101 comments

[ 4.4 ms ] story [ 197 ms ] thread
Note: it's not clear from the title, but this is in the context of the Cyber Resilience Act, the one that might make OSS developers responsible and liable for bugs.
I wasn't going to click because I believed it was about the futile "won't somebody think of the open source developers, give them a little money". It's true, but it won't happen at scale.

This was much more interesting.

That liability is a part of the proposed revisions to the Product Liability Directive, which is also covered by this letter.

The Cyber Resilience Act would potentially require open source developers to follow a compliance regimen, similar to any EU manufacturer. The concern is that this would place too high of a regulatory burden on item source projects. The act's view of the software world is less nuanced than that of the open source community, making a distinction only between commercial and non-commercial.

I don't fully understand the implications for open source projects, but it also seems like the legislators do not understand the implications for the EU. There is legitimate concern that the EU could be cut off from open source repositories as the entities running them seek to avoid liability.

Is this for real? If there are people that want to hold independent volunteers responsible, that would kill the world. Most of our current technology is stacked on top of OSS developers that worked for free. Now they can be responsible for any bug someone might find? Then, who would bother to continue putting code out there to share. This can't be right.

It would be like holding people responsible if someone got hit on the head by an apple that fell from the tree they planted as a volunteer on earth day.

It is for real, but what you write is why it will never hold up. It is a bug in the legal text.
What about the case of a major corporation releasing an OSS package.
> hold independent volunteers responsible

iirc there is already a carveout for free open-source contributions, it only applies to (the very widely applicable) commercial activity. My understanding is, this letter is about developers organized as non-profits, but who are still paid for their work.

One problem I got are package repositories publishing work and making money through other sources might be liable for all packages they host.

Commercial software isn't even liable for bugs. See EULAs, zero days, ransomware, etc...
That's exactly what this law wants to fix: Companies won't be able to hide behind license agreements for some of the high impact security bugs.
As a US based developer, would I have the option to ban people in the EU from using my software? It's the only way I would be able to keep distributing.

Edit: I think I misunderstood. This seems to only apply to OSS non profits.

Edit 2: I am not only developing my own software, I am doing it under my LLC, packaging and distributing on itch.io, and in one case charging a low amount. So this likely would apply to me. Since I've made a whopping $200 in donations and sales total over the course of several months, that will be the end of my side business / passive income.

And since I'm in the US this feels unfair. I really shouldn't be bound by EU laws. I'd rather just ban the EU from my software if it comes down to that.

edit 3: ok that last bit is over the top. i understand i have to follow international law... my American-ism is kicking in.

Somebody please chip in an informed opinion on how much legal exposure a US entity has to EU litigation. Especially if said US entity doesn't really have any paying EU customers.
IANAL but the EU's GDPR also applies to companies providing services "even in the absence of commercial transactions"[0]. I've seen quite a few US news sites that simply refuse to show me any content.

If the EU stays consistent with this stance - and the US sites refusing to deliver content aren't just being overly cautious - then I could see providing a download may already count as providing a service in the most pessimistic interpretation.

[0] https://termly.io/resources/articles/gdpr-in-the-us/

I'd like to think these things are treated differently. Browsing to a web page and getting cookied is different from actively choosing to run some software. Gets more complicated with web apps, but I'm personally willing to accept a disclaimer from sites and software I'm not directly paying for.
I've wondered, how enforceable is a EU court ruling on a company with no assets in the EU?

If they can't enforce it, then does it matter if they fine you a centillion euros?

> I've wondered, how enforceable is a EU court ruling on a company with no assets in the EU?

Article 27 GDPR.

If you are not established in the EU, you must designate, in writing, a representative in the EU:

The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

this is a good point.
Until you want to holiday in Europe.
never have never will. i strangely have no desire.
they can enforce it when you travel to the EU
In a download situation, is a US site providing data to someone in the EU, or is the person requesting data from someone in the US? ;-)
both, because the server logs potentially store the downloaders ip address
> Especially if said US entity doesn't really have any paying EU customers.

Aah the good old US mentality, everything must revolve around money. :)

My friend, "paying" doesn't come into it. It's all about PII, "Personally Identifiable Information".

To paraphrase Dean Martin....

     Got EU people on your mailing list ?  That's GDPR.
     Silently harvesting telemetry, IP addresses, setting cookies etc. ? That's GDPR.
etc. etc. etc.
You are correct that money doesn't enter into it (at least directly).

The Dean Martin paraphrase however is not quit correct. Having EU people on your mailing list does not necessarily make you subject to GDPR. It depends on where you are, and possibly on your intent.

The territorial rules for GDPR are:

1. It applies if you are in the Union, regardless of where the people on your mailing list are and regardless of whether processing their data takes place in the Union or not.

2. If you are not in the Union, GDPR applies to the processing of data of people in the Union where the processing activities are related to ...

2a. ... the offering of goods or services (regardless of whether payment is required or not) to people in the Union, or

2b. ... the monitoring of the behavior as far as their behavior takes place within the Union.

Whether or not you are offering goods or services to people in the Union depends on whether you envisage to do so. The mere accessibility of your website from the Union is not sufficient.

For example if you were running a mailing list for your small city's chess club and someone in the EU found your site and signed up, you probably would not have any GDPR obligations to them.

If your chess club site also sold chess equipment that still probably wouldn't be enough unless you did something to indicate that you were actually trying to include EU. For example if your site had localization for all major EU languages, gave pricing in both dollars and Euros, and included VAT you would be covered by GDPR.

But if the site is only in English (and maybe Spanish), gives pricing in dollars and only accepts dollars, only collects US sales taxes, only ships via USPS, and doesn't have anything that indicates you might be catering to EU people, you are probably in the clear.

As an EU developer i would also like to know how to block the EU from my customer base.
As an EU developer I would also like to know how to block fascists from my customer base, esp. US, Russian and Chinese companies and state orgs.
They are not expecting the xkcd “Dependency” comic situation to be possible in the first place, and trying to pressure commoners to sort it out by an “or else,” threat, which isn’t working well.

0: https://xkcd.com/2347/

> They are not expecting the xkcd “Dependency” comic situation to be possible

Rightfully so if you assume certain engineering standards. "Made by a nameless guy in a shack in oregon" is something you never want your auditor to hear.

I think that having some kind of "supply chain accreditation" might be something to look at. However, this kind of thing can become a nightmare.

I used to work for an ISO-9000 company.

> some kind of "supply chain accreditation"

As long as the for profits and governments that use OSS are paying for the process and regulations, otherwise you are putting undue burden on OSS developers.

now that I am fine with, but i still think this is nutty overall. there's nothing wrong with anon contributions to software.
It all depends on the final use of the software.

I think that anyone that includes anyone else’s work, is responsible to do due diligence on the library/module/code they import.

That applies to free or paid software/work.

Some companies I have known, have refused to use any free work; even when donated (I tried donating, once). Instead, they insist on paying a small sum (in the US, a single dollar is customary), and having a legally-binding contract.

Having the supplier sign a contract may suffice for “due diligence,” as it puts the supplier “on the hook” for the quality of their work.

It could also absolve the supplier, and place the burden on the consumer.

In any case, I don’t have any “right” to just fart out some junk, and expect it to become crucial infrastructure. If I want my work to be used at that level -whether paid, or not-, then it’s incumbent on me to test, document, and support that work.

I have written systems that have become infrastructure; both as paid work, and for free. This is something I have some experience in.

I mentioned this in an above comment - here is a repo that I use in two of my apps that I compile with pyinstaller and distribute:

https://github.com/Capsize-Games/aihandler/blob/master/setup...

There are hundreds if not thousands of developers who have contributed to those libraries and the dependencies of those libraries.

Are you saying that you feel it is up to someone (myself or some service) to track down and verify the identity of each of these developers, and that I shouldn't use these libraries or distribute them until that happens?

Like I said, if I use someone else’s stuff in my work, it’s my responsibility to assure myself, and anyone upstream, of the veracity of that work.

That’s the theory behind efforts like ISO-9000, but I find them pretty “top-heavy.”

A good example might be Linux. There are thousands of contributors, but Linux is backed by one of the best (and harshest) developers on Earth. He puts his personal stamp on it, and has trained a bunch of others to be equally insistent on Quality.

Git is the same (I believe that you may find some "relation" to Linux). In fact, Git has probably had a bigger impact on the world than Linux, and he put that out in ten days, as a side project.

The deal is, that he is used to developing software to be used as infrastructure, and that takes some serious Discipline. That kind of Discipline is actually fairly rare, these days. If someone has it, you can rely on almost anything they do.

The quality of the guarantor is an important component of almost any working relationship. Standards bodies try to avoid that, but I'm not confident it works. The one thing that I remember from working in ISO-9000 environments, was myriad ways to work around the requirements. They end up actually causing more problems than they solve.

There's really no way to avoid the need for personal and institutional Integrity.

> Rightfully so

who cares if some nameless guy in a shack contributed to your third-party libraries? anon people contribute to open source software all the time, its irrelevant, as is their living situation.

People who will have to vendor that code.
look at all these libraries that i package with my distributed software:

https://github.com/Capsize-Games/aihandler/blob/master/setup...

On top of that, there are dependencies for each of those libraries.

i don't know the names of any of the people that wrote any of that code and I don't intend to dig into it.

You don't vendor anything. You only name it as dependency. I'd fail my audits if i did that.
> You don't vendor anything. You only name it as dependency

i'm not? how are you using the term "software vendoring" specifically? I am packaging with pyinstaller and distributing as an app.

Simplified: locally-stored forks of all dependencies where we also commit our own patches to.
No one cares that your equipment is based on early works by young Isaac Newton. But;

... if you tell them that he is actually a living man in rural Nebraska, presently mixing dehydrated macaroni on one hand, holding his crude manuscript in the other hand, actively adding fixes to fundamental errors in it, and that multiple copies of that manuscript is used to control anything from lightbulbs to government communications to fission reactors, right now, that is not going to let them sleep better at nights. And they ARE starting to get uncomfortable with that.

"Made by a nameless guy in a shack in oregon" is something you never want your auditor to hear.

If you are a business buying software from a business, sure. But if you are anyone getting your OSS from the guy in Oregon, sure.

The goal here seems to be shielding larger companies when they use 3rd party OSS. Exploitation at its finest.

Besides, what about EULAs and other liability limiting license terms?

In the license add a section that prohibits people from the EU using it.
Not feasible to do license changes on larger projects.
Why not?
Because every contributor has to be contacted and agree to the change. If one can't or won't your only option is to revert their changes and everything derived from them.

This is yet another way the OSI was a bad idea. For a while they approved a bunch of open but incompatible licenses that couldn't be changed

Yeah, i just read the proposal, there is a lot of holes, but, from general to specific:

First: even if you piss off a EU member state and they direct their watchdog to your product (i trust my country's watchdog wouldn't listen 99% of the time, but we are 28, so it could potentially happen), this has to go to the court. You won't have to pay for a lawyer and still have competent representation, and likely win because the ECJ dislike state entities going after small business. It's the same for GDPR btw. The watchdog would rather needle you to implement changes than go to court. And it's the same for trade laws (I know an irish business importing to France that have production facilities in Scotland, who kinda broke import laws multiple time since brexit and is still fine, even received a procedure on "how to fill you paperwork).

Second: Not sure how this will apply. From what i got, this can either go "internationnal treaty", and in this case it will apply to all europe the same way, or the "each country implement the idea however they want, this is the baseline" way. If its the second, the baseline will be much lower because...

Third: this isn't even the final proposition. Even if it was, it has to go through the parliement and will be changed. I would love having a diff tool to show people how much the parliement change the law from the initial proposition (either european or my country, sometime the final law can be on the opposite of the proposed law (or at least orthogonal)).

International law is not the same thing as the EU dictating laws that they want to apply internationally.

It think it's totally reasonable to say that you didn't vote for any EU legislators, couldn't even if you wanted to, and they have as much right to tell you what to do as the Kremlin does - zero.

If your own elected representatives want to enter into an enforcement or reciprocity agreement with the EU on this matter, that's fine, but until then extra-territorial regulation of technology is a pretty clear moral overreach.

agreed on all this

> International law is not the same thing as the EU dictating laws that they want to apply internationally

I definitely used the wrong term.

>As a US based developer, would I have the option to ban people in the EU from using my software? It's the only way I would be able to keep distributing.

?!?!?!?!??! No, just tell the EU to go fuck itself. If like me you're in the US they don't have any jurisdiction! It's not our problem. How the hell did the entire concept of sovereignty apparently evaporate on HN? The EU is absolutely no different than China, Russia, Iran, or North Korea in this regard. They can pass whatever domestic laws they want. They can also setup a Great Firewall and block off countries they don't like. But if you don't live there and you have no operating presence there then it doesn't matter if their people come and access our sites and services, anymore than if they flew over to the US and access it from here. It is Not Our Problem. Software is protected by the First Amendment. I don't respect blasphemy laws or any of that other crap either.

>edit 3: ok that last bit is over the top. i understand i have to follow international law... my American-ism is kicking in.

That's not "Americanism" nor over the top in the slightest bit. There is no such thing as "international law" in any way that's the same as domestic law. Countries can agree upon treaties, which they then translate into domestic laws for their own citizens same as any other law. But there is no World Government, and what the EU passes matters only to the extent you wish to have a physical presence in EU jurisdiction or the US agrees to the same thing and passes domestic law to that effect. Big Tech players and such obviously fall into the first bucket, at their scale and for what they offer physical presence is vital, which naturally puts them in the jurisdiction of wherever they are up to the limit of being willing to leave.

For those of us who are just single devs putting out software, free or commercial, if someone from the EU wants to go after us for liability they'd have to do so in US court under US law.

(comment deleted)
> If like me you're in the US they don't have any jurisdiction!

They do if you do business in Europe, for example by serving users in Europe.

this is where my confusion is:

i am writing software and adding to github, compiling on github and pushing to itch.io. lots of people from EU have downloaded my software and even donated.

am i serving customers in the EU? IMO no, but i could see how others would argue that I am.

edit: i think itch.io and github are serving customers in the EU, not me.

>They do if you do business in Europe, for example by serving users in Europe.

Nope, that's not doing business in Europe. If EU users come to my American-located site (or git repo or wherever) and grab my code that's theirs and the EU's business. Again, same as if some Iranian came and posted a comment deemed insulting to muhammad under their law or a Chinese citizen with a picture of Xinnie the Pooh genociding Uyghurs or used my software in some way to do the same or evade local censorship or something. Chinese or Iranian or EU government are then free to tell me to change my ways or give them info on the user or block them or whatever. Or demand I pay fines and go to jail. And I'm free to tell them to kiss my red white and blue ass.

If it's against the law in the US too, including treaties we've signed with other countries binding us as a matter of domestic law as well, then absolutely of course Americans have to respect that. Or again, if somebody wanted to maintain assets and presence in another country. Otherwise explain to me the exact mechanics by which you expect one of the courts from the other 194 countries in the world to enforce their own laws in the US contrary to US law?

Also, obviously if I make use of a large site that has physical presence in the EU, then the EU will have some level of sway over that site in turn, and could demand they block me to all EU citizens, or for that matter demand that they ban me and anyone else and enforce EU law worldwide. And then they would have to decide if it was worth staying under EU jurisdiction or not, and the US Government would have to decide whether to retaliate and demand EU companies enforce US law in the EU or be banned from the US market and it'd spiral off into far higher office and diplomacy. But none of that is the problem of those of us on the ground floor beyond convenience and our dependence (or not) on multinational mega entities. Can always fallback to our own local stuff.

Your license wouldn't count as open source any more if you discriminate against Europeans in it. Sounds like it already isn't FOSS though? You did mention GitHub further down so hmm.
at least they should be direct and upfront about what they want.

no more free digital assets. the logic of the market is imposing itself over the digital realm (the inside of the internet?)

this logic wants us to pay to copy. just imagine if you had to pay every time digital information gets copied!

I don't think anybody would be able to afford to run their own computers. how many times are bits getting copied all over the place during normal operation? all routers would have to be shut down to avoid litigation!

I know I am taking this to an extreme, but where does it end? does it ever stop? why should only some get to keep the enormous advantage unlocked by digital information while the rest are forced to pay?

to be fair this is also in reaction to https://torrentfreak.com/brazils-ministry-of-justice-asks-go...

(comment deleted)
The EU is really heading down a bad path recently with this, some aspects of the Digital Services Act (mandatory simplified explanations of content "algorithms"), the proposed AI Act, the proposed Chat Control Act, etc.

The EU should focus on improving the business environment by standardising and liberalising the payment of payroll and income taxes across the Union (so you could work for a company in one country and live in another), digital ID, international banking, pension and national insurance transfers, and residence registration (so it isn't a months-long bureaucratic process in any new country), companies registration (to make it simple for one company to operate and hire in the whole Union, without dozens of local tax and labour law issues, etc.) and solving issues like the housing crisis, disastrous rent control schemes, etc. that impede economic mobility.

The EU can only proceed where there is consensus and there is no appetite for harmonisation across the bloc for most of those issues.

Really what you are describing is a superstate akin to the US Federal Government, which is not the purpose or goal of the union.

Countries within the EU also have vastly different cultural attitudes to many issues. For example, in some countries having a national ID card is mandatory (Germany) and others don't have a national ID card at all (Ireland). Some countries have opted-out of the Euro single currency (Denmark) and others are dragging their heels even though they have an obligation to join (Sweden, Hungary, Poland, etc). Some countries have opted-out of the EU Mutual Defence Clause. One (Ireland again, due to border issues with Northern Ireland) didn't join Schengen.

Trying to force such a diverse set of populations into a single superstate will just lead to the break up of the union.

> which is not the purpose or goal of the union

That depends who you ask.

https://en.wikipedia.org/wiki/Union_of_European_Federalists

"Ever-closer union", the development of a common security and defence policy, and the introduction of a common currency all look quite federalist to me.

That was an extremely controversial phrase and Lisbon nearly fell apart due to it. It's worth noting that the full aim is "to continue the process of creating an ever closer union among the peoples of Europe, in which decisions are taken as closely as possible to the citizen in accordance with the principle of subsidiarity".

It was specifically worded that the union was of the peoples of the bloc, not the countries.

The Union of European Federalists have apparently 100,000 members out of a population of ~450 million. It's beyond a niche organisation.

I think it's more of a generational issue. as far as my experience goes most of the younger folks consider themselves european
The EU doesn't have a tech sector and is therefore very happy to destroy the services from other countries with stupid regulations. This is pretty clear after the cookie banners.
We differ very much on what the EU should/shouldn't do. You can already work for a company in one country and live in another. It might take a bit of effort on the employee's side, but that's it. Standardization of income taxes is a death knell for politics, and a sure-fire way to make the EU fail.

International banking is already settled, pensioning too. Insurance isn't needed. You can insure yourself in your new country.

> make it simple for one company to operate and hire in the whole Union

Oh, I see. You're only in it for the money.

The employer's side is already very complicated though.

International banking is not settled. You cannot settle your taxes in Spain with a foreign IBAN, there are similar issues with many other services too (internet, phone and utility contracts, etc.).

I didn't mention income taxes, but payroll taxes i.e. the employer side. But income tax shouldn't exist anyway.

> Insurance isn't needed. You can insure yourself in your new country.

But the employer is usually required to pay it - e.g. national insurance in the UK, social security in Spain, that is a massive barrier to international work even within the EU. There needs to be agreements to split the payment to allow the employer and the employee to reside and operate in different EU member countries.

> Oh, I see. You're only in it for the money.

Making business easier makes us all more money (less friction and overhead = a bigger pie). I'm not even a business owner, but could benefit a lot if I could more easily move somewhere within the EU with a lower cost of living.

> But income tax shouldn't exist anyway.

Indeed, we're on totally different sides of the isle.

> a massive barrier to international work

There are all kinds of agencies willing to make that easier for you. Sure, it costs, but that's business.

> I ... could benefit a lot if I could more easily move somewhere within the EU with a lower cost of living.

That's a perversion of the system. You want to eat from both sides: where the cost of living is high, the salaries are high, but you don't want to spend the money there. Instead, you'll drive up housing prices in a poorer country. "Some of you may die, but that's a sacrifice I'm willing to make."

The banking situation is like an MVP of the real thing. You can't easily get a mortgage in another country, some of the banks can't even serve you in English, etc.

As for taxes, in theory, you could have a unified system that exposes a bunch of knobs for each country to turn as they wish. Some might even set some of them to 0. You can do much better than the current mess. I guess you can also do much worse, especially for the people who've already found their niche tax-wise.

Everything is an even bigger mess when you are a company (not even an employer). E.g. recycling mess mentioned here: https://www.pcengines.ch/recycle.htm

The proposal claims to be proportionate, but I don't see any mention of minimum income threshold or even a broad "significant revenue" statement in the proposal. Are hobby developers who make 100€ per year going to be exposed to 15,000,000€ fines?

PS: I am reading through the requirements and these seem unreasonable for projects netting less than 100,000€ annually.

I never understood why so many Europeans think the EU exists as some sort of beneficial democratic institution that will "take care of the citizens". It was always a business club of the large European companies with a veneer of democratic institution. I won't cry a tear the day the whole thing crumbles into dust.

Parliament with barely a democratic mandate, executive with handpicked non-elected bureaucrats who strut around the world stage pretending to have some sort of mandate.

> It was always a business club of the large European companies with a veneer of democratic institution

It's original intention was to join EU countries to avoid another World War

That was true at one point (The original Steel and Coal union) but I don't think that plays a major factor anymore in the day to day. After the giant bribe scandal that is still ongoing in the parliament I'm going to lean towards that it's mostly about grifting these days.

I just want more local rule and less mandate from the kingdom of heaven like this crap about open source.

Who stands to make money from this grift ?

[dead]
Yes pretty good compared to the balkan alternative of tens of independent countries each trying to protect their interests alone.

Also you completely disregarded the human rights component which is a founding principle of EU and beyond (Council of Europe). What is democracy with strong mandate good for when there's no strong independent court involved in human rights?

As part of the Cyber Resilience Act (edit: and the Product Liability Directive), the EU plans to introduce some accountability and liability for software in the commercial realm. This letter pleads to exempt not-for-profit open-source developers from falling under the “commercial” definition even when they receive donations or similar.
Excellent TLDR. Thanks!

I'm wondering if my source-available work under non-commercial licenses (nevertheless permitted to be used by public / government institutions) would be automatically exempted (as it's outside the commercial realm)?

I literally just today published the source (not under an OSS license) of a major product in the remote browser isolation space: https://github.com/dosyago/BrowserBoxPro

(comment deleted)
> By definition, open source software is not sold - it is given to the world for free.

Is it? I thought open-source was a "business friendly" wording of free software. That is, the source code is made available, independent of what price (perhaps gratis) the author decides to distribute it. "Free as in freedom, not free as in beer" and all that. Am I missing something or did the OSI change the meaning to include that the sale price must be 0?

I believe the "open" in open source means "publicly accessible". The concept of "free" is a bit stronger, and grants the user rights to modify and redistribute (unless they do so under a proprietary licence).
The Open Source Initiative doesn’t and never did, and its founder (ESR) invented the phrase, having forked the Open Source Definition from the Debian Free Software Guidelines. (Before that, the common term was “sourceware”, and it was in fact somewhat vague as to what counts or not. It’s all but forgotten now, except for the website formerly maintained by Cygnus Support.)

Even the 2000s “Linux is a cancer” Microsoft chose to invent the term “shared source” rather than attempt to dilute “open source” when they publicly released some source code for academic and noncommercial use. (They still faced accusations of terminology confusion, which might well have been true.) In that respect, the recent attempts at redefinition by Mongo, Elastic, et al. are a truly novel strategy.

I stand corrected. Is it true nevertheless that open source software must make its source code publicly available? And that "free" is generally stronger than "open"?
There is a spectrum of perspectives on this topic. The "free software" maximalist side would argue that there are two ideas, free "as in beer" and free "as in freedom"... and they will typically say that anything that isn't free "as in freedom" does not conform to their view of what is in the spirit of open source. Then there's the other side of the perspective which argues that open source is being strip-mined by hyperscalers and that new licenses with very specific classes of restrictions aimed at protecting the developers are needed. That latter group typically would argue that the OSI is realistically controlled by the hyperscalers and hence it's all quite nuanced. It's a classic political debate with extremes on all sides and the rest of us having to survive somewhere in the middle
For all practical purposes, the terms "free software" and "open source" are equivalent - the difference is political (which still matters of course). The source code doesn't have to be publicly available with either, but every user must have access to it on request and they may redistribute it, so practically it usually becomes publicly available anyway.
This is incorrect, the OSD doesn't require that the source code be public, just that it be available to the same people the compiled binaries of the software is available to.

https://opensource.org/osd

Weird when a comment tries to dispel a common but annoying presumption not supported by the record, but the attempt at debunking itself contains relies on similar presumptions that lead to claims that are counter to what we know is true.

> its founder (ESR) invented the phrase

No, Raymond was at the meeting where it was coined, and he enthusiastically helped popularize the term. Christine Peterson invented it.

> Raymond was at the meeting where [“open source”] was coined, and he enthusiastically helped popularize the term. Christine Peterson invented it.

I wanted to grump about this not being written down, but even the OSI history page[1] mentions it. Huh. Thanks!

[1] https://opensource.org/history/

The Free Software Foundation has the following to say. [1]

> Many people believe that the spirit of the GNU Project is that you should not charge money for distributing copies of software, or that you should charge as little as possible—just enough to cover the cost. This is a misunderstanding.

> Actually, we encourage people who redistribute free software to charge as much as they wish or can.

So this “no selling” talk is defintely a diverging perspective and does not apply to all open source licenses. In fact I think it can’t apply to any, because commercial use is a freedom that would be restricted if it were true.

—-

[1] https://www.gnu.org/philosophy/selling.en.html

In its early days, the FSF used to send out tapes with “GNU” and charged (considerable, if fair) fees for media and labour, because FTP access was difficult to come by outside academic circles. The webpage can’t be that old (the web itself being younger), but still dates from the times when it might have made sense to buy a consumer Linux distro in a store, as a bunch of CDs in a box (I still have mine somewhere).

In the world of pervasive broadband and cheap hosting, I don’t think this business model could work—everybody you release your stuff to will just upload it to a public site. Red Hat will terminate the support contract in that case, which to me feels like a legal exploit I’m kind of conflicted about.

You are required, as that page notes, to include the source code at no additional charge whenever you sell or otherwise distribute the software. Unless you're charging for the source without providing working binaries at all, this is the same thing as setting the price of the source at zero.

You're also unable to restrict those who purchase your software from redistributing it:

> You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

( https://www.gnu.org/licenses/old-licenses/gpl-2.0.html )

That is enough to ensure that open source code is provided to the world for free. This is why we have a distinction between "open source" and "source available".

> That is enough to ensure that open source code is provided to the world for free.

Not necessarily, the people you distribute the source/binaries to are under no obligation to give them to anyone else.

People here seem to be forgetting that Open Source was a community driven ideal first. The License came later as "protection". Corporations were stealing code and there was no recourse. The variety of open source licenses were created to provide a framework for the community, to fight off stealing, to keep it open.

Programmers want to program, they started sharing code, then corporations started using it, and erasing the authors names. Originally there was no 'License', programmers didn't come together for the fun of creating 'Licenses'. They were forced to create license to cover their code to keep it open for anybody to use. The original licenses were really just to keep it free and provide attribution, so the authors were known.

This almost sounds like mixing up the terms or history of open source and free software.

While both may have been driven by ideals, many of the licenses typically applied by people who call themselves "open source developers" do not contain copyleft. Therefore it is inherently easy for corporations to "steal" the code. "Steal" in quotes, because when the developers chose a license, they should have been aware of that their software can be used in any context without they themselves ever learning about it or seeing any contributions flowing back, so it is not really stealing anything, but the developers short-sighted choice of license.

Sustainability in terms of keeping things open (libre) is more an area of licenses like GPL, AGPL, which contain copyleft. These are more commonly applied by developers calling themselves "free software developers". Most self-respecting free software developers will also call their software free (libre) software, instead of saying open source, even, if many open source licenses are also valid free software licenses.

Guess, I'm thinking farther back, when developers first started sharing code openly with no licenses at all. Just groups working together to build something. Then some corporation, or guess anybody, could take it, erase the names, and start making money. Then there was a profusion of new licenses of all types trying to strike a balance, but all to protect the programmers from being erased. Some to make money and some just for joy.
Initially software wasn't even copyrightable, so it wasn't even possible to apply a license because there were no laws against taking code like that.
good points. my main projects are free software as they are using GPL and AGPL
Corporations are still stealing open source code, nothing has changed there. Hopefully the Conservancy vs Vizio lawsuit will make it easier to sue companies for source code. That aims to make it possible for end users to sue, rather than copyright holders being the ones to sue.

https://sfconservancy.org/copyleft-compliance/vizio.html

Personally, I find the cyber security act to be a difficult topic. I generally agree that there should be some form of liability for software, but the list of cases I can imagine make it difficult to decide on the criteria. Most of the proposed changes seem to easily lead to changes in business models to avoid said liability.
If they are going to hold volunteers responsible for their work, they should pay them. If I'm planting trees on earth day, and someone hands me a dollar, am I now paid, and now responsible if the tree falls on someone.
> If I'm planting trees on earth day, and someone hands me a dollar, am I now paid, and now responsible if the tree falls on someone.

Afaik I can't just plant trees anywhere I want and might be liable for damage I do while planting trees or if I plant it unsafely so it falls on someone.

Can someone correct me on that? It came up at least one other time in this thread already.

The article is about volunteers writing code. The tree example is on earth day as part of a group, planting in an approved area, just like adding code on github. What if someone gives them money, are they now liable.
> The article is about volunteers writing code.

Maybe I misread, but the article seems to be specifically not about volunteers. (The only mention about volunteers is "[Writing secure and stable software] cannot be accomplished long-term by the efforts of volunteers alone")

> The tree example is on earth day as part of a group, planting in an approved area

Thank you for the context that was not obvious to me.

It is worth reading this in the context of the wider discussion around the EU CRA and free software, and the previous joint response by ISC, NLnet Labs, CZ.NIC, netDEF: https://www.isc.org/blogs/2023-cyber-resilience-act-comment/ There is much more detailed analysis in that earlier post. I work for ISC but I have not been involved in the work on this issue and I have not read all the material linked from the earlier blog post.