In the dynamic sphere of open-source software and its community, the proposed Cyber Resilience Act (CRA) by the European Commission stands as a pivotal piece of legislation that could significantly influence the European digital market. To dissect the implications and shed light on this legislation, the Linux Professional Institute (LPI) recently convened a panel of experts for an online roundtable discussion.
The panel featured a diverse lineup:
Iván started the conversation by voicing his concerns about the CRA’s potential impact on developers like him, especially those involved in projects that may inadvertently find their work used in critical applications, such as border monitoring by Frontex. He humorously yet pointedly shared his “nightmare” scenario of being held liable for unforeseen uses of his software, encapsulating the apprehensions of many developers regarding the proposed act.
Moreno shared his trepidation about the liability that could fall on developers for code shared freely and in good faith, emphasizing the need for a balanced and fair approach in the CRA that would not stifle the open-source spirit.
Ingo, bringing his perspective as an organizer of large Linux events and a lobbyist for open-source software, described his involvement with the Open Source Business Alliance. He drew a distinction between developing software in the open and offering a product: open software development should be completely excluded from the CRA, and the party that puts the software on the market as a product should be the one who is liable.
Andrea approached the discussion with a legal lens, explaining the European Union’s trajectory toward enhancing digital product security through the CRA. He acknowledged the open-source community’s concerns and the recent amendments that sought to address them, signaling a shift toward a more inclusive approach to the legislation.
The conversation delved into the nitty-gritty of what defines a manufacturer and the scope of responsibility, a discussion that Andrea highlighted as crucial under the CRA. He suggested that future dialogues could further unpack the complex definition of the term “manufacturer” and its implications for developers.
Iván pointed out the philosophical dichotomy of software as intellectual versus physical property, challenging the panel and policymakers to consider the unique nature of software in the context of the CRA.
Elzbieta underscored the importance of community activism and the influence it can wield on legislative processes, as seen in past movements within the open-source realm.
Moreno reinforced the sentiment that developers should not bear undue liability for unforeseen uses of their open-source contributions, a stance that resonates with the wider community’s plea for fair and equitable treatment under the law.
Ingo, reflecting on the evolution of open-source development, argued for clear exemptions in the CRA for education and research, highlighting the need for legislation that understands and adapts to the multifaceted nature of open-source software.
The roundtable ended on a note of cautious optimism, with participants agreeing on the need for further discussions to ensure that the CRA aligns with the principles and practices of the open-source community. Andrea, with his legal expertise, and Iván, with his developer’s perspective, both agreed to rejoin the conversation in the future, demonstrating a collective commitment to shaping a law that fosters innovation while safeguarding the community’s ethos.
Published alongside the video recording, this blog post is a testament to the engaging and multifaceted dialogue that took place. The story of the Cyber Resilience Act is far from over: stay tuned on this page for information about the next episode of LPI’s CRA webinars.