During the discussions around European digital agenda legislation, I have frequently heard people proposing to define “open source” within a draft instrument. But that's a surprisingly difficult thing to do – it turns out that despite being a globally understood term of art, capturing the whole thing in a phrase simple enough to use in a recital requires a great deal of thought and experience.
So people mostly defer to the OSI Open Source Definition, which is not designed for that purpose. This post considers three different ways to consider open source — knowing it when you see it, knowing it by its goals and knowing it by summarising its mechanism — and includes a recital-ready definition of open source for use in legislation that embodies the global consensus of its meaning.
No, open source advocates are not engaged in “special pleading” to try to get open source given an unreasonable artificial market advantage in Europe, as some are alleging. From the very beginning I have heard people claiming that open source advocates are trying to get open source software per se excluded from the scope of regulation by the Cyber Resilience Act (CRA). Even now it seems people are still hearing this.
Perhaps all the problems we are having with the Cyber Resilience Act (CRA) arise from a misunderstanding of specialist language used by an academic, which evolved into an imperfect use of the term “commercial” in the exclusion of open source from the CRA?
You're not going to fix Europe's proposed Cyber Resilience Act (CRA) by defining “commercial”. The problem is not a lack of clarity in the term; it is the act of triggering applicability of the regulations on an attribute of the work rather than on the act of deploying it in commerce.