The Python Software Foundation on European cybersecurity

source link: https://lwn.net/Articles/929855/
[Posted April 21, 2023 by corbet]
This is ten days old but hopefully better late than never: the Python Software Foundation has put out an article describing how the proposed European "cyber resilience act" threatens the free-software community.
Under the current language, the PSF could potentially be financially liable for any product that includes Python code, while never having received any monetary gain from any of these products. The risk of huge potential costs would make it impossible in practice for us to continue to provide Python and PyPI to the European public.

The Internet Systems Consortium has also recently put out a statement on the proposal.


The Python Software Foundation on European cybersecurity

Posted Apr 21, 2023 21:17 UTC (Fri) by pbonzini (subscriber, #60935) [Link]

The language actually seems pretty clear to me. First of all, the proposal does not cover open source as long as it's not-for-profit.

Second, "a natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements shall be considered a manufacturer for the purposes of this Regulation" should refer to downstream modifications. Making modifications upstream of products (which is what happens in Python or Debian) is not a modification of the product, it is a modification of something else.

Finally, the other quoted sentence, "providing a software platform through which the manufacturer monetises other services", is not complete and thus hard to interpret. Still the interpretation of the PSF only seems to work if the PSF is considered a manufacturer, which it should not be since it's not operating for-profit.

In fact, the European Parliament Research Service's briefing on the CRA (https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/7...) says that they consider open source software to be "less exposed to cybersecurity risks. This is because when many programmers are involved in the continuous development of software, there is a higher chance that vulnerabilities are spotted by someone throughout the development or update process".

While this is only a footnote, it is clear that the intention of the EU is not (as the PSF says) to make "hobbyists, individuals and other under-resourced entities who host packages on free public repositories like PyPI" liable, even if they authored software that is used in what the CRA defines as a "critical product" such as a router or a password manager. In fact the spirit of the law is the opposite, i.e. to make sure *manufacturers* do their due diligence, both when they source external packages and to ensure that their products remain secure.

The Python Software Foundation on European cybersecurity

Posted Apr 21, 2023 22:15 UTC (Fri) by pizza (subscriber, #46) [Link]

To quote the ISC's statement:

> The text of CRA appears to deviate from the Blue Guide creating significant uncertainty about scope of application.

> Although we set out our observations above using the multiple factors provided by the Blue Book explaining why we believe our organisations and similarly situated entities should not be treated as supplying software as part of a “commercial activity” in a “business related context,” the text of the proposed laws under discussion seems to drag us away from that analysis.

When pretty much every established F/OSS foundation/organization that operates in Europe thinks there's a problem with the text _as it is currently written_ then it seems prudent to listen to them, instead of reassurances from random folks posting on various internet forums.

(Especially as history has shown us repeatedly which way the cudgel falls)

The Python Software Foundation on European cybersecurity

Posted Apr 21, 2023 22:31 UTC (Fri) by pbonzini (subscriber, #60935) [Link]

I agree that prudence is needed. But the ISC is really asking for nothing more than a more precise definition of "commercial activity". It's not like it's arguing against the idea of the CRA, more the contrary in fact.

In the case of the PSF, their second point is similar but explained worse, while the first point mangles the meaning of the letter of the law.

The Python Software Foundation on European cybersecurity

Posted Apr 21, 2023 23:57 UTC (Fri) by pizza (subscriber, #46) [Link]

I don't think anyone is arguing against the idea or nominal intent of the CRA; instead, the PSF and ISC join the many, many others that have pointed out how the text _as written_ muddies the notion of liability so badly that it's barely a stretch to see how that could lead to the cessation of F/OSS development in the EU, and not just at the non-profit/individual volunteer level, but at the corporate-sponsored level as well.

The Python Software Foundation on European cybersecurity

Posted Apr 21, 2023 21:19 UTC (Fri) by domdfcoding (guest, #159754) [Link]

Seems like the EU are doing an excellent job without us. I can't fathom why anybody voted for Brexit.

(heavy sarcasm)

The Python Software Foundation on European cybersecurity

Posted Apr 21, 2023 21:36 UTC (Fri) by tao (subscriber, #17563) [Link]

I think it's rather naïve to think that this won't affect Britain too and that Brexit will make any difference (well, except that Britain lost the ability to veto this, of course).

Or are you expecting British software vendors to stop selling their products to EU countries and British developers to stop participating in European software projects?

The Python Software Foundation on European cybersecurity

Posted Apr 21, 2023 21:39 UTC (Fri) by flussence (subscriber, #85566) [Link]

The UK doesn't really have a technology economy to legislate over in the first place.
