LWN: Comments on "F-Droid and Google's Developer Registration Decree" https://lwn.net/Articles/1039904/ This is a special feed containing comments posted to the individual LWN article titled "F-Droid and Google's Developer Registration Decree". en-us Sun, 26 Oct 2025 12:34:09 +0000 Sun, 26 Oct 2025 12:34:09 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net Do we really want to continue? https://lwn.net/Articles/1041590/ https://lwn.net/Articles/1041590/ Wol <div class="FormattedComment"> But does the free GSheets itself *serve* ads?<br> <p> And again, if Google is receiving money from the ad vendors, it is the VENDORS who are covered by the CRA, not users.<br> <p> Cheers,<br> Wol<br> </div> Fri, 10 Oct 2025 18:59:50 +0000 Do we really want to continue? https://lwn.net/Articles/1041588/ https://lwn.net/Articles/1041588/ Wol <div class="FormattedComment"> <span class="QuotedText">&gt; "you're buying a Splunk service, the Splunk software itself is free and so no CRA". The basic principle is not complicated though.</span><br> <p> Simply said, you're paying Splunk for a service. So everything Splunk says you need to access the service is covered. Take eg a mail-server.<br> <p> If Splunk says "you can use the mail client of your choice to access our server", then the client isn't covered. BUT.<br> <p> If Splunk says "you can only access our server if you're using Outlook", then Splunk is on the hook for security problems with Outlook. Sounds unfair? Well, if you can't access the service you've paid for, without using dodgy insecure software, the CRA doesn't care. Splunk had better have a contract in place with Microsoft !!!<br> <p> Cheers,<br> Wol<br> </div> Fri, 10 Oct 2025 18:57:58 +0000 Do we really want to continue? 
https://lwn.net/Articles/1041586/ https://lwn.net/Articles/1041586/ Cyberax <div class="FormattedComment"> <span class="QuotedText">&gt; Now, since Google probably doesn't feel like maintaining two different versions of Google Sheets, if you're using it for free you probably get the benefits of the CRA</span><br> <p> I got a preliminary reply about that, and it's apparently a gray area. While Google is not getting money from you directly, it's still getting (significant) income from showing ads for the free GSheets version. So even it is likely to be covered by the CRA.<br> </div> Fri, 10 Oct 2025 18:01:55 +0000 Do we really want to continue? https://lwn.net/Articles/1041575/ https://lwn.net/Articles/1041575/ kleptog <div class="FormattedComment"> <span class="QuotedText">&gt; And because the mark is part of the maintenance contract, nobody else can come along and say "hey I'm going to use the same mark".</span><br> <p> Right. This is the critically important thing I see many people missing here. The terms of the CRA do not apply to the product itself, they apply to the *contract between you and the customer*. They're basically standard Terms and Conditions.<br> <p> Hence, statements like "is Google Sheets covered by the CRA?" are meaningless. The correct statement is "when I am using Google Sheets, does the CRA apply to our contractual relationship?". Now, since Google probably doesn't feel like maintaining two different versions of Google Sheets, if you're using it for free you probably get the benefits of the CRA, except Google doesn't actually owe you anything. Only the people who actually pay to use Google Sheets (Google Workspace users basically).<br> <p> You're a non-profit holding some trademarks and keeping a website in the air? The CRA doesn't apply because you don't even know who is downloading stuff. Who are the parties to the contract it would apply to?<br> <p> Someone clicked on your "donate" button and gave you some money? 
Again, you never offered them anything so there is no contract for the CRA to apply to.<br> <p> The only people that need to care are people offering services to do things with free software. They need to make clear they're not actually selling the software, but the end-user is getting that from the original source. I'm sure FSF-Europe or similar have some standard verbiage for that. There are provisions to prevent companies saying things like "you're buying a Splunk service, the Splunk software itself is free and so no CRA". The basic principle is not complicated though.<br> </div> Fri, 10 Oct 2025 16:15:02 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1041096/ https://lwn.net/Articles/1041096/ Wol <div class="FormattedComment"> I find it hard to believe that "giving stuff away with no strings attached" can in any way shape or form be described as "commercial activity".<br> <p> In fact, that is often used by businesses to dispose of goods which would be illegal in a commercial activity - out-of-date, licenced, yada yada. I work for a supermarket ...<br> <p> Cheers,<br> Wol<br> </div> Tue, 07 Oct 2025 17:39:28 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1041091/ https://lwn.net/Articles/1041091/ logical-per <div class="FormattedComment"> You are missing the part that comes from the New Legislative Framework, Regulation 765/2008. That is where the EU defines "making available on the market". It says:<br> <p> "any supply of a product for distribution, consumption or use on the Community market in the course of a commercial activity, whether in return for payment or free of charge."<br> <p> EU law does not work by reading one regulation in isolation. The CRA depends on the definitions from the framework it belongs to.<br> </div> Tue, 07 Oct 2025 17:06:34 +0000 Do we really want to continue? 
https://lwn.net/Articles/1041081/ https://lwn.net/Articles/1041081/ Wol <div class="FormattedComment"> Just remember, all EU tangible products *must* carry a CE mark. If there's a problem, the authorities will go after the "finished product" manufacturer, who will say "my components carry a CE mark, go after my supplier", all the way down to the guy/firm who applied the CE mark to the faulty component. And because the finished product manufacturer presumably *bought* those components, there are contracts and paperwork all the way down the line.<br> <p> The idea of the CRA is to apply *exactly* the same logic. A CRA mark *MUST* be applied to every digital component. In the case of a fault, the authorities will follow the chain, from the finished product manufacturer, all the way down to the guys who applied the CRA mark to the faulty software.<br> <p> And if Jo Bloggs Inc downloads your software, puts it into their product as a component, and has trouble with it, the authorities will go hunting for the guys who affixed the mark. If they find you, and you go "Huh? Who's Jo Bloggs Inc?" the authorities will go back to Jo Bloggs Inc and demand to know who affixed the mark. If you have no contract with Jo Bloggs Inc, they have absolutely NO evidence that a mark exists, therefore the authorities will say "You (Jo Bloggs) affixed your mark to your product. Because paulj's software had no mark, therefore Jo Bloggs applied the mark to paulj's software, therefore it's Jo Bloggs' problem".<br> <p> So it's down to you whether you sell development services and don't affix a mark, or sell a maintenance contract which presumably will include a mark (your customer would be mad to accept a maintenance contract without it). And because the mark is part of the maintenance contract, nobody else can come along and say "hey I'm going to use the same mark".<br> <p> Cheers,<br> Wol<br> </div> Tue, 07 Oct 2025 13:58:39 +0000 Do we really want to continue? 
https://lwn.net/Articles/1041079/ https://lwn.net/Articles/1041079/ paulj <div class="FormattedComment"> <span class="QuotedText">&gt; You're now a small company. You are providing services, for which you need to keep books.</span><br> <p> That's fine. Throw X hundred per month at the accountants to do whatever is necessary to maintain the necessary web portal for me to add whatever required records and them to take care of whatever else is necessary. They don't know anything about and aren't going to touch CRA stuff though. ;)<br> <p> <span class="QuotedText">&gt; Does your contract say you are a middle-man providing development services to your customers - in which case presumably they affix the mark and pay you extra to fix problems;</span><br> <p> Aha. Ok... So, that avoids the issues. I just remain a "development services" firm/NPO, and the Free Software I/we publish is just the sample code of what I/we can provide services for?<br> <p> I'd hate to think that I could get stuck with loads of red-tape obligations or, worse, must-do-free-work obligations (e.g. requiring me to handle security reports), just cause I/we put some code that we developed for a /paying/ "customer" on a consultancy / development services basis on whichever GitHub. ?<br> </div> Tue, 07 Oct 2025 12:24:30 +0000 Do we really want to continue? https://lwn.net/Articles/1041077/ https://lwn.net/Articles/1041077/ Wol <div class="FormattedComment"> <span class="QuotedText">&gt; From what you say, the technical stewards of such an effort, would need to start worrying about CRA at about that point.</span><br> <p> Very much so. BUT. You're now a small company. You are providing services, for which you need to keep books. You just make it EXplicit in your contracts whether or not you are affixing the CE mark (or CRA equivalent) to your software.<br> <p> The software needs a CRA mark. 
Does your contract say you are a middle-man providing development services to your customers - in which case presumably they affix the mark and pay you extra to fix problems; or are you providing them with the software as a product, in which case you affix the mark and need to budget for bug-fixing from your own budget.<br> <p> Once you're a company your contracts will state who is liable. <br> <p> I won't say that's simpler - as you know my position is "no contract no liability", but that seems to be a bit contentious ...<br> <p> Cheers,<br> Wol<br> </div> Tue, 07 Oct 2025 12:04:21 +0000 Do we really want to continue? https://lwn.net/Articles/1041074/ https://lwn.net/Articles/1041074/ paulj <div class="FormattedComment"> An institution that regularly engages lawyers would be a large one.<br> <p> What if I, as part of this journey from a research project sponsored by donations towards a self-sustaining Free Software project that lives off both general sponsorship and specific contracts to continue the work, am at the stage where I want to set up a small company (non-profit[1]) to hold the assets and be the nexus for donations and allocating funds to the sponsored developers. Do I need to start worrying at that stage about CRA lawyers? That's an additional expense over the accountants' fees to set up and maintain the company.<br> <p> From what you say, the technical stewards of such an effort, would need to start worrying about CRA at about that point.<br> <p> 1. Non-profit, but not a charity. The whole 501(c)(3) thing in the USA for Free Software sponsorship foundations largely stinks - at least certainly is ripe for abuse (which I have seen, in the brief time I was with a small foundation). 
Thankfully, charitable status is much much harder to get over here in the Celtic Isles.<br> </div> Tue, 07 Oct 2025 09:22:24 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1041034/ https://lwn.net/Articles/1041034/ pizza <div class="FormattedComment"> <span class="QuotedText">&gt; I'd define it as "an activity that requires keeping records in pursuit of being sustainable"</span><br> <p> How *you* define it doesn't matter one scintilla. What matters is what the IRS or HMRC (or the equivalent for your jurisdiction) says it is. <br> <p> </div> Mon, 06 Oct 2025 23:39:34 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1041033/ https://lwn.net/Articles/1041033/ Wol <div class="FormattedComment"> <span class="QuotedText">&gt; WTF do the "Cardinal Principles of Free Software" have to do with the legal definition of commercial activity in your (or any other) jurisdiction?</span><br> <p> If two things have no causal connection, they should not affect each other in any way. Be it Free Software (as required by DSG), or business activity. Certainly in the UK, one major point of subsidiaries in business is to show the absence of causal connection between them.<br> <p> <span class="QuotedText">&gt; (BTW, in my jurisdiction, the threshold for "commercial activity" is _very_ low indeed)</span><br> <p> How low? Kids collecting stamps and swapping them in the playground? I'd define it as "an activity that requires keeping records in pursuit of being sustainable". 
I didn't use the word "profit", because we have the concept of non-profits, but they have to avoid losing money in order to survive.<br> <p> Cheers,<br> Wol<br> </div> Mon, 06 Oct 2025 23:14:10 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1041031/ https://lwn.net/Articles/1041031/ Wol <div class="FormattedComment"> <span class="QuotedText">&gt; What if someone approaches me and says "I could really use this feature, why don't you tell me how long it'd take you and how big a donation I should make to have you work on that exclusively?". Does the CRA kick in then?</span><br> <p> <span class="QuotedText">&gt; Where is the line?</span><br> <p> Sorry Jon, but yes I would say this is at serious risk of crossing the line. You are entering into an agreement, a contract. "A donation in return for you committing to this feature" is not a donation. It's probably easy to avoid CRA liability - make the contract say you'll write the code, add it to the free software, and that's the end of your liability. But this is where I *would* get advice from a lawyer. One who SPECIALISES in the subject. After all, now you're being paid BY CONTRACT, you can pay for the lawyer :-)<br> <p> Cheers,<br> Wol<br> </div> Mon, 06 Oct 2025 22:54:32 +0000 Do we really want to continue? https://lwn.net/Articles/1041013/ https://lwn.net/Articles/1041013/ farnz A fair rule of thumb is that if you're doing the project as part of an institution, your institution's lawyers will handle the CRA for you - not least because if they're publishing it, they're the ones who face CRA liability, not you. If you're not trying to make a profit, and you're not making enough from the project in a year that paying for a lawyer to get you an answer backed by their professional insurance seems like a reasonable price to pay for peace of mind, then you're also not likely to be at risk. 
<p>The people who need to care are those who are making enough from a project outside of their employment that €1,000 for a lawyer is under a tenth of the annual income from their project, and those intending to make a profit (even if they're not making one now). Mon, 06 Oct 2025 17:16:02 +0000 Do we really want to continue? https://lwn.net/Articles/1041012/ https://lwn.net/Articles/1041012/ paulj <div class="FormattedComment"> FWIW, I'm not debating. I see there are others debating, and I can't tell which positions seem the most reasonable. So I'm trying to give out example scenarios to the debaters to see which way they judge them.<br> <p> Maybe it's already covered elsewhere in the debate, and I missed it.<br> <p> I genuinely have no idea what the implications of the CRA are for me... By some accounts here, it's nothing. By others, fairly normal Free Software activities might conceivably tie me up in CRA obligations for years to come. I really don't know.<br> </div> Mon, 06 Oct 2025 17:11:37 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1041003/ https://lwn.net/Articles/1041003/ farnz You're rapidly getting into "ask a lawyer" territory - there are exceptions for cases where it's a genuine multi-institution project with no one institution in control, as well as for cases where you're asking for donations and not covering your total costs. <p>Your downstream users, of course, may well still have CRA obligations; just because your supplier is exempt doesn't mean you are too. Mon, 06 Oct 2025 17:09:59 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1041011/ https://lwn.net/Articles/1041011/ farnz This is definitely a case where you're applying your "common sense" ideas of what the law "should" be, and ought to talk to an actual lawyer. 
<p>The details are complex, and the reason it's set the way it is is that they want to stop you breaking into parts in order to escape a liability that you would otherwise incur; that's why the original CRA drafts had no exceptions at all (which would have been a disaster for open source), and why the exceptions to liability that now exist are non-trivial. Mon, 06 Oct 2025 17:08:32 +0000 Do we really want to continue? https://lwn.net/Articles/1041010/ https://lwn.net/Articles/1041010/ corbet To all of the folks debating (again) this issue... do we really think that we are going to come to any sort of useful conclusion here? Please think twice before going around the circle yet again. Mon, 06 Oct 2025 17:03:20 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1041009/ https://lwn.net/Articles/1041009/ pizza <div class="FormattedComment"> <span class="QuotedText">&gt; Seriously, putting free fruit outside your door for other people can be classed as a business activity? It is a cardinal principle of Free Software, that whatever you do with one piece of software MUST NOT impact what you're allowed to do with a different piece of software.</span><br> <p> WTF do the "Cardinal Principles of Free Software" have to do with the legal definition of commercial activity in your (or any other) jurisdiction?<br> <p> (BTW, in my jurisdiction, the threshold for "commercial activity" is _very_ low indeed)<br> </div> Mon, 06 Oct 2025 17:00:13 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1041008/ https://lwn.net/Articles/1041008/ paulj <div class="FormattedComment"> Ok, and what if that "consider donating to help with the development costs" thing goes well, and I'm making a nice living hacking on this Free Software, funded by generous donors? 
Fixing bugs, adding features, helping users.<br> <p> Is there some line where this can cross over into the kind of commercial activity that brings the CRA down on my head?<br> <p> What if someone approaches me and says "I could really use this feature, why don't you tell me how long it'd take you and how big a donation I should make to have you work on that exclusively?". Does the CRA kick in then?<br> <p> Where is the line?<br> </div> Mon, 06 Oct 2025 16:51:32 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1041007/ https://lwn.net/Articles/1041007/ Wol <div class="FormattedComment"> <span class="QuotedText">&gt; and you have some kind of "If you found this useful, consider donating to help with the development costs" - does the CRA then kick in?</span><br> <p> Read the CRA. The answer is "no". If you solicit donations with no INTENTION of making a profit, then whether you actually do or not is irrelevant.<br> <p> I used to run the refreshment stall as a student rep, when the Uni had course choice open days. We put up a big sign saying "suggested donation ..." but we did NOT enforce it. It's illegal to sell alcohol without a licence. If anyone said "I haven't any money", we said "take it, you can always put extra in next time". We always made a profit, and the Revenue couldn't touch us. If we'd said "no donation, no drink ..." and been caught I think we'd have been in front of the beak in *very* short order.<br> <p> Cheers,<br> Wol<br> </div> Mon, 06 Oct 2025 16:44:45 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1041005/ https://lwn.net/Articles/1041005/ Wol <div class="FormattedComment"> And I hate to say it, most of my interactions have ended in me correcting the lawyer ...<br> <p> My motto is "trust but verify" when dealing with "the professionals", because they're wrong more often than not. And that includes when I'm paying them! 
Lawyers especially, but we (as a family) have been badly hurt by doctors, too ...<br> <p> Seriously, putting free fruit outside your door for other people can be classed as a business activity? It is a cardinal principle of Free Software, that whatever you do with one piece of software MUST NOT impact what you're allowed to do with a different piece of software.<br> <p> Saying that your jam sugar business is affected - in any way whatsoever - by the fact that you leave surplus fruit outside your door (and vice versa), is a complete breach of Free Software principles. And it's almost certainly a breach of business principles too, otherwise what's the point of breaking a company up into subsidiaries? One reason they do it is to prevent legal liabilities leaking between entities!!!<br> <p> And I can't see a Judge buying the claim that leaving fruit outside your door in a "wing and a prayer" hope that they'll buy your sugar, connects the two activities in any legal way shape or form whatsoever.<br> <p> Gedanken experiment again - if you have ABSOLUTELY NO RECORDS - how are the Revenue going to tax the free fruit you left outside? And if there are no records, how are they going to prove it was you? (There's a strong argument that other people's testimony is irrelevant, because if "I saw someone leaving fruit outside your door" is innocent for pretty much everyone, surely that "everyone" includes you!)<br> <p> Cheers,<br> Wol<br> </div> Mon, 06 Oct 2025 16:38:40 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1041002/ https://lwn.net/Articles/1041002/ paulj <div class="FormattedComment"> What about a case where you seek funding from various bodies (public and private) to research and implement a Free Software solution to some problem? 
<br> <p> If the CRA doesn't put obligations on you there, and you can happily get people to fund you and put the ongoing code onto a public git without fear of CRA obligations: What if that code starts to become useful to others, see use, and you start to get bug reports and feature requests, and you try to handle those where you can, and you have some kind of "If you found this useful, consider donating to help with the development costs" - does the CRA then kick in?<br> <p> </div> Mon, 06 Oct 2025 16:09:46 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1041001/ https://lwn.net/Articles/1041001/ farnz This is not legal advice - this is forwarding on conversations I've had with a lawyer. Mon, 06 Oct 2025 16:04:01 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1041000/ https://lwn.net/Articles/1041000/ zdzichu <div class="FormattedComment"> Could you tell us what law credentials you have? Law degree from which university?<br> Because your post sounds like a speculation and applying "common sense" to law matters. Which helps no one but increase disinformation and noise on LWN.<br> </div> Mon, 06 Oct 2025 16:00:20 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1040988/ https://lwn.net/Articles/1040988/ farnz No, a commercial activity does not require record keeping in the EU. Making a download available for free, or offering something that I can pick up for free, absolutely can be "making available in the market", if it's related (not tied to, but related to) something from which I expect to make money. <p>For example, a jam sugar vendor putting out a basket of free fruit suitable for jam making outside the store for anyone to pick from is making that fruit available in the market, because it's related to their commercial activities of selling jam sugar. 
<p>Given that, Google is absolutely unable to escape CRA liability for GSheets as long as it sells storage for use with GSheets (among other Google products). It can't say "we only do the storage as a commercial activity", precisely because if no Google product used Google storage, many fewer people would buy Google storage. Mon, 06 Oct 2025 15:14:10 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1040985/ https://lwn.net/Articles/1040985/ Wol <div class="FormattedComment"> <span class="QuotedText">&gt; The CRA says that unless one of two exceptions apply, placing the product on the market (which is what is done when you publish software, even for free) incurs liability for security support, </span><br> <p> And in this case YOU DO NOT NEED AN EXCEPTION.<br> <p> <span class="QuotedText">&gt; (22) ‘making available on the market’ means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;</span><br> <p> If I supply JAM in the course of a commercial activity, then I am making my JAM "available on the market". If I am placing software on my jam-business server as a favour to whoever wants to download, that is NOT in the course of a commercial activity, therefore is NOT "making available on the market".<br> <p> Let's do a quick Gedanken experiment. As an *absolute* *minimum*, a commercial activity requires record keeping, no? So I turn off logging and have no records whatsoever about who downloads what. What impact will that have on my jam business? *None* *whatsoever*.<br> <p> So simply making downloads available for free CANNOT be "in the course of a commercial activity" therefore cannot be "making available on the market", therefore cannot trigger CRA liability.<br> <p> Google is under no legal obligation to keep track of who uses Gsheets. 
Therefore if they turned logs off, that would be the end of any possible CRA liability. (The CRA explicitly permits SOME logging and data collection that will not trigger liability - limited pretty much to data needed to improve the software.)<br> <p> In order to trigger CRA liability, the supply of the software MUST be "in the course of commercial activity". That is why when I download my insurer's app, it DOES trigger the CRA, because my insurance requires me to use it. When a different customer downloads it, it DOESN'T trigger the CRA, because the insurer doesn't care whether they use it or not.<br> <p> Cheers,<br> Wol<br> </div> Mon, 06 Oct 2025 15:04:58 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1040903/ https://lwn.net/Articles/1040903/ farnz As I understand it, it'd count as income, and therefore if it exceeded your costs, or if you intended it to exceed your costs (noting that your costs include market rate for your labour), then it'd bring you into the CRA's liability regime for security issues. <p>Note that the only reason the CRA has direct and indirect income at all is to make clear that you can't say things like "I'm not charging for the app - I'm charging for extra storage", or "the app makes a loss; it's the car maintenance services that make a profit" to avoid security liability. Instead, if you're putting the app on the market as an attempt at making a profit, or if you're putting it on the market and actually making a profit, then you're liable for security fixes into the future. <p>Note, too, that the CRA only requires security fixes to be available at no extra cost; it does not impose other liabilities on suppliers (other liabilities, like fitness for purpose, are pre-existing, and have been around for decades). 
Mon, 06 Oct 2025 12:54:19 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1040900/ https://lwn.net/Articles/1040900/ pizza <div class="FormattedComment"> <span class="QuotedText">&gt; For the CRA to kick in, you need to place software on the market, and attempt to make a profit from it, either directly (by attaching it to an income stream that exceeds, or that you expect to exceed, your costs) or indirectly</span><br> <p> ...In this context, does "monetizing the software via embedded advertisements" count as direct income, indirect income, or not at all?<br> <p> <p> </div> Mon, 06 Oct 2025 12:12:31 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1040893/ https://lwn.net/Articles/1040893/ farnz The CRA says that unless one of two exceptions apply, placing the product on the market (which is what is done when you publish software, even for free) incurs liability for security support, in addition to your pre-existing liability for fitness for purpose (which is independent of the CRA - the CRA doesn't mandate that the product works, or that it's useful for a purpose, because that's covered by existing EU law). The exceptions exist for the benefit of open source, so that we don't incur liability for placing open source on the market for free. <p>Exception one is for cases where you give away the product with digital elements for free, and do not have an income from the software or related services that exceeds your costs, or that is intended to exceed your costs. GSheets does not fall under this exception, because storage for my GSheets spreadsheets is part of my Google One account, and therefore this exception does not apply. <p>Exception two is for cases where use of the product with digital elements does not relate to your commercial activities, and thus the free application cannot be an incentive for the user to spend on your commercial activities. 
For GSheets, that's not true - GSheets uses my storage, and if I wasn't paying for a Google One account, I would currently be unable to use GSheets due to a lack of storage quota at Google. Thus, since one reason for me to pay for storage is to allow me to use GSheets, this exception can't apply either. <p>Once again, this is extremely deliberate; it's so easy to factor digital products into pieces, and so you want it to be very hard to factor out a "safe" product (cloud storage) from the high security risk products, as otherwise it becomes easy for the big players to avoid any CRA liability whatsoever. Mon, 06 Oct 2025 11:18:14 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1040896/ https://lwn.net/Articles/1040896/ farnz Those are standard terms of art in EU law; they have a very clear meaning, and in the original drafts, where the exceptions to the CRA did not exist, would have resulted in liability for all software placed on the market in the EU. <p>This was not the intention of the Act's drafters, and they resolved this once it was brought to their attention - it would, however, have been a disaster for open source if the original wording had been intended, since it covered most software in the EU (MSDN samples would have been an exception, since they're not supplied as a product, but as documentation). Mon, 06 Oct 2025 10:58:56 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1040894/ https://lwn.net/Articles/1040894/ Wol <div class="FormattedComment"> <span class="QuotedText">&gt; The whole reason there's been such a fuss in open source circles around the CRA is that those exceptions didn't appear originally in the CRA, </span><br> <p> Because of terms like "place on the market", and "commercial activity" weren't made clear in the act itself. <br> <p> Saying "but if I sell jam, my software falls under the CRA" is *clearly* crying wolf. 
Supplying software clearly has nothing to do with selling jam, and once you look up those terms, that's extremely clear. The issue was, is, and always has been companies who both sell and give away software - to what extent does selling software (or hardware that needs software) bleed over into giving stuff away.<br> <p> How do we make sure that giving software away "no strings attached" does not trigger the CRA - I think you're far too eager to make it trigger when it shouldn't.<br> <p> But if I can't use the hardware I paid you for, without software (free or not, provided by you or not), then the CRA needs to kick in (likewise if the software I paid you for requires other 3rd-party software to work, the CRA needs to kick in).<br> <p> Cheers,<br> Wol<br> </div> Mon, 06 Oct 2025 10:56:00 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1040892/ https://lwn.net/Articles/1040892/ Wol <div class="FormattedComment"> <span class="QuotedText">&gt; This is very, very deliberate on the part of the drafters of the CRA, because otherwise it becomes too simple to escape liability by making a "no strings attached" offer for the security-relevant components, while charging for other things that are useless without the "free" bit attached.</span><br> <p> Where do you draw the line? I think you're drawing it far too oppressively. <br> <p> <span class="QuotedText">&gt; while charging for other things that are useless without the "free" bit attached.</span><br> <p> Couldn't agree more with this bit. But applying the CRA to Gsheets, because the customer is paying for disk space, is taking it too far ...<br> <p> Cheers,<br> Wol<br> </div> Mon, 06 Oct 2025 10:45:10 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1040868/ https://lwn.net/Articles/1040868/ farnz By your standard, all suppliers incur CRA liabilities, since all downloaders incur a liability towards the supplier on download to not breach the copyrights in the app. 
<p>That's not the CRA's standard, because the CRA has exceptions where the monetized product on the market is independent and unrelated to the product you're claiming incurs CRA liability, and where the monetization neither exceeds nor is intended to exceed the costs incurred in creating the product and putting it on the market. <p>The whole reason there's been such a fuss in open source circles around the CRA is that those exceptions didn't appear originally in the CRA, and that meant that it was completely impossible for an open source developer who makes a profit from some other activity (e.g. jam-making) to provide a product for free without incurring liability for security fixes in the future under the CRA. The exceptions have been added to protect people who are doing this "for the love of open source", while not providing wiggle room for someone like Google or Facebook to say "our products are provided for free, therefore we're not liable for keeping them secured". Mon, 06 Oct 2025 08:03:03 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1040867/ https://lwn.net/Articles/1040867/ farnz The CRA applies because it is a product on the market, and none of the exceptions apply - it's something that Google does try to make money from, and thus the CRA applies whether or not you are paying Google for GSheets specifically. <p>The exceptions that might apply are exceptions where the storage space cannot be used for GSheets (making it fully independent and unrelated), or where there is no profit or attempt to profit from monetization. Neither of those apply here, and thus the fact that Google sells "Google One" subscriptions, which benefit you if you use GSheets, is enough to bring CRA liability into play. 
<p>If we take my car dealership hypothetical from earlier a step further; once the dealership stops selling Kias and switches to selling Fords, if it still offers its Kia app for free, it no longer incurs CRA liability for future downloads of the app; because the app is now unrelated to any commercial activity on the dealership's part, its CRA liability ends the appropriate amount of time after the last download of the app that preceded them stopping selling Kias. <p>This is very, very deliberate on the part of the drafters of the CRA, because otherwise it becomes too simple to escape liability by making a "no strings attached" offer for the security-relevant components, while charging for other things that are useless without the "free" bit attached. Mon, 06 Oct 2025 07:52:59 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1040864/ https://lwn.net/Articles/1040864/ Wol <div class="FormattedComment"> From the text of the CRA itself ...<br> <p> <span class="QuotedText">&gt; (21) ‘placing on the market’ means the first making available of a product with digital elements on the Union market;</span><br> <p> <span class="QuotedText">&gt; (22) ‘making available on the market’ means the supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;</span><br> <p> Okay, I agree that clause 22 could be clearer, but as I read it, it is "the act of supply", which means that whether it is commercial activity or not can depend on the supplier charging for it, or on the relationship of the recipient to the supplier.<br> <p> As such, if the supplier makes it available for download for free no strings attached, that is clearly NOT commercial activity. If the supplier makes a charge for it, it is clearly commercial activity. 
If you can pay for a code that makes your copy ad-free, that makes a non-commercial download into a commercial transaction.<br> <p> So the SAME software, from the SAME site, can be both commercial, or non-commercial, depending on the status of the downloader.<br> <p> As I see it, it is extremely clear. If the downloader incurs no liabilities towards the supplier on download, likewise the supplier incurs no liabilities (including the CRA) towards the downloader.<br> <p> Cheers,<br> Wol<br> </div> Sun, 05 Oct 2025 20:05:19 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1040863/ https://lwn.net/Articles/1040863/ Wol <div class="FormattedComment"> <span class="QuotedText">&gt; indirectly (by using the software to drive sales of something else, such as hardware you sell under your own brand, or hardware you resell).</span><br> <p> Where does it say that? Trying to drive sales is perfectly okay, and doesn't trigger the CRA as far as I can tell (why should it?).<br> <p> It's the inverse that's the problem - driving downloads by making that a requirement for the correct functioning of products you sell. That's a clear example of trying to do an end run around the CRA, and you'll get slammed for it.<br> <p> Cheers,<br> Wol<br> </div> Sun, 05 Oct 2025 19:25:19 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1040862/ https://lwn.net/Articles/1040862/ Wol <div class="FormattedComment"> There's no consideration. There is (presumably) no contract. Therefore there is no commercial activity and the CRA shouldn't (doesn't) apply.<br> <p> As soon as you sell SOMETHING ELSE and say "you need to download this app to make it work", you have commercial activity, you have a contract, and you're on the hook. 
Even if it's not your software!<br> <p> Cheers,<br> Wol<br> </div> Sun, 05 Oct 2025 19:18:23 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1040861/ https://lwn.net/Articles/1040861/ Wol <div class="FormattedComment"> Thing is, for your typical *personal* user, Gsheets et al is a "take it or leave it, no warranty" proposition. So the CRA should not apply, and is not meant to apply.<br> <p> My company has a support contract in place with Google, we pay for Google Suite, so the CRA most definitely DOES apply.<br> <p> <span class="QuotedText">&gt; Google give away GSheets access for free, but the CRA liability for security flaws comes in because it's given away for free in order to encourage you to spend money on other things Google sells. </span><br> <p> I would disagree very strongly. Just because you take advantage of Google's "for free" offer, this does not, and is not meant to, bring the CRA into it. As soon as you *spend* that money, and Google Suite (or whatever else) is even *mentioned* in some sort of "for consideration" agreement, then the CRA kicks in for that product and customer, but not before. The whole point of the "Free Software" part of the CRA is to make sure that a "no strings attached" offer cannot invoke CRA liability. Whether it's a lone developer or billion-dollar company. As soon as strings are attached, it's no longer classed as being offered for free, and is "on the market" (ie offered *for*sale*), and the CRA does kick in. That's the point about my insurance. The software is offered to everyone for free. There are contractual strings attached to MY use of it, therefore *I* can invoke the CRA.<br> <p> (I get your point about Google selling "Google One" disk space, but that was very much in the forefront of the minds of the Free Software people getting the rules clarified. Selling one service should not have any impact on how an unrelated service is treated. 
Selling on-line disk space should not have any impact on how making software available online or for download is treated. Debian / FSF guidelines explicitly forbid allowing terms that impact on unrelated software, do they not? Making that clear was a major part of the changes to CRA.)<br> <p> That's why I said the CRA doesn't apply to MSDN - part of the terms of having an MSDN subscription is you shouldn't be using it where it can be a security risk. (Plus the subscription entitles you to the latest version extant at the time of your subscription - all rights explicitly die with the subscription.)<br> <p> Cheers,<br> Wol<br> </div> Sun, 05 Oct 2025 19:04:08 +0000 Sidebar on the CRA, which was mentioned https://lwn.net/Articles/1040860/ https://lwn.net/Articles/1040860/ farnz Google is a dangerous example here, because the CRA is <em>also</em> meant to stop Google claiming that your "Google One" subscription is just for storage, and thus they cannot be liable to you for security issues in GSheets. <p>This is a lot of what makes the CRA a challenge to interpret; it's trying to prevent you avoiding liability for your security flaws by saying "we don't sell software, we sell storage" and things of that nature. Instead, stuff that you're giving away in order to make money elsewhere also comes into scope - sure, Google give away GSheets access for free, but the CRA liability for security flaws comes in because it's given away for free in order to encourage you to spend money on other things Google sells. Sun, 05 Oct 2025 17:57:05 +0000