<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>pld &#8212; Webmink In Draft</title>
    <link>https://the.webm.ink/tag:pld</link>
    <description>Things cooking in the Minkiverse. They move elsewhere when the oven pings.</description>
    <pubDate>Sun, 03 May 2026 14:16:10 +0100</pubDate>
    <item>
      <title>Open Source Is Conceptually Disjoint From Proprietary Software</title>
      <link>https://the.webm.ink/open-source-is-conceptually-disjoint-from-proprietary-software</link>
      <content:encoded><![CDATA[<p><em>Update:</em> This post has graduated to the <a href="https://blog.opensource.org/regulatory-language-cannot-be-the-same-for-all-software/">OSI Blog</a>.</p>

<p>In reviewing the language and concepts being used in the various draft bills and directives circulating in Brussels at present, it is clear that the experts crafting the language are using their understanding of proprietary software to build the protections they clearly intend for open source. This may be the cause of the problems we continue to see as the instruments iterate, <a href="https://blog.opensource.org/why-the-european-commission-must-consult-the-open-source-communities/">especially in the absence of direct consultation</a>.</p>

<p><a href="https://www.flickr.com/photos/webmink/6088328073"><img src="https://live.staticflickr.com/6078/6088328073_609c3ebe5b_h.jpg" alt="Gray stone sculpture depicting the fallen head of a larger statue" title="Disconnected"></a></p>

<p>Proprietary software and the company that places it on the market can usefully be seen as the same target for those creating legislation. The software is constructed in secret, under the control of a single party, and the controlling party is responsible for both funding the work and monetising the result. However, the same cannot be said for open source software, which is created openly by a globally-distributed and unaffiliated community whose relationship with the larger work is <a href="https://the.webm.ink/on-volunteering">“volunteer”</a>. Using terminology associated with the worldview of proprietary software in legislation that affects open source is at best ambiguous and at worst extends consumer regulation to the domain of research and development.</p>

<p>Open source software is an artifact arising from the interactions of a community of contributors with no contractual binding between them beyond the open source license itself, which disclaims all warranties and has no conduit for funds. If there is an open source charity or trade association hosting the community, there will also be only a limited binding to it and probably none that is a funding conduit. Many communities are unincorporated and don&#39;t even have this level of interconnection.</p>

<p>Because of this, those who place the artifact with digital elements on the market must be assumed to have no financial, organisational or indeed morally relevant relationship with any other party involved in the artifact&#39;s origination or use. There may be links, but it&#39;s best to start from the assumption there will be none because making them is an outside activity with no accommodation in open source licensing.</p>

<p>In many cases (sadly) those placing the artifact on the market have no connection at all with the community, not even at the level where it is appropriate to consider members of the community as suppliers. As one community member <a href="https://www.softwaremaxims.com/blog/not-a-supplier">wrote</a>:</p>

<blockquote><p>I am not your supplier. So all your Software Supply Chain ideas? You are not buying from a supplier, you are a raccoon digging through dumpsters for free code.</p></blockquote>

<p>The software and the community thus need to be considered separately when choosing language that applies regulation affecting open source. Some highlights to note:</p>
<ul><li>The software is made freely available under an OSI-approved license that ensures its consumer may do anything it wishes without needing any relationship with rights holders.</li>
<li>The members of the community collaborate for many different reasons, and even when those reasons have commercial intent the commercial intents in play are likely to be unrelated both formally and informally.</li>
<li>Many community members have a moral/ethical basis for their participation which can sometimes take priority over pragmatic convenience.</li>
<li>Treating the software and the company placing it on the market as interchangeable is unsafe.</li>
<li>As a consequence, it is unsafe to assume that, because two parties are monetising a piece of open source software, there is a flow of funds or even a relationship between them. Regulation should only apply to the party triggering the clause in the legislation, unlike with proprietary software where it is reasonable to assume a link.</li></ul>

<hr>

<h3 id="notes-tags-mentions">Notes, Tags &amp; Mentions</h3>
<ul><li>See also “<a href="https://the.webm.ink/the-comprehension-error-behind-the-cra-issue">The comprehension error behind the CRA issue</a>”</li>
<li><em>The photograph is my own, of the Head of Saint Gereon in front of the Basilica of St. Gereon in Bonn, artist <a href="https://www.yediler.de/skulptur/aussenskulpturen/">Iskender Yediler</a>.</em></li>
<li><a href="https://the.webm.ink/tag:CRA" class="hashtag"><span>#</span><span class="p-category">CRA</span></a> <a href="https://the.webm.ink/tag:PLD" class="hashtag"><span>#</span><span class="p-category">PLD</span></a> <a href="https://the.webm.ink/tag:Policy" class="hashtag"><span>#</span><span class="p-category">Policy</span></a> <a href="https://the.webm.ink/tag:OpenSource" class="hashtag"><span>#</span><span class="p-category">OpenSource</span></a> <a href="https://the.webm.ink/tag:Software" class="hashtag"><span>#</span><span class="p-category">Software</span></a></li></ul>

<p><em>Follow <code><a href="https://the.webm.ink/@/webmink@the.webm.ink" class="u-url mention">@<span>webmink@the.webm.ink</span></a></code> to be informed of new posts. To discuss this post please reply from Mastodon etc. (search for the URL) &amp; include <code><a href="https://the.webm.ink/@/webmink@meshed.cloud" class="u-url mention">@<span>webmink@meshed.cloud</span></a></code> as WriteFreely still doesn&#39;t display replies. <a href="/About">More</a>.</em></p>
]]></content:encoded>
      <guid>https://the.webm.ink/open-source-is-conceptually-disjoint-from-proprietary-software</guid>
      <pubDate>Tue, 04 Apr 2023 16:46:04 +0100</pubDate>
    </item>
    <item>
      <title>The Commission MUST Consult The Open Source Community</title>
      <link>https://the.webm.ink/the-commission-must-consult-the-open-source-community</link>
      <content:encoded><![CDATA[<p><em>Update:</em> Graduated to the <a href="https://blog.opensource.org/why-the-european-commission-must-consult-the-open-source-communities/">OSI Blog</a></p>

<p>I <a href="https://the.webm.ink/the-comprehension-error-behind-the-cra-issue">wrote recently</a> about the possible origin of a serious defect in terminology in the <a href="https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act-impact-assessment">Impact Assessment</a> of the Cyber Resilience Act (CRA). But this is not the only problem with the Impact Assessment. A crucial one appears in Annex 2 (on page 4 of the Part 2 pdf), where it becomes clear from sections 2-4 that <strong>no open source communities or community fiduciaries were consulted as stakeholders</strong>.</p>

<p><img src="https://pix.webm.ink/storage/m/_v2/528856369903823094/42a8ecf32-5a8865/3GfLqQLFGgCL/7IwVHTPo7RluA8WraxvIoac6RwsBXZy1lArh9Xyd.jpg" alt="Top portion of sculpture at Brussels South Station. Topped by a gold weathervane, a black support structure on a ribbed black obelisk has the text &#34;In Your Own Time&#34;" title="In Your Own Time sculpture, Brussels"></p>

<p>In the comments by the European Commission&#39;s policy officers given during <a href="https://fosdem.org/2023/schedule/event/cyber_resilience/">a FOSDEM Main Stage panel</a> it became clear they had been working on the language of the updates to the Public Liability Directive (PLD) and CRA for a significant time. When asked why they had not consulted the community until now (at 1:27:45 on the video), they replied it was the community&#39;s responsibility to find out about their work and show up to published consultations.</p>

<p>It is not enough to expect the open source ecosystem to spontaneously show up – it is not structured in a way that makes that likely. In any case the consultation process <a href="https://meshedinsights.com/2018/07/02/the-legislative-disconnect-of-the-meshed-society/">has no category</a> for individuals who make economically significant works outside the role of “Company” or “Workforce”. In other words, there <em>were</em> no consultations aimed at the community. At best we will show up late in the process asking why no-one called, as we are now.</p>

<p>It is not unreasonable to ask to be treated in a way respectful of these realities; the process does so for SMEs. Section 4 of Annex 2 observes “However, it has been very difficult to get substantial input from SMEs.” As a result there was extensive, targeted outreach to SMEs resulting in significant inputs. No equivalent effort was made to reach out to open source charities like OSI, or to significant fiduciaries like Apache, Eclipse or Python.</p>

<p>There are some inputs all the same. It&#39;s great that companies in the open source ecosystem do show up in consultations, and I know of a number who have lobbyists in Brussels. But they cannot be relied on to explain or even consider the perspectives of the significant number of community participants either outside their interest area or even opposed to it.</p>

<p>It is very important to find ways to give a voice to the true community and not just its corporate members. Open source is a social movement with software artifacts and market consequences. Paying heed only to the latter (or even the latter two) is an inadequate approach. You can&#39;t proxy through SMEs, let alone multinationals and their lobbyists.</p>

<p>This is a serious and persistent issue with the Commission&#39;s work; they need to become aware that when proposals affect the open source ecosystem (of which the open source software market they value is a part but not the whole), it is <em>essential</em> for them to treat the <a href="https://meshedinsights.com/2018/07/02/the-legislative-disconnect-of-the-meshed-society/">members of that ecosystem</a> as key stakeholders and make at least as much of an effort to reach out to them as they do to SMEs — possibly more.</p>

<p><a href="https://the.webm.ink/tag:CRA" class="hashtag"><span>#</span><span class="p-category">CRA</span></a> <a href="https://the.webm.ink/tag:PLD" class="hashtag"><span>#</span><span class="p-category">PLD</span></a> <a href="https://the.webm.ink/tag:Policy" class="hashtag"><span>#</span><span class="p-category">Policy</span></a> <a href="https://the.webm.ink/tag:OpenSource" class="hashtag"><span>#</span><span class="p-category">OpenSource</span></a> <a href="https://the.webm.ink/tag:Community" class="hashtag"><span>#</span><span class="p-category">Community</span></a> <a href="https://the.webm.ink/tag:4thSector" class="hashtag"><span>#</span><span class="p-category">4thSector</span></a></p>

]]></content:encoded>
      <guid>https://the.webm.ink/the-commission-must-consult-the-open-source-community</guid>
      <pubDate>Thu, 16 Mar 2023 09:46:34 +0000</pubDate>
    </item>
  </channel>
</rss>