Re: [open-regulatory-compliance] More edge cases

On 5 Jul 2024, at 01:00, Idelberger, Florian (IIWR) via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

> Afaik you cannot automatically assume „license is FOSS“ == no manufacturer. This is especially so as the legislators especially wanted to cover cases like Chromium and similar. So in the case where „BigCo“ employs all committers of a project and is using it in some commercial fashion - even for advertising, market capture or whatever, they would probably qualify as a manufacturer.

Secondly - I would also think it is fair to assume (and also to work into our suggested definitions) that the history of a foundation or a code base is not so much of interest.

It is whether a code base that is under a free and open source license is currently being well governed at a decent legal/control arm's length of a (an incestuous body of) company(ies). I.e. sufficient to say that these companies are basically placing (their) product on the market in all but name, yet skirt the CRA definition.

So I would expect

-	good governance - with things like conflicts of interest known for the officers

-	developers hailing from a sufficiently diverse body of companies, from disinterested companies or true volunteers

-	a well governed set of rules and processes that prevents a single, or a few barely competing, outside interests from swaying what the developers work on or cannot work on, e.g. through targeted donations.

-	a mature release process that requires multiple votes by the developers (as opposed to their companies) to approve a release; with sufficient diversity in those developers (e.g. not all working for the same company group)

and so on.

> Regarding the case where someone deploys a FOSS project for someone - maybe we can compare it to the case that was brought up where someone deploys a configured and/or customized FOSS product for a client. As a product doesn’t have to be publicly available on the market to qualify as being available on the market, it is likely that even if such a custom product is used by a client, it counts as being available on the market. Thus there would be an obligation to comply. And this could be similar to deployments of Tomcat for example - not if they are merely installed, but if they are modified in some way at least. (Would have to spend more work to provide citations, which I cannot do right now, so I hope it’s fine like this for now)

I would expect that we can find some sort of definition/description where we distinguish between a company consulting and installing/configuring or developing something (based on open source) under instructions from the customer, where the customer is largely on the hook for maintenance and stability - and able to steer/adjust and realistically have it modified if they wanted to; versus the case where a company basically sells something based on open source as a 'product' - with the customer not having such abilities.

So as to avoid a CRA-II going after the cases where a 'wget ... | sudo sh -' is used to skirt the CRA.

With kind regards,

Dw
