238 comments

[ 2.9 ms ] story [ 262 ms ] thread
This is ridiculous, all blame/liability should lie with either the provider of commercial software who chooses to rely on open source software or the end user for relying on free/open source software.

I personally will not allow people in the EU to use any software I write going forward, I imagine other open source developers will take these steps as well.

This seems a bit extreme, it isn't even a law yet (or anywhere close).

That being said, if you don't audit your open source libraries, you should be held liable. I've seen open source encryption libraries do some really dumb things that I wouldn't touch with a ten foot pole. Yet they are some of the more popular ones.

(comment deleted)
Why should I be held accountable if you just run some code you found on GitHub? Am I reliable when I sell hammers and you bash your face in?

/e: let me clarify, I agree with the three comments under me. You, the commercial entity using my code, is accountable. I am not liable if you as a private person run my shitty code. I was thinking of private persons and being on the hook for my GitHub repos.

No no, you should be held accountable if _you_ run some code you found on GitHub in your product that I pay you for.
I think you might be misreading it. The person who ships the product commercially is liable. If you sell them your code, you'd be liable but if they just use your open source code, they are liable for any potential issues in their program caused by your code (instead of you being liable).

Basically they can't just brush off responsibility for using FOSS code by saying "well I didn't write it, it's not my fault" unless you as the FOSS developer are selling them a support contract for any potential issues in your code.

People are just npm installing whatever without even checking the github stars or usage; not that that says anything but not even that. As a bare minimum devs should check if their libraries have robust testing, are maintained by people who have the time to do so etc. A lot of open source libraries are really bad and if you are building commercial (packaged / saas, doesn't matter) software on top of that, you definitely should be held liable if that causes harm. This lazy behaviour should end as it indeed does cause horrible messes.

This over the top article is, I guess, pointing to open source software that's used by an individual directly from the source as an enduser and then causes harm, not to parts of commercial software that includes open source software when they talk about holding open source devs liable.

Perhaps less pitchfork brandishing, more reading the article?

> all blame/liability should lie with ... the provider of commercial software

Is precisely what the EU intend to do (according to the article - no idea how accurate it is), not put the liability on open source devs.

From the article:

> So, how is open-source software implicated? If a commercial software product causes harm, whoever put the software on the market will soon be strictly liable. You will need to prove that your code wasn’t to blame to escape the costs. But what if you’ve embedded open-source code, used open-source tools, or called open-source APIs? Under the pending rules, you’d be liable for any errors in those sources as well, regardless of whether you directly contributed or not. A license like the one Apache provides won’t help, since state-imposed strict liability isn’t a harm that can be licensed away by private actors. The user must be made whole, and that’s on you. Worse still, how will you in turn identify or sue the collaborator or collaboration that actually wrote the faulty open-source code to recoup your costs? In that case, the license you signed likely insulates your open-source partners from your claims.

What does it mean if you publish your open source android application on the play store (with no ads or monetary compensation, simply just to make it easier for users to use?).

Seems to me that you'll be liable for any issues.

Why would you be? Did you sell the user the app? If not I can't see how it would be commercial
It seems the author is refering to the EU Cybersecurity Act that should be voted early 2024.

The last draft clearly excludes open source software as long as there is no commercial activity associated. If voted in this state, it won't affect the vast majority of developers releasing some code under an Open Source license. But it will wipe out all small businesses: if you're a solo company selling support or feature development on some Open Source software you wrote, paperwork and liability are just not worth it.

And good luck selling anything relying on existing Open Source libraries, because you're now liable for them too. Given the cost of a security audit, you may as well stop trying and just sell SaaS (which is explicitely excluded from the bill, funny).

Larger companies of course won't care and will continue shipping buggy software riddled with security holes because they can afford the paperwork and absorb the legal risk.

He’s probably talking about the Product Liability Directive reform.
> as long as there is no commercial activity associated

My recollection, from previous discussion on HN, is that the definition of "commercial activity" is far more broad than the open source community would like it to be. And by "open source community", I mean the people that run various foundations and non-profits and things like that.

I don't think that throwing up a virtual tip jar on your Github page counts, but offering paid support would. If you collect telemetry and then sell "usage insights" that would also count as commercial activity. Advertising on the download page is commercial activity. If you have a Patreon account? I actually don't know about that. Anyone know?

Correct. I would be perfectly fine with some amount of control and liability proportional to the size of the company, excluding tiny ones as it is often the case.

With this new act, even selling 100€/month of support for a piece of software you are contributing to makes you subject to the full force of the bill (and the full force includes scary numbers, millions, with zero information on how precise amounts will be calculated).

We can only hope that it is not voted in this sorry state.

Yes, proportionality, or at the very least some sort of clarity on where the line is drawn. Nobody wants to be the test case that determines if something is commercial or not.

An acknowledgment that it costs some small amount of money to host a website for the code, or that you may from time to time want to hire someone to do something specialized (design a logo?) and need to raise some amount of money for that to happen.

By world-wide standards (though not necessarily by Silicon Valley standards) I am fairly wealthy and thus could afford to support a completely commercial-free open-source project out of my professional salary. And this would make my project liability-free in the EU. But someone else, who didn't grow up in the USA at a time when university tuition was cheap, would not be able to do the same and their otherwise-identical project is subject to legal liability.

How is that fair? Isn't this just going to further concentrate open source contribution and leadership in a handful of rich countries (that are mostly not in the EU)?

tl;dr Noooo I can’t be held liable for the (open source or not) code I commercially ship, how dare you.
FINALLY. This industry needs some regulation...

I'm mostly curious what that means for something like the MIT license... For those who need a refresher, this is the part I mean.

> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

> This industry needs some regulation

Are there cases of open source projects being careless or negligent that have caused harm that this would address? Aside from some unintentional vulnerabilities that have been found, it’s hard for me to think of an example that would necessitate more regulation.

I can think of exactly one rather popular one: left-pad.

The author should have been liable for the damage they caused. The industry self-regulated itself but that is a case that I can think of, specifically caused by negligence.

Npm Inc. is the only party liable for left-pad.
NPM wasn't the one who pushed the "delete project" button, knowing full well what would happen.
You knew all this before you decided to use it. Next time make better calls instead of blindly pulling shit like an idiot.
I never used it; I just knew about the situation and used it as an example.
Except that all the people using left-pad weren't paying for left-pad, and didn't have a contractual relationship with the author. IANAL, but I'm doubtful the courts would find there is enough of a relationship for the author to be liable.
That is what new laws are for.
No, they aren't. Even in the most liberal interpretation of the new laws, there's nothing specifying that you need to continue making your open-source package continually and indefinitely available.
I don't mean THESE new laws, just new laws in general.

> nothing specifying that you need to continue making your open-source package continually and indefinitely available.

There's a difference between making it available, and deliberately causing harm and untold productivity loss in a single day. This was a case of the latter.

Someone deleted a publicly accessible file off the internet, and it broke workflows of people with whom they have no existing contract. Good luck proving that was done to deliberately cause harm.
In this case, they freely admitted to doing it with the intent to harm. A person slapping me in the face doesn’t have a contract with me, but they are still liable for that harm. This isn’t rocket science.
This is a very dangerous line of thought, and frankly, appalling.
How is holding people responsible for their actions "dangerous" or "appalling?"
Left-pad is a very good case study.

For most of my early career (Security focused), companies would download copies of packages for use, they would go through a rigorous security scanning and vulnerability management processes before being included into a whitelist of internally approved tooling for product dev. Licensing, regulatory compliance and international involvement in dependencies was reviewed at this stage.

In this type of environment, which is very good from a security perspective, it would be virtually impossible for the Left-pad removal to have the impact that it did. So the problem as I see it is not that the author of Left-pad did a naughty thing (he was well within his rights given the 'why' of it all), the problem is that generations of developers have been successfully trained to believe that all their assurance work has just magically been done for them: In many cases the modern ecosystems make it virtually impossible for them to verify and control packages themselves.

> This industry needs some regulation

I concur, but I don't agree this is in the right direction.

> I'm mostly curious what that means for something like the MIT license

I think the article addressed that. Let me quote it for you:

> Today you can license-away that liability by putting the onus on the user to accept the risk, since bugs happen and hackers hack. Not your fault, you did your best, and you told the user that upfront. My read of the emerging regime changes that. It forces you to prove your code wasn’t the cause of the harm – “strict liability” in legal circles. Products like cars often get regulated this way. Essentially, the carmaker is at fault when something goes wrong unless they can prove they’re not.

> A license like the one Apache provides won’t help, since state-imposed strict liability isn’t a harm that can be licensed away by private actors.

If strict liability isn't a harm that can be licensed away by private actors then the last sentence you quoted couldn't be enforced:

> IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Ah thanks, it wasn't explicit that this was what it was referring to and was ambiguous (at least to me).
As far as I can tell whether you are libel has nothing to do with the licence, or whether the software is open source. Instead you must have gained revenue from someone (somehow, directly or indirectly) by providing the buggy software to them, and it must have harmed them. It's the same as getting a car with a defect. If you didn't buy it from them (eg, it was a gift) then the giver isn't libel. Even if you did pay for it, if it's not too serious they may get away with it. But if you paid for a new car, and you died because of a defect in it, then the manufacturer has a problem.

So if someone downloaded the software from some public repository without consulting you (let alone paying you), it doesn't apply to you. I imagine that would be true if they downloaded a binary and there was no source available (so it's not open source), and it had some horrible proprietary licence that nonetheless let you use it for free.

But on the other hand, if you made them pay for some GPL'ed software and them made the source available on request as the GPL insists you must, then it does effect you despite it being open source. So really, open source and open source licences have nothing to with it.

In fact from what I can tell, part of the reason this law exists it to forbid shrink wrap licences on paid software exempting the supplier from liability. The licence having no effect on the applicability of the law is a desired feature. If the consumer paid for it, it applies no matter what your licence says.

Why this wasn't always the case is what's odd here, not this attempt to fix it.

Honestly just sounds like a misreading of the law to me. I don't believe it. One part says

"If open source resources are in/called/touched your code, you’re responsible for their performance too. The open source resource licensed away their liability to you."

This is the norm. The private company holds responsibility for vetting everything they ship.

It's a speculation on how the law will be enforced for a law with no history and I don't see why you would assume the worst interpretation

Also the EU laws are read here, by people who live in countries where that would be the case, with way too much weight. People from the US putting cookie accept banners and gdpr blah on their sites while they don't have to, because they are not violating in the first place (the intent of the gdpr is very simple; don't do things you don't want to have done to you to others; tracking, collecting info you don't need to run the business etc; if you do more, you have to be able to defend that and ask for permission), but in the US they can expect a cease and desist in 2 seconds while in the EU that's not going to happen. They are going after large abusers or abusers that won't listen after a ton of warnings. Which they should.
Yea, the “pragmatic” EU approach to legislation: write it in draconian language and let it carry incredible sanctions (like millions of euros), but then just don’t enforce it. Unless you anger some bureaucrat of course.
They enforce it, just not against small companies as that is not the intent of these laws. You know, unlike pragmatic US legislation where you can fuck over anyone anytime over nothing valid.
If that’s not the intent of these laws then it should say so in the law. That’s what rule of law is all about.
Not really: it formulates what is illegal etc but then, when there is an infringement, a judge should still interpret the intent vs the letter. Countries that rule too heavy towards the letter suck for ‘the little guy’ as, invariably, it gets abused to get people in trouble. But you cannot formulate a law like that as then the little guy that actually is abusing cannot be caught out. Again, law sucks everywhere, but, in my opinion, it’s vastly worse in countries that are ‘tough on crime’ as they use more so the letter of the law and so screwing poor people over nothing.
(comment deleted)
GitHubs next feature: litigation tracker.
"Sue Request"
Given that GitHub is a Microsoft product now, this would actually fit well with the company’s history.
I find this article and the reactions here confusing. This seems to me like unequivocally a good thing for open-source devs.

Making commercial vendors who rely on open source software liable for bugs is fantastic news, that's how it always should have been. You can't have a commercial company throw their hands up and say "well github.com/cutefuzzypuppy is at fault for writing an open-source npm package we used so harm to our customers is not our fault!"

The article is misleading unless you read the whole thing and the reactions are standard knee-jerk ones from HN users that didn't need to read past "EU" to assume the worst possible misinterpretation.
I read the article, but it was quite ambiguous, at least to me. It isn't very well written / clear on what is actually going on.
I agree it's very ambiguous, but if you read the whole thing it's clear that when dev A releases code under an open source license and it's included in a commercial product by company B that then harms person C, the liability will be on company B. Most of the hot-under-the-collar responses here are assuming it will fall on dev A, which is a misinterpretation the article's author did not do much to discourage.
Actually, I may have missed buried lede in this case where there is no company B, and citizen C is harmed by dev A's github project.

That is actually kinda concerning, if my MIT license of "no guarantee" won't protect me.

Other commenters who got it:

https://news.ycombinator.com/item?id=38808821

https://news.ycombinator.com/item?id=38808756

That is concerning, but I think the author’s interpretation of the upcoming regulation may be wrong.

See here for example: https://www.euractiv.com/section/digital/news/eu-updates-pro...

Specifically: “The Directive will not apply to free and open-source software developed or supplied outside a commercial activity. The liability rules apply when the software is supplied in exchange for a price or personal data used for anything other than improving the software’s security or compatibility.”

IMHO the original article is either wrong or trying to spread FUD.

My take is, if this law passes, I’m an EU citizen, and I use your MIT software without paying you and without engaging with it through some service of yours (e.g. sevaghbook.com) then you’re not liable if I get damaged.

Why none of these articles (neither TFA nor the one you're linking) link to the actual directive is beyond me.

But here it is:

https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393...

> With the aim of not hampering innovation: (i) free and open-source software developed or supplied outside the course of commercial activity, as well as (ii) the source code of software, should be excluded from the definition of products covered under the proposal.

Thanks for linking to the actual directive!

In light of it, I think the article I found didn’t link to it out of sloppiness, because their summary seems reasonably accurate to me, and the fine article didn’t link to it because they want to spread FUD, as the text you quoted directly contradicts some of the fear mongering in the original article.

Still not clear for me. What about a company open sourcing some libraries used in its product. Will it be liable? Or would this be 'supplied outside the course of commercial activity'
Take OpenSSL. Their open source product would be free of liability. Their commercial support offering of that same product would not be.
Basically EU will treat open source devs as idiots by preventing them from making living off it. And you feel that's fine?
If open source devs make a living off it by charging users for money (or PII), the devs should be liable for the code they are selling. It does not matter if it is open source. Whoever makes a commercial offering based on that software must be liable.
I have no idea how you interpret it this way.

How does being liable for damages caused by software or services you sell equate to being an idiot? I just see it as the normal way to do business, and the reason why limited liability (the way I’ve been doing business for more than 2 decades) exists.

Example: I will make a library controlling some integrated circuit as open source and charge money for commercial use. My software has a little bug that occasionally causes misreading of the IC values. A military software company uses my open source library in their nuke platform. My library misreads values on one nuke that goes off. Are you telling me I am going to be liable for that? Let's say independent multi-pass root cause analysis pinpointed the problem to my library and only to my library.
My take would be that if the military company paid you for the commercial use right, then you have "sold" the software and yes you would be liable. If they used it in an open source compatible way (no actual license is stated), and did not pay you for it then no, you would not be liable.
So basically I have no say about how my library is going to be used once I sell a license to a company, and if its use by a 3rd party leads to e.g. a mass-casualty event due to a bug in my code, I am liable?
If you did not sell the library to the military software company then no, it’s them whom are liable (assuming they did sell their software, that uses your library, to whomever had the nuke that went off) and not you.

IANAL but it seems clear cut to me: if you asked for money in exchange for your software (or to access to your software through an API or similar), or if you asked for personal information (in exchange for your software) then you’re liable, otherwise, you’re not.

That completely ignores the second half of the article. I agree that it's confusing why the article goes into so much depth on "companies are now liable, similar to how everyone expects" in the first half when the main talking point is/should be "open source devs are now liable if consumers use their software directly" (as discussed in the second half).
Most commenters here only read the first half it seems, I expected more of the hn audience.
Yes, the author of the article is all over the place

>But what if you’re just part of a collaborative open source project, give away your app, or if there’s open source code in the product you put on the market? Who gets blamed when open source might be the heart of the problem?

Every other sentence is dripping in "sympathy for open-source creators", but buried in the subtext is "sympathy for the innocent commercial vendors who decided to rely on open-source projects."

>So, how is open-source software implicated? If a commercial software product causes harm, whoever put the software on the market will soon be strictly liable.

Good!

>You will need to prove that your code wasn’t to blame to escape the costs. But what if you’ve embedded open-source code, used open-source tools, or called open-source APIs? Under the pending rules, you’d be liable for any errors in those sources as well, regardless of whether you directly contributed or not.

Better! Now a big evil company _can't_ pass the buck to the unpaid hobby project creator!

So can we expect popular yet understaffed open source software -- like OpenSSL -- to get a lot of paid code review or patches?
expect new, certified companies with security and finance, to become the officially required caretakers along with many fees; expect new monetized systems to distribute security patches passed through new bureaucracies, with logging of the government ID of all recipients; expect the restriction of new security patches to authorized users only.
The end of that paragraph continues in the same line:

> Worse still, how will you in turn identify or sue the collaborator or collaboration that actually wrote the faulty open-source code to recoup your costs? In that case, the license you signed likely insulates your open-source partners from your claims.

I sincerely hope this will never become a possibility. The chilling effect would presumably be catastrophic for Free and Open Source software in the relevant legal jurisdiction. Why would anyone voluntarily release their code as FOSS if it opens them up to lawsuits?

Are we reading the same article? The final paragraph even says:

> My prediction, for what it’s worth, is that open source’s days outside academia and hobbyists are numbered.

The article literally ends in bold with "Someone, or some entity, will need to accept financial and legal responsibility for what the project does in consumer hands. No license can insulate them from that. " If people are having a fearful reaction to the article it's the authors fault.
i think the article is deliberately written to be confusing
Maybe, but maybe the legislation also is:

"What if an open source project is used directly by consumers, and causes them harm? The public policy is clear: they must be compensated. Does it matter if they signed a license or didn’t pay someone? Their business is bankrupt, their files are in a hacker’s hands, or their own customers are suing them. Someone should be strictly liable. But who?

The EU is grappling with that very question, and it culminates in whether “open source” is exempt from liability in a law designed to protect consumers. So far the answer is “probably not?” Exemption means consumers bear the cost – exactly what the law is trying to change. Perhaps if the open source in question remains an academic or research tool, versus reaching consumers, we’re okay? The proof may come when the first consumer demands compensation, and the courts step in. But lawmakers know enough to realize that much of the open source out there – by definition – belongs to no one, or many someones, or really nobody that can be named and made liable. So waiting on a court case might provide clarity but no compensation and no one to even argue the case. Not the clarity a law is designed to provide."

But I rather think that no, the law just talks about products where you pay money for. And when I pay money for something, I do expect liablity in some way and this is allright. But it is not allright to mix them both up for politicial support (or whatever the motivation here is).

> But I rather think that no, the law just talks about products where you pay money for.

Ianal but my intuition is that you're on point.

The CRA is not about liability or consumer compensation. The remedies for non-compliance are fines or removal of a product from the EU market. The forthcoming update of the Product Liability Directive, which will probably take a similar approach (exempting open source unless it is placed on the market, so as the article describes, developers of products that are placed on the market are responsible for the security of their products, including open source incorporated in said product) on the other hand is.

I only skimmed the OP and doubt it's intentionally confusing, but it is confusing because its prediction of doom is wacky. Manufacturers (eg developers of IoT devices, the insecurity of a major impetus for the legislation, apps, etc) will need to adopt modern development practices such as updating their dependencies when a vulnerability is known -- and that includes manufacturers that wrap a mostly open source codebase in a final product or monetise an open source codebase in various ways called out in the legislation.

Yes if a consumer is harmed by a completely open source thing not placed on the market, say something in Debian, they will not be able to sue the developers, and the developers aren't subject to fines etc under the CRA. That's the balance intended by the legislation (after lots of attempts to get it right), to not wreck incentives to develop open source, but to make product developers more responsible. In other words, the public policy is not exactly as you state it. :)

as i understand it, the problem with some of the previous drafts of the produt liability directive was that by making a commercial product open-source, you could become liable for how random people who weren't paying you used it

consider ghostscript, for example, which is open-source and a commercial product from artifex. the license terms are such that you generally only have to pay for it if you're embedding it in a printer, which many manufacturers do. but virtually every gnu/linux box has it installed without needing to pay for a license. suppose a security vulnerability in ghostscript (of which there have been a number) allows an attacker to own a million ubuntu machines and inject ransomware into thousands of companies in the eu who have no relationship with either the ubuntu company or with artifex

as i understand it, previous drafts of the product liability directive would have made artifex liable for damages in this situation, creating a strong incentive against making any commercial software open-source. do we know this cra avoids making artifex liable for fines? it seems that liability for fines would create the same kinds of incentives

has this been fixed?

as you likely know, i think a necessary and nearly sufficient step to solving the iot security problems is requiring the firmware to be open-source so that consumers can update it whether the manufacturer wants to or not

Wish I could say for certain, but we'd need the final texts of the CRA and PLD, and EU lawyers, to say for sure. This is the sort of situation that the general aim of the EU policymakers seems to be to avoid what they'd see as loopholes, where a business is avoiding responsibility simply by making a product open source, and avoiding destroying open source. It's plausible, perhaps likely, that open source ghostscript would be exempt, but the one there's a transaction for (clearly being placed on the market -- that, rather than "commercial product" is the key concept) would surely not be. The same vulnerability might impact both, but the developer may only be responsible for the latter. It's possible under the CRA artifex could be considered (very late addition) the steward of the open source version, which was intended largely to cover (give some responsibility to) foundations, but without any real penalties -- but, we'll see.

I'm not surprised that's what you think. I'm doubtful anywhere close to sufficient, as much as I'd like that to be true. The focus of the CRA is of course to make the manufacturer be responsible, including for providing security updates for as long as the product is expected to be used (5 years or more typically). There probably is a weak recital suggesting manufacturers might make source code available to other undertakings so that they might provide security updates after the original manufactuerer's support period, but no enforcement of this, and explicitly not requiring open source. Seems like a potential area for future regulation to improve upon.

thank you very much!
[flagged]
"What few people understand is that it is already the law that developers owe duties to their users that cannot be eliminated through communist licensing."

What law exactly?

I think that this part of it could break either way, but the concern is that when faced with a choice between being liable for their own code or being liable for open source code, most companies will choose to write their own code. If so, that would be a net harm to open source and user freedom. I'm not sure it'll happen, but it might.

The biggest issue I see with this law is around liability for open source projects that people are using directly. It'll be disastrous if all open source software ceases to exist or be available in Europe because volunteers face legal liability if their code has a bug. In theory this could even impact people outside of Europe if they don't prohibit access to their code by EU citizens.

I release a lot of code on github. Most of it is just random crap that I wrote to solve a specific need or to explore an idea, and I put it up under an open source license because why not? If it helps someone, that's great. Now I need to be concerned that the random "example-service" project I wrote in C and published a decade ago to go with a blog post I wrote will end up costing me all the money I have ever or will ever earn in my career.

>>> when faced with a choice between being liable for their own code or being liable for open source code, most companies will choose to write their own code.

Not even FAANG can achieve this for 1/10th of the code they rely on.

Hmm. They can probably find other companies willing to sell them support contracts, and take on that liability. Even for things that are open source. You're back to the old enterprise software model then, really, even if the code in question is "officially" open source. You won't be able to run versions that your supplier hasn't certified, and the rate of change will slow to a crawl.
> You won't be able to run versions that your supplier hasn't certified, and the rate of change will slow to a crawl.

Interesting times indeed. Though I think open source software generally is reliable enough that companies will simply continue business as usual and take on all the liability. They have enough deep pockets to pay compensation that one time something goes wrong, or at least that's my impression.

No, they can't. Paying for all code by paying employees or paying third parties is still paying for all code. That's not feasible. The EU regulators are simply nuts.
The hypothetical company that warranties log4js is selling many of those contracts, but only doing the authentication work once for each release.
A capitalistic corporation seem to be a terrible way to maintain software since the "means of production" is in the workers' heads. Especially with these new management fads punishing loyalty. The attrition just makes stuff collapse from unknown complexity.

It is not surprising that volunteer run projects kinda can keep up.

> >>> when faced with a choice between being liable for their own code or being liable for open source code, most companies will choose to write their own code.

All those coding jobs lost to AI will be regained when everything needs to be reinvented in-house.

Whenever there is some kind of innovation like AI that makes people think that their jobs will go away the easy response is that there will always be someone that can’t figure how to get it to work and skills just start to shift to that like prompt engineering or vector databases.
> most companies will choose to write their own code.

That might depend on the ubiquity of the OSS in question. If a company's option is to rely on a piece of open source software that has been used billions of times over without incident versus rolling their own solution that at best has only been tested in-house, could they say the latter is really the safer bet?

I'm not saying this will happen, just that it's the one of the concerns that people have. I can certainly see the argument that some companies will go this route. It might not be the most rational decision, but people aren't always rational. Having something in your control often _feels_ safer.
Well let's say an incident happens. A big one. Lots of egg on C-level face.

Would those execs rather . . .

a) publicly berate and fire the internal developer who created the problem

or

b) have to point out that the opaque series of tests internally just wasn't up to snuff and promise to improve them?

When the bug's in OSS and the company is held responsible, there is no option a.

Unless the OSS projects themselves are staffed up and able to provide legal responsibility, why use them?

I think I must be misunderstanding. The article makes it seem like the user of open source code is responsible for making sure it is suitable and they are liable for when it fails. Doesn't that mean that someone who merely releases code onto GitHub will, in fact, not be liable, since it is the user of said code that is liable?

As far as

> when faced with a choice between being liable for their own code or being liable for open source code, most companies will choose to write their own code. If so, that would be a net harm to open source and user freedom

goes, even if that is true (I'm not really convinced) it doesn't really matter. What matters is finding the correct answer to "who is responsible" to which the answer can't be "nobody". And if it can't be nobody, then it must be somebody. And if it must be somebody, it absolutely shouldn't be some random guy who never specifically signed off on your usage of their open source code.

There are two issues here. The first is when there's some product that's being sold. It could be directly, like selling someone software, or indirectly, like selling them a device that includes software. In that case, whoever sold the thing is responsible for all of the software.

I think that's more-or-less fine. There's a concern that companies don't want to be responsible for open source code, and will write everything in-house instead. I wouldn't be surprised if some companies do that, even if it's a bad idea. I don't know how common it'll be, but the worst case scenario is that it turns out to be bad for developers and for free software.

The second, murkier issue, is what happens when there is no selling involved at all. If I download a debian iso, or clone some random repository on github, then there has been concern that the author of that code will be financially liable for any errors in the software. That would be very, very bad. Early versions of the law seem to explicitly say that it would be the case. More recent versions seem like they might have an exception so long as there is absolutely no money changing hands. It's unclear what would happen in cases where open source software accepts donations. It could still end up being harmful to individual developers and to open source software in general. It's hard to say.

> the worst case scenario is that it turns out to be bad for developers and for free software.

Which would in turn be very bad for society.

To be clear I agree with this, I didn't intend to downplay the impact of that consequence. I think the continued existence of free software is both a practical and moral necessity.

What I was trying to communicate here is that I think meaningful negative impact to free software and to developers is a worst-case scenario and not the most likely scenario. It's plausible, and we should be concerned, but I think there's also a plausible outcome that is neutral or positive for free software if companies end up contributing more to free software as a way of ensuring they are meeting their obligations under the law.

Thanks for the clarification :)
I think this is roughly correct. There is already a trend in many companies toward actively eliminating or minimizing external open source dependencies in their code bases for supply chain reliability and security reasons. Adding significant new liabilities to the use of external open source dependencies will only encourage this trend.

At the very least, I think it will have a chilling effect on the production and use of open source.

Writing their own code is not mutually exclusive with open sourcing it. Arguably it might even be safer to open source it, since more eyes will be on the code looking for bugs.

Some of the biggest open source projects are owned by megacorps, like React (Facebook), TypeScript (Microsoft), and Tensorflow (Google). And it's clear from these examples that their stewardship has wrought benefits for both the company and the community. The company benefits from what would otherwise be their internal tooling becoming an industry standard - Facebook doesn't need to train React devs after hiring them. And the code is more robust as more people use it - Microsoft doesn't even need to use its latest TypeScript version, they can just wait for the community to test it for them...

Very bizarre, the implication is literally reversed in the analysis of the problem versus the actual problem.
(comment deleted)
> This seems to me like unequivocally a good thing for open-source devs.

I'm not certain the second order (or later) effects will necessarily be unequivocally good. Software supply chains are more like a double pendulum in that changes are probably chaotic enough to obscure their effects.

For example, my very first thought was that large businesses are generally risk adverse specifically in the realm of liability. Have you ever read a TOS? It feels to me the major elements of that interminable document are statements that limit liability. It is to the point of humor that we engage in the clicking through the "I accept" of a software license like some strange universal ritual. This is the realm we are dealing in here, deep and arcane. The ubiquitous TOS ritual should remind us all that software is beholden to forces outside of itself.

Companies go through insane effort to avoid legal liability. This law is going to change that calculus. If the cost of covering that change is high this could precipitate a change to closed-sourced alternatives that come with some delegation of liability. For the cynically minded, companies that offer equivalents to OSS that come with a liability waver might see an ascendance and potentially offer a good investment opportunity. Alternatively, repackaging existing OSS as a commercial product while only adding some legal liability as an add-on might become a viable business.

Those considerations challenge any argument towards unequivocally stating this is a good thing, even if there are definitely positive aspects to this change.

How in the world is this good for devs? It's terrible. Do you really think that "big corp" will not figure out how to pass the liability directly to the author?

What will happen the opensource world once you're held liable for some moron who uses some software I wrote for myself? or incorrectly uses it?

do you really believe the curl should be held liable because some POST failed and a user lost something over it?

what about my old backup scripts? I need to remove them from my repos?

I read the article twice, because the link title made me think that I as an open source contributor and publisher liable for complaints.

My reading of the text is that the one actually selling the software product is the one having to abide by this law. Am I incorrect?

How could this be negative? I presume that most publishers of open source software would prefer that some Silicon Valley Unicorn did _not_ half-heartedly integrate their library, causing security issues and tainting their library name?

Because lawyers and courts become involved. They don't understand software or anything related to it.
You failed to read and understand the article. Not only commercial vendors but also authors of open source software aimed at consumers , could be held liable. The courts would decide.

> "whether “open source” is exempt from liability in a law designed to protect consumers. So far the answer is “probably not?” Exemption means consumers bear the cost – exactly what the law is trying to change. Perhaps if the open source in question remains an academic or research tool, versus reaching consumers, we’re okay? The proof may come when the first consumer demands compensation, and the courts step in.

This is BS. I've talked employers into releasing all sorts of useful things under FOSS licenses over the years. The conversation has always been like "we have this handy thing, and it's not related to our core business at all, and there's no way it'd be a marketable product, but other people could probably use it, too." And the release process has always been like "here's a thing we made to solve a problem we had, and it works for us, and maybe other people could also use it."

In every case, we used those projects in production in our own shop. The tools worked for us. If they didn't, we kept tweaking until they did. They may not have been perfect in all possible scenarios, but they were useful for us.

And if my employers faced any liability problems whatsoever, they'd never have given me permission to release them.

Imagine suing Linus because Linux turns out to be vulnerable to an attack that hasn't been invented yet. The OpenBSD gang for finding and fixing a bug, even though it wasn't known to be exploitable, because it could have been. My boss because a little tool I wrote turned out to have a problem in an environment and use case we'd never imagined anyone using it in.

This is bullshit.

Update: A lot of readers have been quick to point out that the BS laws don't apply to all situations. That doesn't help the situation. "Hey, boss, can I give this tool I made away? If an ambulance chaser sues us for idiotic reasons, we'll probably be fine because the law doesn't cover how we're releasing it. Hey, come back here! Stop running!" I present as evidence jackasses like this: https://www.abc15.com/news/local-news/investigations/disbarr...

Yeah, I'm sure my employer would eventually win a frivolous lawsuit, but the mere possibility of that being an issue would be catastrophic to FOSS as we know it.

This adds no new liability for the employers you persuaded to release that code open source, only for others that choose to include it in their commercial products. Please attempt to understand things before calling them "bullshit".
That strikes me as an unrealistically naive interpretation of what could possibly go wrong. When there's blood in the water, sharks may not be choosy in whom they bite.

I understand this. My reading and understanding of the issue leads me to believe that it's potentially disastrous.

You should probably read the article, as it doesn't say anything about what you are talking about
There seems to be some confusion in the comments regarding what this means for people releasing open source software.

The article makes it clear that (as the author understands it, at least) someone who uses open source software in their commercial product is liable; the people who wrote the open source code [1] are not.

> If a user is harmed by software, the person they paid (targeted ads would count) must compensate them for the harm – unless the software provider can prove their software played no role in the ... harm. If open source resources are [used by] your code, you’re responsible for their performance too. *The open source resource licensed away their liability to you*.

(Emphasis mine)

[1] Assuming they used a license that limits liability, such as Apache.

The article says it is not clear who provides relief if the user directly uses open source with no middle man. That is the most concerning part for me.
If you use open source you are accepting the license that says that there is no liability. This is similar to going walking in a national park, there is no liability for an injury that you incur. This is very different from walking in a shopping mall. If you fall in a hole on a mountain this is your problem. If you fall in a hole in a mall it's the mall's problem.

The article is attempting to create a scare about things that have always been true. If a telco's services crash the telco has to compensate customers even if it was a postgres failure that caused it by failing to authorise handsets for a connection in a cell. For example.

The line is very unclear to me. What if that national park accepts donations/has entry fee expressly to maintain the trail, would that make them liable for accidents or not?

The telco has service agreement with customers and it's clear exactly what service it was supposed to do and failed. Where is such agreement for a random github repository? To put it a bit ad absurdum, say user supplies parameter to your math function so that it divides by zero and it results in some injury or loss. Who is liable for that? Shold judge try to parse some piece of code for whether it was reasonable for user to expect passing zero will work?

I don't understand your confusion.

If you sell a product e.g. a car and the brakes don't work you are liable

If you sell a product e.g. a medical software which calculates and runs your insulin pump and it responds to a division by zero error with injection 1000x the amount of insulin your are liable.

You don't have to focus on the how, only on if it was your product and was sold to a customer.

Who was at fault (product or customer) will be decided in a lawsuit.

If you don't sell anything then these laws don't apply to you, even if the article seems to be unclear about that.[1]

https://www.europarl.europa.eu/news/de/press-room/20231205IP...

Edit: Somebody linked the full EU briefing: https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393...

On Page 5 there is a passage about how free-of-charge open source software is excluded and also who is liable in a commercial activity:

With the aim of not hampering innovation: (i) free and open-source software developed or supplied outside the course of commercial activity, as well as (ii) the source code of software, should be excluded from the definition of products covered under the proposal.

As far as the broader scope of the proposal compared to the existing PLD on liable parties is concerned, Article 7 of the revised PLD lists the types of 'economic operators' which can be held liable for defective products, by introducing a layered approach to liability depending on the different qualification of the economic operator.

Among the list of economic operators are:

(i) the manufacturer of a product or component,

(ii) the provider of a related service, (iii) the authorised representative, (iv) the importer, and (v) the fulfilment service provider or the distributor. The manufacturer should be liable for damage caused by a defect in their product or components. An innovation introduced in the revised PLD is considering any economic operator who has substantially modified the product outside the control of the manufacturer liable for any defect. Such a party is then considered as a manufacturer.

When a manufacturer is established outside the EU, the revised PLD would further attribute liability for a defective product to the importer and the authorised representative in the EU. As a last resort, the fulfilment service provider (offering at least two of: warehousing, packaging, addressing and dispatching of a product, without having ownership of the product), will be held liable when the importer and authorised representative in the EU are based outside the EU.

Distributors of a defective product (offline and online sellers) can also be held liable upon request by a claimant and when the distributor fails to identify any of the above operators.

Online platforms should be liable in respect of a defective product on the same terms as such economic operators when performing the role of manufacturer, importer or distributor.

Neither article nor the PDF explains who is considered provider and who is not. Please point out where it says "only on if it was your product and was sold to a customer". I did not find it.

There's a reference to "Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008", which does not distinguish for-profit activity at all. Just "all poducts on market and all who manufacture and distribute shall conform".

From the linked pdf: 'In order not to stifle innovation, the rules will not apply to open-source software developed or supplied outside of a commercial activity'

(if you receive donations, it isn't commercial activity. If you display ads like Firefox or Brave, it is)

Sorry, at first I thought I couldn't reply to this comment.

I don't understand why you want to know what the provider is?

For the purpose of liability and open source the definition is that any open source free of charge software is excluded from the proposed changes, so the provider doesn't matter.

This can be seen in the first link,on the third headline bullet point "Not applicable to free-of-charge open-source software" as well as the second paragraph.

The provisional agreement on the liability of economic operators for damage caused by defective products aims to respond to the increase in online shopping (including from outside the EU) and the emergence of new technologies (such as AI) as well as to ensure the transition to a circular economic model. In order not to stifle innovation, the rules will not apply to open-source software developed or supplied outside of a commercial activity.

I also added the the briefing of the proposed EU law with the details

Thanks. Hopefully it will be accepted like this and binding. How do you not lose track in all these EU documents?
I don't :/ I searched for that document for about 10 minutes and then gave up and assumed that the EU press statement was accurate.

Then somebody linked it in a comment below and then it was fairly easy as I knew what to search for from the short description in the first link.

> If you use open source you are accepting the license that says that there is no liability.

The article directly contradicts this:

> What if an open source project is used directly by consumers, and causes them harm? The public policy is clear: they must be compensated. Does it matter if they signed a license or didn’t pay someone? Their business is bankrupt, their files are in a hacker’s hands, or their own customers are suing them. Someone should be strictly liable.

The article is wrong. It is only the case if the consumers are paying a commercial license or are monetized via ads or tracking.
> This is similar to going walking in a national park, there is no liability for an injury that you incur.

It's not exactly such way.

This is only case, if you are 21 or 25 years old (depend on country/state) and if you have insurance which cover this case, or if you have some juridical document for exactly this case.

For example if you toddler/teenager, NOT accompanied by an adult, will be responsible people, who have responsibility to restrict your appearance (entrance) in this park.

So in EU, usage of OSS or products with OSS dependencies, will be effectively prohibited for teenagers. This is not very large share of customers, but approximately 7% of EU residents.

"The article makes it clear that" - Sadly the article did NOT make this clear to me. I did finally pick up on it about halfway through, but until that point I was just as confused as everybody else. The title also doesn't help.

This is about liability for the organization that releases a product to be liable for it - all parts of it - regardless of whether some of those parts were developed by 3rd parties (e.g. Apache). But again, the headline and most of the article are not clear about this.

Can you comment on the part starting with

> What if an open source project is used directly by consumers, and causes them harm? The public policy is clear: they must be compensated.

It's expressly not clear what the implications here are, according to the article.

If the consumers don't pay for it (not under a commercial agreement with the OSS provider) and are not monetized (with tracking data or ads in the OSS), it's pretty clear the OSS provider isn't liable.
The article is written by the CEO of a big tech lobbying group[0] who is trying to spread FUD to prevent the changes to the EU’s PLD that would include software once the intended changes go into effect.

The part you quoted continues with:

> Their business is bankrupt, their files are in a hacker’s hands, or their own customers are suing them.

Those are not consumers. That's B2B and comes with significantly lesser protections (if any) in EU law due to the EU’s view of B2B relationships being less asymmetrical w/r/t power and businesses being better at assessing the risks.

The implications are clear because this is not some new thing the EU conjured out of thin air but rather an expansion of which products will fall under the PLD, so we know how this has shaken out historically.

The long and short of it is that with physical merchandise, manufacturers have long been liable if their products caused damage (e.g., batteries of electric scooters catching fire). Still, when it came to software, companies often just shrugged and said, “We provided it as is, so tough luck.” The EU now says that's simply not good enough, and software companies should be held to the same liability standards as merchandise manufacturers.

Software lobbyists, of course, don't like this, so to stop that, they've decided to spread FUD about FOSS.

That's it, that's the story.

0: https://www.bigtechwiki.com/index.php/Developers_Alliance

If you have any kind of Patreon, GitHub sponsorship, buy me a coffee, or anything to "support development" it would seem you have met the requirement of being a commercial developer who should be liable.
EU is really bent on destroying itself by any means. First AI regulation, now open source destruction, killing off any avenues for growth for the next century. It's already uncompetitive at both.
It may be difficult to understand, but maybe the EU has other things where they want to be competitive instead? Maybe, I don't know, quality of life...?

Please stop measuring the EU using US standards.

> Maybe, I don't know, quality of life...?

I’m very happy with my public healthcare. I think every American would be as well.

And not to mention that our kids don’t need to do active shooter drills in school.

Public healthcare? You mean the free healthcare for 1000EUR that single German freelancers have to pay monthly? For $1k you can get a US insurance for the whole family!
It’s tax funded, so you have a point. Still, it covers everyone so you never see anyone doing gofundmes just to stay alive.
Well, maybe try not to pay your health insurance as a freelancer and the insurance company promptly disowns you and you are at the same spot as uninsured US folks immediately. In Germany. Just because fees are hidden from you doesn't mean they aren't there and a failure to pay them results in similar consequences to US.
I wouldn't know, but I live in Ireland anyway, and while we have a two-tier system, we pay insurance only for the better hotel services in hospitals - things such as single-patient apartments.
Maybe ask yourself how is EU going to pay for all that if it misses on all trends in the industry and over-regulating anything that could be the next growth factor.
Doesn't seem to be working too bad so far.
I must be living in another world then. GDP of EU is stagnant since 2008 whereas US and Chinese GDP exploded during that time. Ultimately whoever has the most money is going to win so let's not try to redefine economical indicators and say that GDP is no longer relevant etc.
As a member of eastern EU block, I sometimes look at avg. salary in China (114029.00 CNY/Year per [tradingeconomics](https://tradingeconomics.com/china/wages)) and wonder when will they earn more (though the wages are basically incomparable due to different taxes). It won't take a long time.

15% inflation in 2022 was fun, 11% in 2023 even more fun.

AFAIK Chinese workers are already more expensive than eastern EU ones (but tight logistic integration makes the overall manufacturing cheaper) and so are Indian devs in India already more expensive than eastern EU devs. "Prosperity"
Japan's GDP has been stagnant since 1995.
> the EU is finalizing rules that will make open-source creators and licensees liable for any user harm their software might cause

Citation?

This nonsensical sentence is the heart of whats wrong with the article.

There is a tremendous difference between creator and licensee, and lumping them together shows either a fundamental misunderstanding or incentives so perverse they're blinding the author.

From what I understood, the liability would only touch the creator if they're providing a _service_ to the public, and wouldn't touch people who release code for others to use.

And looking at it like that, doesn't this make sense? Who would have ever expected the provider of a service would be free from liability they cause? Regardless of what tools they're using to provide it.

The article leans a bit towards a pessimistic tone imho, so here's another source: https://www-heise-de.translate.goog/news/EU-Regulierung-Ausn...

Apparently the current state of affairs is that open source (non-commercial!) devs and projects are safe. If you pack OSS as part of a commercial offering, you're on the hook for that as well (read: you're liable for the whole product you sell and can't put off some aspects to open source). So nothing to fear for us so far. Still in process though.

Hopefully this will change attitudes in application security. Developers often try to ignore vulnerabilities found in the libraries they used, coming from the POV of "well, that's not my code so it's not my fault" instead of "we chose that library so we're responsible for any vulnerabilities it creates for the company". If you're going to use FOSS and don't do anything to correct or mitigate the vulnerabilities in the part you choose to use, then it's your vulnerability. But they only see it from a POV of feeling blamed for something they didn't do as it's not their code and ignore the bigger picture of attackers not caring the slightest who introduced a vulnerability for them to exploit, they're just happy that it exists.
I have never ever met at dev with that attitude. I've seen managers trying to postpone fixes, because they naively thought there was little chance it would be discovered by hackers. A quick tour of Shodan, logs of SSH access attempts and access logs with the various script-kiddy attempts, usually convince that type of manager to prioritize hardening
That is already part of CRA:

> It is of particular importance for manufacturers to ensure that their products do not contain vulnerable components developed by third parties.

> Manufacturers shall, upon identifying a vulnerability in a component, including in an open source component, which is integrated in the product with digital elements, report the vulnerability to the person or entity maintaining the component.

EDIT: Also, I concur the poster below. It's developers who oppose against management to allocate time for bugs and technical debt instead of new features.

There is nothing preventing scammers from modifying the software once they receive it then saying it is faulty. Especially with web technologies but even with desktop applications too.
Ask scammers to demonstrate the fault using an unmodified copy downloaded from your downloads page. If the can not, no case.
Some bugs are one in a million and may not be easily reproduced. How would you prove it’s not one of those?
(comment deleted)
What specific scenario are you thinking of? Who is trying to prove what?
Anything? I tried to send money to someone but the button did not debounce the request and I ended up with more than one payment ?
Ah, OK, so the end user is trying to prove there is a hard-to-reproduce fault in the software. I do not know how this is being handled in practice, but I think it would be reasonable to require evidence.
I use an open source screen reader, NVDA.

It is completely open, and they produce an installer for people or you can build it yourself from Git.

Can you help me understand now, if there is a bug in NVDA (which is under the GPL) and it causes me trouble, say, it can't read a webpage that I need for some government thing, I could now sue my screen reader, which is actually just a bunch of dudes hacking something together? Is that the new behavior that is enabled by this upcoming law?

Next question, if this is the actual state of things, why would anyone ever make anything open source and allow it to be distributed in the EU now? It sounds like, and please please correct me if I am wrong, but it sounds like you could sue the makers of The Gimp, for instance, if a bug caused ... what, your pictures to come out looking wrong?

> Someone, or some entity, will need to accept financial and legal responsibility for what the project does in consumer hands.

Here's a crazy idea, maybe that person should be the consumer?

You can't.

Product liability excludes non commercial open source software, see:

https://www.europarl.europa.eu/news/de/press-room/20231205IP...

So basically open source devs can't make living off their work because some clueless EU regulator sees no other way? This is super heavy-handed and makes no sense outside ancient uncompetitive EU tech conglomerates trying to protect their turfs.
If the open source devs charge for their software, they should have the balls to accept the liability for whatever they are selling.
Really? Why? Just because somebody wants to regulate software? For what reason?
For the same reason literally every other industry does. You are forgetting that software is unique in not having these regulations. It’s not hard to figure out what life was like before these laws, and we don’t want history repeating itself on a platform that moves at light speed.
Why should a completely different industry be bent the same way legacy industry operates? Why does it have to be so? It makes little sense outside being "regulatory capture" of sorts for established players and a money maker for auditing companies.
Software is also unusual in being invented from scratch in living memory. Nobody knows how to do this flawlessly yet, and the few serious attempts (e.g., seL4) have taken stunning levels of time and effort.

In 1350, people were dying of the plague, and doctors didn’t know how to treat them. That sucks, but medicine wouldn’t exist if they couldn’t have kept trying and failing. That’s where we are.

Yes and in 1900-2000 pills and vaccines where killing people because the manufacturer either didn't follow any quality standards or didn't test it on pregnant women but still sold it to them.

That was the time the fda got far more rights to sanction and sue medical manufactures and I think we are in a better world for that.

The new law explicitly says what liability it wants to add:

* death or personal injury, including medically recognised psychological harm;

Whether software (including apps) was covered under the existing PLD has always been controversial.i For instance, there is controversy as to whether software should qualify as a product in the sense of the directive, ii or whether it is part of either the services or of the intangible goods category, iii which falls outside the scope of the existing PLD. iv

i) D. Wuyts, The product liability directive – more than two decades of defective products in Europe, 2014, and BEUC position paper on the Review of Product Liability Rules, 2017.

ii) See Article 2 of the existing PLD. A product has to be distinguished from a service and must be understood as 'all movables even if incorporated into another movable or into an immovable'.

iii) See pages 53-54 of the Commission staff working document on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products, 2018: 'The definition of "product" as per article 2 of the Directive is related to the concept of "movable". This has been interpreted as meaning that only tangible goods shall be considered products [...] the non-tangible nature of some new technological developments (software, applications, Internet of Things, Artificial Intelligence systems) makes it difficult to classify them as products rather than services'.

iv) K. Alheit, The applicability of the EU Product Liability Directive to software, 2001. EPRS | European Parliamentary Research Service 6

* property damage, while removing the threshold of €500 and the possibility for Member States to impose a financial ceiling of €70 million; and

* loss or corruption of data that is not used exclusively for professional purposes

You don't even have to do it flawless, you still have the same defences available as in other product liabilities:

* the defect did not exist when they placed the product on the market;

* or the state of technical knowledge at the time of placing the product on the market made it impossible to discover the defect (i.e., the 'development risk defence').

We all buy medical devices and the companies are fully liable for them and they contain software, so it is quite possible to build software without getting sued.

see:

https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393...

edit: formatting

> Really? Why? Just because somebody wants to regulate software? For what reason?

Because open source would then be used as a loop hole you can drive a A380 through. Say I say invent a "house hold chores" robot. The robot has a bug that kills you. But your family can't sue because they made the bulk of it's software open source, and say give it to you for free. You paid for the hardware.

Like having a Patreon or similar sponsorship? Sounds like a recipe for licenses that say "you are not permitted to use this software if a bug could cause you any harm"
Be liable doesn't only mean that if the software you sold *harm* people then they can sue you. It doesn't mean they can sue you for every little bug.

So yes if you sell software, whether it is open source or not, you better have the balls to be liable.

(comment deleted)
"Harm" can over time mean your software was used to view non-approved content etc. Slippery slope...
They said: "not apply to open-source software developed or supplied outside of a commercial activity".

As I understand, if you work making more than 90% of your income as gardener, but on free time develop OSS, you will guaranteed not liable.

But if you are professional software developer, and make for example 50% of your income from software, you will need some powerful proof, that OSS from case and made by you was not part of commercial activity.

> Here's a crazy idea, maybe that person should be the consumer?

OK, so let's say you bought a special computer monitor that had screen reading technology built in so it could read out or describe anything displayed on it regardless of operating system, even a raw video feed. And one day it catches fire and burns your house down.

Most people would think it was acceptable to sue the manufacturer of the hardware device. But if using NVDA somehow ended up making your laptop catch fire and your house burned down, in that case, oh well, it's just tough luck, caveat downloador etc?

What if it came out in discovery that the author was previously made aware via numerous emails that their application had a tendency to cause laptops to dangerously overheat, and they chose to disregard the problem? Is that still the consumer's financial and legal responsibility?

(Not saying there's any right answer, just wondering if I understand your position properly.)

EDIT: Just read other comments that clarified that OSS isn't subject to this new directive, so this a moot issue I suppose.

> Most people would think it was acceptable to sue the manufacturer of the hardware device.

Are you from the US? In New Zealand sueuing is mostly a foreign idea and very rarely occurs.

Occasionally criminally negligent behaviour gets spanked - but even there it's often an idiotic scapegoating farce (local examples: CTV building, fund fraud, Royal Commission of Inquiry into the terrorist attack on Christchurch masjidain).

One alternative system is government insurance against harm e.g. New Zealand has a no-fault ACC system for helping victims of industrial accidents.

OSS is infrastructure and trying to scapegoat an individual developer or company for unforeseen harm is insanity. Finger pointing and a culture of blame seem to be unproductive.

A good place to start thinking about policy would be to look at log4j. What policy would prevent that? Would a culture of victimising creators have prevented that vulnerability?

> sue the manufacturer of the hardware device [that starts a fire].

There's the implicit philosophy that we can use reductionism to find a cause.

Finding cause is getting more difficult as we complexify the world. Read reports on disasters, and then try to imagine how to prevent them? There's an almost Christian religious belief that penalising the person who makes a mistake will fix the system.

Cue blaming the pilot. We still often blame the pilot even after decades of work in aviation management to try and produce safety systems that try to apply a fix in the correct place.

> If a user is harmed by software, the person they paid (targeted ads would count) must compensate them for the harm – unless the software provider can prove their software played no role in the breach/loss/failure/psychological/physical/financial or other harm. If open source resources are in/called/touched your code, you’re responsible for their performance too. The open source resource licensed away their liability to you.

This, especially the last sentence, sounds like a good thing.

what's new here? A commercial entity selling a product that also embeds open source components is liable is that entity's product causes harm, even if the fault lies in bugs in the OSS code itself. is that new ? assuming their own license does not also indemnify them. The OSS code, at least if it's mine, has "THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND" right there in the license. What's the change?
The article says that someone is liable. So if a user directly uses open source would the open source maintainers be liable? Would it be the operating systems company for allowing the software to run? It’s very unclear.
Maybe the article but the EU explicitly says opensource free of charge software is fine.

https://www.europarl.europa.eu/news/de/press-room/20231205IP...

What if its free of charge but I'm rattling a tin can? Is that "thanks for making my life better free of charge, buy yourself a beer" or is it "here's a quarter in exchange for 100% insurance covering anything I use this free thing you made for"?
As far as I understood it it would be ok to have a option for donating.

But I have no real basis for that, I would assume that based kickstarter and co also getting money from consumers without having to abide by any consumer rights.

I assume that the option of donating while keeping the software available free of charge would fall under the same category as getting gifts from strangers

Contrary getting displaying ads directly in the app would fall under commercial activity because you force the user of the app to give you money(via an ad provider)

There's so many more things that are ambiguous.

If I give away the software but sell support, am I only liable to customers or to everyone? Similarly, if I let people opt in to commercialization of their data, am I liable to those that opt out? Does someone signing a terms of service qualify as commercial activity?

If I fork something and give it away can I sue the person I forked it from? If I tell people "YOU ARE NOT ALLOWED TO USE THIS BUT YOU CAN FORK IT" am I liable if they ignore me? Does a fork qualify as a new product or is the original author liable?

I don't think that is ambitious:

With the aim of not hampering innovation: (i) free and open-source software developed or supplied outside the course of commercial activity[1]

You are only in a commercial activity if you sell that product to that customer or you sold it to a distributor who then sold it to a customer.

E.g. if a customer doesn't buy from you he has no commercial activity with you so no liability.

I would argue that code is code and only becomes a non fungible product in the instance of selling it and only then the laws apply

[1]https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393... => page 5 under the light gray box

Edit: fixed italics

I know this legislation is in the EU, but in the US such a regulation seems to run up against the concept of free speech. What is the difference between these hypotheticals:

Case 1: I have a blog that takes a conspiracy-level, anti-tax position. In it, I say crazy things like, “The IRS is illegitimate and financial records are unnecessary.” From reading this, someone shreds all their financial documents. As far as I can tell, the blog is perfectly legal under the First Amendment.

Case 2: I am an open source maintainer of a home assistant program. It includes personal file management. Due to a bug in the software, an end-user’s financial documents are deleted.

The easiest distinction is that the conspiracy reader is taking an affirmative act of destroying their own documents. But, I think that’s less different than at first glance. The software user is setting up a computer system based on an open source program that may have bugs in it, and that causes a loss of data. The conspiracy reader is setting up a worldview based on information that may have bugs in it, and that causes a loss of data.

Why would the software bug be regulated, but the conspiracy falsehood not?

It's probably closer to releasing "open source blueprints" for a car (a steam engine is probably better) that explodes and kills it's occupants. Who is responsible for that? A better set of questions might be:

- Why does this person think they can release open source blueprints if they aren't qualified for what they design?

- Or, if a company used these blueprints to build a car, why didn't they do their due diligence?

It's something of a digression, but your understanding of Free Speech is incomplete.

>> As far as I can tell, the blog is perfectly legal under the First Amendment.

The blog is legal, but things can be legal and still have consequences.

Let's say you work at the office, and forget to lock up one night. Someone walks in and takes a laptop. -you- haven't committed a crime, but you'll likely lose your job.

Free Speech prevents the govt from locking you up based on what you say. (Unless what you say is a crime, like say inciting a riot.)

It does not provide you with the right to say whatever you like on a private (non govt) platform, nor does it absolve you from legal liability (consequences) of what you say.

The obvious example is "conspiracy to commit xxx" - sure all you did was -talk-, but Free Speech doesn't give you a pass for that.

So what happens in this situation:

I write open-source software, and make it available on GitHub, together with a nice installer. I deny any liability in my license, and the users are free to install it or not. They don't pay me in any way (not even in ads).

Am I liable according to new EU law?

No you are not liable. Liability is linked to a commercial activity because it is meant to protect consumers.

The article is very ambiguous in the way it describes the regulation. I recommended this one for more clarity : https://www.euractiv.com/section/digital/news/eu-updates-pro...

Would windows or whatever host operating system be liable potentially for the programs running on it even if they are open sourced programs?
I would think they would be *if* said program was included with the system, which makes sense. The manufacturer cannot be responsible for user-supplied programs, but they surely must know what they include with their system upon install.
This is great. Software is important, software has an impact, and so we need liability.

This regulation ensures that whoever sells the software to the consumer is responsible, and that's the way it should be. The creator of a library doesn't know how his library will be used in the wild, he can't anticipate all possible problems, the product maker can. It is the product maker's responsibility to integrate external components properly, having validated that they are up to standard.

If you're a manufacturer, you can't just pick components at random and then say it's not your fault if your product doesn't work. That's why manufacturers have whole teams of people working to ensure that what they receive from a supplier is up to spec.

please provide a link to all your software, so I can find bugs and then sue you for everything you have.
Please provide receipts or contracts showing you purchased said software from them, before you can sue.
https://daniel.haxx.se/blog/2023/11/26/you-have-hacked-into-...

He's got many other examples of emails he gets from people. They find his name or whatever in some apps attribution.

It doesn't matter if there's legal grounds or not. Someone and some lawyer will make your life hell. They don't understand software nor do they care. It will be horrifically stressful and potentially very expensive for someone.

Maybe it's better in the EU but the second the lawyers or the insurance companies get involved it will make everything awful.

You couldn't sue me for 2 reasons:

1 - This regulation only concerns commercial activity. So you could only sue the company I work for, and only if you've bought their products. Also by definition that excludes my personal projects.

2 - You can only sue for defects (in this legal context it means unsafe to use) or damage (physical or material). You can't sue for simple bugs.

These kinds of liabilities already exist for all the objects in your life and yet you don't spend your time suing people every time something does not work as expected I imagine

A law and regulation is written one way and interpreted a different way by the courts. In the USA it's all about case law.

Hypothetical:

I write a nifty alarm clock app. To cover some costs I charge a nominal fee. Some unknown condition occurs a user misses a flight and loses their job.

According to your position I should be sued.

Why should I be held liable?

Daniel Stenberg has a blog post somewhere about all the hate mail he gets over the fact that curl is bundled in some software. You don't think some litigious person won't attempt to go after him over it?

My family has personally impacted by a dumb lawyer trying to subpoena information incorrectly. Dealing with this was 7k in lawyer fees, covered by an insurance policy. Technically he could legally held for this terrible usage of the courts but it would have been an even bigger mess.

> A law and regulation is written one way and interpreted a different way by the courts. In the USA it's all about case law.

This is about the EU, not the US.

As someone who used to practice law in the EU before moving into software development, I can tell you that your hypothetical will never lead to a suit nor judgment in the EU, nor is your personal experience concerning a subpoena a thing that happens in the EU, if only because the concept of discovery doesn’t exist in civil law systems.

To put it differently and respectfully, you’re applying your knowledge of and experience with the US legal system to a completely different legal system that rarely produces outcomes similar to those in the US system.

Even the order of magnitude of judgments is leagues apart.

€1m judgments lead to coverage in legal outlets there if not regular mainstream media. In contrast, in the US, that money is thrown across the table to make an unviable but annoying class action disappear just because it’s cheaper than litigating it.

I’m bringing that up because, even in the unlikely instance of your hypothetical leading to a case that makes it to a hearing in the EU, the judgment against you will be close to, if not outright be, the nominal fee you charged the user (+ court fees) due to how the chain of causation works in the EU. The connection with losing your job is just too remote for any judge to consider liability.

Even if this would be about a car breaking down on the way to work, which already has strict liability under the current PLD, loss of job is just not going to be part of the equation, ever.

Fair enough w.r.t to how it works in the EU. I sort of knew that the legal system there was not as easy to bring suits etc.

As you said reaction is based on my personal experience in the US. However at times the US does pickup ideas and concepts from the EU, specifically California.

> and only if you've bought their products.

If that's true (I have no idea if it is or not) - I'd class it as a bug in the legalisation. Consider a router I've purchased. It has a bug that allows 1000's of them to be corralled into launching a DDOS against someone. The reality is I don't particular care that happened - it didn't effect me. But the person it did effect didn't buy it.

No, it is bad because it could also apply to open source software aimed at consumers, not only commercial vendors integrating OSS.

> whether “open source” is exempt from liability in a law designed to protect consumers. So far the answer is “probably not?” Exemption means consumers bear the cost – exactly what the law is trying to change. Perhaps if the open source in question remains an academic or research tool, versus reaching consumers, we’re okay? The proof may come when the first consumer demands compensation, and the courts step in.

The directive has not finished the legislative process yet so it's difficult to be exact but according to the briefing on the New Product Liability Directive redacted by the European Parliamentary Research Service

> In the aim of not hampering innovation: (i) free and open-source software developed or supplied outside the course of commercial activity, as well as (ii) the source code of software, should be excluded from the definition of products covered under the proposal.

https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393...

That's interesting. Where does Java script fall in this context, does it qualify as source code? I'm asking the EU lawmakers not you. I'm wondering how they would distinguish Java script source code and Java script product.
The article got me a bit worried about the idea of developing software out in the open, and the comments in this thread give me conflicting ideas.

If I make a public repository `ComputerCleaner` with a single file:

  #!/usr/bin/env bash

  # <imagine an MIT license here>

  rm -rf /

Should I soon expect to be defending legal threats from random strangers who ran this code only to gasp find that it deleted their files?
> Should I soon expect to be defending legal threats from random strangers who ran this code only to gasp find that it deleted their files?

Yes. The developers of software have a fiduciary duty to users of their software.

The UK court of appeals already determined that the MIT license does not eliminate these duties when it found the authors of Bitcoin Core liable for billions of pounds of damages to Satoshi Nakamoto when they failed to change the Bitcoin protocol to return the coins that hackers took from him.

If you don't want to get sued and end up homeless and bankrupt like those Bitcoin Core developers you need to learn to obey the law and act in the best interest of your user.

Would like to see some actual cases where this was an issue. If a plane goes down due to bugs in open source software, could Airbus just say it wasn't their fault? Can't imagine that. Or if you got hacked and customer's data exposed because of the log4j-bug, could you just say it was because of that library, case closed? That would be interesting to find out, but it sounds insane to me if you can just point at something that explicitly has no liability, that you chose to use in commercial software, and not be liable yourself.