[ripe-list] Community feedback on EU Cyber Resilience Act proposal

Suzanne Taylor <staylor at ripe.net> wrote:
    > While the European technical community has welcomed the exception for
    > open-source software provided by the proposed text, the exemption
    > applies only to open-source software that is “developed or supplied
    > outside the course of a commercial activity”. This wording leaves a lot
    > of room for interpretation as to what, precisely, constitutes
    > commercial activity, especially when taking into consideration the fact
    > that charging for technical support services is considered commercial
    > activity, as is the monetisation of other services provided via a
    > software-sharing platform.

Thank you for capturing my concerns very well.

I think that the EC would do well to ignore exemptions by the license of the
software.  GPL, MIT, Apache, etc. are still just *copy*-rights, and they are
really indistuighable by courts from other kinds of contracts.

I think that the EC would do better to consider who are deploying and
operating software, and to put the onus there.
The Deutsche Bundesbank has a different set of responsabilities when
deploying KeePass to keep track of router passwords than I, indivisual
operator of a single-site AS has doing exactly the same thing.

It seems that the best result is that many big operations, who have for a
long long time benefitted from open source, ought to, under the CRA, begin to
contributing to more maintainance for the systems they depend upon.


--
Michael Richardson <mcr+IETF at sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 515 bytes
Desc: not available
URL: </ripe/mail/archives/ripe-list/attachments/20230117/d421cda8/attachment.sig>