[OSGeo-Discuss] [Board] EU Cyber Resilience Act - potential impacts on open geospatial software?

Even Rouault even.rouault at spatialys.com
Fri Aug 18 12:08:52 PDT 2023 

Le 18/08/2023 à 20:50, Jody Garnett via Discuss a écrit :
> Thanks for setting that up, can we add it to the website ad an event 
> or news item? That way it can be shared on social media and email lists.
>
> The missing voice on this discussion (and osgeo in general) is the 
> small and medium business owners.
>
> A whole bunch of the concern is the impact on small and medium 
> business owners. We have not yet heard from our service providers and 
> sponsors on this subject.

I count as a small business owner, actually a one man company, and 
service provider and I'm indeed really concerned by the CRA.

Seeing obligations of reporting security events within a 24h delay makes 
me believe that I will have no right for any vacations.... The whole 
text seems to have being written with quite large software companies in 
mind with sufficiently big teams so they can organize on-call teams.

It is also completely inadequate to make a service provider responsible 
for the whole codebase: if I charge a customer for an enhancement in a 
part of the software, is it legitimate to make bear what happens in 
other places of the code base I may possibly not have written ? The text 
possibly doesn't imply this (but then it becomes fun to determine who is 
responsible to respond to a given security event), but such scenarios 
specific to open source decentralized model are not detailed, so we are 
in the legal uncertainty domain...

Also the obligations linked to the lifetime of a version are written 
with companies that have regular income from licensing fees and can 
actually take a part of them to organize security monitoring and 
response. Service providers don't necessarily have recurring income 
sources linked to a software, given that they charge for the labor (one 
time event) but not usage (long-term event).  What happens if I'm no 
longer involved with a software: am I still liable for what I wrote in 
the past, and people still use for free, but I should still bear the 
costs while no longer getting any related revenue ?

Even

-- 
http://www.spatialys.com
My software is free, but my time generally not.

More information about the Discuss mailing list