
I am not an author of a popular OSS project so my view is probably distorted, but as an OSS developer would you give a dime about legislation like this?

Edit: It made me think, how would the legislator ensure the legislation is implemented? Would they start requiring escrow so they can check by themselves if software is developed to the correct security standard?



If compliance costs and liability were shuffled onto developers working for free, I'm pretty sure you'd see a sudden drop in EU OSS development.


Developers working for free are explicitly exempt. The article lays out that the carve-out has issues and those should get resolved, but fundamentally it‘s there.


What happens if say, an employee of Amazon, Google, or Netflix, contributes changes to my OSS app?


What happens with EU-based developers that work on OSS projects while on a company’s dime? I.e. said company doesn’t have any direct relation with that project, but wants to support it by paying some of its developers to put in the work. Or to developers that receive Patreon money based on their OSS projects? It can get pretty murky pretty fast.


Example: I contributed to the Elixir version of faker years ago. My customer allowed me to issue a PR with the Italian translations and it was accepted. This is clearly commercial because my customer was paying me and I was working at a commercial service. With this legislation I think they wouldn't let me send the PR (because maybe they would have had to pay for the certification) and/or it wouldn't be accepted (because the costs could be on the project.)


Then they’re no longer working for free. Those are exactly the issues this article is discussing - but that’s not the point the parent poster was alluding to. They specifically mentioned "for free."

However, if you build security critical software and get paid to do so it‘s not entirely unreasonable to require some sort of certification. You can‘t just build medical devices for money either without some sort of regulation. Or produce food for money. Or repair cars for money.


OSS contributions aren't ever explicitly security-critical software:

"THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ...... "

It is on the user (or a third party certification authority) to accept any liability for the quality of the software.


You cannot waive such rights in many jurisdictions, and such clauses are void there. Even where you can generally waive such warranty rights as a buyer in a contract, such waivers may still be curtailed in allowed scope. That includes most US states, too. E.g. if you sell a consumer product that's shoddily made and unfit for purpose and it blows up and injures its user, a signed contract where the buyer fully waives all implied warranties for fitness of purpose and accepts full responsibility -- caveat emptor! -- is probably void, and you are probably on the hook anyway.

> Limitation of consequential damages for injury to the person in the case of consumer goods is prima facie unconscionable

https://www.law.cornell.edu/ucc/2/2-719


Are there instances where OSS contributors were found liable for major losses? (Heartbleed would seem like the kind of thing that could do it.)

If so, I'd expect it to summarily obliterate the OSS world.


As I understand it, at least with contract law in common law jurisdictions, simply writing and freely posting OSS would not fall under this; a warranty is an implied part of a contract, and there is no contract that exists between the authors, and those who receive copies. No contract, no sale, no warranty. (A licence is not a contract, at least in some common law jurisdictions. But licences are contracts in civil law jurisdictions, usually...)

This would, however, not remain true if you're actually dealing with your users in a way that establishes mutual obligations (be careful you don't fall into a contract unawares!) Providing support for pay would do it, for example.


That law would override any such disclaimer by the seller (or other kind of "commercial producer") of OSS software. What is "critical" is determined by the catalogue of critical software categories.


Which would move up the chain to all dependencies of a critical project.

Libc, clang/gcc, whatever. Needs to be audited.

Perhaps they require the “integrator” to perform the audit or maybe the fact someone provides software which can be useful in critical environments is enough to signal an implied warranty and they are on the hook for compliance. Nobody knows until it all goes through costly legal procedures where everyone is trying to cover their asses and pass the buck.

I’m waiting for the day where FLOSS devs are greeted at EU airports by process servers because they released some software while in college and it got used in some critical software.


No, the draft requires the purpose of a software to be declared. So if you declare Linux to be a terminal emulator, not an operating system, and only sell/import/distribute it as such, you only need to comply with the somewhat easier self-certification requirements for non-critical software.

However, that declaration of purpose of course binds all other users/distributors of Linux, if they should dare to use or bundle it as a desktop, server or mobile operating system, they are doing so outside the original certification and need to have the required audit for critical software performed.

That, as far as I read it, also means that something like GCC, which is unambiguously a compiler, isn't critical and need not be audited, only self-certified, even if used to compile a critical software component.


> Developers working for free are explicitly exempt.

The problem lies, among other things, in the fact that a business activity might be assumed even if one does not explicitly receive money for the software directly, but indirectly. For example via donations, ads on the download website, using it for self-promotion, paid consultancy, selling tutorials, ...


"[inside] the course of a commercial activity" "Commercial activity is understood as providing goods in a business related context."

Secondary self-promotion, donations and ads are imho not "providing goods in a business-related context". Paid consultancy and selling tutorials might be though, but I assume that judges will rule on that if it comes to it and I assume that they will set some monetary boundary up to which this still counts as "outside the course of commercial activity".


If "business-related" means: "what contributes to earn you money", then they are. The boundary is typically not the amount of money, but whether there is an intention to make a profit over a longer period of time.

So if you have a permanent website for your open-source product to promote some other product or service, or ask for donations or put ads on the site, you intend to make a profit out of your open-source product. (Almost?) every possible answer to the question "How can I generate revenue with my open source project?" describes a business related context.


As long as you’re not financially profiting from the project, the legislation does not affect you. The moment you do financially profit from it (for example, if you have a business around it, or the software is developed by a business), then things get a little more complicated - if you have no clients in the EU and don’t market or sell to the EU, you can mostly just ignore this. If you do, then you probably have to care about this.


You're saying this so definitively even though you can't know that what you're saying is true, based on the article:

> In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. [..]

> Commercial activity is understood as providing goods in a business related context. Non-profit organisations may be considered as carrying out commercial activities if they operate in such a context. This can only be appreciated on a case by case basis taking into account the regularity of the supplies, the characteristics of the product, the intentions of the supplier, etc. In principle, occasional supplies by charities or hobbyists should not be considered as taking place in a business related context.

> Open-source software is provided both within and outside of business related contexts. And the 'occasional supplies' exception in this quote seems to be of limited use to projects society comes to depend on. Would you consider an open-source operating system (MINIX) that has been freely available for 35 years an 'occasional supply'? What does its integration in all Intel processors since 2015 mean for being 'goods' outside a 'business related context'? How about the BIND project, a staple of open-source core Internet infrastructure shipping for 40 years?

This feels like a huge issue to me and that's before considering how most OSS we use everyday is worked on by full-time employees as a part of their jobs.


If you release TerminatorOS which is an experimental OS for AIs hellbent on destroying the world, you are fine.

If someone uses TerminatorOS and you did not sell it to them, they will be responsible for its use, you are fine.

If you start terminator.io, a startup that sells TerminatorOS powered drones that shoot you in the face, you are not fine and need to comply.

In the same way, if BIND starts BIND.io to sell Bind-as-a-Service, then they'll have to be compliant. If BIND is found to be run at 90% by AWS with AWS paid employees, they won't need to be compliant. Otherwise, you'll be fine.

Source: this is not the US, European law takes context into account.


What if I've already released TerminatorOS for free and would prefer not to leave my users in the EU high and dry, but I also don't want to start a business or spend my free time dealing with legalese while getting nothing in return?


If you are not selling it to your EU users, you are fine. If you are selling it to EU users, leave them high and dry and offer no support. They can still clone it and run it on their own.

It's really the same thing as selling non-certified products in Europe. If you are a registered EU business, you have to sell CE certified products, so we know that you're not going to burn my house down. If I buy from Alibaba an LED strip that draws 500W and ends up burning my house down, it'll be my fault, the seller was in China and I knew what I was getting into.


It's pretty clear from the part you quoted yourself.

> open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation.

You take an upstream, free, non-commercial product and you SUPPLY it as part of the solution. You are responsible for the conformity.


Is a 10€ donation profit? Is a recurring 900€ donation profit? I already have to pay taxes on these donations.

Donors get “perks” for the donations, so the receiver is essentially selling these perks and services.

At what point am I responsible for every single module I’ve ever produced because I received X000€ in donations this year?


Any kind of commercial gain can be considered "profit". 10ct/month from an ad banner is considered a commercial activity in Germany and courts treat it as such, with consequences like Impressumspflicht (need to publish personal data, tax number, phone and fax number of the person responsible for a website) and DSGVO applicability. Same for indirect "profit": there have been judgements that considered blogging a commercial activity if the topic of the blog is similar to the day job of the blogger because the blog is considered an advertisement to a future employer or customer.

Therefore I would consider any kind of open source contribution by an IT professional a commercial activity. Only if the open source contribution is strictly a hobby and your normal job involves nothing IT-like at all would you maybe be safe.


Is having your name on a project “profiteering”? Is publishing a project to sustain the reputation of a conference speaker made as a sidekick, profiteering?


Yes. All money is profiting, doesn't matter if it's a donation or a sale.


That is not true - donations are not usually considered profit, at least in Germany. They occupy a bit of a weird middle ground. They may count as income, but for example donations we receive for the open source projects that our company runs are VAT exempt. However, they must be true donations and not provide material benefit - if the donations provide any substantial benefit (priority when considering features or bug fixes, access to special features, …), then it’s no longer donations but services. Things like a mention on a supporter page, occasional swag and stickers, … are usually fine.

As always, talk to your tax accountant about your specific case, this is not legal or tax advice, …


You seem to be conflating being eligible for vat with income that would qualify as “profiting”. Profiting just means you benefitted. And taxable income is nearly always profiting.


OK, so to my untrained eye it looks like putting a roadblock in front of small software startups.


that's what the EU does

all legislation is designed for Mittelstand (medium sized german companies)

tax, privacy, communications, employment, now software

this was seen with the VAT changes: it was raised that this would badly affect small companies, so they passed the legislation then penciled a meeting in for 3 years time to maybe think about small companies

in general: if you're a small company: fuck you


Yeah, and you can bet the audits will just be some box-ticking nonsense like always.


As if GDPR hasn't put enough already.


I thought about that after writing my comment...


FUD. Unless you are asking for personal data that is not necessary to provide the service the GDPR doesn't affect you or require you to do anything.


False. In many cases you might be collecting it in the first place without realizing it (e.g. analytics). Also it's a problem for developing anything to spend a lot of time thinking "would this violate GDPR" instead of actual creative thinking and development.

I don't remember how many DAYS we've collectively lost in all the apps we're making, to make sure we comply with GDPR instead of focusing on productivity.


You are collecting analytics without realizing it?


> if you have no clients in the EU and don‘t market or sell to the EU, you can mostly just ignore this

If you're not located in the EU, what can they really do even if you do have paying clients in the EU?


Go after your clients or the money the clients send you.


So it sounds like there is no point in complying ahead of time, as if they do come after you they would just get future payments, in which case you can close up sales in that region.


Someone tried this recently. We even had at least one discussion on it. Someone with a better memory could chime in. Mine isn't great.


Say I'm an EU company. I use a small bit of GPL code in the course of my business, and I see a problem with it, so I change the code, fix the bug/add a feature/etc, push it back. Does that count as profiting from it?

I could instead not push it back, which is less immediate risk


> As long as you‘re not financially profiting from the project, the legislation does not affect you.

As highlighted in the article, "commercial activity" is what triggers the legislation, not profit, and it's a broader concept.

Note also this section on page 34:

‘making available on the market’ means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;


By "profit" do we mean turning a profit? Or simply charging for your service?


Supposedly, if this legislation passes then the EU will be within its rights to ask GitHub or any such platform to remove completely or to block OS projects that do not meet the EU’s new security criteria.

Take what I’m saying with a huge grain of salt, cause I’m also not an OSS contributor nor do I work with tech-related legislation.


This sounds like future I'm not sure I would like to live in... Would Linux be developed if such legislation existed..?
