This is ridiculous: all blame/liability should lie with either the provider of commercial software who chooses to rely on open source software or the end user for relying on free/open source software.
I personally will not allow people in the EU to use any software I write going forward, I imagine other open source developers will take these steps as well.
It seems the author is referring to the EU Cybersecurity Act that should be voted on in early 2024.
The last draft clearly excludes open source software as long as there is no commercial activity associated. If voted in this state, it won't affect the vast majority of developers releasing some code under an Open Source license. But it will wipe out all small businesses: if you're a solo company selling support or feature development on some Open Source software you wrote, paperwork and liability are just not worth it.
And good luck selling anything relying on existing Open Source libraries, because you're now liable for them too. Given the cost of a security audit, you may as well stop trying and just sell SaaS (which is explicitly excluded from the bill, funny).
Larger companies of course won't care and will continue shipping buggy software riddled with security holes because they can afford the paperwork and absorb the legal risk.
> as long as there is no commercial activity associated
My recollection, from previous discussion on HN, is that the definition of "commercial activity" is far more broad than the open source community would like it to be. And by "open source community", I mean the people that run various foundations and non-profits and things like that.
I don't think that throwing up a virtual tip jar on your GitHub page counts, but offering paid support would. If you collect telemetry and then sell "usage insights" that would also count as commercial activity. Advertising on the download page is commercial activity. If you have a Patreon account? I actually don't know about that. Anyone know?
Correct. I would be perfectly fine with some amount of control and liability proportional to the size of the company, excluding tiny ones as is often the case.
With this new act, even selling 100€/month of support for a piece of software you are contributing to makes you subject to the full force of the bill (and the full force includes scary numbers, millions, with zero information on how precise amounts will be calculated).
We can only hope that it is not voted in this sorry state.
Yes, proportionality, or at the very least some sort of clarity on where the line is drawn. Nobody wants to be the test case that determines if something is commercial or not.
An acknowledgment that it costs some small amount of money to host a website for the code, or that you may from time to time want to hire someone to do something specialized (design a logo?) and need to raise some amount of money for that to happen.
By world-wide standards (though not necessarily by Silicon Valley standards) I am fairly wealthy and thus could afford to support a completely commercial-free open-source project out of my professional salary. And this would make my project liability-free in the EU. But someone else, who didn't grow up in the USA at a time when university tuition was cheap, would not be able to do the same and their otherwise-identical project is subject to legal liability.
How is that fair? Isn't this just going to further concentrate open source contribution and leadership in a handful of rich countries (that are mostly not in the EU)?
This seems a bit extreme; it isn't even a law yet (or anywhere close).
That being said, if you don't audit your open source libraries, you should be held liable. I've seen open source encryption libraries do some really dumb things that I wouldn't touch with a ten foot pole. Yet they are some of the more popular ones.
People are just npm installing whatever without even checking the GitHub stars or usage; not that that says anything, but not even that. As a bare minimum devs should check if their libraries have robust testing, are maintained by people who have the time to do so, etc. A lot of open source libraries are really bad, and if you are building commercial (packaged / SaaS, doesn't matter) software on top of that, you definitely should be held liable if that causes harm. This lazy behaviour should end, as it indeed does cause horrible messes.
This over-the-top article is, I guess, pointing to open source software that's used by an individual directly from the source as an end user and then causes harm, not to parts of commercial software that includes open source software, when they talk about holding open source devs liable.
Why should I be held accountable if you just run some code you found on GitHub? Am I liable when I sell hammers and you bash your face in?
/e: let me clarify, I agree with the three comments under me. You, the commercial entity using my code, are accountable. I am not liable if you as a private person run my shitty code. I was thinking of private persons and being on the hook for my GitHub repos.
I think you might be misreading it. The person who ships the product commercially is liable. If you sell them your code, you'd be liable but if they just use your open source code, they are liable for any potential issues in their program caused by your code (instead of you being liable).
Basically they can't just brush off responsibility for using FOSS code by saying "well I didn't write it, it's not my fault" unless you as the FOSS developer are selling them a support contract for any potential issues in your code.
Perhaps less pitchfork brandishing, more reading the article?
> all blame/liability should lie with ... the provider of commercial software
Is precisely what the EU intend to do (according to the article - no idea how accurate it is), not put the liability on open source devs.
From the article:
> So, how is open-source software implicated? If a commercial software product causes harm, whoever put the software on the market will soon be strictly liable. You will need to prove that your code wasn’t to blame to escape the costs. But what if you’ve embedded open-source code, used open-source tools, or called open-source APIs? Under the pending rules, you’d be liable for any errors in those sources as well, regardless of whether you directly contributed or not. A license like the one Apache provides won’t help, since state-imposed strict liability isn’t a harm that can be licensed away by private actors. The user must be made whole, and that’s on you. Worse still, how will you in turn identify or sue the collaborator or collaboration that actually wrote the faulty open-source code to recoup your costs? In that case, the license you signed likely insulates your open-source partners from your claims.
What does it mean if you publish your open source Android application on the Play Store (with no ads or monetary compensation, simply just to make it easier for users to use)?