Re: [open-regulatory-compliance] More edge cases

(reformatted in-line - to be able to have a structured conversation)

On 4 Jul 2024, at 13:50, Steve Millidge (Payara) <steve.millidge@xxxxxxxxxxx> wrote:
On 4 Jul 2024, at 13:30, Dirk-Willem van Gulik via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
 
So in the ASF we've been discussing edge cases. And I'd like to test one here. So would love your feedback/insights on below:
 
1)          Tomcat is open source software from the ASF 
 
              And the ASF is an open source steward that qualifies.

Is Q1 covered by recital 15? In which case they are an economic operator and subject to the CRA?

(15)  This Regulation applies to economic operators only in relation to products with digital elements made available on the market, hence supplied for distribution or use on the Union market in the course of a commercial activity. Supply in the course of a commercial activity might be characterised not only by charging a price for a product with digital elements, but also by charging a price for technical support services where this does not serve only the recuperation of actual costs, by an intention to monetise, for instance by providing a software platform through which the manufacturer monetises other services, by requiring as a condition for use the processing of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software, or by accepting donations exceeding the costs associated with the design, development and provision of a product with digital elements. Accepting donations without the intention of making a profit should not be considered to be a commercial activity.

That is indeed the first/default assumption I think. However this then gets refined in the next articles with:

(16) Products with digital elements provided as part of the delivery of a service for which a fee is charged solely to recover the actual costs directly related to the operation of that service ... should not be considered as being made available on the market within the meaning of this Regulation.

Which is not applicable here - as there is no fee. But I would argue that Tomcat from the ASF under the industry standard Apache license (that is almost synonymous with an open source license) qualifies for 17 and 18:

(17)   Software and data that are openly shared and where users can freely access, use, modify and redistribute them or modified versions thereof, can contribute to research and innovation in the market. To foster the development and deployment of free and open-source software, in particular by microenterprises and small and medium-sized enterprises, including start-ups, individuals, not-for-profit organisations, and academic research organisations, the application of this Regulation to products with digital elements qualifying as free and open-source software supplied for distribution or use in the course of a commercial activity should take into account the nature of the different development models of software distributed and developed under free and open-source software licences.

And a definition of open source:

(18)   Free and open-source software is understood as software the source code of which is openly shared and the licensing of which provides for all rights to make it freely accessible, usable, modifiable and redistributable. Free and open-source software is developed, maintained and distributed openly, including via online platforms. In relation to economic operators that fall within the scope of this Regulation, only free and open-source software made available on the market, and therefore supplied for distribution or use in the course of a commercial activity, should fall within the scope of this Regulation. The mere circumstances under which the product with digital elements has been developed, or how the development has been financed, should therefore not be taken into account when determining the commercial or non-commercial nature of that activity. More specifically, for the purposes of this Regulation and in relation to the economic operators that fall within its scope, to ensure that there is a clear distinction between the development and supply phases, the provision of products with digital elements qualifying as free and open-source software that are not monetised by their manufacturers should not be considered a commercial activity. Furthermore, the supply of products with digital elements qualifying as free and open-source software components intended for integration by other manufacturers into their own products with digital elements should only be considered as making available on the market if the component is monetised by its original manufacturer. For instance, the mere fact that an open-source software product with digital elements receives financial support from manufacturers or that manufacturers contribute to the development of such a product should not in itself determine that the activity is of commercial nature. 
In addition, the mere presence of regular releases should not in itself lead to the conclusion that a product with digital elements is supplied in the course of a commercial activity. Finally, for the purposes of this Regulation, the development of products with digital elements qualifying as free and open-source software by not-for-profit organisations should not be considered to be a commercial activity provided that the organisation is set up in such a way that ensures that all earnings after costs are used to achieve not-for-profit objectives. This Regulation does not apply to natural or legal persons who contribute with source code to products with digital elements qualifying as free and open-source software that are not under their responsibility.


We then have:

(19)   Taking into account the importance for cybersecurity of many products with digital elements qualifying as free and open-source software that are published, but not made available on the market within the meaning of this Regulation, legal persons who provide support on a sustained basis for the development of such products which are intended for commercial activities, and who play a main role in ensuring the viability of those products (open-source software stewards), should be subject to a light-touch and tailor-made regulatory regime. Open-source software stewards include certain foundations as well as entities that develop and publish free and open-source software in a business context, such as not-for-profit entities developing free and open-source software in a business context. The regulatory regime should take account of their specific nature and compatibility with the type of obligations imposed. It should only cover products with digital elements qualifying as free and open-source software that are ultimately intended for commercial activities, such as for integration into commercial services or into monetised products with digital elements. 

I think that provided the ASF meets all the obligations of Article 24 -- we are subject to the CRA - but are not placing something on the market (at that point) as the Apache Software Foundation?
 
2)          BigCo sells support for Tomcat. Their customers obtain Tomcat direct from the ASF and then BigCo helps them install and configure.
 
              BigCo does not contribute to the Tomcat community at all.
 
Q1. Is BigCo subject to the CRA?
 
I guess the fair starting position here is that IF the customer ‘honestly’ obtains it from the open source steward. And that this is an informed, intentional action where they have the know-how to understand what they are doing (why: EU law is much more about intent than letter/loopholes).
 
In which case BigCo is not placing Tomcat on the market. And, for Tomcat, escapes the CRA.
 
There is probably going to be case law for situations where its install and configure is so much manifesting a ‘product with digital elements’ into being that that gets seen as placing it on the market.
 
I.e. where the Customer cannot reasonably be seen as the entity fetching Tomcat. 
 
I.e. there will be some legal test that "BigCo is not essential to Customer using Tomcat". And if it is - then the CRA starts to fall on BigCo.
 
3)          After installing it - BigCo operates Tomcat for Customer.


Once BigCo _operates_ Tomcat - other aspects (delivering a service with digital elements) start to kick in.  So let’s assume it does not operate it - only does some L2 and L3 support.

And within that constraint - all this dodges the CRA if Tomcat came from an Open Source Steward.

4)          If BigCo opens bug reports against Tomcat on behalf of their customers does that change the answers to Q1 & Q2? 


My take - No - BigCo is still not placing a product with digital elements on the market.

5)          If BigCo provides patches with some of those bug reports does that change the answers to Q1 & Q2? 
 
and
 
6)          If BigCo employs one or more committers of the Tomcat project and allows them to work on Tomcat tasks as part of their employment does that change the answers to Q1 & Q2?

So the intention of the whole brouhaha & why the CRA was in earlier versions so deadly was that in this case BigCo ended up on the hook for not just its own customers; but for any downstream of the Tomcat it indirectly ever contributed to. This issue / chain was broken by the open source steward concept.

So my answer here would be - no BigCo is not on the hook.

With one caveat — if it provides those patches directly (or more timely / ahead of integration by Tomcat) to the customer or is essentially marketing these by itself. E.g. an early access programme, etc.

As then it starts to place (part of) a product with digital elements on the market. And thus is on the hook.

There are quite a few companies doing that sort of preferential / paying-customers-first / freeloaders later thing.
 
6-variant)        If BigCo employs one or more committers of the Tomcat project and INSTRUCTS them to work on Tomcat tasks as part of their employment does that change the answers to Q1 & Q2?
 
Not sure here (at the ASF - we have no relations with companies and everyone is volunteering on a personal basis). Would love to hear people's thoughts.
 
7) If BigCo employs a lot of the committers of the Tomcat project and allows them to work on Tomcat tasks as part of their employment does that change the answers to Q1 & Q2?


So if we assume that the Open Source Steward of Tomcat has solid governance & can demonstrate that it has processes in place to prevent BigCo from running the show (i.e. sufficient committer diversity, not too many from one company, sensible release votes, PMC +1 votes for release must be multi-employer and all the usual good stuff, etc) - then no - not on the hook.

But the moment BigCo is trying to game the system (even if it can be shown to fail) - yes - fully on the hook.  My take is that this is intentional - and that the CRA was written with a fair bit of distrust and (over) sensitive to ‘commercial open source’ bypasses/loops. And even more distrust of BigCo.

So BigCo better be at legal/etc arm's length from the open source foundations too. I.e. there is some sort of governance expectation that ensures that BigCo's money cannot meaningfully influence what developers do or work on at that open source steward.

8) If BigCo employs ALL of the committers of the Tomcat project and allows them to work on Tomcat tasks as part of their employment does that change the answers to Q1 & Q2?
 
Yes - they are now under the CRA - as Tomcat clearly is no longer an open source steward - but a (joint venture / extension of a commercial activity).
 
7) If BigCo produces "BigCo Web Server for Java that is based on Apache Tomcat" then clearly they will be subject to the CRA for that product.
 
Fully under the CRA.
 
Would love to hear where this goes wrong / your reasoning / my mistakes!
 
With kind regards,
 
Dw.