Re: [OSGeo-Discuss] Revamped spatialreference.org

2024-01-09 Thread Even Rouault via Discuss


ESRI used to have the most comprehensive on-line CRS repository, but 
it was taken offline some years back. Therefore spatialreference.org 
is also an important resource to ESRI users.


The raw content is available in their GitHub repository at 
https://github.com/Esri/projection-engine-db-doc/ . That's what PROJ 
ingests regularly to refresh objects under the ESRI authority (which are 
now available on spatialreference.org).


--
http://www.spatialys.com
My software is free, but my time generally not.
___
Discuss mailing list
Discuss@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/discuss


Re: [OSGeo-Discuss] Cyber Resilience Act staying informed on updates

2023-12-06 Thread Even Rouault via Discuss

Hi Jody,

thanks for the update.

The clarification of point 3 is still fuzzy to me. What do they actually 
mean by "monetised by manufacturers"? Is monetizing only when the 
software is open source but people have to pay to use it on SaaS or 
similar models? Otherwise, if it is about money being involved in the 
making of the open source software, then that contradicts the second 
point that how the development was financed shouldn't be taken into 
account to determine commercial activity... Is consulting about open 
source software "monetizing" it...?


Even

Le 06/12/2023 à 16:09, Jody Garnett via Discuss a écrit :
Follow up to November discussion and blog post asking OSGeo community 
to be informed.


 1. At the end of November, European lawmakers agreed on something:

https://www.consilium.europa.eu/en/press/press-releases/2023/11/30/cyber-resilience-act-council-and-parliament-strike-a-deal-on-security-requirements-for-digital-products/


Free and open source was so far down the priority list that the
press release does not even mention it.


 2. Next there were assurances that free and open-source community
concerns were addressed:

https://www.europarl.europa.eu/news/en/press-room/20231106IPR09007/cyber-resilience-act-agreement-with-council-to-boost-digital-products-security


The quote did indicate how our concerns were addressed:

> We have ensured support for micro and small enterprises and
> better involvement of stakeholders, and addressed the concerns of
> the open-source community, while keeping an ambitious European
> dimension.


 3. This week I can find articles providing clarifications that have
been added:
https://openforumeurope.org/eu-cyber-resilience-act-takes-a-leap-forward/


Two clarifications:

> the provision of free and open-source software products with
> digital elements that are not monetised by their manufacturers is
> not considered a commercial activity

> The mere circumstances under which the product has been
> developed, or how the development has been financed should
> therefore not be taken into account when determining the
> commercial or non-commercial nature of [making free and
> open-source software available on the market].


—
Jody



--
http://www.spatialys.com
My software is free, but my time generally not.


Re: [OSGeo-Discuss] EU Cyber Resilience Act - potential impacts on open geospatial software?

2023-08-19 Thread Even Rouault via Discuss

Hi,

I've drafted some personal notes in a pad 
https://annuel2.framapad.org/p/osgeo_cra-a2r1 if that may help for 
further action. Feel free to drop yours into it (anyone with the link 
should have edit rights).


I most certainly have misunderstood some things, and the formulation is 
too naive to be reused directly.


The more I read the actual text of the act, the more it scares me. There 
is no way unpaid volunteers can comply with that (just look at the 
"CONTENTS OF THE TECHNICAL DOCUMENTATION" in Annex V, and consider such 
documentation may potentially have to be written in an official language 
of each member state). Even with funding, this would require specific 
expertise, and a serious revamp of our processes, which might end up 
being just incompatible with how OSS works.


Even

Le 18/08/2023 à 12:39, Angelos Tzotsos via Discuss a écrit :

Hi all,

We are planning to make a community meeting about the EU CRA, so we 
can discuss our action plan forward.


The meeting is planned for Tuesday 22 Aug 13:00 UTC in our Jitsi room:
https://meet.jit.si/OSGeo

Best,
Angelos

On 7/22/23 00:20, Adam Steer via Discuss wrote:

Hi OSGeo

The European Union's proposed Cyber Resilience Act has just come to the
attention of many non-EU folks as a potential dampener on open source
geospatial software development and usage. A summary from GitHub is here
(thanks Marco Bernasocchi for pointing it out):

https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/ 



It's being discussed in the OSGeo board, and some responses from other
open source organisations have already been made, for example:
https://newsroom.eclipse.org/news/announcements/open-letter-european-commission-cyber-resilience-act 



It would be great to hear your thoughts on the impact of the proposed
legislation on open source geospatial software development across the
globe  - so we can form an appropriate community response as soon as
possible. What are your thoughts?

Yes, we're late in getting our attention on to this. Hopefully not too
late.

Thanks,

Adam

--
Dr. Adam Steer
OSGeo director





--
http://www.spatialys.com
My software is free, but my time generally not.



Re: [OSGeo-Discuss] [Board] EU Cyber Resilience Act - potential impacts on open geospatial software?

2023-08-18 Thread Even Rouault via Discuss




However you do not have to be the distributor -


Wondering if I'd be a "manufacturer" instead? There are many 
obligations for the manufacturer in the CRA...


"'manufacturer' means any natural or legal person who develops or 
manufactures products with digital elements or has products with digital 
elements designed, developed or manufactured, and markets them under his 
or her name or trademark, whether for payment or free of charge;"


So because of the end precision, "markets them under his or her name or 
trademark", maybe not me, but the project / OSGeo itself.



the customer self-serves from the open-source distribution. In this 
case the project - specifically the steering committee (acting on 
behalf of osgeo) are on the hook for a lot of these reg requirements.


That's a major issue. Members of steering committees are unpaid 
volunteers. They are more or less active. With our current organization, 
they are not in a capacity to face regulation requirements. Basically 
that would mean that projects should have salaried members, at least 
part-time, to do that.



--
http://www.spatialys.com
My software is free, but my time generally not.



Re: [OSGeo-Discuss] [Board] EU Cyber Resilience Act - potential impacts on open geospatial software?

2023-08-18 Thread Even Rouault via Discuss


Le 18/08/2023 à 20:50, Jody Garnett via Discuss a écrit :
Thanks for setting that up, can we add it to the website as an event 
or news item? That way it can be shared on social media and email lists.


The missing voice on this discussion (and osgeo in general) is the 
small and medium business owners.


A whole bunch of the concern is the impact on small and medium 
business owners. We have not yet heard from our service providers and 
sponsors on this subject.


I count as a small business owner, actually a one-man company, and 
service provider, and I'm indeed really concerned by the CRA.


Seeing obligations of reporting security events within a 24h delay makes 
me believe that I will have no right to any vacations... The whole 
text seems to have been written with quite large software companies in 
mind, with sufficiently big teams so they can organize on-call teams.


It is also completely inadequate to make a service provider responsible 
for the whole codebase: if I charge a customer for an enhancement in a 
part of the software, is it legitimate to make me bear what happens in 
other places of the code base I may possibly not have written? The text 
possibly doesn't imply this (but then it becomes fun to determine who is 
responsible to respond to a given security event), but such scenarios 
specific to the open source decentralized model are not detailed, so we are 
in the legal uncertainty domain...


Also the obligations linked to the lifetime of a version are written 
with companies in mind that have regular income from licensing fees and can 
actually take a part of them to organize security monitoring and 
response. Service providers don't necessarily have recurring income 
sources linked to a software, given that they charge for the labor (one 
time event) but not usage (long-term event). What happens if I'm no 
longer involved with a software: am I still liable for what I wrote in 
the past, and people still use for free, but I should still bear the 
costs while no longer getting any related revenue?


Even

--
http://www.spatialys.com
My software is free, but my time generally not.



Re: [OSGeo-Discuss] EU Cyber Resilience Act - potential impacts on open geospatial software?

2023-07-21 Thread Even Rouault via Discuss

Hi Adam,

I'm not sure if we can come up with a completely novel analysis of the 
Act compared to what other foundations have already done, but 
looking around the various resources and analyses, this is very 
worrisome if the text were to pass in its current form (especially the one 
of the EU Parliament. Apparently the version of the EU Council would be 
better for open source). The open source exemption is really just for 
"hobby open source" projects.


Most OSGeo projects would be in scope:

- because of what they do: "This Regulation applies to products with 
digital elements whose intended or reasonably foreseeable use includes a 
direct or indirect logical or physical data connection to a device or 
network."

- due to how they are developed: projects who receive contributions from 
sponsored/corporate contributors are in scope, since those are 
considered as commercial activities.


Like all legalese, fully understanding the implications is hard, but my 
understanding is that for OSGeo projects, OSGeo could potentially be 
considered as the 'manufacturer' for its graduated projects ("means any 
natural or legal person who develops or manufactures products with 
digital elements or has products with digital elements designed, developed 
or manufactured, and markets them under his or her name or trademark, 
whether for payment or free of charge;") and be subject to the various 
obligations of the text:


- CE Marking (the analysis of the Eclipse Foundation goes to "all open 
source foundations should be responsible for CE Mark conformance": cf. 
https://youtu.be/AmsM5_5QO5A?t=1577)


- active look up of vulnerabilities and associated obligations of 
declaring them to ENISA (the EU body that will be in charge of that),


- making sure to not deliver products with exploitable vulnerabilities 
(nice idea, but when combining lots of software, definitely an effort to 
put in)


- specific documentation obligations

- constraints in the design

- etc.

Or perhaps the manufacturer could be each sponsored/corporate 
contributor, in particular the ones that would qualify as main 
contributors?


The real novel aspect of the text is that it places tons of obligations 
on open source software (whose license mentions it is delivered "as is", 
and which is generally distributed free of charge) that would fall in 
the scope of the regulation, for which neither the way projects/their 
supporting organization operate nor their economics is prepared.


Perhaps a minimum form of support from OSGeo could be to add its 
signature to public positions already taken by well known open source 
foundations such as Mozilla, Apache, Eclipse, etc.


GitHub published amendments for the text 
(https://github.blog/wp-content/uploads/2023/03/GitHub_Position_Paper-Cyber_Resilience_Act.pdf) 
that try to reduce the scope of open source projects to only those which 
are provided as paid or monetized products (the usual definition of 
commercial activity after all!), which also seems worth supporting.


Even


Le 21/07/2023 à 23:20, Adam Steer via Discuss a écrit :

Hi OSGeo

The European Union's proposed Cyber Resilience Act has just come to 
the attention of many non-EU folks as a potential dampener on open 
source geospatial software development and usage. A summary from 
GitHub is here (thanks Marco Bernasocchi for pointing it out):


https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/

It's being discussed in the OSGeo board, and some responses from 
other open source organisations have already been made, for example: 
https://newsroom.eclipse.org/news/announcements/open-letter-european-commission-cyber-resilience-act


It would be great to hear your thoughts on the impact of the proposed 
legislation on open source geospatial software development across the 
globe  - so we can form an appropriate community response as soon as 
possible. What are your thoughts?


Yes, we're late in getting our attention on to this. Hopefully not too 
late.


Thanks,

Adam

--
Dr. Adam Steer
OSGeo director






--
http://www.spatialys.com
My software is free, but my time generally not.
