The European regulators listened to the Open Source communities

Debian statement, Dec 2023, <a href="https:&#x2F;&#x2F;bits.debian.org&#x2F;2023&#x2F;12&#x2F;debian-statement-cyber-resillience-act.md.html" rel="nofollow">https:&#x2F;&#x2F;bits.debian.org&#x2F;2023&#x2F;12&#x2F;debian-statement-cyber-resil...</a><p><i>&gt; Even if only &quot;commercial activities&quot; are in the scope of CRA, the Free Software community - and as a consequence, everybody - will lose a lot of small projects. CRA will force many small enterprises and most probably all self employed developers out of business because they simply cannot fulfill the requirements imposed by CRA. Debian and other Linux distributions depend on their work. If accepted as it is, CRA will undermine not only an established community but also a thriving market. CRA needs an exemption for small businesses and, at the very least, solo-entrepreneurs.</i>

This reminds me very much of the warnings by people like Robert C Martin over a decade ago that unless the software industry adopted better practices for quality and regulated itself regulators would step in. Regulators understand very little about the software process so the laws they are pass are unlikely to be the best way to solve it. Years after those lectures little has changed and now the regulation is coming at an increasing pace.<p>None of this will be good for small software companies, this sort of regulation will entrench the big players as it always does.

&gt; In particular, “digital artisans” using Open Source software at small scale – the main concern of Debian – will need guidance from the European Commission.<p>Sadly I don&#x27;t think it will move, the commission doesn&#x27;t want to weaken the legislation because they don&#x27;t want to much discrepancy between member states.<p>It will once again be up to individual countries to set up this law with their own interpretation.<p>In my experience with Rgpd, the watchdogs in at least 3 countries (France, Italy, Germany) are extremely helpful in navigating regulations, especially if you are incidentally its target (As a PaaS that hosted health data, we were).<p>I understand that this is both unclear, unknowable and a pretty huge risk (not really factually, but it feels like one): I&#x27;m not saying Debian people are wrong to want to clarify, I&#x27;m not saying people should take this as a victory, or that EU is perfect : I&#x27;m just saying that as a complex federation, with current rules, this law will probably be the best we will get, and sadly, local &#x27;forgiveness&#x27; and loose execution is the only thing you can count on.<p>Because in the EU eyes, the law being loose is way, way worse than the local executive power being loose.

If you want to entrepreneur in the software industry, move fast, folks.<p>They&#x27;re closing in and the level of freedom we have today isn&#x27;t likely to exist in years to come.

OT: Anyone have a more useful link to the Apache Foundation&#x27;s statement?<p>All the links to the other statements in the article go to the sites of the organizations they are quoting, but the one for the Apache Foundation goes to something called sandbox-pad.webm.ink.<p>That just gives me an error dialog in Chrome, Firefox, and Safari that says &quot;sframe-boot.js must only be loaded in a nested context&quot; then a shield with a keyhole image fads in over it along with &quot;Loading...&quot; text, and nothing more happens (at least in the 30 minutes I&#x27;ve had that tab open).

I don&#x27;t understand what&#x27;s going on. Could someone give me a birds eye view of what this is about?<p>- What is the regulation aimed at?<p>- What did the open source community communicate?

I think, the CRA might create an incentive for companies not free loading Open Source Software but instead putting money in the open source eco system (though mainly on Security) and that is somehow great!

Doesnt this version still screw up the individual developers or smaller outfits that provide paid addons&#x2F;upgrades to their open source software? It exonerates open source projects that dont engage in any business activity, but holds responsible the &#x27;stewards&#x27; who provide paid services and addons? This would kill a lot of individual software developers and small outfits that fund themselves by selling paid upgrades&#x2F;addons or other services whereas the non-profit projects still remain for major corporations to leech off of them. Added bonus is that the law will eliminate the small competitors of all those major corporations as individual devs and small outfits cant handle the financial burden of this compliance. To make an example from a healthy open source ecosystem: WordPress project would continue without issues, but all the small developers and outfits who make a living by creating plugins, themes and other things for that ecosystem will go kaput.<p>Am I misunderstanding this?

there are improvements but please, the implementations are the test. Regulators, senior politicians and others can and do change the course in implementation phase.<p>this is not over, in any way