tux3 a day ago

I will be surprised if the EU CRA results in more F500 companies entering support contracts with their major OSS dependencies, but that would definitely be the ideal outcome.

There's some good pro-consumer intent in this law, but as is often the case the regulators barely understand the ecosystem they're regulating. It was not designed with the massive importance of open-source in mind from the start.

  • kazinator a day ago

    Why would it be the ideal outcome? Not everyone writing open source wants to be at the beck and call of some F500 companies.

    That's likely the outcome that the corporate interests behind EU CRA want: to put a lasso around the neck of open source and have it be something that either serves them, or does not exist.

    • pabs3 7 hours ago

      Under the EU CRA, open source maintainers have no obligations to anyone, unless they have paid contractual relationships with users. If anything, this means open source maintainers now have a revenue source; doing paperwork for things they are probably already doing.

      https://lwn.net/Articles/944300/ https://lwn.net/Articles/1023306/

      • kazinator 5 hours ago

        Paperwork ... just the thing you get into open source for.

        What if you're not probably already doing those things?

        • pabs3 2 hours ago

          Then you either continue to not do those things (with no consequences, except maybe companies asking you to do them, maybe they will offer incentives), or you decide to do those things since they are a good idea anyway.

  • Avamander a day ago

    > I will be surprised if the EU CRA results in more F500 companies entering support contracts with their major OSS dependencies, but that would definitely be the ideal outcome.

    If it's made simple enough (with an EU legal entity), I see it quite likely.

fwlr 18 hours ago

Seems very likely this will lead to “professional repackagers” whose business model is “for a fee you may install our fork of curl and we will promptly reply to emails like this”, unfortunately.

  • akadruid1 10 hours ago

    Red Hat would be smart to get in on this

cyb0rg0 8 hours ago

Really? Asking a third-party dev to vouch for testing counts as risk assessment?

Feels like classic Big-4 CYA checkbox theater.