Python Software Foundation Warns That EU Law Could Harm the Health of the Open Source Community

The Python Software Foundation (PSF) warns that the EU's Cyber Resilience Act and Product Liability Act could endanger the health of the open source community.

Python Software Foundation News: The EU's Proposed CRA Law May Have Unintended Consequences for the Python Ecosystem

https://pyfound.blogspot.com/2023/04/the-eus-proposed-cra-law-may-have.html

Python foundation slams pending EU cyber security rules • The Register

https://www.theregister.com/2023/04/12/python_management_eu/

While the PSF supports the goal of the two pieces of EU legislation, increasing security and accountability for software consumers, it believes that overly broad policies may unintentionally harm the very users they seek to protect, and says it is worried about the harm that could result.

Many modern software companies rely on open source software from public repositories without notifying the authors and without entering into any commercial or contractual relationship with them. According to the PSF, if the law is enacted without modification, component authors could become legally and financially liable whenever their open source components are used in a commercial product.

For example, the PSF hosts the core Python programming language, its standard library and its interpreter, and makes them available free of charge to anyone who wants to use them, at more than 300 million downloads per day. It also hosts the Python Package Index (PyPI), a vast library of software packages written by thousands of different organizations and individuals, all of which are freely available. PyPI is critical infrastructure for the entire ecosystem, relied on by thousands of individuals and businesses, with an average of 10 billion package downloads per month.

However, the PSF receives no money from any of the packages downloaded from the repositories it controls. At first glance it may not look as though anyone is making money off Python or Python packages, but in fact a significant portion of the profitable technology industry depends on Python: YouTube, Instagram, Spotify and others are all built with Python code.

Both the Cyber Resilience Act and the Product Liability Act contain wording to the effect that "a person or company that makes significant changes to a product is considered a manufacturer". The PSF points out that, if this stands, it could be interpreted to mean that anyone who contributes a substantial change to an open source project is liable for the consequences of that change. In addition, the definition of "commercial activity" as including "providing a software platform for manufacturers to monetize other services" would cover the sale of all kinds of paid products and services, such as t-shirts, event tickets and coding classes, so the law would also apply to organizations like the PSF.

In this regard, the PSF argues that legislators such as the EU should provide clear exemptions for public software repositories that serve the public interest, and for the organizations and developers that host packages in those public repositories.

Bradley Kuhn, policy fellow at the Software Freedom Conservancy, told the news site The Register: "The free and open source (FOSS) community should think carefully about the scope of the exemptions being sought. I am concerned that FOSS people are falling into the trap that commercial companies are trying to set on this issue: blanket exceptions for FOSS seem like a good thing on the surface, but in reality this is an attempt by companies to use the FOSS community to avoid the usual product liability. Commercial companies deploying FOSS should have the same duty of security and certainty to their users as proprietary software companies do."

Posted in Note by logc_nt