The EU Cyber Resilience Act will introduce new cybersecurity requirements for software released in the EU. Learn what it means for your open source projects and what GitHub is doing to ensure the law will be a net win for open source maintainers.
  • souperk@reddthat.com
    0·
    2 months ago

    I would really appreciate an ELI5, or some examples. For example, would lemmy be regulated by CRA? What about lemmy instances? Is there a difference if there is a fee or a recurrent donations?

    • Mora@pawb.social
      0·
      2 months ago

      First: IANAL, EU law is complicated. This is my understanding as of now:

      TL;DR: The EU Cyber Resilience Act (CRA) aims to enhance cybersecurity standards for products with digital elements. It introduces mandatory requirements for manufacturers and retailers to ensure cybersecurity throughout a product’s lifecycle. The CRA excludes open-source software developers unless their software is used commercially as part of a “product with digital elements”.

      would lemmy be regulated by CRA?

      Lemmy, as an open-source project, would likely not be directly regulated by the CRA. The Act specifically excludes open-source developers from its scope unless their software is used commercially.

      Whaz about lemmy instances?

      Lemmy instances might be regulated by the CRA if they are operated commercially as part of a “product with digital Elements”. (Is there a pay for access instance or hosting as a service for lemmy? I am not aware of one.) However, since most instances are run non-commercially or for personal use, they would likely fall outside the CRA’s scope.

      Is there a difference if there is a fee or a recurrent donations?

      Yes:

      • A fee is typically a mandatory payment for a service or product, e.g. a feature locked behind a paywall.
      • A recurring donation is a voluntary, regular contribution to support an organization or cause, often without receiving goods or services in return.

      The key distinction lies in the obligation attached to the payment. Fees come with an expectation of receiving something in return, while donations are given freely without such expectations.

      • vrighter@discuss.tchncs.de
        0·
        2 months ago

        so, if a company decides to, for example, start using some MIT licensed software, does that suddenly materialize extra responsibilities for that software’s dev?

        • souperk@reddthat.com
          0·
          2 months ago

          My understanding is that the company would be regulated by CRA and not the developer. However, that does not stop the company from pushing the developer for CRA compliance.

          • Rogue@feddit.uk
            0·
            2 months ago

            That’s actually pretty reasonable. I’d be happy to make my open source projects compliant for a company - but they can damn well pay me for the effort.

              • Rogue@feddit.uk
                0·
                2 months ago

                Indeed, that’s why I use the AGPL license. Corporations hate it because it forces them to give back.

                • logging_strict@lemmy.ml
                  0·
                  2 months ago

                  it's free as in go pound sand if you aren't going to fund maintainers

                  it doesn’t force them to do anything until devs refuse to work for any company that doesn’t.

                  i’m with you on agplv3+. The copyright recognition document comes before the resume.