LWN: Comments on "The Python Software Foundation on European cybersecurity" https://lwn.net/Articles/929855/ This is a special feed containing comments posted to the individual LWN article titled "The Python Software Foundation on European cybersecurity". en-us Thu, 18 Sep 2025 01:10:19 +0000 Thu, 18 Sep 2025 01:10:19 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net The Python Software Foundation on European cybersecurity https://lwn.net/Articles/931546/ https://lwn.net/Articles/931546/ callegar <div class="FormattedComment"> <span class="QuotedText">&gt; You can't say to the user "click agree or else you can't use our service" and call that "consent".</span><br> <p> Apparently, at least to some extent, cookiewalls are legal and you can say "click agree or else you can't use our service unless you buy a long term subscription to it", because as long as you are offering an alternative, that is consent (even if the alternative is not really equivalent. Maybe you want to use the service just once and not in continuity for a long time as the cost of a subscription assumes). Many online newspapers in Europe use this business model, see <a rel="nofollow" href="https://www.repubblica.it/tecnologia/blog/cyber-law/2022/10/19/news/vaccino_per_i_gay_e_dati_supersensibili_quando_la_privacy_puo_combattere_lo_stigma-370709925/">https://www.repubblica.it/tecnologia/blog/cyber-law/2022/...</a> (in Italian, Google translate works well enough with it) and <a rel="nofollow" href="https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookie-walls/la-cnil-publie-des-premiers-criteres-devaluation">https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/...</a> (in French). 
Key document appears to be the Conseil d’État decision taken in June 2020 <a rel="nofollow" href="https://www.cnil.fr/fr/cookies-et-autres-traceurs-le-conseil-detat-rend-sa-decision-sur-les-lignes-directrices-de-la-cnil">https://www.cnil.fr/fr/cookies-et-autres-traceurs-le-cons...</a><br> </div> Wed, 10 May 2023 23:05:46 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930893/ https://lwn.net/Articles/930893/ kleptog <div class="FormattedComment"> There's a reason why it's set up that way though: it removes the scent of member state partiality from proposals. The EU isn't that old (~70 years) and if a legislative initiative was introduced by a member state X, or by an MEP from state X, the proposal will forever be tainted by the "proposal Y from member state X" which is completely counter-productive and directs away from the actual work.<br> <p> Hence right from the beginning the process was that the Commission, which represents each member state equally, initiates the proposal on behalf of all the members of the Commission. It ensures a minimum level of support across the Union before committing significant resources.<br> <p> Additionally, EU legislative instruments are severely limited in scope, bound by treaty. Someone has to decide whether something is a regulation or a directive. If you let MEPs submit something, does the Commission get to reject it on the basis of it being outside of the scope of the treaties? How do you handle the question of subsidiarity? Does this open up the possibility of an MEP taking the Commission to the ECJ because they disagree whether something should be a regulation or a directive? Is this something we want?<br> <p> Finally, EU legislation is hard work, requiring lots of translations, explanatory memoranda, etc. The MEPs don't have the time to write all that, but the Commission has a civil service whose job it is to do these things. 
So the current process where the EP asks the Commission to make a proposal on the topic, and the Commission directing the EU Civil Service to work with the relevant MEPs to create a proposal seems like a more efficient use of everyone's time. (There's a reason the MEPs are mostly in Brussels rather than Strasbourg).<br> <p> I know there's a lot of people saying the EP must be able to submit legislative instruments directly otherwise it's not democratic (enough). My position is that it's not that simple and we need to think carefully before twiddling that knob. Sure, we could require proposals to come from EP committees, give the EP a shadow civil service branch and assign a branch of the ECJ to judging whether EP initiated proposals are within the bounds of the treaties, but you need to seriously think about whether this would actually improve the resulting legislation (and inter-institutional relations).<br> </div> Thu, 04 May 2023 12:48:23 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930718/ https://lwn.net/Articles/930718/ paulj <div class="FormattedComment"> <span class="QuotedText">&gt; I understand that the EU - de facto if not de jure - has separate bodies to represent the corporations and the people, and the corporate part seems to come up with most of the proposals which are quickly shot down by the actually democratic part.</span><br> <p> I guess you mean the Commission with the "corporate part" and the EP with the "democratic part". It's not de facto, it's de jure - the EU is constituted such that the Commission is the body that introduces proposals. The EP has no power to initiate legislation - though it can formally request the Commission to do so. 
There is talk of giving the EP the right to initiate.<br> <p> Commission: The political executive of the EU's civil service; the formal point of introduction for new legislation - but this is in a facilitating role.<br> European Parliament: Generally a scrutineering body. Can take out the Commission, by 2/3 majority vote, can propose amendments to legislation, can block legislation the Council is trying to put through, but this requires an absolute majority.<br> Council: The governments. Here lies the power, tempered by the EP.<br> </div> Wed, 03 May 2023 09:17:13 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930699/ https://lwn.net/Articles/930699/ Wol <div class="FormattedComment"> <span class="QuotedText">&gt; Seems like a stupid system, but if this is really how the system works, then it's not the end of the world every time the corporate-money-making-ideas-machine spits out a really stupid idea. It's only the end of the world if the democracy-machine does not shoot down the stupid idea.</span><br> <p> Problem is, the American democracy-machine seems to have pretty crap aim under these circumstances.<br> <p> <span class="QuotedText">&gt; A similar effect can be observed with the fines (point 3). Sometimes the maximum possible fine is set very high to give significant room for the judge's discretion.</span><br> <p> EU maximum fines aren't that high. For a first offence! Thing is, if it's not a first offence, the maximum fine has a habit of doubling every time ... 
that makes repeat offenders rare ...<br> <p> Cheers,<br> Wol<br> </div> Tue, 02 May 2023 23:03:30 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930688/ https://lwn.net/Articles/930688/ immibis <div class="FormattedComment"> One should note that law is to be interpreted by a judge, and a good law should not be written precisely to the smallest detail, but should give enough guidance that everyone knows what to expect, including judges, while also making it obvious and punishable when someone tries to exploit a loophole.<br> <p> For example, the GDPR does not precisely define what is considered consent. If the GDPR had said that clicking on "I agree" constituted consent, website operators would require you to click on "I agree" before viewing the site. Since the introduction of the GDPR, it was ruled that a shortcut "I agree" button does not constitute consent unless there is an equally prominent shortcut "I disagree" button.<br> </div> Tue, 02 May 2023 18:59:13 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930687/ https://lwn.net/Articles/930687/ immibis <div class="FormattedComment"> This cookie does not require user consent because, roughly speaking, it serves the user rather than serving shareholder profits.<br> </div> Tue, 02 May 2023 18:52:25 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930686/ https://lwn.net/Articles/930686/ immibis <div class="FormattedComment"> or discovers C++ :)<br> </div> Tue, 02 May 2023 18:51:12 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930683/ https://lwn.net/Articles/930683/ immibis <div class="FormattedComment"> And yet, every second website does just trick the user into clicking "I agree" and is never punished for it. 
It seems the great European bureaucracy only has the bandwidth to prosecute the Facebooks and Googles of the world.<br> <p> It would be neat if, like, every website with only an "I agree" button and no "I disagree" could get a $1000 fine (commercial sites) or $50 (personal sites) with just a few minutes of paperwork, let's say, upon report and maximum once a week. I suspect that would fall afoul of some rules against summary punishment. Now, no Apple or Netflix is going to care about a $1000 fine, but those ones can be fed through the big lumbering bureaucracy... meanwhile, say, Stack Exchange's CEO having to personally respond to a court order every week would be a significant motivation to fix the problem. (just an example - Stack Exchange recently fixed this problem)<br> </div> Tue, 02 May 2023 18:50:07 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930682/ https://lwn.net/Articles/930682/ immibis <div class="FormattedComment"> 99% of the time this "some regulation that is the worst possible thing for the individual" seems to never be implemented because it was just some brainstorming from some politician whose job was to represent corporate interests, yet everyone treats it as if it's a law about to be passed tomorrow.<br> <p> I understand that the EU - de facto if not de jure - has separate bodies to represent the corporations and the people, and the corporate part seems to come up with most of the proposals which are quickly shot down by the actually democratic part.<br> <p> Seems like a stupid system, but if this is really how the system works, then it's not the end of the world every time the corporate-money-making-ideas-machine spits out a really stupid idea. It's only the end of the world if the democracy-machine does not shoot down the stupid idea.<br> <p> A similar effect can be observed with the fines (point 3). 
Sometimes the maximum possible fine is set very high to give significant room for the judge's discretion. Yet everyone expects the maximum possible fine to be given in all cases, possibly because previous laws had a maximum that was too low. I observe that the high maximum fine really makes a difference because corporations cannot just say: "we have enough money, we can absorb the maximum fine so let's keep doing the illegal thing forever." No, they have to negotiate, and possibly get the fine lowered if they stop doing the illegal thing, and lowered even more if they compensate previous victims.<br> </div> Tue, 02 May 2023 18:45:27 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930479/ https://lwn.net/Articles/930479/ jschrod <div class="FormattedComment"> Oh, some populist parties have figured it out. Poland's PIS is a prime example of it.<br> <p> Hungary is even worse -- I'd call it an authoritarian regime by now, and not a democracy any more. Everything bad that happens is caused by the EU.<br> </div> Fri, 28 Apr 2023 15:28:34 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930327/ https://lwn.net/Articles/930327/ anton It's against the law to make it harder to only get the necessary cookies than to agree to everything. So many sites now have a button "Only necessary cookies". Even for those that don't, the usual experience is that I click on "configure" and get a page where all (typically 2-4) optional cookies are disabled*, and I just need to click on "confirm". <p>* At least I think so. Even after several years with "material design", which replaced checkboxes (a staple in GUI design since its introduction in the 1980s) with something that takes more space and is much less intuitive, I am not sure whether a switch is on or off in material design. 
Thu, 27 Apr 2023 08:46:32 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930273/ https://lwn.net/Articles/930273/ farnz <p>Red Hat can't do that, under the CRA - they have to refuse to supply me RHEL under commercial terms in order to not be my supplier. <p>Which leads to fun if we start thinking about Ubuntu, which is available from Canonical as both Open Source, and a commercial supported product; if I have Ubuntu, which variant do I have? Is Canonical my supplier (because I obtained Ubuntu from them under commercial terms), or not (because I picked it up as an Open Source gift)? Can I convert Canonical into a supplier when I realise I fouled up taking Ubuntu as Open Source? Can Canonical avoid supplying me somehow, while still getting revenue from me? Wed, 26 Apr 2023 15:15:32 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930211/ https://lwn.net/Articles/930211/ farnz <p>The solution with aftermarket radios is standard interfaces, and an obligation to meet those interfaces whenever you sell a component - if a car uses a non-standard wiring setup, then it's on the car maker to document how you go from the non-standard version to the standard versions. <p>We could go for that solution with computing, where all APIs and ABIs must be standardised, and you must specify how to convert your internal stuff to the standard stuff, but that's got its own costs that we'd prefer not to pay; the only reason it works for in-car entertainment is that the interface was well-understood for a good 20 years before we insisted it be standardised, whereas if you look at ABIs from 20 years ago, we've changed all sorts of things. <p>And in the library example, it's also two suppliers - one payment to DodgySoft Limited to buy the core library that makes everything else work, with the software you need coming from DodgySoft Research for free. 
Two different sources, legally speaking, and DodgySoft Limited is only on the hook for the core library, not the bits you got from DodgySoft Research - even though the bits you want are from DodgySoft Research, and you're only buying the tiny core from DodgySoft Limited because without it, you can't use the bits from DodgySoft Research. <p>Fundamentally, we have two conflicting goals to reconcile: <ol> <li>Don't kill the Open Source goose - it should be possible to give away software for people to use for any purpose without incurring liability, since we've observed that good things happen when individuals can supply small drive-by improvements to code they care about. <li>Make the entire supply chain of any commercial product liable for the security flaws contained in the parts they supply. The goal here is that I'm only ultimately liable for my parts of the product, and my suppliers are responsible for the things I use. </ol> <p>The conflict is that we don't want to make people gifting code as Open Source liable, but we do want all commercial users of that code to have liability that they have to deal with somehow - whether through support contracts, insurance, or just being good at avoiding security issues. In turn, this means that we need to be careful to avoid loopholes that let you disguise commercial supply of code as an Open Source gift. Wed, 26 Apr 2023 15:07:27 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930207/ https://lwn.net/Articles/930207/ pizza <div class="FormattedComment"> <span class="QuotedText">&gt; ... and RedHat could preemptively declare RHEL unsuitable for the purpose you intend, so as not to be your supplier.</span><br> <p> Wait, isn't that just another case of DISCLAIMING ALL WARRANTIES? 
I thought that's one of the things the CRA is supposed to be precluding?<br> <p> (Or will "general purpose computing" become effectively illegal under this new regime?)<br> </div> Wed, 26 Apr 2023 12:38:36 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930206/ https://lwn.net/Articles/930206/ geert <div class="FormattedComment"> This reminds me of the excuses that were used before when bundling an OS (in particular MS Windows) with a PC: without an OS, the PC is non-functional, and "the EU forbids selling non-functional PCs".<br> And CD players could still be sold without CDs? And CDs without CD players...<br> </div> Wed, 26 Apr 2023 12:32:20 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930204/ https://lwn.net/Articles/930204/ ballombe <div class="FormattedComment"> ... and RedHat could preemptively declare RHEL unsuitable for the purpose you intend, so as not to be your supplier.<br> <p> </div> Wed, 26 Apr 2023 12:29:37 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930205/ https://lwn.net/Articles/930205/ Wol <div class="FormattedComment"> Did I say it's hard to impossible?<br> <p> But they've presumably solved that with things like car radios; Ford aren't liable for aftermarket replacement radios. Even though those radios are clearly designed only to work in cars.<br> <p> (In that case, it's two separate transactions, with consideration going in two directions. In the library example, it's the same supplier and you have to buy the licence to activate the software. 
One payment, one supplier.)<br> <p> Cheers,<br> Wol<br> </div> Wed, 26 Apr 2023 12:14:24 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930200/ https://lwn.net/Articles/930200/ farnz <p>That implies that everyone who sells software that runs on an OS has combined the OS and the software into a single good, and is on the hook not just for their software package, but also the whole OS. After all, you can't run the software without the OS, so you must buy the OS to use the software, which means it's one "good", not two, even though you buy the OS separately from another company. Wed, 26 Apr 2023 11:49:31 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930194/ https://lwn.net/Articles/930194/ Wol <div class="FormattedComment"> <span class="QuotedText">&gt; The fact that the rest of the software is useless without the licence library is beside the point - it's not part of a transaction, you can download it freely.</span><br> <p> If you have to buy the licence library to use the software, then they're one "good". They're not "fit for purpose" without each other. Yes writing stuff that people can't try to find loopholes in is hard to impossible. But "Did you pay (cash, consideration, whatever) for the right/ability to use the software? Oh - you had to pay for the licence library, right? It's ONE transaction!" is hard to dodge.<br> <p> Cheers,<br> Wol<br> </div> Wed, 26 Apr 2023 11:27:21 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930189/ https://lwn.net/Articles/930189/ farnz <p>Worse than that, if you define it in terms of transactions, I can just sell you the licence library, and "give away" the rest of my software pile. So I'm liable for bugs in the licence system, but not for bugs in the rest of the software I offer, because the only thing I've actually sold is the licence system. 
The fact that the rest of the software is useless without the licence library is beside the point - it's not part of a transaction, you can download it freely. <p>Underlying this is that the per-transaction cost of distributing digital assets is near-zero; you might be asked to pay as much as $0.20 per gigabyte for data transfer if you choose an expensive option, but it's possible to drive that down below $0.01 per gigabyte if you're transferring enough data. For a size context, <a href="https://www.debian.org/mirror/size">the Debian archive</a> (all of Debian) is 125 GB for sources, plus 612 GB for the largest architecture, while a complete Android system image for a Google Pixel 7 Pro is under 3 GB. <p>Given this pricing, it's reasonable for someone distributing software to give most of it away "for free", without including it in a transaction; the goal of the CRA, however, is to ensure that software is covered by the same sorts of rules on quality and liability for faults as physical goods are. Which leads to tension, because software's a place where the low incremental cost of another unit means that it's easier to disguise a software transaction as a gift (and gifts have lower standards for quality in physical goods). Wed, 26 Apr 2023 09:44:31 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930187/ https://lwn.net/Articles/930187/ nim-nim <div class="FormattedComment"> Nah, most of the manufacturers of “smart” devices do not want you to know what pile of software they run, they won’t mention or advertise it, but you definitely want them to be liable for the result. 
Also sometimes software is given or even forced on customers because the generous donator monetises something else (data, clicks, whatever) without any care for the security of users carpet bombed with badware.<br> <p> Designing legal exemptions a lot of crooks won’t transform instantaneously into massive loopholes is hard.<br> </div> Wed, 26 Apr 2023 08:12:13 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930185/ https://lwn.net/Articles/930185/ kleptog <div class="FormattedComment"> Really. This is the kind of thing I find important and I would like to know how best to support these efforts. Is it just donating to the three organisations you mention, or is there something more specific I can do? There is this regulation, but also the AI Act, AI Liability Directive and the Data Act and probably more I don't know about.<br> <p> I mean, I could send pizza money but I'm hoping that's not where the difficulties lie.<br> </div> Wed, 26 Apr 2023 07:37:21 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930174/ https://lwn.net/Articles/930174/ Wol <div class="FormattedComment"> <span class="QuotedText">&gt; This is a challenging one to draft well, since you don't want a loophole that lets a company avoid being the supplier of software if they include it in a bundle pack - for example, if I sell you a PC with pre-installed Ubuntu, and you use that PC with the pre-installed OS as part of a digital signage system, the intent of the CRA is that I am your supplier for Ubuntu, and it's up to me to manage that risk; but if the regulation is drafted badly, I could get away with only supplying (for CRA liability purposes) the PC and its firmware, but not Ubuntu). 
</span><br> <p> Given the huge number of conglomerates where different parts of a business do different things (one just has to look at Sony's schizophrenia about whether they are a film company, a music company, or a games console company), you simply have to define it based on individual transactions.<br> <p> If you "offer for sale" a product, and somebody buys it, then you are the supplier. If your bundle pack says it includes Ubuntu, then you are the supplier of Ubuntu. If the offer makes no mention of Ubuntu, and it just happens to be in the bundle as supplied (NOT as advertised), then you're not the supplier. But the customer may well get upset that the package is "not as advertised". Where this COULD get muddy is (as with my laptop) the situation where the supplier says "with or without Ubuntu" and it makes no difference to the price. I think there it is quite clearly a freebie thrown in, and the laptop supplier should not be considered the software supplier.<br> <p> In other words, to be a supplier, imho you should have "offered for sale" the product, and taken some consideration in return for it. That clearly EXcludes "take it or leave it" freebies. And by basing the definition of "supplier" on the *product*, you avoid any argument as to whether someone is a supplier when there is a complex relationship between customer and supplier.<br> <p> Cheers,<br> Wol<br> </div> Tue, 25 Apr 2023 22:16:31 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930168/ https://lwn.net/Articles/930168/ farnz <p>That, at least, is not supported by the current text - to be on the hook to someone, you have to be <em>their</em> supplier of the digital elements. 
<p>The only sense in which you're on the hook to "everyone" is that the CRA allows you to pass liability backwards along supply chains; if I supply you with a product including a paid copy of Red Hat Enterprise Linux, and you're affected by an RHEL flaw, then you can follow the supply chain backwards and pursue Red Hat, instead of pursuing me, and if you do pursue me, I can pursue Red Hat. <p>But, without the supply chain to follow backwards, I can't pass liability to you, even if you are a "manufacturer". You have to be my supplier (either directly, or transitively) before I can pursue you. So, if you fall through the "commercial activity" loophole and become someone's supplier, you're not at risk from me unless they are <em>my</em> supplier (or my supplier's supplier ad infinitum) of those digital elements. <p>This is still a huge problem for something foundational like Python, since there's a very high chance that any given use of Python in an end-product involves someone in the supply chain who's supplied by the PSF in this sense, but it's not as bad as you're suggesting. In particular, if you become my supplier, but I don't supply anyone else, your liability risk stops there. 
Tue, 25 Apr 2023 19:41:41 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930170/ https://lwn.net/Articles/930170/ mpr22 <div class="FormattedComment"> <span class="QuotedText">&gt; What I don't understand is why the politicians in other European countries never figured out that they could do the same.</span><br> <p> There is a possibly apocryphal headline:<br> <p> FOG IN CHANNEL – CONTINENT CUT OFF<br> <p> that perfectly exemplifies the underlying English* mindset responsible for Britain taking it so much further than mainland European countries do.<br> <p> * Yes, I specifically mean English, rather than British.<br> </div> Tue, 25 Apr 2023 18:59:53 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930162/ https://lwn.net/Articles/930162/ farnz <p>Other EU countries <em>do</em> blame the EU for any and all unpopular countries. The distinction is that in (at least) Spain, France, Germany, Ireland and Italy, people react to that by asking what the alternatives are, and whether the alternative choices are any better in practice, whereas the UK tends to assume that we can do our own thing and the rest of the world will fall into line. Tue, 25 Apr 2023 18:41:54 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930159/ https://lwn.net/Articles/930159/ rschroev <div class="FormattedComment"> Some politicians here in Belgium certainly do use Europe as a scapegoat from time to time, luckily not to the same extent as what happened in the UK. <br> <p> One thing I feel is missing is more comprehensive media coverage of the decision making at the European level. Newspapers and TV shows often talk about politics at the national and regional level; opinion makers write about the issues of the moment; politicians are interviewed and debate each other. 
None of that is perfect, but at least it exposes some of the decision making.<br> <p> Almost none of that exists for issues on the European level. Reporters will cover European Summits and other big events, but there is almost no coverage of the day-to-day decision making. Sometimes politicians do get interviewed about European issues, but almost always only local politicians; politicians from other countries (other than the obvious ones like Macron, Von Der Leyen etc.) almost never come into the picture. There is practically no debate in the public space with different viewpoints about the issues at the European level.<br> <p> In my opinion, the mass media falls short in its function as fourth power in matters of European politics. At the same time it's very well possible people wouldn't like more coverage; it could very well be pretty dull.<br> </div> Tue, 25 Apr 2023 18:13:45 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930163/ https://lwn.net/Articles/930163/ pizza <div class="FormattedComment"> <span class="QuotedText">&gt; What I don't understand is why the politicians in other European countries never figured out that they could do the same.</span><br> <p> They have, and do use the EU as a scapegoat, when it's convenient.<br> <p> But generally speaking those countries don't have a tradition of "noble isolationism" afforded by being surrounded entirely by water instead of neighbours one needs to play nice with.<br> <p> <p> </div> Tue, 25 Apr 2023 18:07:22 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930161/ https://lwn.net/Articles/930161/ pizza <div class="FormattedComment"> <span class="QuotedText">&gt; [...] and do not want a situation where, because you bought a conference ticket or support for one product, they're on the hook to you for all the software they make available. 
</span><br> <p> Worse yet, once you're considered a "manufacturer" (via the conference/support contract/etc "commercial activity" backdoor) if your digital elements are "made available" in the EU (eg via a public web site) then you're now potentially on the hook to *everyone* who obtains those digital elements, not just the folks who actually paid you money.<br> <p> <p> </div> Tue, 25 Apr 2023 18:03:49 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930090/ https://lwn.net/Articles/930090/ farnz <p>Not a lawyer, so you'll need legal advice if this really matters to you (just as you would with any law), but my understanding is as follows, based on the text of the directive: <ol> <li>No, you are not a supplier if you simply publish your thing as open-source, and a vendor picks it up; to become a supplier, you need a commercial relationship with the vendor, and you have nothing that can be construed as commercial. <li>Again, not a supplier - you aren't supplying anything in return for what the vendor gives you, and thus, while the donation relationship may be commercial, you're not supplying anything, and thus you're OK. <li>In this situation as described, you're not a supplier - you have no commercial relationship with X, and hence you're not a supplier. </ol> <p>It's case (3) that has the big gotchas lurking in the current draft; if you supply premium cakes for office parties as well as supporting your open source software, then as the CRA is currently drafted, it's not clear whether being a supplier of cake to X implies that you are liable to X if your software has a hole in it. Hence the PSF and ISC worries; they supply conferences (PSF) and support contracts (ISC), and do not want a situation where, because you bought a conference ticket or support for one product, they're on the hook to you for all the software they make available. 
<p>This is a challenging one to draft well, since you don't want a loophole that lets a company avoid being the supplier of software if they include it in a bundle pack - for example, if I sell you a PC with pre-installed Ubuntu, and you use that PC with the pre-installed OS as part of a digital signage system, the intent of the CRA is that I am your supplier for Ubuntu, and it's up to me to manage that risk; but if the regulation is drafted badly, I could get away with only supplying (for CRA liability purposes) the PC and its firmware, but not Ubuntu). Tue, 25 Apr 2023 16:57:24 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930155/ https://lwn.net/Articles/930155/ NYKevin <div class="FormattedComment"> I get the sense that the EU provided a convenient scapegoat for British politicians, who could just blame it for any and all unpopular policies that nevertheless needed to be passed. What I don't understand is why the politicians in other European countries never figured out that they could do the same.<br> <p> (I suppose it wouldn't really make sense for France or Germany to blame the EU, because to a first approximation, they are the EU. But there are a bunch of other EU member states that could do it.)<br> </div> Tue, 25 Apr 2023 16:53:47 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930153/ https://lwn.net/Articles/930153/ NYKevin <div class="FormattedComment"> That cookie can (and should) be labeled as a "necessary" cookie and excluded from the selection entirely (provided, of course, that it is *only* used for storing opt-outs and not for any other kind of tracking).<br> </div> Tue, 25 Apr 2023 16:42:17 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930095/ https://lwn.net/Articles/930095/ pizza <div class="FormattedComment"> <span class="QuotedText">&gt; You should probably just do the self-certification paperwork. 
The bulk of the work will be preparing the necessary technical documentation which you should have anyway as it's basic "best practice" stuff (high-level architecture/design, threat modelling, documented update process, test results, etc.).</span><br> <p> Uh... no. I'm not touching "self certification" with a 3.048-meter pole.<br> <p> I have personally witnessed [incomplete&amp;|erroneous] attempts to "do the right thing" be used as "proof" that violations of rules were intentional, resulting in _increased_ penalties (vs intentionally remaining ignorant/doing nothing).<br> <p> We will need to see what text eventually passes (and gets enacted by member states' legislatures) but as things appear now, I am far better off simply refusing to do business with (and refusing to distribute my software to) anyone in Europe, because anything else would expose me to ruinous (if not effectively unlimited) liabilities.<br> </div> Tue, 25 Apr 2023 13:42:51 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930089/ https://lwn.net/Articles/930089/ zdzichu <div class="FormattedComment"> Why not 👍🏻?<br> </div> Tue, 25 Apr 2023 12:50:32 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930082/ https://lwn.net/Articles/930082/ jafd <div class="FormattedComment"> I can see that the comments are brimming with experts who say there is nothing to worry about, and how it's all simple, really.<br> <p> I would like to have some simple answers then, using very few small words, to the following questions. I don't know the right answers, but I sure as hell know they don't start with "it depends".<br> <p> 1) I publish an open source thing with no expectation of profit whatsoever. A vendor picks it up without my knowledge or consent, puts it into smart fridges or whatnot, and later a hole is found in my thing. Who is going to be liable, the vendor or I? 
Can CRA hang it onto me as a "supplier"?<br> <p> 2) I publish an open source thing, and take donations. A vendor picks it up without my knowledge or consent, puts it into smart fridges, and later a hole is found in my thing. The donations, it's expressly stated, are there to support the development, but they don't imply any sort of contract with obligations. I don't know if the vendor has ever donated anything to me. Who is going to be liable? Can the vendor successfully make me liable?<br> <p> 3) I run a software business. I publish parts or the entirety of what I produce as open source, free for anyone to use, but offer custom component development and support subject to a contract and hefty subscription fees. A business X picks up my software and uses it without my knowledge or consent. I don't have any kind of support contract with X. Later, X falls victim to a hole found to be in my software. Can they make me their "supplier" per CRA and successfully sue me/make me pay fines despite me not having received a single cent from them and being unaware of their existence until now?<br> <p> For simplicity's sake, assume all parties are EU-based and thus squarely in CRA jurisdiction, with no buts or what-ifs.<br> </div> Tue, 25 Apr 2023 10:27:52 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930081/ https://lwn.net/Articles/930081/ coriordan <div class="FormattedComment"> *thumbs up emoji*<br> </div> Tue, 25 Apr 2023 09:29:51 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930079/ https://lwn.net/Articles/930079/ kleptog <div class="FormattedComment"> Thank you for your hard work.
I was getting worried there for a moment.<br> </div> Tue, 25 Apr 2023 09:04:29 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930075/ https://lwn.net/Articles/930075/ coriordan <div class="FormattedComment"> <span class="QuotedText">&gt; no open-source organisations submitted any feedback. (The list of organisations that responded to the committees is listed at the end of the documents)</span><br> <p> We're there (as "Open Forum Europe"), along with FSFE and Wikimedia.<br> <p> I've been in contact with 70+ policy makers in the EP and Council and I hosted a workshop yesterday with 12 policy makers and 6 representatives from free software organisations (foundations and companies).<br> <p> We're working on it.<br> <p> Recital 10 kinda defines free software: "free and open-source software (...) This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable." (It's not exactly a definition, but all the elements are there.)<br> <p> Important to remember that the ITRE document is the rapporteur's amendments. This week is the deadline for the other committee members to submit amendments, and then there's discussions and a vote to decide what the final ITRE amendments will be.<br> </div> Tue, 25 Apr 2023 05:11:11 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930076/ https://lwn.net/Articles/930076/ pabs <div class="FormattedComment"> The app problem you mention is exactly what TiVo did; deliberately breaking proprietary software when it runs on top of modified GPL software. Bradley Kuhn had a talk related to this, mostly in the context of GPL usage in cars. I believe the summary is that this is allowed by both GPLv2 and GPLv3. 
It's arguable whether this is a good thing or a bad thing; e.g., it incentivises the reverse engineering of those proprietary apps and their replacement with new libre implementations, but it makes it a lot harder for non-technical users to switch from a locked-down system to a libre one.<br> <p> <a href="https://events19.linuxfoundation.org/wp-content/uploads/2017/11/Safely-Copylefted-Cars-Reexamining-GPLv3-Installation-Information-Requirements-ALS-Bradley-Kuhn-Behan-Webster-1.pdf">https://events19.linuxfoundation.org/wp-content/uploads/2...</a><br> <p> </div> Tue, 25 Apr 2023 05:07:13 +0000 The Python Software Foundation on European cybersecurity https://lwn.net/Articles/930061/ https://lwn.net/Articles/930061/ mat2 <div class="FormattedComment"> <span class="QuotedText">&gt; Unless I'm mistaken, this is already the case. The (very) limited number of Android devices that allow you to be root and install your own updates seems to show that. </span><br> <p> While shopping wisely, it is possible to choose devices whose bootloader can be (easily) unlocked and are supported by LineageOS / Magisk.<br> <p> The more important problem is that an increasing number of apps try to detect that the phone is modified and refuse to run if it is so. This includes some government and financial applications that are getting important in daily life. This is pure DRM (Digital Restrictions Management).<br> <p> There is unfortunately little done to counter developers of these apps. For example, I haven't heard FSF and SFConservancy speak about this issue.<br> </div> Mon, 24 Apr 2023 19:46:15 +0000