Perhaps all the problems we are having with the Cyber Resilience Act (CRA) arise from a misunderstanding of specialist language used by an academic evolving into an imperfect use of the term “commercial” in the exclusion of open source from the CRA?
You're not going to fix Europe's proposed Cyber Resilience Act (CRA) by defining “commercial”. The problem is not a lack of clarity in the term; it is the act of triggering applicability of the regulations on an attribute of the work rather than on the act of deploying it in commerce.
While the Free Software/Open Source movement is based on an essential and timeless concept — that users of software should be self-sovereign in that software — the linguistic frame in which it was positioned long ago continues to have some unfortunate consequences that ironically distract from the very goals the frame sought to achieve.
One of the tragedies of platform lock-in is that its victims suffer from a kind of trauma bonding where, instead of blaming the proprietary software or walled-garden platform that's locked them in, they find fault with the thing that's actually going to liberate them. That's lock-in syndrome. We've seen a lot of it lately, what with the waves of Twitter Migration.
I often hear about how open source is not sustainable because it is “made by volunteers”. But that misunderstands the nature of volunteering in open source projects. Volunteering is relative, not absolute, and it is not a useful indicator of the sustainability of a project because in independent open source projects all contributors are volunteers.
The shadow may seem more real than the thing itself
Many of the arguments that turn up in the Free and Open Source Software movement(s) – between people who apparently should agree – arise from a difference of view over the appropriate degree of causality that applies to the situation. This conflict between degrees of causality actually powers many other human disagreements too.