In a blog post by the Python Software Foundation, the group outlines concerns about the EU’s Cyber Resilience Act and Product Liability Act. Though they make clear that the foundation supports the stated goals of the policies, they worry about the effects of these proposals on the health of open-source communities. While acknowledging the need for increased security and accountability for European software consumers, the foundation worries about the broad nature of the policies.
But what are their concerns? Well, according to the post, it has to do with liability. As the Python Software Foundation states of the nature of open-source software, “Many modern software companies rely on open-source software from public repositories without notifying the author, and certainly without entering into any kind of commercial or contractual relationship with them.”
And that’s the meat of the matter. The proposals are quite general and could entangle open-source volunteers in legal disputes due to a large company’s use of the software. They go on to say, “If the proposed law is enforced as currently written, the authors of open-source components might bear legal and financial responsibility for the way their components are applied in someone else’s commercial product.”
This is because, under the current language as it stands, those who author components of open-source software could find themselves taking on legal and financial responsibility for how those components are used in a commercial product. There isn’t any differentiation between independent authors who aren’t paid for their work on the software and the corporate entities who use the software to sell services/products.
In short, this could have a chilling effect that adversely affects the dynamic nature of open-source projects. If programmers become concerned that they could become the target of a lawsuit or fines by a state actor, then the likelihood of people putting themselves at risk by putting in the effort to maintain and improve open-source code will of course drop.
It’s not only the Python Software Foundation that is concerned. Other organizations within the EU, such as NLnet Labs and the Eclipse Foundation, have also been vocal about their own concerns about these policies and their effects on global open-source projects.