If the legislator is so concerned that some random open source project with enough luck to become a foundation of something the EU relies on may be used to weaken its security... then why not just ... I don't know ... not use it and develop their own? It doesn't fit in my brain.


>---------------------------------------------------- The current CRA text only excludes OSS software that has no commercial activity around it. Unfortunately, it defines commercial activity in part, this way:

    “where the main contributors to free and open-source projects are developers employed by commercial entities and when such developers or the employer can exercise control as to which modifications are accepted in the code base, the project should generally be considered to be of a commercial nature.”
This can be read to mean that if the main contributors are not unemployed, then the project is commercially tainted. >----------------------------------------------------

It applies not just to foundations and companies but to basically all software created or distributed within the EU, so basically all software created by professional developers, even outside of their employment.

Where the creator is beyond the reach of the EU, the onus doesn't cease to exist; it just falls on the company to certify as part of their due diligence for their product, and this doesn't even make that version of that software or library itself certified out of scope of that usage, so all non-certified software would need to be verified once per work unless someone stands up an entity to provide a certified version of whatever.

For open source software you are asking companies to write or buy their own everything.

The most reasonable scenario is probably European developers using a limited palette of software versions behind the US, wherein in many cases they have to pay a European maintainer who pays the cheapest offshore labor it can find to give its rubber stamping of security a thin veneer of respectability while contributing nothing back to the people who write the software.

What it logically needs is a requirement that such labor come from the EU and a portion go back to the source project. We can call it the FULL EMPLOYMENT for EUROPEAN DEVS, MAINTAINERS and ENGINEERS,

aka FEEDME

In this fantasy land non-Europeans would register for their portion of the money.
