I believe our industry needs regulations and liability, but the CRA could be dangerous. (See my comment at [1].)

There is a better way [2], but I don't know how we would convince politicians that there is a better way.

[1]: https://news.ycombinator.com/item?id=38788919

[2]: https://gavinhoward.com/2023/11/how-to-fund-foss-save-it-from-the-cra-and-improve-cybersecurity/
> CRA will force many small enterprises and most probably all self employed developers out of business because they simply cannot fulfill the requirements imposed by CRA.

Isn't that the idea? If you can't innovate, litigate - see regulatory capture [1].

We hold the power, not the EU. Debian, FOSS developers, and small businesses world-wide should block EU IP addresses. No more Linux, no more Python, no more nothing. When the EU's digital infrastructure begins crumbling they'll change their tune.

[1] https://en.wikipedia.org/wiki/Regulatory_capture
And don't skip over the part where they want developers to report any zero-days you discover to them within 24 hours so they can use them as exploits against innocent civilians not involved in any crime. And yes, the Netherlands changed the law recently so they can do this without requiring any judge involved. And yes, they are allowed to hack people not involved with any crime as well. As well as changing the law in 2020 so all of government, including their prosecutors, may lie in court under oath and not be held liable.

And then they want other people to be accountable; how about government be accountable first.
A lot of folks seem very angry about this and are making some broad statements with no specific citations. Can someone please give me a specific quote from the bill and explain how that will for sure be detrimental to open source projects?
It’s time for governments to have more responsibility. The Cyber Resilience Act pushes a 15,000,000 euro penalty onto software developers. How much liability does government have for anything bad they do? First, it’s extremely difficult to get them to be responsible for anything. Then, in the Netherlands, any liability would be a pittance. Nothing like 15,000,000 euros.
Maybe change the link to the actual result, rather than 2nd-hand reporting?

https://www.debian.org/vote/2023/vote_002#statistics

(No matter how good LWN's original journalism is, this is just a news link that does little more than link to the source itself)
It’s time for everyone to put a clause in their licenses banning direct and transient free use of their software for governments.

I have two projects and added such a clause in protest.
The Debian team announcement is on the right track.
Asking freelancers and free software groups to face the same measures and fines as big tech companies is unfair competition.
The E.U., of course, was never friendly to free software [1].
The bureaucratic and neoliberal extremists that are in the lobby of Brussels will always try to destroy free and independent creation.

[1]: https://totsipaki.net/ikiwiki/nparafe/posts_en/posts/Can_European_union_save_free_software/
Given that this will affect costs by one, maybe two orders of magnitude, why would any developer want to do business with the EU?

Is disqualifying EU users even possible?
Obviously it wouldn’t work for a project as large as Debian, but I wonder if there is some exclusion clause that can be inserted that forbids all users that would be covered under the Cyber Resilience Act from using the software?
> It's very unfortunate to see such anarcho-capitalist FUD being voted as the preferred option, on such a low turnout.

Posted Dec 27, 2023 19:32 UTC (Wed) by bluca (subscriber, #118303)

Can someone explain to me what in the statement from Debian is "anarcho-capitalist FUD"? I find it quite reasonable overall.
This makes a lot of sense if you follow judgements internationally.

Last year in the UK the creator of BitCoin won a multi-billion pound judgement against usurper "open source" developers who refused to alter the protocol to allow him to recover coins a hacker took from him.

Developers have a duty of care to their users which no license can remove even if they are communists calling themselves "open source". You either make good software and comply with your duty or you will be ruined. That is the law.
Small businesses and solo-entrepreneurs have to deal with liability and permits all the time in other fields, even actual street bazaars for that matter, exception being when there is some "flexibility" between the laws and how they happen to be applied.
What about the CRA is so bad? The requirements seem like common sense. Can anyone point out something specific that seems overly onerous? Debian couldn't...

Our industry desperately needs better regulations, IMO.
Additionally, there's nothing wrong with what we have now. So there are some security flaws. But we have really fancy mobile phones and an amazing Internet.

Now rewind to 1990 or so. Add a Cyber Resilience Act. At best we maybe have a phone about as advanced as an old Nokia. But yeah, maybe hardly any cyber security flaws, because the Internet would hardly function.

Instead of thanking all of the millions of developers who contributed to this, they proceed to kick them in the teeth and enact laws to steal from them in principle by raising the cost of entry.
> CRA will force many small enterprises and most probably all self employed developers out of business because they simply cannot fulfill the requirements imposed by CRA. Debian and other Linux distributions depend on their work.

If Debian depends on people's work so badly maybe they should pay for it.