|Python Software Foundation Raises EU Open Source Concerns|
|Written by Kay Ewbank|
|Tuesday, 18 April 2023|
The Python Software Foundation (PSF) is concerned about plans by the European Union (EU) regarding distributing open source software.
The PSF is a non-profit with the mission of fostering the development of both the Python language and the Python community. It is responsible for the core Python distribution, for PyPI (the Python Package Index) and for organizing PyCon.
The concerns relate to the EU's proposed Cyber Resilience Act (CRA) and Product Liability Act. The Product Liability Directive provides consumers with the ability to seek damages for defective products. It was adopted in 1985. The CRA is currently being reviewed and is yet to be adopted; the public consultation period ends on May 25. Under the CRA, producers of digital products will be required to improve the security of their products; set up a cybersecurity framework; mitigate security vulnerabilities; and disclose security problems to customers.
Organizations breaching the terms could be fined up to €15 million or 2.5 percent of annual turnover, whichever is greater.
The PSF says that the two acts:
"put the mission of our organization and the health of the open-source software community at risk."
The blog post says that while the goals of the two acts are fine, the PSF feels the EU hasn't taken enough consideration of the role vendor-neutral nonprofit organizations—especially public software repositories—play in the modern development of software.
"Many modern software companies rely on open-source software from public repositories without notifying the author, and certainly without entering into any kind of commercial or contractual relationship with them. If the proposed law is enforced as currently written, the authors of open-source components might bear legal and financial responsibility for the way their components are applied in someone else's commercial product."
The problem, according to the PSF, is that at the moment the language of the acts doesn't differentiate between independent authors who have never been paid for the supply of software and large corporate tech organizations selling products in exchange for payments from end-users.
"We believe that increased liability should be carefully assigned to the entity that has entered into an agreement with the consumer. We join our European open source colleagues at the Eclipse Foundation and NLnet Labs in voicing our concerns over how these policies could affect global open source projects."
As the blog post points out, nobody pays the PSF for software, either for the core language or for any of the packages that can be downloaded from the repository. Yet many organizations build things with Python, analyze data with Python or create AI models with Python, whether at commercial companies, academic institutions or government agencies, where the people doing that work are paid for it.
The PSF says that any policy that does not provide clear carve-outs for repositories offered for the public good will do irreparable harm to individuals' access to the tools of modern software development.
"Under the current language, the PSF could potentially be financially liable for any product that includes Python code, while never having received any monetary gain from any of these products. The risk of huge potential costs would make it impossible in practice for us to continue to provide Python and PyPI to the European public."
The PSF concludes that its members and Python users in Europe may wish to write to their MEP voicing their concerns about the proposed CRA before April 26th, while amendments that would protect public open source repositories are still being considered.
|Last Updated ( Tuesday, 18 April 2023 )|