[OSGeo-Discuss] [Board] EU Cyber Resilience Act - potential impacts on open geospatial software?

Jody Garnett jody.garnett at gmail.com
Fri Aug 18 16:07:06 PDT 2023


Even:

Thank you very much for responding - I want to make the case that you are
not alone (and will get vacations), even with regulations …

If you are charging for an enhancement, it is development work, one and
done. It is probably in your contract to meet the requirements (docs and
QA) to get the change into the open source codebase.

If you wish to offer (or if the customer requires) support for a period of
time they can negotiate that with you.

However, you do not have to be the distributor - the customer self-serves
from the open-source distribution. In this case the project - specifically
the steering committee (acting on behalf of OSGeo) - is on the hook for a
lot of these regulatory requirements.

This could be good for OSGeo (for this specific case) in terms of
encouraging code contributions (rather than forks and customizations).
OSGeo as a software foundation should be able to shelter small and medium
businesses (perhaps negotiating some participation to make the story work).

Jody

On Fri, Aug 18, 2023 at 12:09 PM Even Rouault via Discuss <
discuss at lists.osgeo.org> wrote:

>
> On 18/08/2023 at 20:50, Jody Garnett via Discuss wrote:
> > Thanks for setting that up, can we add it to the website as an event
> > or news item? That way it can be shared on social media and email lists.
> >
> > The missing voice in this discussion (and OSGeo in general) is the
> > small and medium business owners.
> >
> > A whole bunch of the concern is the impact on small and medium
> > business owners. We have not yet heard from our service providers and
> > sponsors on this subject.
>
> I count as a small business owner, actually a one man company, and
> service provider and I'm indeed really concerned by the CRA.
>
> Seeing obligations of reporting security events within a 24h delay makes
> me believe that I will have no right to any vacations.... The whole
> text seems to have been written with quite large software companies in
> mind, with sufficiently big teams so they can organize on-call teams.
>
> It is also completely inadequate to make a service provider responsible
> for the whole codebase: if I charge a customer for an enhancement in a
> part of the software, is it legitimate to make me bear what happens in
> other places of the code base I may possibly not have written? The text
> possibly doesn't imply this (but then it becomes fun to determine who is
> responsible for responding to a given security event), but such scenarios
> specific to the open source decentralized model are not detailed, so we are
> in the legal uncertainty domain...
>
> Also the obligations linked to the lifetime of a version are written
> with companies in mind that have regular income from licensing fees and
> can actually take a part of it to organize security monitoring and
> response. Service providers don't necessarily have recurring income
> sources linked to a software, given that they charge for the labor (one
> time event) but not usage (long-term event). What happens if I'm no
> longer involved with a software: am I still liable for what I wrote in
> the past, and people still use for free, but I should still bear the
> costs while no longer getting any related revenue?
>
> Even
>
> --
> http://www.spatialys.com
> My software is free, but my time generally not.
>
--
Jody Garnett