{"id":12491,"date":"2023-05-11T15:30:00","date_gmt":"2023-05-11T13:30:00","guid":{"rendered":"http:\/\/plus.maciejpiasecki.info\/index.php\/2023\/05\/11\/the-cyber-resilience-act-introduces-uncertainty-and-risk-leaving-open-source-projects-confused\/"},"modified":"2023-05-11T22:07:42","modified_gmt":"2023-05-11T20:07:42","slug":"the-cyber-resilience-act-introduces-uncertainty-and-risk-leaving-open-source-projects-confused","status":"publish","type":"post","link":"https:\/\/plus.maciejpiasecki.info\/index.php\/2023\/05\/11\/the-cyber-resilience-act-introduces-uncertainty-and-risk-leaving-open-source-projects-confused\/","title":{"rendered":"The Cyber Resilience Act introduces uncertainty and risk leaving Open Source projects confused"},"content":{"rendered":"<p>What might happen if the uncertainty persists around who is held responsible under the Cyber Resilience Act (CRA)? The global Open Source community is averse to legal risks and generally lacks access to counsel, so it\u2019s very possible offers of source code will simply be withdrawn rather than seeking to resolve the uncertainty.<br \/>\nThe CRA rightly addresses the need for commercial suppliers to protect their customers from exploits and cyber attacks. But legislators have exposed the open development of software itself to the regulations rather than just the for-profit use of Open Source artifacts in the marketplace. 
They are\u00a0incorrectly\u00a0assuming that Dirk Riehle\u2019s terminology calling single-company projects \u201ccommercial Open Source\u201d means it\u2019s possible to use the \u201ccommerciality\u201d of an application to distinguish single-company activity from community projects, and by using the\u00a0concepts of proprietary software\u00a0to then define boundaries.<br \/>\nThere will be no escape from this for European projects like\u00a0the Eclipse Foundation, but projects outside Europe \u2014 especially smaller projects \u2014 may just decide to erect geo-blocks and not deliver their work to European IP addresses. CRA-motivated geo-blocks start with needing to seek legal advice because it\u2019s so confusing\/unclear, only then to be told \u201cmaybe,\u201d leaving you to make the decision on your own.<br \/>\nOne response when I raised this was to say that the European Union is a massive and valuable market, and projects would not risk being excluded from it by geo-blocking. But this argument ignores the fact that just because Alice deploys some code profitably in Europe, it doesn\u2019t mean\u00a0Bob in Nebraska\u00a0who wrote the code will share in the profit, whether he\u2019s in business or not where he lives. Open Source licenses do not create a relationship in which financial reward is guaranteed.<br \/>\nGeo-blocks have happened before. Many small global publications\u00a0block access from the EU\u00a0rather than resolve legal uncertainties with GDPR. 
But the risk of CRA-related geo-blocks is much more consequential because reading those sites is optional whereas much Open Source software maintained internationally is woven into the fabric of Europe\u2019s infrastructure.<br \/>\nIn addition, those avoiding evaluating their GDPR responsibilities (or evading them after evaluating them) are likely to fear compliance will impact the benefit they gain from surveillance advertising, while for Open Source developers the perceived risk is of being the target of a punitive bureaucracy for failing to complete paperwork that adds nothing to their work.<br \/>\nIf the confusion persists, Open Source projects will need to thoughtfully consider how to proceed. Disentangling dependencies that choose to pragmatically block Europe will be traumatic; should they be forked or substituted? Things could get very messy. Let\u2019s hope the co-legislators see sense, finally\u00a0talk to the Open Source community\u00a0and address the issues.<br \/>\nThis article first appeared on Webmink in Draft.<br \/>\nImage created by Simon Phipps featured on Webmink in Draft.<br \/>\nThe post The Cyber Resilience Act introduces uncertainty and risk leaving Open Source projects confused appeared first on Voices of Open Source.<br \/>\n<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/plus.maciejpiasecki.info\/wp-content\/uploads\/2023\/05\/b9b32e0991793bd5.png\" width=\"930\" height=\"706\"><br \/>\nSource: opensource.org<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What might happen if the uncertainty persists around who is held responsible under the Cyber Resilience Act (CRA)? 
The global [&hellip;]<\/p>\n","protected":false},"author":48,"featured_media":12492,"comment_status":"false","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-12491","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mp"],"_links":{"self":[{"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/posts\/12491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/users\/48"}],"replies":[{"embeddable":true,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/comments?post=12491"}],"version-history":[{"count":1,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/posts\/12491\/revisions"}],"predecessor-version":[{"id":12493,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/posts\/12491\/revisions\/12493"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/media\/12492"}],"wp:attachment":[{"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/media?parent=12491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/categories?post=12491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/tags?post=12491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}