Correct. And I agree with that effect:

* a company paying the salary of a developer that contributes to an open source project outside of the commercial activity of the company does *not* expose the company to extra requirements
* a company taking *any* software, including open source software, and selling a product based on that or related to that, to EU customers, *will* be required to think more about safety (regardless of who it employs and for what)

The *one* negative impact I can see of this legislation is the impact on small integrators that were used to being able to go to a client company, install a bunch of Ubuntu Desktop workstations, set up an Ubuntu Server for SMB and also to serve the website of the company, take a one-time fee for their work and be gone. Now it would have to be made clear - who will be maintaining those machines over time, ensuring they are patched with security updates in time, upgraded to new OS releases when old ones are no longer supported and so on. This, over time, will reduce the number of forgotten and bit-rotting systems on the networks that provide tons of known security holes for attackers. Who will take the responsibility is still open - would that be the end customer itself, would that be the system integrator that installed the systems for them, can they maybe have a contract with Canonical for such support or some other company providing such services specifically for the EU. How much would that cost? How would that cost compare to similar agreements on the Windows side? Lots of interesting questions. But at no point does any responsibility get automatically assigned to, for example, Debian or individual open source developers.

On Mon, 13 Nov 2023 at 14:03, Luca Boccassi <bl...@debian.org> wrote:
> On Mon, 13 Nov 2023 at 12:57, Aigars Mahinovs <aigar...@gmail.com> wrote:
> >
> > True, the employment status is irrelevant. However, in this example Microsoft will actually have the liability of
> > providing the security assurances and support for systemd and related systems, because they are providing
> > images of such systems as part of their commercial offering on the Azure cloud platforms. And that will be
> > true regardless of the employment status of a few developers.
> >
> > A company that does not provide any Linux system services to EU customers, like some integrator operating
> > just in Canada, would not have such exposure and thus would not incur any such obligations.
>
> Yes, but they have to do that *as part of that commercial product*,
> which is not systemd, it's whatever product uses it, together with the
> Linux kernel, glibc, gcc, etc. That's a good thing, and it applies to
> any corporation that ships any open source software as part of their
> products. The corporation is responsible for security aspects of said
> product and its part as shipped in that product, which is great.
>
> It doesn't mean that the upstream open source project is now suddenly
> encumbered as a commercial product out of the blue - which is what the
> person I was replying to concluded - because it's plainly and
> obviously not developed solely and exclusively for that commercial
> offering, given it's used everywhere on any Linux image from any
> vendor that you can get your hands on by any means.

--
Best regards,
Aigars Mahinovs