go through their logs digging for downloads to see who downloaded what? I think the answer here is clearly "no", which means it's not commercial.
So it's not commercial, there is no contract, no liability, and Debian is on the hook for nothing. Meanwhile, Firefox the organisation does not have any involvement in this transaction whatsoever, so also has no liability.
If it breaks, you get to keep the pieces ... :-)
Cheers,
Posted Dec 14, 2023 9:58 UTC (Thu)
by bluca (subscriber, #118303)
[Link] (7 responses)
> (And what if Debian is pre-installed on a, say, Lenovo laptop? Does Lenovo now bear the full responsibility of ensuring Firefox-and-everything-else-in-Debian is kept up to date?)
Yes, Lenovo is responsible in that case, and they need to ensure you can get updates. It doesn't mean Lenovo has to send you the updates directly though. In practice, again, there would be little difference: Lenovo's Linux laptops ship with a vanilla Fedora IIRC, which is perfectly able to deliver security updates out of the box and has always done so, so the only thing Lenovo has to ensure is that it doesn't sell laptops with EOL versions of Fedora pre-installed. That's a good thing!
Same applies to Dell and their Ubuntu-based laptops.
Posted Dec 14, 2023 13:24 UTC (Thu)
by pizza (subscriber, #46)
[Link] (6 responses)
They don't have to do it directly, but they are legally obligated to ensure that _someone_ will provide those updates. Which means either doing it themselves, or (far more likely) entering into a binding contract with an entity that will.
> In practice, again, there would be little difference: Lenovo's Linux laptop ship with a vanilla Fedora IIRC, which is perfectly able to deliver security updates out of the box and has always done so, so the only thing Lenovo has to ensure is that it
It's not as simple as "don't sell laptops with EOL software" -- Fedora's EOL is 13 months after initial release. IIRC in the EU 24-month warranties are the minimum, and that applies from date of _sale_. That's a (minimum) 11-month coverage gap that Lenovo, not Fedora, not Firefox, will be on the hook for.
I'm afraid that "In practice" will result in one or two companies [1] utterly dominating the market, because they'll be the only ones with the resources to provide those guarantees.
Meanwhile. Given that warranty/support periods _do_ expire, and the tendency for folks to use "digital elements" long after said warranty/etc has expired, I can't help but wonder if this is going to make any practical security difference in the end.
[1] I was originally going to say someone like Red Hat, but it's more likely to be someone like Microsoft and Amazon.
Posted Dec 14, 2023 13:59 UTC (Thu)
by farnz (subscriber, #17727)
[Link] (5 responses)
There's no coverage gap for the CRA; if I supply a laptop with Fedora 52 installed, and a month later, the laptop offers the buyer an update to Fedora 53, my liability ends if the user doesn't take the Fedora 53 update - they were offered an update, and chose not to take it. I'm only on the hook if you keep taking the updates that you're offered.
Posted Dec 14, 2023 15:09 UTC (Thu)
by pizza (subscriber, #46)
[Link] (4 responses)
That presumes Fedora 53 is a strict superset of the software and functionality contained within Fedora 52. That is almost never the case.
If you sell a system with F52, you're on the hook to support it in its entirety; you don't get to say "to get security updates for package/feature Y you have to agree to lose package/feature Z"
(There's already legal precedent for this; Sony had to pay out a large amount of money because their "necessary update" took away advertised-on-the-tin functionality)
Posted Dec 14, 2023 15:29 UTC (Thu)
by farnz (subscriber, #17727)
[Link] (2 responses)
That is a separate issue; the CRA says you can take away functionality in an update and lose liability that way, but does not protect you from being sued for taking away functionality.
And, in any case, you wouldn't be on the hook for all of the software in Fedora - only the bits you preinstalled. You could install a minimal Fedora 52, and that's what you're on the hook for.
Posted Dec 14, 2023 16:03 UTC (Thu)
by pizza (subscriber, #46)
[Link] (1 responses)
In that case, why bother with installing Minimal Anything? Just ship FreeDOS as part of the system firmware and let the buyer assume all responsibility.
Posted Dec 14, 2023 16:08 UTC (Thu)
by farnz (subscriber, #17727)
[Link]
That works for a PC or laptop (albeit that you can't, under other consumer laws, claim the system has functionality that doesn't work under FreeDOS - so you can say that the device has an Intel AX201 WiFi chipset, but not that it has WiFi 6 support), but not for the vast market of IoT devices where the S in IoT stands for their commitment to security, where people don't care about the software, they care about the function.
Posted Dec 14, 2023 16:37 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
That presumes the system is supplied "With Fedora *52*". Suppliers will rapidly learn. It will be supplied "With Fedora".
As far as Sony were concerned they actively advertised the PS/2 could run Linux. A lot of people bought it BECAUSE of the advertising. That was a blatant bait-n-switch. If Dell or Lenovo advertise "with Fedora", and Fedora drop a load of functionality between 52 and 53, that's not Dell or Lenovo's problem.
Cheers,
Posted Dec 14, 2023 13:02 UTC (Thu)
by pizza (subscriber, #46)
[Link] (19 responses)
By this logic, Google Chrome is not commercial either.
> If it breaks, you get to keep the pieces ... :-)
In other words, a whole lot of additional regulation to ... accomplish nothing. Heck, if anything, it will make it _easier_ for pure software "products" to avoid liability.
Posted Dec 14, 2023 13:29 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (17 responses)
> By this logic, Google Chrome is not commercial either.
AND THAT IS THE POINT!
If you download Chrome from Google's website, then you are responsible for keeping it up to date. YOU imported it into the EU (or whatever ...), YOU are liable.
If, on the other hand, you bought a phone with Chrome pre-installed, then the SHOP you bought it from is liable for making sure you have access to updates. If they can't pass that liability onto Google, or Samsung, or Apple, then they will simply refuse to stock that phone. Which will mean either (a) you will be forced to buy direct from the manufacturer's own distribution system in the EU, and it'll be the manufacturer on the hook because they're the shop you bought it from, or (b) you will have to buy it from China or wherever and just accept the fact that you have no comeback whatsoever if your £1000 i-phone or Pixel-8 or whatever dies the day after it arrives.
Not many customers will accept option (b), and it only takes one manufacturer to say "we're happy with the CRA", and the rest of them will be forced into line as that first manufacturer basically cleans up in the European market.
So no, it's not that Google Chrome is commercial or not, it's whether Google Chrome is part of a commercial product. As others have repeatedly said, it all depends on HOW you acquire whatever digital product it is. And manufacturers will be forced to provide security updates yada yada because if they don't their distribution channels will go "toooo risky, mate!", and slam the doors shut.
You're not in the EU. Your customers (to the best of my knowledge) are not in the EU. The CRA will not, CAN not, apply to you. At an absolute maximum, you may be asked to certify for the purposes of the CRA that your products are kept up to date and all known security bugs are fixed, but that's a contract matter between you and your customers. And if you have a problem with that, you're exactly the sort of supplier who shouldn't be going anywhere near anything remotely security-sensitive. Which again is the point. And if you do have a problem with that, any of your customers who supply to the EU will either have to certify it themselves (which is okay), or find another supplier who will certify their *component* products.
Cheers,
Posted Dec 14, 2023 13:47 UTC (Thu)
by pizza (subscriber, #46)
[Link] (12 responses)
So all you have to do to avoid liability under the CRA is to require the user to install software themselves (and perhaps downloaded from a server not physically within the EU?)
I'm sorry, but that's... completely absurd. I'm not _disagreeing_ with your assessment, but if accurate, it provides an Ever-Given-sized loophole for "obviously commercial" concerns to escape liability for security flaws in software they provide to folks in the EU. And it's a loophole so large that it makes this whole CRA exercise into a complete farce.
Posted Dec 14, 2023 13:59 UTC (Thu)
by farnz (subscriber, #17727)
[Link] (1 responses)
You have to require the user to obtain and install the software themselves, and you cannot direct them to the software to install - they've got to find it themselves.
It means (for example) that if you sell a laptop with no OS installed, you're not on the hook for anything other than the firmware; if you sell the laptop with ChromeOS preinstalled, you're on the hook for ChromeOS. Sell a bare phone with no software at all (not even a bootloader), and you're not on the hook under the CRA: pre-install Android, and you're on the hook for the entire pre-installed OS and all its parts. Tell the user how to install Android on the phone, and now you're on the hook for the variant of Android you tell them to install.
And yes, this is a loophole; the point is that a device with software is more valuable to the end user than a device without software, and you're not (for example) going to sell a car that needs software and tell the user "yep, you've got the hardware, go build or find the software elsewhere". Even if you do, many people will then buy the software themselves, and if they buy from an EU supplier, that supplier is on the hook.
Posted Dec 14, 2023 14:39 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
And importantly, if the user installs gentoo over the top of ChromeOS - never mind the fact that ChromeOS is gentoo "under the bonnet" - you're not on the hook for gentoo. You're on the hook for whatever you supplied, and that's it.
Oh - and I guess if you try and avoid liability by saying "Oh, you'll need to install ChromeOS on this in order to make it work" - so you're not telling them exactly what they need - you've now dropped your distributor completely in it because if they mess up installing ChromeOS they can return the device as "not fit for purpose". That really will upset your distributors.
Cheers,
Posted Dec 14, 2023 14:33 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (9 responses)
But by FORCING the customer to FIND the software themselves, you're making it clear to the customer that you are dodging liability.
As was pointed out, if you tell them where to find the software, you are accepting liability for that software.
By FORCING them to download from OUTSIDE the EU, you're making it clear that you are dodging liability.
If you try and hide that fact from your customers, it's a pretty open-and-shut case of fraud.
And your distributors will very rapidly cease to be distributors because they will be sick to death of explaining to customers "no your hardware may have a warranty, but it's the software that's the problem and that's nothing to do with us".
And lastly, supply of software is a SERVICE that customers are willing to PAY FOR. If you're not prepared to let an EU-based supplier supply (AND WARRANTY) your software, some other manufacturer will, and you'll very rapidly find yourself frozen out of the EU. Nobody will want to buy your product, because they will just not trust it.
And there's no comeback under things like GATT, because the regulations aren't discriminatory - "If you're not prepared to provide a warranty for your goods, your customers won't want to buy your goods".
Cheers,
Posted Dec 14, 2023 14:59 UTC (Thu)
by pizza (subscriber, #46)
[Link] (3 responses)
I don't follow.
Is a PC maker selling an OS-less PC "dodging liability"? Or providing "consumer choice"?
After all, the PC maker will stand behind _their_ product; if there's a manufacturing or safety defect, they'll fix it right up. The OS (or any of the application) is a product of a different company, after all.
Posted Dec 14, 2023 15:38 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (2 responses)
And you're being obtuse.
An OS-less PC is still a PC. If that's how it's described, there's no problem.
A smart doorbell with no software to make it smart is (in all likelihood) not even a functional doorbell!
If you sell it for what it is, what's the problem? If it needs software to "function as described", but the software isn't supplied with it, then it's dodgy. If it's sold as "A PC" and it comes without software, well the customer might be surprised, but it is as described. If it comes as "A Windows PC", and the customer is told "well, you'll have to get and install Windows yourself", then it's NOT as described (which is a whole 'nother fraud entirely ...).
At the end of the day, the current situation is that stuff is being sold fraudulently, because it's not as described, and the customer has no recourse because everybody is passing the buck. What's worse is that everybody knows this is happening, and nothing is done about it.
The whole point of the CRA is to force manufacturers - be it smart TVs, mobile phones, cars, doorbells, whatever - to provide guarantees that their kit will work "as described" out of the box, and more to the point CONTINUE to work as described. And given that one of the requirements for mobile phones (and many other devices) is security, that's rather important.
THAT is why my phone has no security - and nothing worth securing! I simply don't trust it to keep my secrets safe ...
Cheers,
Posted Dec 14, 2023 15:40 UTC (Thu)
by corbet (editor, #1)
[Link] (1 responses)
In general, this topic is approaching 200 comments, and I suspect most readers have long since tuned it out. We're clearly not going to resolve this here; can we try to wind it down?
Posted Dec 14, 2023 17:08 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
Time to walk away.
Cheers,
Posted Dec 14, 2023 15:13 UTC (Thu)
by pizza (subscriber, #46)
[Link]
*laughs*
The entire brouhaha over RHEL rebuilders would beg to differ with you.
Heck, the entire F/OSS ecosystem would beg to differ with you.
Folks will only pay for software if forced to.
Posted Dec 14, 2023 15:15 UTC (Thu)
by khim (subscriber, #9252)
[Link] (3 responses)
Would it kill you to just do some fact-checking? You may find hundreds of offers of devices with FreeDOS and this number doesn't go down; as the economy craters it only goes up. Because they are cheaper. If you really believe these sellers are expecting that you would stay with FreeDOS on these devices I have a nice bridge to sell you. You may call it by any name you want but this is what's happening and what would continue to happen. It would be interesting to see how quickly the trend would become like in some other countries outside of the EU where the majority of devices are sold in that fashion, but as users would be squeezed more and more it would happen with certain inevitability. Your crazy idea to force all these sellers to indemnify Debian via the CRA just wouldn't work, sorry.
Posted Dec 14, 2023 15:45 UTC (Thu)
by farnz (subscriber, #17727)
[Link] (2 responses)
Right, but people are choosing those systems because they're cheaper, not because they're better.
And the bigger deal that's triggered action now is all the Internet-connected devices that aren't PCs; can you find me hundreds of offers of cars with ERA-GLONASS (or similar IP-connected system) hardware, but no software pre-installed on any of the many devices that interconnect to the ERA-GLONASS (or eCall, or other mobile IP gateway)? Or home WiFi routers sold without any software or firmware? Or washing machines, dishwashers, fridge-freezers and other "smart home" devices sold without software?
Posted Dec 14, 2023 16:06 UTC (Thu)
by pizza (subscriber, #46)
[Link] (1 responses)
No -- They're choosing those systems because cheaper *is* better.
(As the saying goes: "fast, good, cheap; pick two" -- the choice made is by definition the "better" choice here, because "better" is relative to the person making the choice)
Posted Dec 14, 2023 16:09 UTC (Thu)
by farnz (subscriber, #17727)
[Link]
The majority of people I know are choosing more expensive systems with a pre-installed OS; the only people I know who are choosing FreeDOS systems already have an OS they want to install separately. Mostly, people are willing to pay a bit more money to avoid spending a lot of time getting frustrated by an OS installer (installing any OS is not trivial for non-technical people).
Posted Dec 14, 2023 14:53 UTC (Thu)
by pizza (subscriber, #46)
[Link] (3 responses)
I am not physically located in the EU, but I have some EU clients to whom I provide support and consulting services [1] related to the F/OSS that I freely provide online. The plain text of the CRA [2] explicitly lists this as an example of a commercial activity, and as such, strips me of the blanket exemptions the CRA provides for F/OSS authors.
> At an absolute maximum, you may be asked to certify for the purposes of the CRA that your products are kept up to date and all known security bugs are fixed.
It's more than that -- Individually, each of these requirements probably isn't that big of a deal, but they add up to a substantial increase in overhead [3]. Worse yet, tasks that used to be directly billable were themselves turned into overhead that I will now be expected to provide as a matter of course. Then there's the matter of potential liability; I'm going to need a more substantial insurance policy that reflects the greater risks which further increases my overhead.
(Or I can just stop doing business with EU entities altogether, not because I'm a shady operator, but because the cost/benefit curve is shifting firmly into "just not worth the effort for a part time side gig" territory. Which will result in less F/OSS for everyone, not just the EU)
[1] Which I provide with a profit (as opposed to cost recovery) motive.
Posted Dec 14, 2023 16:02 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (2 responses)
Which does not describe your consulting services, because they do not fit the definition of "available on the market", as far as I can tell. Do you publish your work on the internet, with a "come and buy it!" notice? Or do you do custom work for your clients AND THEY PUT IT IN THEIR PRODUCTS?
I get they may want more, but it's THEIR actions that incur liability, and if your contract says "here is the source you need, supplied under an Open Source licence, with Open Source disclaimers", then it's down to them to warrant that bugs will be fixed and fixes will be applied. And if they've got the source, they don't *NEED* you to do that. And you're free to publish your source on the internet, as a drive-by download, with no fear of the CRA.
And actually, I had a thought an hour or so ago. What happened to those American regs about a software Bill Of Materials? All the doom-mongers saying it would be the end of Open Source? Just because it was mandating that people HAD to know what software was in their products! As far as I can tell, that doom hasn't arrived. What has HOPEFULLY arrived is that it's now a lot harder for people to argue "we didn't mean to" when they're discovered to be in blatant breach of copyright - "we didn't realise that was in there" simply lands them in trouble with the BoM regs instead of (or in addition to) copyright.
The CRA is going to be an EQUALLY damp squib, as people begin to realise that all it is doing is forcing them to do what they SHOULD be doing already - ie supplying products that are "secure by design" and "work as advertised". And if products DON'T fit that description, well, I'm a European who will be only too glad to see such shoddy crap forced off the market!
Cheers,
Posted Dec 14, 2023 16:41 UTC (Thu)
by pizza (subscriber, #46)
[Link] (1 responses)
If "product" is limited exclusively to some sort of "physical good" then I retract my statements.
(However, if "product" can be pure software not supplied as part of a physical good, such as, say, Chrome, LibreOffice or Firefox) then I qualify just as much as they do; despite my several-orders-of-magnitude smaller operation.)
> What happened to those American regs about a software Bill Of Materials? All the doom-mongers saying it would be the end of Open Source? Just because it was mandating that people HAD to know what software was in their products!
(BTW, I'm on the record here many, many times saying BoMs are a _very good_ thing, but the CRA goes far beyond that)
Yes, the doomsayers over here screamed bloody murder over some of the proposals for the same reasons as the earlier CRA drafts -- invalidating "as-is, no warranties whatsoever" clauses suddenly makes individuals on the hook for effectively unlimited liabilities for activities beyond their knowledge, much less control.
IIRC the extent of the "American Regs" so far are executive orders that set requirements for upcoming federal contracts.
> The CRA is going to be an EQUALLY damn squib, as people begin to realise that all it is doing, is forcing them to do what they SHOULD be doing already - ie supplying products that are "secure by design" and "work as advertised".
The reason they don't already do these things is because it increases their costs considerably, which means they'd have to charge more. Potentially a _lot_ more.
I think the net practical effect of this is that domestic EU manufacturers (and importers of stuff manufactured elsewhere) will drastically cut back their advertised functionality/features while also significantly increasing their prices. It will lead to a round of industry consolidation as manufacturers struggle to get to the scale where they have a chance of competing with already-established $megatech/$megacorp players that can easily eat a percent or two higher internal overhead.
> And if products DON'T fit that description, well, I'm a European who will be only too glad to see such shoddy crap forced off the market!
I thought you were British, and thus no longer part of the European Market? (Sorry, couldn't resist)
Posted Dec 14, 2023 17:17 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
> I thought you were British, and thus no longer part of the European Market? (Sorry, couldn't resist)
That's what it says on my passport. That's not who I am. On my mother's side I'm Jamaican/German/(Scottish). I have very little connection with my father's side of the family (he died young), and while he may have been English my wife despairs I do not associate myself with that public persona - inward looking, petty minded, snobbishly superior ...
I'm more the Scot, proud of my heritage, proud of who I am, and eager to respect other people for being proud of who they are. NOT how I would describe the English (the gutter press lot, at any rate ...)
Cheers,
Posted Dec 14, 2023 13:53 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
Only if the supplier is not benefitting from the supply. So if I go and buy Microsoft Word from Currys, then Currys will make sure Microsoft signs a contract indemnifying Currys from CRA liability - because there most definitely is liability.
But if I download a load of games I don't pay for onto my phone from the Apple or Google store, then Apple or Google have a CRA obligation to "fix any known bugs" BECAUSE THEY BENEFIT FROM THE ADVERTISING. In practice, this will mean that they then demand from their suppliers (the games writers) that the games are secure, on pain of being kicked off the store.
This actually is probably a good analogy to forges - think of a market or a boot fair. If the market place is charging stall holders for the privilege of having a stall, then they have an obligation to make sure the stall holders are legal and above board. A boot fair charging £10 a pitch to any and everybody who turns up has a far lower duty of care, although they can't turn a blind eye to something illegal.
Plus "pure software products" don't seem to be the target of the CRA anyway. If it's a "pure software product", the CUSTOMER can choose whether they want it or not - if they don't they just don't buy it. But if I buy a smart doorbell, I don't have a choice about the quality of the software that comes with it. The purpose of the CRA is to make sure I don't face a choice of "insecure crap, insecure crap or insecure crap", because I want a physical item called a doorbell.
The whole point of this legislation is to TURN OFF COMMERCIAL DISTRIBUTION CHANNELS to suppliers who aren't prepared to stand by their product. And if those channels are non-commercial, run by volunteers, don't charge, whatever whatever then they are outside the scope of the CRA. And even if those channels ARE RUN by a commercial entity, if they are run as a public service and there is no easily traceable source of income to said commercial entity, then that's still outside the scope of the CRA. Which is why downloading Chrome from Google's own servers is exempt. If the recipient doesn't click on ads, if the recipient runs ad-blockers, heck if the recipient even JUST IGNORES ads, then Google don't benefit from that download.
As for "lots of additional regulation", how does that describe one line in a contract "I will make sure that my products are kept up to date with all known security fixes, and will be made available to you to pass on to anyone who bought it from you".
Cheers,
Posted Dec 14, 2023 10:31 UTC (Thu)
by farnz (subscriber, #17727)
[Link]
In all other product cases, liability sticks with the last entity to touch the product before it was sold to the consumer, but that entity may have a claim on the previous entity in the chain; I don't believe that the CRA intends to change that.
So, taking the Lenovo laptop example; Lenovo are responsible for the pre-installed software, but not the rest of Debian, since they supplied the pre-installed software to you. If that includes Firefox, Lenovo are liable (to the limits of the CRA) for the pre-installed Firefox, and it's on Lenovo to ensure that you get offered updates to that in a timely fashion (noting that if you don't take the update, the CRA says Lenovo's liability has ended).
In turn, Lenovo may (and will, if they're sane) contract with someone to keep Debian up to date with a secure Firefox, and to pay for the liability if the latest version on offer to you incurs CRA liability. That entity may pay another entity, and so on, establishing a chain potentially all the way back to Mozilla as the original source of Firefox.
Posted Dec 13, 2023 15:47 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
Except it most definitely does NOT clearly qualify. It sounds like (and from what I remember) it is a *service* business. You supply a *service* to your customer, it is he who is making (manufacturing?) the multiple copies, and it is HE who is liable by ADVERTISING FOR SALE the results in the EU.
You have a B2B contract for services outside of the EU. There's no way that can qualify as "a manufacture or digital service made available on the EU market". You just make sure that your contract says you supply all your services in good faith, and you warrant to fix any problems for a reasonable fee (including maybe fixing your own mistakes for free?) as soon as is practicable once brought to your attention. Actually, that wording in the contract would probably get both you and your employer off the hook for any liability claims. A breach of that contract, on the other hand, all hell would probably break loose ...
Don't forget, unlike America, the EU tends to prioritise making sure history doesn't repeat itself. Demonstrate good faith, and you'll get away with a lot. The American system, on the other hand, tends to emphasise the letter of the law and encourages people trying to game it.
Cheers,
Posted Dec 13, 2023 11:17 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (1 responses)
A charitable entity can hold trademarks without placing any products on the market. Heck, a company can make money selling components that are not considered to be "products on the market", since they are not, per the definition of "product" for the purposes of EU acquis, selling a product - they're selling a component of a product, and are thus exempted from most product safety regulations (as an example).
So, for example, I can sell a seatbelt tensioner in the EU market without "putting a product on the market", since the seatbelt tensioner is not considered a product; it's considered a "component of a product". If Volkswagen AG buy my component and integrate it into a product, they take on liability if my component fails to perform as promised; they almost certainly push that liability back onto me contractually, since they don't want to pay the penalties if I deliver crap.
Now, some EU states take different views on this to others; Germany, for example, makes it very difficult to sell something without "putting a product on the market". But the core principle is already present; when something is transferred to another business in a sufficiently incomplete state, it's no longer a "product", but a "component of a product", and liability can be disclaimed in the contract governing that transfer. Once you assemble a product (and everything sold to consumers is a product), you've got liability to worry about.
Posted Dec 13, 2023 11:53 UTC (Wed)
by khim (subscriber, #9252)
[Link]
Yeah, that's similar to CRA's exceptions for hobbyists. But software is different from cars: a “seatbelt tensioner” can not be picked up in some random backyard of some random person, while code produced by someone “just for fun” may become a basis for billions of devices. That's why they tried to lower the bar for liabilities as much as feasible: otherwise the whole law would become a moot point: so much software would have no “owner” which may be held liable that it just wouldn't work.
Posted Dec 13, 2023 15:49 UTC (Wed)
by kleptog (subscriber, #1183)
[Link]
Debian isn't actually selling software though. You can buy CDs/DVDs with free software on it. The pricing obviously does not relate to the value of the software being delivered. The licence for said software comes directly from the author, not Debian (the GPL is quite explicit in this).
Interestingly, I remember this argument in the past mostly being used with shareware. As in you would buy CDs full of shareware and it clearly stated on the packaging you were paying for the CD and the shipping to you, but not for anything actually on the CD (mostly because shareware forbade being sold for money).
Posted Dec 13, 2023 13:27 UTC (Wed)
by bluca (subscriber, #118303)
[Link]
Moreover, it does not make any products available on the single market. Having a website by itself is not enough to constitute a commercial activity.
Posted Dec 12, 2023 23:50 UTC (Tue)
by karim (subscriber, #114)
[Link] (2 responses)
No different from opening a legal discussion by saying that "I'm not a lawyer and this isn't legal advice" or a medical discussion by saying "this is my personal experience, speak to a doctor to get professional advice." etc.
In other words, documentation that's worth doing anything meaningful has always benefited from the proper disclaimer. And, honestly, I don't buy the nefarious example you're mentioning. 99.9% of open source documentation goes nowhere near that sort of territory and I'm not reading that the legislator views code for the conduct of business operations on the same footing as something that can easily be misused to intentionally cause harm.
You *may* have a point about distribution of binaries or hosting a free service. But then, even if you're right, the disclaimer of liability belongs on that binary or free service, not the sources. Distribution of those binaries and services is a separate act from contributing code. And for those distributing such binaries/services the liability disclaimer could be easily affixed to the "end product/service", with possibly even required explicit ack'ing for download/use, with zero repercussion on the developers that wrote the code. That's with a big IF on the courts viewing someone making a Linux distro as part of a community effort on the same footing as, say, a bank offering an online service to its for-charge users.
Posted Dec 13, 2023 0:30 UTC (Wed)
by khim (subscriber, #9252)
[Link] (1 responses)
Not in today's world. Only a tiny number of projects distribute only sources and send you to look for the binaries in some other place. Heck, modern forges are designed to make it easy for developers to publish binaries — and very often it's not that easy to even find the sources of many Python packages. Since legislators explicitly say that it's the goal… that would happen, sooner or later. And yes, I agree that if, eventually, most open-source projects stopped publishing binaries directly and it stopped being possible to just blindly add millions of lines of code to your project from npmjs.org… in that world developers would be out of danger. But we are far from being in that world. The companies that pull millions of lines of code from npmjs.org assume it's not their responsibility to review all that code: they haven't touched it, thus, naturally, someone else would be held responsible if something went wrong. Just like it would happen if a car dealer sold you a defective car. And open source developers are blissfully unaware of what happens with what they have developed, because hey, they are not selling anything, how can they be held liable? In a world where no one may be held liable… bad things happen. Who exactly would be held responsible, in the end, would be interesting to know. But you may be 100% sure that the idea that if I take a few million freely available lines of code in the form of Debian and npmjs.org and then add a 1000-line script on freelancer.com, then I am suddenly responsible not just for my 1000 lines but also for all those millions of lines of code that I downloaded… that idea wouldn't fly. Someone else would be held responsible. Who and how? That remains to be seen.
Posted Dec 13, 2023 0:39 UTC (Wed)
by bluca (subscriber, #118303)
[Link]
Posted Dec 12, 2023 14:19 UTC (Tue)
by domdfcoding (guest, #159754)
[Link] (4 responses)
Posted Dec 12, 2023 15:15 UTC (Tue)
by willy (subscriber, #9762)
[Link] (1 responses)
Posted Dec 12, 2023 23:48 UTC (Tue)
by bluca (subscriber, #118303)
[Link]
Posted Dec 12, 2023 16:04 UTC (Tue)
by fenncruz (subscriber, #81417)
[Link]
Posted Dec 18, 2023 2:16 UTC (Mon)
by jschrod (subscriber, #1646)
[Link]
I pity you.
But you seem to be slow in understanding why.
It has immediate and direct effect.
https://www.legislation.gov.uk/eut/teec/article/322 (Common Provisions)
Just one last comment (just saw corbet's note).
Law trumps licence clauses.
If you want examples of laws over-riding clear terms in software licenses, look at Britain's Copyright, Designs and Patents Act 1988:
296A Avoidance of certain terms.
Sections 50A, 50B and 50BA make it clear that these things don't breach copyright, either.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED.
EU situation should be looked at by everyone
> I don't see why anyone considers that an acceptable state of affairs.
> So if I publish some piece of open source code that then gets used by $COMPANY in their $GADGET the entity that should be liable for any bugs (security or otherwise) is $COMPANY
> MythTV, as a legal entity, is liable, not a random employee.
> As the consumer, I go to the dealer, and HE HAS TO FIX IT.
> Legislatively, the liability stops with the car dealer. If the manufacturer says "nope, not going to fix it, your problem", that's the car dealer's problem to deal with.
In the case of "Produkthaftung", which basically means persons have been injured or *other* things have been destroyed, the dealer is only liable in a couple of special cases. (Basically, only if the dealer can't point at manufacturer)
> > (security or otherwise) is $COMPANY
> I'm all for treating the software industry like any other, and THIS ISN'T IT.
UK liabilities during bankruptcy
>Der Händler haftet natürlich auch immer dann, wenn er selbst Importeur aus einem Drittland ist und die Ware vertreibt.
>Of course, the retailer is also always liable if he himself is the importer from a third country and sells the goods.
Debian offers you a copyright licence, and you agree to be bound by its terms.
Debian would have to start selling access to Debian++ "now built with -O4 for extra speed!!11" and using the "slow" version to entice new customers to fall afoul of those rules.
Who would support bad legislation?
> Secondly, implicit in the assertion that this will affect Free software more than it affects proprietary software is a claim that proprietary software is inherently (by virtue of being proprietary) less likely to be defective than Free software; can you back this claim up?
> From my standpoint there is a point where open source gets "reduced to practice" by the commercial entity that decides to package this for PUBLIC use, or even its own use.
We get that you have little respect for people who see this issue differently than you do, but you can still engage in polite conversation, please? We don't need name-calling here.
Calm down?
> The twisted reasoning is assuming that they mean the same thing.
has been financed should not be taken into account when determining the commercial or non-commercial nature of that activity. A package manager, code host or collaboration platform that facilitates the development and supply of software is only considered to be a distributor if they make this software available on the market and hence supply it for distribution or use on the Union market in the course of a commercial activity. Taking account of the above-mentioned elements determining the commercial nature of an activity, this Regulation should only apply to free and open-source software that is supplied in the course of a commercial activity."
> Fedora/OpenSUSE is probably completely screwed due to its connection with Red Hat/SUSE
doesn't sell laptops with EOL versions of Fedora pre-installed.
> If you download Chrome from Google's website, then you are responsible for keeping it up to date. YOU imported it into the EU (or whatever ...), YOU are liable.
We don't need to be throwing insults at each other, please stop.
Let's slow this down
> And lastly, supply of software is a SERVICE that customers are willing to PAY FOR. If you're not prepared to let an EU-based supplier supply (AND WARRANTY) your software, some other manufacturer will, and you'll very rapidly find yourself frozen out of the EU. Nobody will want to buy your product, because they will just not trust it.
[2] Paragraph 10 of the latest marked-up version, which I quoted verbatim earlier in this thread in a reply to you. [4]
[3] I don't have a citation for this, but I read that official estimates were that compliance with the CRA would lead to an approximately 25% increase in overhead.
[4] https://lwn.net/Articles/954874/
frankly While there are "recommended best practices" there's nothing that mandates them for general B2B or B2C activities.
(IMO, insurance carriers are going to be the ones pushing this stuff forward, but forced arbitration clauses in EULAs have removed the main lever non-legislators have to drive change...)
> But the core principle is already present; when something is transferred to another business in a sufficiently incomplete state, it's no longer a "product", but a "component of a product", and liability can be disclaimed in the contract governing that transfer.
"While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein."
> Distribution of those binaries and services are a separate act from contributing code.
Well, each to their own, as they say in UK.
