Maarten

I think the way they’ve framed commercial activity is problematic. It’s also inconsistent with other EU legislation where they’ve specifically carved out smaller businesses, which they should be doing here as well.

TLDR – I’m not going to lose sleep if RedHat have to do something, but I really don’t want a small open source software company with a handful of staff to be forced to meet the same criteria as a multi-billion dollar company.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: Maarten Aertsen <maarten@nlnetlabs.nl>
Date: Tuesday, 29 November 2022 at 11:30
To: Michele Neylon - Blacknight <michele@blacknight.com>, opensource-wg@ripe.net <opensource-wg@ripe.net>
Subject: Re: [opensource-wg] concern re: Cyber Resilience Act effects on open source?

hi Michele,

Thanks for taking the time to respond, I really appreciate that.

On 28/11/2022 18:09, Michele Neylon - Blacknight wrote:
> Maybe I’m missing something, but the draft language **excludes** open source software [..]

"Yes*, but with a /very big asterisk/" (quoting from [1]) I am really thankful that an exception, even a limited one, made it at all. And at the same time, this may draw our attention away from the facts that the current proposal: 1. misses an opportunity to actually support the open source work our society depends on (in any way: acknowledgement, incentives to contribute, financial, liability, ..) 2. creates a new barrier to people or projects that move from 100% volunteer-effort to having some income by introducing compliance work that may be hard to be met by small or cash-strapped developers. I'm curious about your thoughts on the concept of "commercial activity" as it applies to software you write or use. I hope my writing on its role in the CRA is of any help. kind regards, Maarten [1] https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/#... -- Maarten Aertsen senior internet technologist, NLnet Labs