Python head hisses at looming Euro cybersecurity rules
Red tape vague enough to land open source volunteers in hot water for iffy code
The Python Software Foundation (PSF) is concerned that proposed EU cybersecurity laws will leave open source organizations and individuals unfairly liable for distributing flawed code.
"If the proposed law is enforced as currently written, the authors of open-source components might bear legal and financial responsibility for the way their components are applied in someone else's commercial product," the PSF said in a statement shared on Tuesday by executive director Deb Nicholson.
"The existing language makes no differentiation between independent authors who have never been paid for the supply of software and corporate tech behemoths selling products in exchange for payments from end-users."
European lawmakers last year introduced two pieces of legislation to address software security and liability. And since then, the technical community has been voicing opposition to the broadly drafted rules.
The Cyber Resilience Act aims to promote the security of digital products by requiring product makers to review product security, implement vulnerability mitigation procedures, and disclose security information to customers. The public comment period closed in November and the public consultation period for the law concludes on May 25.
The maximum fines under the law can reach €15 million or up to 2.5 percent of annual turnover, whichever is greater. The CRA has yet to be adopted by the European Parliament and Council.
The Product Liability Act updates Europe's product liability rules by including, among other things, digital product changes arising from software updates. It allows consumers to seek damages if they are harmed by products made unsafe through software revisions.
The PSF and other organizations including the Eclipse Foundation and NLnet Labs, to name a few, are urging EU lawmakers to clarify the broad language in the proposed legislation so open source organizations and developers aren't held accountable for flaws in commercial products that incorporate their code.
"Under the current language, the PSF could potentially be financially liable for any product that includes Python code, while never having received any monetary gain from any of these products," the PSF said, adding such risk would make it impossible for the foundation to continue to provide Python and PyPI (the Python Package Index) in Europe.
The non-profit org, which oversees and champions the Python programming language globally, argues that holding open source developers liable for code contributions would discourage contributors to open source projects. It cites two particular passages as excessively broad.
The first is Article 16, which says "A natural or legal person, other than the manufacturer, the importer or the distributor, that carries out a substantial modification of the product with digital elements shall be considered a manufacturer for the purposes of this Regulation."
That definition could be interpreted to mean that anyone who made a substantive change to an open source project would be liable for the consequences of that change.
The second is a passage that exempts "free and open-source software developed or supplied outside the course of a commercial activity" but defines "commercial activity" as "providing a software platform through which the manufacturer monetizes other services" — a definition that could apply to organizations like PSF that offer any sort of paid products or services, like t-shirts, event tickets, or coding classes.
The PSF argues the EU lawmakers should provide clear exemptions for public software repositories that serve the public good and for organizations and developers hosting packages on public repositories.
"We need it to be crystal clear who is on the hook for both the assurances and the accountability that software consumers deserve," the PSF concludes.
The PSF is asking anyone who shares its concerns to convey that sentiment to an appropriate EU Member of Parliament by April 26, while amendments focused on protecting open source software are being considered.
Bradley Kuhn, policy fellow at the Software Freedom Conservancy, told The Register that the free and open source (FOSS) community should think carefully about the scope of the exemptions being sought.
"I'm worried that many in FOSS are falling into a trap that for-profit companies have been trying to lay for us on this issue," he said. "While it seems on the surface that a blanket exception for FOSS would be a good thing for FOSS, in fact, this is an attempt for companies to get the FOSS community to help them skirt their ordinary product liability. For-profit companies that deploy FOSS should have the same obligations for security and certainty for their users as proprietary software companies do."