Maarten

I think the way they’ve framed commercial activity is problematic.

It’s also inconsistent with other EU legislation where they’ve specifically carved out smaller businesses, which they should be doing here as well.

TLDR – I’m not going to lose sleep if RedHat have to do something, but I really don’t want a small open source software company with a handful of staff to be forced to meet the same criteria as a multi-billion dollar company.

 

Regards


Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com/

https://blacknight.blog/

Intl. +353 (0) 59  9183072

Direct Dial: +353 (0)59 9183090

Personal blog: https://michele.blog/

Some thoughts: https://ceo.hosting/

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland  Company No.: 370845

From: Maarten Aertsen <maarten@nlnetlabs.nl>
Date: Tuesday, 29 November 2022 at 11:30
To: Michele Neylon - Blacknight <michele@blacknight.com>, opensource-wg@ripe.net <opensource-wg@ripe.net>
Subject: Re: [opensource-wg] concern re: Cyber Resilience Act effects on open source?

hi Michele,

Thanks for taking the time to respond, I really appreciate that.

On 28/11/2022 18:09, Michele Neylon - Blacknight wrote:
> Maybe I’m missing something, but the draft language **excludes** open
> source software [..]

"Yes*, but with a /very big asterisk/" (quoting from [1])

I am really thankful that an exception, even a limited one, made it at all.

And at the same time, this may draw our attention away from the facts
that the current proposal:

   1. misses an opportunity to actually support the open source work our
society depends on (in any way: acknowledgement, incentives to
contribute, financial, liability, ..)
   2. creates a new barrier to people or projects that move from 100%
volunteer-effort to having some income by introducing compliance work
that may be hard to be met by small or cash-strapped developers.

I'm curious about your thoughts on the concept of "commercial activity"
as it applies to software you write or use. I hope my writing on its
role in the CRA is of any help.

kind regards, Maarten

[1]
https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/#but-wait-isnt-there-an-exception-for-open-source

--
Maarten Aertsen
   senior internet technologist, NLnet Labs