The Python Software Foundation (PSF) is dissatisfied with the new EU legislation on cybersecurity. According to Deb Nicholson, head of the PSF, open-source developers could be held liable for code they have never earned anything from. Last year the EU drafted two laws, neither of which has yet been approved by the European Parliament and the European Commission. The Cyber Resilience Act makes software companies liable for any security weaknesses in their products, while the Product Liability Act ensures that updates which make an application unsafe can lead to claims for damages.
The PSF argues that the EU legislation is too broad, because it does not distinguish between large companies that sell software and open-source developers who have no financial purpose for their code. Many commercial products contain open-source code, some of it written in Python. Penalties can amount to 15 million euros or 2.5 percent of annual turnover, whichever is higher. The PSF believes that the real threat of such a penalty could weaken the open-source community, since it is impossible to predict what will be done with publicly available code.
Although the proposed EU legislation contains exceptions for open-source software, these do not provide complete certainty. The PSF is a non-profit organization, but it still offers coding classes and sells merchandise at conferences, which means the law would not protect it. Policy expert Bradley Kuhn of the Software Freedom Conservancy tells The Register that a trap is being laid: large companies could benefit from the very clauses that open-source developers are asking for. "A general exemption for open-source developers is an effort by companies to evade their responsibility." So the last word on this issue has not yet been said.