On Mon, 2023-07-31 at 14:54 -0400, Dick Brooks wrote:

> Thanks for providing your feedback and insights Mike. It seems we agree on two important points:
>
> AGREE: “We can all agree that improving the security of software is necessary. Consumers deserve protections that they currently do not have.”
>
> AGREE: “I agree that the CRA is intended to protect consumers.”
>
> I think we see the EU CRA differently with regard to open-source software and the open-source community.
>
> You assert: “But it is also definitely an attack on open source developers”
>
> I assert: This is a wakeup call that we all need to step up and support the open source community with financial and other resources to ensure they are able to produce “secure by design” software products. This isn’t an “attack” on developers; it’s a call to fix problems with the open source business model that is putting software consumers at risk.
>
> Like you said, “We can all agree that improving the security of software is necessary”, but we cannot do this until we address the open-source business model with financial support that will enable and empower the open source community to produce secure software for everyone. Let’s give the open-source community the respect it deserves and has earned. Let’s find a way to support the open-source software community while we make open source software more secure.
I agree protecting consumers is good and that the CRA protects consumers. What it isn't going to do is give the open source community any respect, quite the opposite.

I don't know of any open source contributor who can take on the risks/liabilities that the CRA asks them to personally. If they can't take them on personally, who is going to? You might say, OK, we need an entity to do that. The trouble is those entities will need something in return; they can't do it for free. The requirement will likely be the license to the code. It is perceived as less risky if they can restrict access to the code, for example. Certainly they'll want more control over it so they can control their liability (understandably). It will more likely than not then no longer be free or open source.

So when people say this puts open source at risk, they are entirely correct. What it will do is remove the things which let open source function and mean it will no longer exist, as it is no longer practical.

I speak as a leader of an open source project which is struggling for resources and as someone struggling with burnout. I would love to make the model more sustainable and there are things in action to help, but this will not help IMO; this would be the point I'm forced to find a new job.

Regards,

Richard

View/Reply Online (#1740): https://lists.spdx.org/g/spdx/message/1740
