<span style="font-family: Arial; font-size: 14px; line-height: 150%;"><div>On the CRA, Mike was gracious enough to note in his first blog post that, while Eclipse and a few other big shops might be able to metabolize the overhead of all the conformity/safety-testing-and-certifying that a regulatory regime might impose ... most FOSS shops could not. But as he also notes, this EU proposal probably comes from a place of good will: it's not a deliberate attack on noncommercial / indie code development. In case this didn't get mentioned in the thread, there's more of a discussion of this ongoing legislative issue in Open Forum Europe channels. <br></div><div>Jamie usually from OASIS but personal views only here.</div><br>On 2/23/2023 at 2:39 PM, "Mike Milinkovich" <mike.milinkovich@opensource.org> wrote:<blockquote style="border-left:solid 1px #ccc;margin-left:10px;padding-left:10px;"><div>
<div>
</div>
<div>
<div class="moz-cite-prefix">On 2023-02-20 1:36 p.m., Brian
Behlendorf wrote:<br>
</div>
<blockquote>On
Sat, 18 Feb 2023, Thorsten Glaser wrote:
<br>
<blockquote style="color:#007cff;">What is a CRA?
Assuming you don’t mean clan restoration act here…
<br>
</blockquote>
<br>
Cyber Resiliency Act, the prompt for this thread:
<br>
<br>
<a class="moz-txt-link-freetext" rel="noreferrer" target="_blank" href="https://eclipse-foundation.blog/2023/01/15/european-cyber-resiliency-act-potential-impact-on-the-eclipse-foundation/">https://eclipse-foundation.blog/2023/01/15/european-cyber-resiliency-act-potential-impact-on-the-eclipse-foundation/</a></blockquote>
<p>For those who are interested in this topic, I've written <a rel="noreferrer" target="_blank" href="https://eclipse-foundation.blog/2023/02/23/cyber-resilience-act-good-intentions-and-unintended-consequences/">a
second blog post</a>[1] on the unintended consequences of the
Cyber Resilience Act. <br>
</p>
<p>I have also recently come to realize that the CRA needs to be
understood as a companion piece to the <a rel="noreferrer" target="_blank" href="https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/739341/EPRS_BRI(2023)739341_EN.pdf">revised</a>
<a rel="noreferrer" target="_blank" href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022PC0495&from=EN">Product
Liability Directive</a>[2][3]. AIUI the CRA is the legislation
that makes the open source community <i>responsible </i>for the
CE Mark validation for all of its software, and it is the PLD that
makes the open source community <i>liable </i>for any defects. <br>
</p>
<p>I cannot stress enough how damaging these soon-to-be laws are to
the future viability of open source as we know it. <br>
</p>
<p>[1]
<a class="moz-txt-link-freetext" rel="noreferrer" target="_blank" href="https://eclipse-foundation.blog/2023/02/23/cyber-resilience-act-good-intentions-and-unintended-consequences/">https://eclipse-foundation.blog/2023/02/23/cyber-resilience-act-good-intentions-and-unintended-consequences/</a><br>
[2]
<a class="moz-txt-link-freetext" rel="noreferrer" target="_blank" href="https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/739341/EPRS_BRI(2023)739341_EN.pdf">https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/739341/EPRS_BRI(2023)739341_EN.pdf</a><br>
[3]
<a class="moz-txt-link-freetext" rel="noreferrer" target="_blank" href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022PC0495&from=EN">https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022PC0495&from=EN</a><br>
</p>
</div>
</div></blockquote></span>