Comply or Withdraw?
Update: This has now graduated to the OSI Blog.
What might happen if the uncertainty about who has responsibilities under the Cyber Resilience Act (CRA) is allowed to persist? The global open source community is averse to legal risk and generally lacks access to counsel, so it may well simply withdraw its offers of source code rather than resolve the uncertainty.
The CRA rightly addresses the need for commercial suppliers to protect their customers from exploits and cyber attacks. But by incorrectly assuming that Dirk Riehle's terminology calling single-company projects “commercial open source” means it's possible to use the “commerciality” of an application to distinguish single-company activity from community projects, and by using the concepts of proprietary software to then define boundaries, legislators have exposed the open development of software itself to the regulations rather than just the for-profit use of open source artifacts in the marketplace.
There will be no escape from this for European projects like the Eclipse Foundation, but projects outside Europe — especially smaller projects — may just decide to erect geo-blocks and not deliver their work to European IP addresses. CRA-motivated geo-blocks start with not being able to know what to do without seeking legal advice, and even then being told “maybe” and still left to decide yourself.
One response when I raised this was to say that the European Union is a massive and valuable market and projects would not risk being excluded from it by geo-blocking. But this argument ignores the fact that just because Alice deploys some code profitably in Europe, it doesn't mean Bob in Nebraska will share in the profit even though he wrote it, regardless of whether he is in business where he lives. Open source licenses do not create a relationship under which financial reward is guaranteed.
Geo-blocks have happened before. Many small global publications block access from the EU rather than resolve legal uncertainties with GDPR, but the risk of CRA-related geo-blocks is much more consequential, because reading those sites is optional whereas much open source software maintained internationally is woven into the fabric of Europe's infrastructure.
In addition, those avoiding evaluating their GDPR responsibilities (or evading them after evaluating them) are likely to fear compliance will impact the benefit they gain from surveillance advertising, while for open source developers the perceived risk is of being the target of a punitive bureaucracy for failing to complete paperwork that adds nothing to their work.
If the confusion persists, open source projects will need to thoughtfully consider how to proceed. Disentangling dependencies that choose to pragmatically block Europe will be traumatic; should they be forked or substituted? Things could get very messy. Let's hope the co-legislators see sense, finally talk to the open source community and address the issues.