The Python Software Foundation (PSF) is unhappy with new EU legislation regarding cybersecurity. According to PSF head Deb Nicholson, open-source developers can be held responsible for flaws in code which they themselves have earned nothing from making.
The EU drafted two laws in 2022 that have not yet been approved by the European Parliament and the European Commission. The Cyber Resilience Act holds software companies responsible for any security weaknesses in their products. In addition, the Product Liability Act ensures that updates that lead to problems with an application may lead to claims for damages.
Too broad
The PSF’s argument is that EU law is too broadly drafted. No distinction is made between large companies that sell software and open-source developers who have no financial interest in their code. Indeed, many commercial products contain open-source code, which may be written in Python, among other languages.
Penalties can go up to €15 million or 2.5 percent of annual revenue, whichever is highest. The genuine threat of such a penalty, according to the PSF, may cause the open-source community to diminish. After all, there is no way to predict what will be done with publicly available code.
While there are exceptions for open-source software in the proposed EU legislation, it does not provide complete certainty. PSF may be a nonprofit organization, but it does offer coding classes and merchandise sales at conferences. This means the group is still engaged in commercial activities, so the law would not protect them.
Fall of big tech
Speaking with The Register, policy expert Bradley Kuhn of the Software Freedom Conservancy reports that a trap is ready to be sprung. Large companies could stand to benefit from the clauses that open-source developers are asking for. “A blanket exemption for open-source developers is an attempt by companies to use this group to circumvent their responsibility.” So the final word has not yet been said on this issue.
Also read: Events, dollars & cents: the state of open source in 2023
7 hours ago
