The Python Software Foundation on European cybersecurity
source link: https://lwn.net/Articles/929855/
Under the current language, the PSF could potentially be financially liable for any product that includes Python code, while never having received any monetary gain from any of these products. The risk of huge potential costs would make it impossible in practice for us to continue to provide Python and PyPI to the European public.
The Internet Systems Consortium has also recently put out a statement on the proposal.
The Python Software Foundation on European cybersecurity
Posted Apr 21, 2023 21:17 UTC (Fri) by pbonzini (subscriber, #60935) [Link]
Second, "a natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements shall be considered a manufacturer for the purposes of this Regulation" should refer to downstream modifications. Making modifications upstream of products (which is what happens in Python or Debian) is not a modification of the product, it is a modification of something else.
Finally, the other quoted sentence, "providing a software platform through which the manufacturer monetises other services", is not complete and thus hard to interpret. Still the interpretation of the PSF only seems to work if the PSF is considered a manufacturer, which it should not be since it's not operating for-profit.
In fact, the European Parliament Research Service's briefing on the CRA (https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/7...) says that they consider open source software to be "less exposed to cybersecurity risks. This is because when many programmers are involved in the continuous development of software, there is a higher chance that vulnerabilities are spotted by someone throughout the development or update process".
While this is only a footnote, it is clear that the intention of the EU is not (as the PSF says) to make "hobbyists, individuals and other under-resourced entities who host packages on free public repositories like PyPI" liable, even if they authored software that is used in what the CRA defines as a "critical product" such as a router or a password manager. In fact the spirit of the law is the opposite, i.e. to make sure *manufacturers* do their due diligence, both when they source external packages and to ensure that their products remain secure.
The Python Software Foundation on European cybersecurity
Posted Apr 21, 2023 22:15 UTC (Fri) by pizza (subscriber, #46) [Link]
> The text of CRA appears to deviate from the Blue Guide creating significant uncertainty about scope of application.
> Although we set out our observations above using the multiple factors provided by the Blue Book explaining why we believe our organisations and similarly situated entities should not be treated as supplying software as part of a “commercial activity” in a “business related context,” the text of the proposed laws under discussion seems to drag us away from that analysis.
When pretty much every established F/OSS foundation/organization that operates in Europe thinks there's a problem with the text _as it is currently written_ then it seems prudent to listen to them, instead of reassurances from random folks posting on various internet forums.
(Especially as history has shown us repeatedly which way the cudgel falls.)
The Python Software Foundation on European cybersecurity
Posted Apr 21, 2023 22:31 UTC (Fri) by pbonzini (subscriber, #60935) [Link]
In the case of the PSF, their second point is similar but explained worse, while the first point mangles the meaning of the letter of the law.
The Python Software Foundation on European cybersecurity
Posted Apr 21, 2023 23:57 UTC (Fri) by pizza (subscriber, #46) [Link]
The Python Software Foundation on European cybersecurity
Posted Apr 21, 2023 21:19 UTC (Fri) by domdfcoding (guest, #159754) [Link]
(heavy sarcasm)
The Python Software Foundation on European cybersecurity
Posted Apr 21, 2023 21:36 UTC (Fri) by tao (subscriber, #17563) [Link]
Or are you expecting British software vendors to stop selling their products to EU countries and British developers to stop participating in European software projects?
The Python Software Foundation on European cybersecurity
Posted Apr 21, 2023 21:39 UTC (Fri) by flussence (subscriber, #85566) [Link]