Correct. And I agree with that effect:

* a company paying the salary of a developer who contributes to an open source
project outside of the commercial activity of the company does *not* expose
the company to extra requirements
* a company taking *any* software, including open source software, and
selling a product based on that or related to that, to EU customers, *will*
be required to think more about safety (regardless of who it employs and
for what)

The *one* negative impact I can see of this legislation is the impact on small
integrators that were used to being able to go to a client company, install a
bunch of Ubuntu Desktop workstations, set up an Ubuntu Server for SMB and also
to serve the website of the company, take a one-time fee for their work and be
gone. Now it would have to be made clear - who will be maintaining those
machines over time, ensuring they are patched with security updates in time,
upgraded to new OS releases when old ones are no longer supported and so on.
This, over time, will reduce the number of forgotten and bit-rotting systems
on the networks that provide tons of known security holes for attackers. Who
will take the responsibility is still open - would that be the end customer
itself, would that be the system integrator that installed the systems for
them, can they maybe have a contract with Canonical for such support or some
other company providing such services specifically for the EU? How much would
that cost? How would that cost compare to similar agreements on the Windows
side?

Lots of interesting questions. But at no point does any responsibility get
automatically assigned to, for example, Debian or individual
open source developers.


On Mon, 13 Nov 2023 at 14:03, Luca Boccassi <bl...@debian.org> wrote:

> On Mon, 13 Nov 2023 at 12:57, Aigars Mahinovs <aigar...@gmail.com> wrote:
> >
> > True, the employment status is irrelevant. However, in this example
> > Microsoft will actually have the liability of providing the security
> > assurances and support for systemd and related systems, because they are
> > providing images of such systems as part of their commercial offering on
> > the Azure cloud platforms. And that will be true regardless of the
> > employment status of a few developers.
> >
> > A company that does not provide any Linux system services to EU
> > customers, like some integrator operating just in Canada, would not have
> > such exposure and thus would not incur any such obligations.
>
> Yes, but they have to do that *as part of that commercial product*,
> which is not systemd, it's whatever product uses it, together with the
> Linux kernel, glibc, gcc, etc. That's a good thing, and it applies to
> any corporation that ships any open source software as part of their
> products. The corporation is responsible for security aspects of said
> product and its part as shipped in that product, which is great.
>
> It doesn't mean that the upstream open source project is now suddenly
> encumbered as a commercial product out of the blue - which is what the
> person I was replying to concluded - because it's plainly and
> obviously not developed solely and exclusively for that commercial
> offering, given it's used everywhere on any Linux image from any
> vendor that you can get your hands on by any means.
>


-- 
Best regards,
    Aigars Mahinovs
