The Cyber Resilience Act Threatens the Future of Open Source

Legal liability for failure to future-proof software?


You know, I’m a layman in this issue but I’ve worked around software long enough to think there’s a deep schism here that people are trying to reason out. Here’s my crackpot theory (one more for the internet, I suppose).

They’re trying to solve the age-old questions of “who’s to blame?” and “how do you hold them accountable?”.

This will fundamentally have a tension with open source software because OSS thrives on anonymous contribution. It seems to me that this legislation is targeting exactly what makes OSS so powerful to begin with. In a sense, I don’t think we can ever really have our cake and eat it too here.

Am I way off base in reading it this way? I’m genuinely not interested in being controversial but I’d like to understand this a bit better.


I think that in addition to those two age-old questions you mention, this is an attempt to implement the kind of dissuasive reasoning behind harsh criminal penalties like life imprisonment and the death penalty in the criminal justice system. Some have proposed that these harsh penalties will prevent future crimes by making would-be perpetrators think twice before acting. History has demonstrated this is not the case, as crime statistics remained pretty much the same. So the people proposing this legislation may be thinking along these same lines. If there’s legal liability for producing software prone to security vulnerabilities, software developers will think twice before producing flawed or buggy software. I don’t think so. What could happen is that software developers could choose to restrict access to their software in countries that implement this type of legislation, somewhat as is done with music and movies today. Imagine an option in GitHub that lets you select the countries that can access your repo; definitely not good for software in general and open source in particular.


I worry this is exactly what would happen.


I think there is a naivete in the general public about how software is made which manifests in lawmaking bodies due to their being pulled from the public. Worse, they are generally pulled from segments of the population which are less likely to have any enthusiasm for technology and artistic endeavors, older and highly privileged individuals. I doubt that most of them can conceive of software as anything other than a product, created by industry in order to be consumed by the public for the purpose of generating profit. They would likely be incredibly surprised to find out that there are people who tinker with computers for fun and give their work away for free. Somewhere from surprised to incredulous, really.

While I don’t want to see our “industry” (just a hobby for me) hobbled by crap legislation like this, I have little doubt that’s just what is eventually going to happen. Consider other technologies, such as radio and electronics. In the early to mid 1900s radio was, for a lot of people, a hobby that involved building your own equipment from discrete parts. My grandfather had his own ham shack, stuffed full of transmitting and receiving equipment which he had pieced together himself based on designs found in magazines and a lot of his own ingenuity. Not to diss today’s ham community, but almost nobody builds their own transmitter now. And while it’s technologically still possible to do, you would be crazy to try to sell anything you built in a shack behind your house due to liability concerns. Point of fact, if your homeowners insurance caught wind of your home-built equipment they could very well jack up your rates or drop you entirely. That little “UL” stamp that is required for a product to sit on store shelves involves enough expense to acquire for your product that the average person could never afford to do it. So, while Leo Fender was able to transition from a radio repair business to selling hand-wired guitar amplifiers and electric guitars and build an empire in 1950s California, there’s no way I could or would try to market my own hand-wired guitar amplifiers (another hobby of mine actually) due to liability. We’re expected to leave it to the experts. It will probably happen to software as well. We should fight it of course, but all of the same forces are at work.