Save Open Source /-/ the Impending Tragedy of the Cyber Resilience Act

109 points by pseudotrash, almost 2 years ago

10 comments

whartung, almost 2 years ago

> And it is that entire stack which the SME, as the party that places it on the market, is liable for.

This has been a nit of mine as others cry out how I'm a "NIH" curmudgeon for not importing some library because I need, oh, "upshiftFirstCharacter" or some other thing.

Like many, I do incorporate other projects into my own. But, also, I tend to just write my own stuff for "little things", even when they creep into "big" things, as many are wont to do.

And the canard I hoist when challenged on this stuff, I simply point out "We may only be using a small piece of it, but we're responsible for all of it." And point to the trail of jars that simple utility is dragging with it.

There's a lot of pressure for things to have fewer and fewer dependencies. As a Java developer, I strive to rely as much as practical on the JDK and the utilities they provide.

My code is as imperfect as anyone else's. But I watch threads on forums about "how can I do XXX" and what they really mean is "what package do I need to do XXX" rather than just, you know, "doing it". It's a spectrum of complexity, but if I can get away with a simple BlockingQueue instead of loading in some off-the-shelf behemoth for a simple twixt-threads queue, I'm going to do that. Use the stuff I have until it fails before I drag and drop some onerous jar and a boat of dependencies to do the same thing. "This has monitoring and plugins and ...!" "Do we need that?" "...Maybe?" "Well, let's wait and see, shall we?"
jauntywundrkind, almost 2 years ago

This definitely brings out the Accelerationist in me.

Keep making more changes, more regulation, Europe. It'll make an interesting story one day. But only after extreme turmoil & chaos. After the dust settles.

And I don't think these attempts to regulate the planet, to impose your will & shift so much burden onto those doing & making & creating is going to work as you hope. I don't think it will give your societies the safety you think you can demand, and I think the difficulties you are creating are going to cause great suffering for your nations.

I respect your desire for a better, more sensible world, but forever more layering in more and more constraints & burdens on the active agents in your systems has such unfathomable costs.

And you don't have the right. You don't get to tell the entire world how to behave. There are impossible asks, utterly ridiculous, and you make them against everyone. You already have your foot on the floor, speeding us so quickly to breaking.
joshuaissac, almost 2 years ago

> EU lawmakers also realise that open source is often 95% or more of the software stack on which a typical European Small and Medium Enterprises (SME) operates or is licenced.

> it is that entire stack which the SME, as the party that places it on the market, is liable for.

> policy makers assume that these process improvements [...] are costly; on the order of 25% more in cost overhead

> for most European SMEs this extra effort over the full 100% would be several times their engineering effort and hence would not be feasible

> certifying the 5 or 10% of the code they build on top of the open source stack is a lot more achievable.

From what I understand of what the Apache Foundation has written, what the CRA does is to take the certification obligation from the entity that takes the open source products and profits from it, and push it on to the entity that produced the open source software.

So if I have a business that uses a tech stack built on top of Rocky Linux, for example, I only have to certify the part of the stack that I built, and I can push the liability for the rest of the stack to the Rocky Linux vendor, even if I never bought a support contract.
Comment #36791001 not loaded
Comment #36791247 not loaded
rad_gruchalski, almost 2 years ago

The CRA draft has been accepted. I submitted this a couple of hours ago: https://news.ycombinator.com/item?id=36790228.
michaelmrose, almost 2 years ago

What are the implications if an open source library is simply maintained in the US and consumed in the EU?

Does the EU company then need to handle the details of certifying it? Do you end up with an entire industry around companies "importing" open source libraries into essentially a library of usable verified things that companies are then allowed to consume?

Does this end up with EU companies using out-of-date things because it requires certification? How do you avoid it either becoming a rubber stamp with a fee attached, or EU industry being behind insofar as its ability to use technology?

E.g. a US developer can use A, B or C, whereas an EU dev can only use a 2-year-old version of A, which may be less secure for lack of improvements in further versions rather than more secure. Essentially a certified, predictable level of inferiority.

> Some of the obligations are virtually impossible to meet: for example there is an obligation to "deliver a product without known exploitable vulnerabilities".

Is it possible we actually CAN meet something a lot closer to that? There aren't infinite ways to use something, and if the use is novel and out of scope of the library itself, wouldn't that be something out of scope and part of the company's job to certify?

Consider languages and technology that obviate or drastically decrease entire classes of bugs, from memory-safe languages, to comprehensive testing, to static analysis, to more secure OSes like seL4.
Comment #36791047 not loaded
notquitehuman, almost 2 years ago

I don't think IBM could have come up with a better marketing plan for Enterprise Open Source. Unless this is exactly that.
spacemanspiff01, almost 2 years ago

So what I don't get is why they don't have it as two tiers, aka if you make software and sell it, your software and all dependencies must be certified.

The people doing certification must have an active hand in the development process of the specific software component, and, at their option, can charge for certification.

This would allow open source projects that are used in industry to charge for certification labels to the commercial companies that require it. But non-commercial use, which does not need a certified stack, is business as usual.

Seems like it would incentivize funding of open source, right? As long as the fees are low enough, no one will fork. But since only the people maintaining the project can make (and optionally charge for) certifications, it would incentivize knowing your software stack, and paying for maintenance/contributing back.
racked, almost 2 years ago

They all ought to band together and block EU countries from downloading their software until the regulation is changed. Let's see what happens.
Comment #36792350 not loaded
Comment #36791845 not loaded
pxeger1, almost 2 years ago

From what I can tell, it sounds like the lawmakers have the right intentions here. So I'm not too worried that this law will get passed in its current problematic state. Am I naive?
Comment #36792252 not loaded
Comment #36792292 not loaded
Comment #36798523 not loaded
Dah00n, almost 2 years ago

Every law like this is the doom of XYZ, and a week later it isn't. Just like this one.