EU situation should be looked at by everyone

Posted Dec 12, 2023 20:54 UTC (Tue) by khim (subscriber, #9252)
In reply to: EU situation should be looked at by everyone by mfuzzey
Parent article: Bottomley: Solving the Looming Developer Liability Problem

> So if I publish some piece of open source code that then gets used by $COMPANY in their $GADGET the entity that should be liable for any bugs (security or otherwise) is $COMPANY

Yup. That's the idea that is explicitly and consciously rejected by lawmakers. Please read the article on Apache's blog.

> the context in which it is used which has a great impact on the exploitability of any vulnerabilities

Indeed. And that's what open-source advocates are missing. They all implicitly assume that there are some open-source hobbyists who couldn't and shouldn't ever be held responsible, and there is a large and evil $COMPANY that takes that work and can afford to indemnify it.

But that's not how the world works at all. Think MythTV. The company that produces a DVR based on MythTV may include a couple of hardware engineers, one software guy and a few people in marketing. With actual manufacturing outsourced to some guys in a far away jurisdiction.

And you want to make that one guy responsible for all the liabilities that may happen in millions of lines of code which said guy got from the MythTV project and these guys got from the Linux Foundation, Debian and other large groups of people?

Lawmakers, pretty reasonably, assume that it would just never work. This idea would just mean that the majority of the EU software industry (which mostly includes tiny companies which take existing products from large US companies and open source guys and add a small amount of glue code) would be wiped out.

And you may bet pretty large sum on the desire of EU legislators to keep these small guys around.

That, by necessity, implies that large open source “forges”, if, maybe, not individual contributors, would have to deal with liabilities.

And that's it. How they would stomach that cost is a different matter, and I don't think even EU legislators know how precisely this should be handled.

Most likely the model adopted by the x265 guys would be the end result: open source developers write the code and provide some instructions about how to build that thingie, but there are no instructions which explain how that code can be used and there are no binaries which make it possible to actually run that thingie. And there would be separate guys who would sell these binaries and these would include indemnification.

> Perhaps $COMPANY could shift some of the liability to $OTHER_COMPANY if they had a commercial relation with them to provide some software for their product and $OTHER_COMPANY decided to use my code.

You can be 100% sure that the first thing they would do is to attempt to shift the responsibility and put it on these guys who are providing binaries. Later, if that would fail, they may seek some $OTHER_COMPANY.

All these things are pretty obvious if you try to look at the situation from outside of the FOSS bubble, but for some reason lots of FOSS advocates couldn't do that.

They are looking at what's happening from their POV and ignore the desires of the majority, the people who are using software but never write or change it.

In a democracy their opinion should be dominating and AFAICS that's precisely what is happening.

EU situation should be looked at by everyone

Posted Dec 12, 2023 22:12 UTC (Tue) by snajpa (subscriber, #73467) (1 responses)

From the Apache article:

> Although the IT industry is still small compared to other large industries and sectors, [...]

I mean it's really hard for me to take the whole article seriously after a statement like that. I've spent quite a bit of time today trying to uncover the actual evil in any of the drafts or existing relevant legislation, but 404 Not Found. All I see is FUD, and I have a strong feeling this pushback is coming from the corporations _alone_, even if it's a foundation whose voice is being heard here. (where do the hundreds of millions $ in annual revenue come from, haha)

EU situation should be looked at by everyone

Posted Dec 12, 2023 22:25 UTC (Tue) by snajpa (subscriber, #73467)

disclaimer: that is not to say there is 100.0% no evil hidden, only that I'm not seeing it: a major fault in GDPR and the right to be forgotten has become a backdoor for shooting down scientific works years after they were published; that's not an outcome I expected. I was a GDPR supporter but I would love to see a few changes now if I could; sadly the debate is over and we've moved on to this one...

EU situation should be looked at by everyone

Posted Dec 12, 2023 23:44 UTC (Tue) by bluca (subscriber, #118303) (10 responses)

> And you want to make that one guy responsible for all the liabilities that may happen in millions of lines of code which said guy got from the MythTV project

Obviously not. MythTV, as a legal entity, is liable, not a random employee. How they arrange to fulfill that liability is their problem.

> This idea would just mean that the majority of the EU software industry (which mostly includes tiny companies which take existing products from large US companies and open source guys and add a small amount of glue code) would be wiped out.

Good! If they can't maintain secure software, they must be stopped from being in business. If you can't build a car that satisfies safety requirements, you go out of business. If you can't produce food that satisfies quality requirements, you go out of business. If you can't produce medicines that satisfy health requirements, you go out of business. Why on earth should it be any different for the electronics consumer market? It's mad that this no man's land was allowed to go on for as long as it did, and it's about time the adults stepped in and put some order in this absurd mess.

> That, by necessity, implies that large open source “forges”, if, maybe, not individual contributors, would have to deal with liabilities.

This is an absurd, hallucinatory non-sequitur that has no basis in reality, laws or regulations. It's FUD of the highest order. The liability is with whoever puts the product on the market. It boggles the mind that it has to even be said.

EU situation should be looked at by everyone

Posted Dec 13, 2023 0:13 UTC (Wed) by khim (subscriber, #9252) (9 responses)

> MythTV, as a legal entity, is liable, not a random employee.

What legal entity? I'm not sure if Isaac Richards passed rights for mythtv.org to someone, but even if he did there are lots of projects out there which work as critical part of our digital infrastructure yet are still, formally, personal projects of someone.

> If you can't build a car that satisfies safety requirements, you go out of business.

Nah, you get billions of government bailouts.

> If you can't produce food that satisfies quality requirements, you go out of business.

Only if you couldn't fix things that you are required to fix even with government subsidies.

> If you can't produce medicines that satisfy health requirements, you go out of business.

Not before you would get money to fix the issues and recommendations to follow.

> Why on earth should it be any different for the electronics consumer market?

Who said it's any different? The EU does work to ensure businesses survive, and the electronics consumer market is not an exception. Yes, there are both a stick (government makes sure there are requirements to follow) and a carrot (government makes sure requirements are not too onerous and only affect the ones unwilling to follow the requirements).

The electronics consumer market is not treated any differently.

> This is an absurd, hallucinatory non-sequitur that has no basis in reality, laws or regulations.

Right now, yes. And that's what the EU is fixing.

> The liability is with whoever puts the product on the market.

Yes. And the EU, quite sensibly, says that these entities have well-known names: Apache Software Foundation, Linux Foundation, Debian and so on.

A significant amount of code in Debian is created by huge corporations, after all. Critical pieces, without which Debian wouldn't exist: GCC, Clang, the Linux kernel and lots of other software. Which is a fact. And, according to the EU, the whole scheme with a “noncommercial foundation which couldn't be held responsible” is just a thinly veiled scheme to shirk responsibility. Why should it be allowed to continue?

> It boggles the mind that it has to even be said.

Lawmakers are equally baffled. I mean: does a car dealer have a liability if a car has a defect? Only if said dealer tinkered with it and made it unsafe, right? Why then should someone who sells you Debian or PostgreSQL be held responsible if that's not their fault?

EU situation should be looked at by everyone

Posted Dec 13, 2023 1:32 UTC (Wed) by bluca (subscriber, #118303)

> What legal entity?

The one that sells the VCRs you were talking about, obviously, they are the ones putting a product on the market.

> I'm not sure if Isaac Richards passed rights for mythtv.org to someone

I have no idea who that is, but as long as they are not selling in the single market, there's nothing for them to do

> but even if he did there are lots of projects out there which work as critical part of our digital infrastructure yet are still, formally, personal projects of someone.

Projects don't end up as "critical infrastructure" by osmosis. Somebody puts them there. A repository on Github doesn't magically end up running a power plant all by itself.

> Nah

Very much yes. Try and go sell cars with non-working seat belts and refuse to recall them and fix them, and see how far you go before you are dragged in court.

> you get billions of government bailouts.

What bailouts? What are you on about?

> Only if you couldn't fix things that you are required to fix

Yes, exactly

> even with government subsidies.

What's this obsession with "government subsidies"? Are you American by any chance?

> Not before you would get money to fix the issues and recommendations to follow.

Receive money? From whom? Can I get some too?

> Who said it's any different?

You did

> EU does work to ensure businesses survive

No, it does work to ensure the _market_ survives, which crucially includes customers. Ever heard of the GDPR? Find me one business that liked that

> electronics consumer market is not an exception.

It very much is right now, before this regulation fixes it

> Yes, there are both stick (government makes sure there are requirements to follow) and carrot (government makes sure requirements are not too onerous and only affect the ones unwilling to follow the requirements).

Sticks were notably absent, until the CRA came along

> The electronics consumer market is not treated any differently.

It's fundamentally different right now. Try selling cars with non-working brakes and refuse to recall them to fix them, and see how you fare. Now try selling phones with known security vulnerability and refuse to fix them - no need to use your imagination, this happens daily all over the European market.

> Right now yes.

That's weapons grade nonsense

> And that's what EU is fixing.

No, the EU is fixing a fundamentally broken market where corporations take advantage of a lack of rules and regulation to push out known broken products with no liability, putting customers at risk

> Yes.

Indeed

> And EU, quite sensibly, says that these entities have well-known names: Apache Software Foundation, Linux Foundation, Debian and so on.

The EU never said any such thing

> A significant amount of code in Debian is created by huge corporations, after all.

And nobody cares, since Debian is not a product, so it could be made by green men from Mars for all that it would matter

> Critical pieces, without which Debian wouldn't exist: GCC, Clang, Linux kernel and lots of other software. Which is a fact.

It also wouldn't exist without oxygen and electricity. Which is also a fact.

> And, according to EU, the whole scheme with “noncommercial foundation which couldn't be held responsible” is just a thinly veiled scheme to shirk responsibility.

Debian is not a foundation, so I have no idea what you are talking about at this point, but I suspect that you don't either

> Why should it be allowed to continue?

Because it's not a product on the market. We've been over this already, it's not that difficult.

> Lawmakers are equally baffled.

By posts such as yours and FUD blog posts by the ASF? Probably, assuming they ever came across them, they would be I imagine, yes

> I mean: does a car dealer have a liability if a car has a defect?

Obviously? Why would the shop of a car company that sells to the public not be liable?

> Only if said dealer tinkered with it and made it unsafe, right?

Uh? Why would a car company seller "tinker" with a car that they got from their employer and that they are selling on their behalf?

> Why then should someone who sells you Debian or PostgreSQL be held responsible if that's not their fault?

Because they are putting a product on the market. I really don't see what's so difficult about this, it seems really straightforward.

EU situation should be looked at by everyone

Posted Dec 13, 2023 10:24 UTC (Wed) by Wol (subscriber, #4433) (7 responses)

> I mean: does a car dealer have a liability if a car has a defect? Only if said dealer tinkered with it and made it unsafe, right? Why then should someone who sells you Debian or PostgreSQL be held responsible if that's not their fault?

This is not right. In fact, it's so bad it's not even wrong. IT'S TOTAL GARBAGE.

Europe's entire consumer protection legislation edifice is BUILT on the premise that the guy who SELLS the product IS LIABLE.

I've just bought myself a car. A brand new Volkswagen to be precise. And let's assume the engine fell out on the way home and the car was destroyed. THIS IS NOTHING TO DO WITH VOLKSWAGEN. The law places ALL responsibility on the dealer. (We'll forget that I have a legal liability to have insurance, and that will absorb a chunk of it.) It is the DEALER'S problem - he may - should - have backup contracts / liability sharing / what-have-you with Volkswagen, but that's down to him. As the consumer, I go to the dealer, and HE HAS TO FIX IT.

I've actually used that, with that big retailer who "is never knowingly undersold". A three month old phone broke, and I took it back. The crucial point here is I bought it end-of-line in a sale ... They said to me "We can't replace it, we have a deal with the manufacturer so we can't repair it, you can have a refund". Leaving me £20 out-of-pocket if I replaced it like-for-like. I just replied "It's got a warranty. Repair or Replace. Otherwise you're charging me for a warranty repair."

It still ended up costing me £20, but that's because I got an upgraded replacement, and that was the difference between like-for-like and what I walked off with.

Which is why people like pizza should have nothing to worry about. If he's uploading to some random forge, there is no "placing on the market" to trigger liability. To the best of my knowledge, forges have nothing to worry about either, because they provide a market place; they aren't placing anything on the market either. (And I think that might actually be explicit in the legislation.) And even if pizza's doing stuff for money, all he needs is for the contract to say either (a) that pizza will undertake best efforts and his employer will warrant to fix things if they break (probably by employing pizza again), or (b) pizza will include the cost of insurance in the invoice. And if the employer doesn't like it, well he's always (with Open Source) got a third choice - do it himself!

Cheers,
Wol

EU situation should be looked at by everyone

Posted Dec 13, 2023 11:03 UTC (Wed) by khim (subscriber, #9252) (5 responses)

> As the consumer, I go to the dealer, and HE HAS TO FIX IT.

Sure, but we are not talking about that. We are talking about the next step: what happens after.

All car dealers that I have ever seen contacted the manufacturer if it's their defect. Sure, if someone stole some screws while the car was with the dealer, then the manufacturer is not to blame and the car dealer goes to court.

But if the car dealer can prove that he hasn't touched anything and the goods were defective when they left the factory then it's on the manufacturer, 100%.

The law applies the exact same rules to software. Why is it so hard to understand and accept?

> Which is why people like pizza should have nothing to worry about. If he's uploading to some random forge, there is no "placing on the market" to trigger liability. To the best of my knowledge, forges have nothing to worry about either, because they provide a market place; they aren't placing anything on the market either.

Sorry, but this couldn't be right. One of them has to be responsible. Like in retail: a supermarket may be selling under their own name and then would be responsible, or may provide space for others to put their booth and then these others would be responsible, but someone has to be liable, or else why have the whole charade of a law if no one is responsible for anything?

> And if the employer doesn't like it, well he's always (with Open Source) got a third choice - do it himself!

And that is why the law is shaped like it's shaped. It's completely inconceivable that one guy whom you can find on freelancer.org and who knows how to combine LAMP with 100 lines of his own code should be responsible for the whole thing. Someone big enough must be responsible, or else the whole scheme wouldn't work. Even if some idiotic lawmaker would try that, said guy simply has no means to review and support millions of lines of code in LAMP.

And yes, if that would mean that open source would disappear entirely and would be replaced by Microsoft and Oracle $$ offerings then lawmakers would accept that: in that world there would always be someone who can be, reasonably, made liable for software.

EU situation should be looked at by everyone

Posted Dec 13, 2023 11:15 UTC (Wed) by farnz (subscriber, #17727) (2 responses)

Legislatively, the liability stops with the car dealer. If the manufacturer says "nope, not going to fix it, your problem", that's the car dealer's problem to deal with.

In practice, as a result, car dealers refuse to sign contracts with manufacturers that permit manufacturers to say that - they instead require manufacturers to sign up to contracts that allow the dealer to pass liability backwards down the chain to the manufacturer.

But, for example, if the car dealer you bought your car from goes bankrupt, you have no legal claim against the manufacturer, only against the car dealer's remains. Manufacturers will usually intervene in this case, for the benefit of the brand, but they are under no legal obligation to do so.

The CRA, while not perfect, is an attempt to try and fit similar rules to software - it's just that because of the nature of software, it's a lot easier for vendors to sell you just one piece of the final product (a simple piece like a start-up script), and require you to assemble the rest of the software from other places, and the CRA wants to block off that sort of shenanigans. But this is new rules for software.

EU situation should be looked at by everyone

Posted Dec 13, 2023 11:38 UTC (Wed) by khim (subscriber, #9252) (1 responses)

> Legislatively, the liability stops with the car dealer. If the manufacturer says "nope, not going to fix it, your problem", that's the car dealer's problem to deal with.

You are talking about defect fixing. I'm talking about liability. And, of course, in case of an accident your car maker may be found liable and that doesn't depend just on what the contract between dealer and car maker says.

Manufacturer can disclaim some liability, sure, but not everything.

> But, for example, if the car dealer you bought your car from goes bankrupt, you have no legal claim against the manufacturer, only against the car dealer's remains. Manufacturers will usually intervene in this case, for the benefit of the brand, but they are under no legal obligation to do so.

Lol. That loophole was closed years ago. I still remember times when the law worked like that in Russia. Big companies just never sold anything; they created tiny dealers which sold goods and then disappeared after 3 or 6 months. And then your warranty was pretty much pointless and companies could save money. That's a no-brainer scheme, really.

Of course these loopholes were patched up and today the law doesn't work like that. Whether the manufacturer would be held liable or not is determined by a large body of law, but if a car design defect leads to deaths it's almost always judged to be the manufacturer's fault.

Why shouldn't a defect in MySQL or Apache Web Server be treated in the same way?

EU situation should be looked at by everyone

Posted Dec 13, 2023 12:07 UTC (Wed) by farnz (subscriber, #17727)

In the UK, it still works like that - the manufacturer can disclaim all liability and pass it onto the dealer. The dealer is the entity that cannot disclaim liability. A US lawyer talking about liability in the US is kinda irrelevant here - we're not (yet?) a state of the USA.

We closed the loophole differently; the liability for manufacturing defects is created at the time the sale happens, and is thus part of the company that you have to handle while you close the company down; if you've not done so, then the directors of the company that was closed down have committed a criminal offence, and can both be forced to pay out the liabilities personally (possibly making them bankrupt), and banned from ever running a UK company again. This makes the trick you describe effectively impossible - you need to find genuine directors for your new company (otherwise it's just a trading name of the manufacturer), and you will not be able to do so if you're burning through them every 3 months or so, and discarding them with huge liabilities that they agreed to.

Further, to close a company down requires you to transfer all of its assets and liabilities out - if you transfer assets out without transferring out liabilities, then the company becomes insolvent, and the asset transfers can be undone to make the company solvent again (since it's illegal to engage in any transfer that makes the company insolvent). The only way to leave liabilities behind is to go bankrupt, but in UK law, that requires you to prove that the company could not continue trading - and also opens up opportunities for the bankruptcy court to "pierce the corporate veil" and say that the company is merely a front for another entity, who thus is liable for everything the company did as-if they did it themselves. In the case of the scheme you describe, the company would be deemed (in bankruptcy) to be a front for the manufacturer, and thus the manufacturer becomes liable because they created the company purely to avoid liability.

And if you remember when it worked like this in Russia, then Russia had this problem a long time after the mechanisms I loosely describe above came into being in England & Wales; these mechanisms built up in the 18th and 19th centuries, and were fully in place by the beginning of the 20th century.

EU situation should be looked at by everyone

Posted Dec 13, 2023 13:18 UTC (Wed) by Wol (subscriber, #4433)

> Sorry, but this couldn't be right. One of them has to be responsible. Like in retail: a supermarket may be selling under their own name and then would be responsible, or may provide space for others to put their booth and then these others would be responsible, but someone has to be liable, or else why have the whole charade of a law if no one is responsible for anything?

Sorry, but this is the "it's not my fault" fallacy. It's what frauds and conmen like to do - "it's your fault for falling for a scam". What if it's NOBODY'S fault? Certainly the moral position is quite clear - if you are actively benefiting, then you have to warranty what you're doing. And for the most part, the law agrees. If you're benefiting from actions that injure someone else, then you're responsible.

That's why it's "follow the contract". That's why when I purchase a car from a dealer it's the DEALER who is liable for EVERYTHING. That's why the DEALER will have a CONTRACT with Volkswagen to indemnify the dealer for faults in Volkswagen's products.

I dunno about the law where you live, but that's why, when we have a recall for faults, it's the DEALER who fixes everything. It may well be Volkswagen that actually pays for it, but that's between the dealer and Volkswagen - nothing to do with me! And that's why manufacturers don't like recalls - because it's the CONTRACT between them and the dealer that says they pay for it. How else would UK law get a German manufacturer to fix defects in cars (not in this case, but in others) made in the Far East? They push all the responsibility on the guy SELLING the PRODUCT, and expect them to cover their backs with contracts. And if those contracts are straw, then that's the dealer's tough luck.

As for your example of manufacturers setting up little dealerships and letting them go under - well we have "evasion" regulations. If the purpose of setting up the dealership is to let it go bust and evade liability, English law certainly will "pierce the veil" and say "this dealership is a fraud. For the purposes of the law it never existed and its supplier is on the hook instead". Actually invoking that may be tricky, but that's what the law says, that's how the law deals with it. The law doesn't say "the manufacturer is responsible", it says "the manufacturer is fraudulently dodging responsibility". J Random Hacker quite clearly isn't setting up legal shell distributors with the intention of evading responsibility, fraud clearly isn't on the table ... the customer is getting EXACTLY what he (didn't) pay for. (Likewise with J Random Forge - there's nothing that could remotely be described as fraudulent.)

Cheers,
Wol

EU situation should be looked at by everyone

Posted Dec 13, 2023 13:24 UTC (Wed) by Wol (subscriber, #4433)

> All car dealers that I have ever seen contacted the manufacturer if it's their defect. Sure, if someone stole some screws while the car was with the dealer, then the manufacturer is not to blame and the car dealer goes to court.

> But if the car dealer can prove that he hasn't touched anything and the goods were defective when they left the factory then it's on the manufacturer, 100%.

But that's down to the dealer's contract with the manufacturer. NOTHING TO DO WITH ME. If the manufacturer can't/refuses to honour their contract with the dealer, NOTHING TO DO WITH ME.

The car isn't fit for purpose. The dealer legally MUST refund me. If they can't get the money back from the manufacturer, NOT MY PROBLEM.

(Okay, in practice, I might have considerable difficulty in enforcing this - if the manufacturer refuses to bail out the dealer, the dealer may go bust and I lose my money, but that's not the law, that's the law in practice, a very different thing.) And in that case, the receiver SHOULD sue the manufacturer on my behalf, but is that ever going to happen?

Cheers,
Wol

EU situation should be looked at by everyone

Posted Dec 13, 2023 11:38 UTC (Wed) by mb (subscriber, #50428)

>I've just bought myself a car. A brand new Volkswagen to be precise. And let's assume the engine fell out on the way home and the car was destroyed. THIS IS NOTHING TO DO WITH VOLKSWAGEN.

Well, that depends on whether it's a case for "Gewährleistung" or "Produkthaftung".
In the case of "Produkthaftung", which basically means persons have been injured or *other* things have been destroyed, the dealer is only liable in a couple of special cases. (Basically, only if the dealer can't point at manufacturer)

EU situation should be looked at by everyone

Posted Dec 13, 2023 9:57 UTC (Wed) by Wol (subscriber, #4433) (29 responses)

> > So if I publish some piece of open source code that then gets used by $COMPANY in their $GADGET the entity that should be liable for any bugs
> > (security or otherwise) is $COMPANY

> Yup. That's the idea that is explicitly and consciously rejected by lawmakers. Please read the article on Apache's blog.

Then those lawmakers don't have a clue about law. This would up-end the entire world of commercial contracts, liability, everything. I'm all for treating the software industry like any other, and THIS ISN'T IT.

Cheers,
Wol

EU situation should be looked at by everyone

Posted Dec 13, 2023 10:47 UTC (Wed) by khim (subscriber, #9252) (28 responses)

> I'm all for treating the software industry like any other, and THIS ISN'T IT.

Show me one jurisdiction where manufacturing mistakes in a car are the responsibility of the car dealer and the actual manufacturer is exempt, and we'll go from there.

> This would up-end the entire world of commercial contracts, liability, everything.

Why? It's like any other business, according to the law: the guy who did the final packaging work is liable for everything, but if the problem is with components (namely Debian or an NPM module) then the producer of said component is on the hook. And if Debian inherited a bug from the Linux Foundation then said Linux Foundation is responsible and so on.

AFAIK that's how all other industries operate, too: except if you sell counterfeits, you may easily send all these safety requests to the manufacturer if you are just a box mover.

Why should software be any different?

EU situation should be looked at by everyone

Posted Dec 13, 2023 11:24 UTC (Wed) by farnz (subscriber, #17727) (8 responses)

England & Wales has been that way forever. A manufacturing fault in a car is the responsibility of the dealer in law, and the manufacturer doesn't come into it.

In practice, dealers are unwilling to take on liability for manufacturing defects without being able to pass it back to the manufacturer, and thus sign contracts that state that - and manufacturers include "warranties" as part of selling the car to the dealer that can be transferred to the final customer, but legally speaking, if I buy a brand new BMW from Park Lane Limited tomorrow, only Park Lane Limited are liable for manufacturing faults.

EU situation should be looked at by everyone

Posted Dec 13, 2023 15:25 UTC (Wed) by Wol (subscriber, #4433)

The other thing here, is that dealers are often agents. So it may be the case that it's the manufacturer selling to the customer, but then the agent is JOINTLY LIABLE.

So as I've said elsewhere, I deal with the DEALER. Any problems, as far as I'm concerned, are the DEALER'S problem. But because the dealer was the manufacturer's agent, if there are problems I can target the manufacturer as a backstop. But that's not always true.

And because this is almost invariably hidden from the customer, any attempt BY THE DEALER to HIDE behind this would pretty much instantly be slammed as fraud or deception. (It's not a problem in the normal course of events, because it's not used in the normal course of events to evade liability. It's just a convenient legal fiction.)

Cheers,
Wol

EU situation should be looked at by everyone

Posted Dec 14, 2023 0:06 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) (6 responses)

> if I buy a brand new BMW from Park Lane Limited tomorrow, only Park Lane Limited are liable for manufacturing faults.

What happens if you buy a BMW from Totally Honest Guys Inc. that goes bankrupt and is liquidated tomorrow? I'm really curious.

EU situation should be looked at by everyone

Posted Dec 14, 2023 9:07 UTC (Thu) by Wol (subscriber, #4433) (3 responses)

You're stuffed! Simple as!

Which is why you should always look seriously askance at any (sales) company that says "we guarantee our own products". If the company goes bust, the guarantee goes with it.

As was mentioned elsewhere, typically BMW will provide a guarantee with the Mini, which the dealer then transfers to you. You now have a CONTRACT with BMW, mediated by the dealer, and if the dealer goes bust BMW will guarantee the contract. Likewise if the dealer was mere agent your contract is with BMW, not the dealer.

Elsewhere you should look for companies that say "we have an insurance contract that covers our guarantees" - you now have a CONTRACT with the INSURANCE COMPANY (or will have, when the receiver transfers it over to you, which they have no choice about). Or the supplier provides a warranty - that's more hassle and grief than going through the retailer, but at least it's a back-stop.

Cheers,
Wol

EU situation should be looked at by everyone

Posted Dec 14, 2023 9:55 UTC (Thu) by Wol (subscriber, #4433) [Link]

Whoops - "supplier warranty" should have read "manufacturer warranty".

Cheers,
Wol

EU situation should be looked at by everyone

Posted Dec 14, 2023 10:05 UTC (Thu) by Wol (subscriber, #4433) [Link] (1 responses)

Oh, and to add, in the case of a manufacturer recall, in practice it works that you can always return your car to ANY dealer. Because BMW's contract with the dealer says that "ANY car you provide warranty/recall/stuff-like-that work on, you bill to BMW". Which is why you can't go to a non-BMW dealer, because there's no contract.

Cheers,
Wol

EU situation should be looked at by everyone

Posted Dec 14, 2023 10:46 UTC (Thu) by farnz (subscriber, #17727) [Link]

Manufacturer recalls are slightly different; those exist because to get a V5C (registration document showing that the car is allowed on the road), you must first show that the car meets requirements.

There's two ways to do this:

  1. The expensive way; get individual vehicle approval from DVSA. If this is the case, then there's no recall mechanism available, since the actual vehicle being registered is inspected and confirmed to be OK. However, it costs more per vehicle, and carries the risk that the vehicle will fail and need remedial work before it can be registered.
  2. The cheap way; get type approval via the Vehicle Certification Agency. Type approval does not involve inspection, necessarily (just paperwork), but the flip-side of type approval is that if you (or the authorities) discover that your vehicle does not meet the paperwork, you have to pay to fix it via the recall mechanism.

This is entirely separate from general liability - it's part of having the rights to use type approval to get a V5C instead of having to use individual vehicle approval.

EU situation should be looked at by everyone

Posted Dec 14, 2023 9:31 UTC (Thu) by geert (subscriber, #98403) [Link]

You contact your local consumer protection group, who will make such a fuss about it that BMW will fix the issue?

UK liabilities during bankruptcy

Posted Dec 14, 2023 10:14 UTC (Thu) by farnz (subscriber, #17727) [Link]

So, first two questions (since "Inc" is not a legally protected suffix in England & Wales); is "Totally Honest Guys" a limited company or not? Second, are the debts contractual (in which case, you're an ordinary creditor) or statutory (e.g. goods of merchantable quality, in which case you're a priority creditor)?

If they're not a limited company, then you're probably stuffed; you've been dealing with a trading name used by a single individual or group of individuals, and you're limited to what you can get out of them personally; if they've got insufficient assets to cover you, you're out of luck. If their liability to you is statutory, however, you get to "go first" when it comes to their remaining assets, before the ordinary creditors; but usual rules about money from nothing apply.

If they're a limited company (i.e. have a company registration at Companies House), it gets more complicated; the liquidation is supposed to put aside a "residual" of the company to cover potential liabilities to priority creditors, which pays out to ordinary creditors as the liabilities fail to materialize. If there's not enough left to put aside a full residual, the directors were trading while insolvent, which is a criminal matter in its own right, and also puts them on the hook personally for any liabilities the residual fails to cover; trading while insolvent (at a minimum) prevents you being a company director for a period of time, and can include a jail sentence. The residual will pay out the liabilities if they occur, or will pay the ordinary creditors if the liability fails to materialize (e.g. if 7 years after bankruptcy, your car has been fine, the money that was put aside to cover the risk that your car needed repair, replacement or partial refund due to merchantability issues will have gone to ordinary creditors in full).

In practice, BMW probably step in to protect their brand in either case, if it's a new car; "Totally Honest Guys" is, if selling new cars, almost certainly trading as "BMW New City" or similar, and BMW want you to be talking about how they stepped in to help you out, not about how you bought a new BMW and had a really bad experience when "BMW New City" went bankrupt.

EU situation should be looked at by everyone

Posted Dec 13, 2023 11:28 UTC (Wed) by mb (subscriber, #50428) [Link] (14 responses)

>Show me one jurisdiction, when manufacturing mistakes in a car are responsibility of a car dealer and actual manufacturer is exempt and we'll go from there.

Under German law that is actually possible:

https://www.ihk.de/darmstadt/produktmarken/recht-und-fair...

>Händler sind aber immer dann unbeschränkt haftbar, wenn sie die fehlerhaften Produkte von einem Importeur gekauft haben, der aus einem Drittland importiert und dessen Name nicht feststellbar bzw. auffindbar ist. [..]
>Der Händler haftet natürlich auch immer dann, wenn er selbst Importeur aus einem Drittland ist und die Ware vertreibt.

Deepl translation:

>However, retailers are always liable without limitation if they have purchased the defective products from an importer who imports from a third country and whose name cannot be determined or traced. [..]
>Of course, the retailer is also always liable if he himself is the importer from a third country and sells the goods.

EU situation should be looked at by everyone

Posted Dec 13, 2023 11:46 UTC (Wed) by khim (subscriber, #9252) [Link] (13 responses)

Thanks for being constructive and offering concrete evidence, and not just your ideas about how the world should work rather than how it works.

Yes, if a dealer imports something from abroad and the court couldn't reach the actual manufacturer, then the importer may be held fully responsible, which makes perfect sense: the court would love to make the actual guy who does “bad things” responsible, but if they are out of reach… the importer would have to shoulder that responsibility. Makes sense.

I guess that idea would be applied to software, too. Hmm.

This would mean that if forges just leave the EU they may avoid all the blame.

I wonder what would be the next step, though. Make use of Debian or Gentoo, directly downloaded from outside of the EU, illegal? We'll see, I guess.

EU situation should be looked at by everyone

Posted Dec 13, 2023 13:01 UTC (Wed) by bluca (subscriber, #118303) [Link] (12 responses)

For the millionth time: in the EU, it's the seller that is responsible to its customers, period. Sellers need private, mutually agreed contracts with their suppliers to share or offload customer liability. Debian and Gentoo are not sellers, and do not have any such contracts. Downloading is not buying a product or signing a contract. This has been explained to you by at least 3 or 4 people already, independently. Yet you still insist with this nonsense. What's the part that you are struggling to grasp, precisely?

EU situation should be looked at by everyone

Posted Dec 13, 2023 14:01 UTC (Wed) by farnz (subscriber, #17727) [Link] (11 responses)

The difficulty is that Debian can be both a component supplier and a seller to consumers itself; for the purposes of the CRA, me downloading a binary ISO for personal use from debian.org can count as a sale of a product (this being how the CRA intends to prevent - for example - free trials of a proprietary product, or advertising-supported products that are also free at point of distribution from being exempt from the CRA). Whether or not it counts depends on the details of the CRA.

Now, me acting as an employee and downloading Debian is not guaranteed to be a purchase of a product for the purposes of the CRA, because my employer is not a private individual, and thus for business-to-business transactions like that, the contract terms matter.

EU situation should be looked at by everyone

Posted Dec 13, 2023 14:55 UTC (Wed) by Wol (subscriber, #4433) [Link] (9 responses)

> Whether or not it counts depends on the details of the CRA.

And any attempt to make Debian, or Gentoo, or Sourceforge ... liable to J Random Downloader will make a complete mockery of contract law. It's not going to happen.

Absent SOME sort of contractual relationship between the user of the software and developer or download site, nothing will be able to stick. All this angst about liability will only come to pass if there is some sort of fraud, or deception, or otherwise attempt to benefit without taking responsibility.

Writing software for pleasure and giving it away cannot in any way be construed as malicious, fraudulent, deceptive practice, or whatnot. Absent that, a contract is an absolute minimum for transfer of liability. Absent both of those, you're untouchable (well, maybe not, anybody can sue for anything, but European courts are far more likely to call that for what it is - a malicious plaintiff, and then they're not facing the wrath of their victim, they're facing the wrath of the court, which is NOT a nice place to be!)

Cheers,
Wol

EU situation should be looked at by everyone

Posted Dec 13, 2023 14:59 UTC (Wed) by farnz (subscriber, #17727) [Link] (8 responses)

Offering a download to all comers is a contractual relationship, as to do so you need to grant permissions under copyright law. It's not a very strong relationship, but it exists - else by downloading it, you're breaking copyright law, and the offerer has acted to incite you to breach copyright.

EU situation should be looked at by everyone

Posted Dec 13, 2023 16:06 UTC (Wed) by Wol (subscriber, #4433) [Link] (7 responses)

But it's not "placing on the EU market". Yes it's a bare contract, a licence, but absent a MUTUAL exchange of consideration, there can be no sale, no market, yada yada.

"Offering for download" is NOT "mutual consideration".

Cheers,
Wol

EU situation should be looked at by everyone

Posted Dec 13, 2023 16:07 UTC (Wed) by farnz (subscriber, #17727) [Link] (6 responses)

There is a mutual exchange of consideration; Debian offers you a copyright licence, and you agree to be bound by its terms. It's not a big exchange, but it is an exchange of consideration, and enough to establish a contract.

EU situation should be looked at by everyone

Posted Dec 13, 2023 16:36 UTC (Wed) by bluca (subscriber, #118303) [Link] (3 responses)

Debian doesn't own the copyright of any software included in an image, so it can't give you a custom copyright license - it can only copy verbatim the original licenses of anything that is included, which cannot be changed as per terms of the various copyleft licenses like GPL and friends.

EU situation should be looked at by everyone

Posted Dec 13, 2023 16:42 UTC (Wed) by farnz (subscriber, #17727) [Link] (2 responses)

It owns a copyright on the aggregation of the software into a single ISO image (the editorial choices about what to include and omit) - it can give you a licence to that. It can't give you a custom licence on the code inside the aggregation, though. And it's a licence for that aggregation that it's offering, in return for you accepting Debian's terms.

EU situation should be looked at by everyone

Posted Dec 13, 2023 17:17 UTC (Wed) by bluca (subscriber, #118303) [Link] (1 responses)

I don't think even that is really the case though. Images are put together by volunteers, and there is no copyright assignment (how could there be? there's no legal entity to assign it to), so the copyright and license belong to those authors. Given there is no trace of a commercial activity anywhere tied to any of this, I am extremely skeptical this can possibly constitute marketing a product under any interpretation of the single market regulations.

EU situation should be looked at by everyone

Posted Dec 14, 2023 11:57 UTC (Thu) by paulj (subscriber, #341) [Link]

Well therein lies the rub. You have one opinion, others have another. The definition of "to bring to market" apparently differs between member states according to other comments in this thread, with it claimed that Germany has a very wide ranging definition of such.

Without a clear and explicitly worded exception for things like Debian in the CRA, we may end up having to wait for cases to arise in a few member states. We do know the likes of ASF believe the CRA is /designed/ to apply to foundations like them, as they have directly engaged with relevant EU legislators on the issue. In the worst case, we may need to wait till a case goes to the ECJ to get clarity.

EU situation should be looked at by everyone

Posted Dec 13, 2023 21:00 UTC (Wed) by xtifr (guest, #143) [Link] (1 responses)

> Debian offers you a copyright licence, and you agree to be bound by its terms.

No. All Open Source licenses (or licenses which comply with the Debian Free Software Guidelines) are distributor licenses, not user licenses! The licenses grant Debian the right to give you the programs, but you are under no obligation to accept or comply with those licenses!

Of course, without the permission granted by those licenses, you cannot make copies for others (or in the case of the AGPL, run the code on a public-facing server), but unless you want to make copies for others, that's a non-issue, and you can ignore the licenses rather than accept them. The GPL even explicitly states that you need not accept it and can instead choose to be bound by normal copyright law--which means no making copies.

And if you do choose to accept the license terms and distribute the code, that's between you and the copyright holders! Aside from code Debian actually wrote (apt, dpkg, etc.), Debian didn't offer you any licenses! They merely passed along the license offers. There is no agreement between you and Debian regarding the kernel or the shell or python or X or anything. Debian merely exercised their rights under the license to give you a copy; their involvement basically ended when the download finished!

EU situation should be looked at by everyone

Posted Dec 13, 2023 21:24 UTC (Wed) by farnz (subscriber, #17727) [Link]

But Debian aren't just offering me the software; they're also offering me their arrangement of that software into a compilation, which itself has a form of copyright applying to it. The licence I accept from Debian may well be implied, rather than explicit, but I need some form of permission to allow me to copy that arrangement.

In EU law, there's certain licences that are granted automatically as a matter of law, but they're still enough to function in terms of the offer, consideration, acceptance set required to form a contract - Debian, in this case, is offering me a licence (which it presumably has permission to do) that permits me to download the installer image.

EU situation should be looked at by everyone

Posted Dec 13, 2023 16:21 UTC (Wed) by bluca (subscriber, #118303) [Link]

> The difficulty is that Debian can be both a component supplier and a seller to consumers itself; for the purposes of the CRA, me downloading a binary ISO for personal use from debian.org can count as a sale of a product (this being how the CRA intends to prevent - for example - free trials of a proprietary product, or advertising-supported products that are also free at point of distribution from being exempt from the CRA). Whether or not it counts depends on the details of the CRA.

Those clauses are clearly and explicitly defined to catch freeware/lite/ad-free/platform/base versions given out in the course of a business venture. So it does not apply at all to Debian: there is no "full" or "ad-free" version of Debian that you can get if you sign a contract, there is no business to the side that benefits from giving away the images, there's nothing at all, it's all just there. It very clearly does not fall into that category.
Debian would have to start selling access to Debian++ "now built with -O4 for extra speed!!11" and using the "slow" version to entice new customers to fall afoul of those rules.

EU situation should be looked at by everyone

Posted Dec 13, 2023 11:48 UTC (Wed) by Wol (subscriber, #4433) [Link] (2 responses)

> AFAIK that's how all other industries operate, too: except if you sell counterfeit you may easily send all these safety requests to manufacturer if you are just a box mover.

This is EXACTLY how box movers get clobbered for selling counterfeit goods. The box mover has a contract with their supplier, and passes the buck back up the chain. If the box mover tries to pass liability to the manufacturer, they just reply "counterfeit" AND THE BOX MOVER IS ON THE HOOK!

Cheers,
Wol

EU situation should be looked at by everyone

Posted Dec 13, 2023 11:56 UTC (Wed) by khim (subscriber, #9252) [Link] (1 responses)

Let us see if Debian would succeed in declaring that copies used in NAS boxes are counterfeit or not 🤪.

EU situation should be looked at by everyone

Posted Dec 13, 2023 14:57 UTC (Wed) by Wol (subscriber, #4433) [Link]

What part of "The box mover has a contract with their supplier" did you miss?

Cheers,
Wol

EU situation should be looked at by everyone

Posted Dec 13, 2023 12:29 UTC (Wed) by Wol (subscriber, #4433) [Link]

> Why? It's like any other business, according to law: the guy who did the final packaging work is liable for everything, but if problem is with components (namely Debian or NPM module) then producer of said component is on the hook. And if Debian inherited bug from Linux Foundation then said Linux Foundation is responsible and so on.

Why is the producer of said components on the hook? NO CONTRACT - NO LIABILITY. END OF.

At the end of the day, if "the guy who did the final packaging" needs to pass liability onwards, then he needs a contract that allows him to do so. Without a contract, he's SOL.

Cheers,
Wol

EU situation should be looked at by everyone

Posted Dec 14, 2023 11:58 UTC (Thu) by Wol (subscriber, #4433) [Link]

> > So if I publish some piece of open source code that then gets used by $COMPANY in their $GADGET the entity that should be liable for any bugs (security or otherwise) is $COMPANY

> Yup. That's the idea that is explicitly and consciously rejected by lawmakers. Please read the article on the Apache's blog.

And I've just realised where this misconception comes from, and why it's "deceiving by failing to tell the truth, the whole truth, and nothing but the truth".

The EU has no way to make $COMPANY liable, if said company is not based in the EU. The law is pragmatic. So it makes the people who *handle* $GADGET *inside* the EU liable.

Which means they make $COMPANY contractually liable, and if they don't consider $COMPANY trustworthy to honour the contract, they just don't do business with them and these unsafe and unreliable products have no official route into the EU.

Cheers,
Wol


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds