Hi Adam,

I'm not sure if we can come up with a completely novel analysis of the Act compared to what other foundations have already been done, but looking around the various resources and analysis, this is very worrisome if the text would pass in its current form (especially the one of the EU Parliament. Apparently the version of the EU Council would be better for open source). The open source exemption is really just for "hobby open source" projects.

Most OSGeo projects would be in scope:

- because of what they do: "This Regulation applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network."

- due to how they are developed: projects that receive contributions from sponsored/corporate contributors are in scope, since those are considered commercial activities.

Like all legalese, fully understanding the implications is hard, but my understanding is that for OSGeo projects, OSGeo could potentially be considered as the 'manufacturer' for its graduated projects ("means any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge;") and be subject to the various obligations of the text:

- CE Marking (the analysis of the Eclipse Foundation goes as far as "all open source foundations should be responsible for CE Mark conformance": cf. https://youtu.be/AmsM5_5QO5A?t=1577)

- active look up of vulnerabilities and associated obligations of declaring them to ENISA (the EU body that will be in charge of that),

- making sure not to deliver products with exploitable vulnerabilities (nice idea, but when combining lots of software, definitely an effort to put in)

- specific documentation obligations

- constraints in the design

- etc.

Or perhaps the manufacturer could be each sponsored/corporate contributor, in particular the ones that would qualify as main contributors?

The real novel aspect of the text is that it places tons of obligations on open source software (whose licenses mention it is delivered "as is", and which is generally distributed free of charge) that would fall in the scope of the regulation, for which neither the way projects/their supporting organizations operate nor their economics is prepared.

Perhaps a minimum form of support from OSGeo could be to add its signature to public positions already taken by well-known open source foundations such as Mozilla, Apache, Eclipse, etc.

GitHub published amendments for the text (https://github.blog/wp-content/uploads/2023/03/GitHub_Position_Paper-Cyber_Resilience_Act.pdf) that try to reduce the scope of open source projects to only those that are provided as paid or monetized products (the usual definition of commercial activity, after all!), which also seem worth supporting.

Even


On 21/07/2023 at 23:20, Adam Steer via Discuss wrote:
Hi OSGeo

The European Union's proposed Cyber Resilience Act has just come to the attention of many non-EU folks as a potential dampener on open source geospatial software development and usage. A summary from GitHub is here (thanks Marco Bernasocchi for pointing it out):

https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/

It's being discussed in the OSGeo board, and some responses from other open source organisations have already been made, for example: https://newsroom.eclipse.org/news/announcements/open-letter-european-commission-cyber-resilience-act

It would be great to hear your thoughts on the impact of the proposed legislation on open source geospatial software development across the globe - so we can form an appropriate community response as soon as possible. What are your thoughts?

Yes, we're late in getting our attention on to this. Hopefully not too late.

Thanks,

Adam

--
Dr. Adam Steer
OSGeo director

_______________________________________________
Discuss mailing list
Discuss@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/discuss

--
http://www.spatialys.com
My software is free, but my time generally not.
