The Commission MUST Consult The Open Source Community
Update: Graduated to the OSI Blog
I wrote recently about the possible origin of a serious defect in terminology in the Impact Assessment of the Cyber Resilience Act (CRA). But this is not the only problem with the Impact Assessment. A crucial one appears in Annex 2 (on page 4 of the Part 2 pdf), where it becomes clear from sections 2-4 that no open source communities or community fiduciaries were consulted as stakeholders.
In the comments by the European Commission's policy officers given during a FOSDEM Main Stage panel it became clear they had been working on the language of the updates to the Public Liability Directive (PLD) and CRA for a significant time. When asked why they had not consulted the community until now (at 1:27:45 on the video), they replied it was the community's responsibility to find out about their work and show up to published consultations.
It is not enough to expect the open source ecosystem to spontaneously show up – it is not structured in a way that makes that likely. In any case the consultation process has no category for individuals who make economically significant works outside the role of “Company” or “Workforce”. In other words, there were no consultations aimed at the community. At best we will show up late in the process asking why no-one called, as we are now.
It is not unreasonable to ask to be treated in a way respectful of these realities; the process does so for SMEs. Section 4 of Annex 2 observes “However, it has been very difficult to get substantial input from SMEs.” As a result there was extensive, targeted outreach to SMEs resulting in significant inputs. No equivalent effort was made to reach out to open source charities like OSI, or to significant fiduciaries like Apache, Eclipse or Python.
There are some inputs all the same. It's great that companies in the open source ecosystem do show up in consultations, and I know of a number who have lobbyists in Brussels. But they cannot be relied on to explain or even consider the perspectives of the significant number of community participants either outside their interest area or even opposed to it.
It is very important to find ways to give a voice to the true community and not just its corporate members. Open source is a social movement with software artifacts and market consequences. Paying heed only to the latter (or even the latter two) is an inadequate approach. You can't proxy through SMEs, let alone multinationals and their lobbyists.
This is a serious and persistent issue with the Commission's work; they need to become aware that when proposals affect the open source ecosystem (of which the open source software market they value is a part but not the whole), it is essential for them to treat the members of that ecosystem as key stakeholders and make at least as much of an effort to reach out to them as they do to SMEs — possibly more.