Who is responsible for bad code in free software? Is it about to change?
The Python Software Foundation has expressed "concern that proposed #EU #cybersecurity laws will leave #opensource organisations and individuals unfairly liable for distributing incorrect code".
Let's put the legal journey aside for a moment. The Python Software Foundation's concerns illuminate a conundrum in every innovative organisation. #Innovation and #cybersecurity pull in opposite directions unless they are considered purposefully together. We need both, without either getting in the other's way.
We'll have to see how amendments and legal interpretation play out. However, we all want the underlying open-source software to exhibit best practices in governance, which these foundations embody. Foundations require funding to exist, so it's natural for them to sell something (anything from the indirect, such as t-shirts, to the direct, such as training and certification, but never the software itself). Under the EU's proposed "Cyber Resilience Act" and "Product Liability Act", such foundations could be interpreted as software companies. Under that interpretation, the foundation, and possibly the individual contributor, would be as liable as an entity making commercial gains from the software. Yet that contributor made no financial gain from their contribution.
Let's assume it plays out this way. The long-term result would be the loss of the global innovation brought about by open source (which underpins nearly everything digital today). One possible remedy is to carve out an exception for such software and foundations. The concern then becomes ensuring that companies deploying open-source software remain appropriately liable. It's easy to imagine such an exception being exploited in ways that unfairly affect contributors or consumers. We'll have to watch this space.