Dear all, here I offer yet another perspective on the Cyber Resilience Act (CRA), whose full impact remains poorly understood in our community (not least by me).

My general impression from the draft legislation is that it was written by folk who are either unfamiliar with, or do not understand, software development. The CRA treats software as a finished product that comes out of an assembly line, like a car, or from a food processing plant, like a package of tomatoes. The emergent nature of software (systems) development is blatantly ignored. An understanding of software as an organic entity, constantly evolving and adapting, is simply not present. As such, this legislation is inevitably bound to go wrong at some point.

The main objective of the CRA is to define a set of obligations, liabilities and penalties for software "manufacturers". The concept of manufacturer is well defined in clause 18 of Article 3: anyone that designs, develops, maintains or owns software. Essentially, this legislation makes everyone in this community liable, including the Foundation itself. It is capital to understand this.

Software "manufacturers" thus become liable for certifying that software complies with a myriad of security and privacy requirements. These requirements apply to any software made available to the EU market, either against payment or for free. This is where things are pretty much open for interpretation. In our community the concept of "market" simply does not exist as such; software is shared and co-developed. Services are marketed, for sure, but in general not the software itself. If I push a repository with some research programme to Codeberg, does it become a "marketed" product in the EU?

Some other observations:
- The certification requirements appear densely bureaucratic and expensive to comply with.
- Software must be re-certified for every (major?) release.
- Certification cannot be waived with a Licence. Consider also that many open source licences out there are not legally valid in the EU (hence the EUPL) [0].
- Software not compliant with the CRA can only be available to the "market" for a limited period of time (unspecified).

In a worst case scenario, in which any software publicly available in a code forge is regarded as available to the EU market, I see FOSS4G facing three main scenarios:

1. Large user base projects, e.g. GeoTools, Proj, GDAL, QGis. Eventually these projects will muster the resources to achieve compliance (and set up the mechanisms for recurrent certification). However, considering the bureaucracy involved, and the requirement for compliance of upstream dependencies, certification can easily take years to complete.

2. Middle ground projects, i.e. in which the code base is not oversized vis-à-vis the user/developer community (pygeoapi is a good example). I expect the most challenging part in these cases to be the certification of upstream dependencies. If a core dependency fails to comply with the CRA in a timely manner, the project must be removed from the market. Many of the companies currently providing services around this type of software will either fold or move on to other software that may achieve certification earlier.

3. Projects with a low committer-to-code ratio, mostly stable, legacy projects, maintained by a small community. The best example is GRASS, but projects like MapServer might also fall in this category. I simply do not see how such projects can ever reach compliance. How will it ever be possible to certify the hundreds of modules in GRASS? Including all upstream dependencies?

The current CRA draft has over 40 000 words; for sure I do not grasp it all and have certainly misinterpreted something. However, there are two main points for this community to take stock of:

(i) the CRA has the potential to profoundly impact the collaborative and legal processes we have heretofore been used to. This includes folk outside Europe, as they must at least consider if/how to make software available here.

(ii) uncertainty remains large, especially around the meaning of making software available to the EU market.

At this stage, more than lobbying, the Foundation can have an important role in seeking and diffusing useful and concrete information on the CRA. Hopefully the CRA can take a central role in next year's conference in Tartu.

I hope this was helpful.

Best.

Luís

P.S.: On a more personal perspective, it looks like the CRA largely breaks the Open Science paradigm the EU has been pushing for almost a decade. Left wondering how EU institutions can yield such antagonistic views on software development.

[0] In Europe the concept of "public domain" does not exist legally as in the US, for instance.

_______________________________________________
Discuss mailing list
Discuss@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/discuss