On Nov 29, 2022, at 6:56 AM, Michele Neylon - Blacknight via opensource-wg <opensource-wg@ripe.net> wrote:

Maarteen
 
I think the way they’ve framed commercial activity is problematic.
It’s also inconsistent with other EU legislation where they’ve specifically carved out smaller businesses, which they should be doing here as well.
TLDR – I’m not going to lose sleep if RedHat have to do something, but I really don’t want a small open source software company with a handful of staff to be forced to meet the same criteria as a multi-billion dollar company.

Michele,

Amen! This is exactly my concern. The CRA could have the effect of putting the small open source companies out of business in Europe. 

ISC, my employer, is ~35 people, so not *tiny*, but we would certainly struggle to meet all of the CRA requirements for our two major open source projects, BIND 9 and Kea DHCP. The impact would be to take resources away from other important work, such as fixing bugs, writing useful documentation, etc. We have been reporting vulnerabilities responsibly for years, signing our code, etc., so most of the provisions would not be new to us, but … Currently we do monthly development releases - would we have to go through some rigamarole for each release?? It would certainly be the end of monthly updates.

Regards,

Vicky Risk, isc.org

 
Regards

Michele
 
 
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845