The proposed EU Cyber Resilience Act could have adverse consequences for Python

Python

Python is a high-level interpreted programming language whose philosophy emphasizes the readability of its code.

Deb Nicholson, executive director of the Python Software Foundation, announced that the EU's proposed Cyber Resilience Act (CRA), launched last year, could cause problems that jeopardize the organization's mission and the reputation of the free software community.

The proposal's stated aim is to increase user trust in, and the attractiveness of, EU products containing digital elements while providing legal certainty.

For those unfamiliar with the Python Software Foundation (PSF): it is a non-profit, charitable organization whose mission is to promote, protect, and advance the Python programming language. The PSF facilitates technical discussions for the broader ecosystem and supports many educational opportunities for the global Python developer community.

The Python Software Foundation expresses concern that some wording of the currently proposed policy is "not clear enough for an ecosystem like Python's." As currently written, the Foundation could be held financially responsible for any product that includes Python code, even though it has never received any monetary profit from those products.

“The risk of huge potential costs in practice would prevent us from continuing to supply Python and PyPI to the European public.”

Deb Nicholson notes that "certainly everyone wants security, for consumers to have reasonable guarantees, and for the software industry to be accountable to its customers." However, it is essential that these guarantees are expected from the correct entity, and that the legal burden of any failure to report falls on the correct entity.

Many pieces of software that end up in commercial software or hardware products come from free, publicly available software repositories, such as PyPI, where no compensation is paid. Open source languages and repositories should not be repaid for the public services they provide for free with the continued risk of ruinous and costly legal action. The PSF should not be responsible for every app or device that contains Python code.

According to the PSF, assigning liability to every upstream developer would reduce security, not increase it. Leaving individual and/or under-resourced developers in a legally unclear position for contributing to public repositories like the Python Package Index would surely have a negative effect on them.

Only entities that sell enough software or software/hardware combinations to assume product liability could continue to operate openly. The user enhancements and shared security benefits of global software collaboration would only be available to developers working on behalf of a few large companies.

It is also noted that growth and innovation would be stifled, since the security of languages like Python depends on the continued availability of a neutral, non-commercial entity that can serve as a clearinghouse for new software, enhancements, and bug fixes that can be freely shared by the software community at large.

“PSF members and Python users in Europe can write to their MEP to raise concerns about the EU Cyber Resilience Act before April 26, as amendments are still being considered to protect public free software repositories.”

It is possible to designate an authorized representative: as a manufacturer, you can appoint an external representative to take over the management of the EU declaration of conformity and to act on your behalf for market surveillance purposes.

Finally, it is not too early to start planning accordingly, adapting your digital product strategy and choosing the right specialist partners, so as not to miss out on the opportunity to access the EU single market.

Separately, it is mentioned that while the Cyber Resilience Act supports the stated policy goals of increasing safety and accountability for European software consumers, the Python Software Foundation says it is concerned that overly broad policies could unintentionally harm the very users they are meant to protect.

“We think it's important to consider the role that vendor-agnostic nonprofits, especially public software repositories, play in modern software development.”

Many modern software publishers rely on open source software from public repositories without notifying the author, and certainly without entering into any commercial or contractual relationship with them. If the proposed law is applied as currently written, those authors could be held legally and financially responsible for how their components are used in a third party's commercial product.

According to the Python Software Foundation, the current text makes no distinction between independent authors who have never been paid to provide software and tech giants that sell products in exchange for payment from end users.

“We believe that the greatest responsibility must be carefully assigned to the entity that has entered into an agreement with the consumer. We join our European colleagues at the Eclipse Foundation and NLnet Labs in expressing our concerns about how these policies could affect global open source projects.”

“We do many other things in service of our charitable mission,” but there are two activities of the Python Software Foundation that could be affected:

“No one pays us for the software, either for the base language or for the packages that you can download from the repository that we maintain. At first glance, this might suggest that there is no money to be made from Python or Python packages. In fact, the opposite is true,” says the Python Software Foundation.

Finally, if you are interested in learning more, you can consult the details at the following link.


  1. Gregory ros said:

    That law makes no sense; I doubt they will apply it against Python. Besides, it would affect all programming languages, operating systems, etc. I think the law was put out to have an excuse when something bothers them and they want to get rid of it.