On Thu, Nov 23, 2023 at 10:30:01AM +0000, Luca Boccassi wrote:
> On Wed, 22 Nov 2023 at 20:35, Bart Martens <ba...@debian.org> wrote:
> >
> > On Wed, Nov 22, 2023 at 06:46:06PM +0000, Luca Boccassi wrote:
> > > On Wed, 22 Nov 2023 at 09:28, Bart Martens <ba...@debian.org> wrote:
> > > >
> > > > On Tue, Nov 21, 2023 at 09:14:05AM +0100, Thomas Goirand wrote:
> > > > > I feel like we're getting trapped by big corp and their lobbying
> > > > > power, and we need to use stronger words.
> > > >
> > > > Probably in a different way. I'd rather prefer Debian to defend the
> > > > DFSG, including DFSG 6. If the EU were to draw a line for compulsory
> > > > liability, then it should not be between commercial and nonprofit,
> > > > but rather between FOSS and non-FOSS. For example, in my opinion
> > > > "awscli" is FOSS, and the usual liability disclaimer in FOSS licenses
> > > > should also be valid for "awscli". This is, in my understanding, a
> > > > different opinion than discussed so far, right?
> > >
> > > That would not be a good outcome. Just because a smartphone ships open
> > > source software, it doesn't mean its vendor should get away with not
> > > providing security updates after a few months, causing the phone
> > > owners to lose their data or worse.
> >
> > That is a different case. The user of a smartphone depends on the vendor for
> > keeping the smartphone safe for use during a reasonable time after purchase.
> > I follow you on that.
>
> It's not really different, if you can get out of security maintenance
> of some software just because of its license, then it affects any
> product using software. That would be quite an obvious loophole to
> take advantage of, and that's probably why the distinction in these
> regulations is never on the license, but on whether it's a commercial
> activity or not.

Well, I think that the CRA & PLD are meant to cover such loopholes. The CRA & PLD are useful when they introduce compulsory liability for closed products entirely, also when those products contain pieces of FOSS. The criterion is that the FOSS is embedded in a closed product, so the user of the product relies on the product manufacturer for updating that FOSS.