Software engineering takes surprisingly little responsibility compared to other engineering disciplines. This seems like a good development to me.
Of course you can't expect someone who just put something online as a hobby project to take much responsibility. But to ask some basic security/reliability from companies, foundations etc... Shouldn't that just be normal?
The overloaded "software engineering" label can also refer to formal software engineering centered around examples of DO-178C for aviation software, IEC 61508 for railway software, ISO 26262 for road vehicle software, EAL5+ for cybersecurity related software, etc. It's somewhat unfortunate the label is also applied to CRUD websites and mobile applications, even there there is a world of difference in the various levels of formal engineering applied.
It's somewhat unfortunate the label is also applied to CRUD websites and mobile applications,
These websites and applications can still have vast security implications depending on what kind of data is being collected.
The advertising industry has done security a huge disfavor by collecting every bit of data they can about everyones actions all the time. Adding some ad library to your website or app now could turn it into a full time tracking device. And phone manufactures like Google don't want this to change as the more information they get, the more ads they can stuff in your face.
To give an example from my software at work, structural engineering:
You make a 3D-model (BIM, Building Information Model) of the steel skeleton of some project. The software can than generate 2D drawings, the blueprints. All beams, colums etc should be labeled in the drawing with the steel profile and quality (if non-standard).
However the software has a terrible label placement algorithm that happily switches around the labels of adjacent elements. And it does so without notice after some changes to the model. That is behavior that can lead to pretty dangerous mistakes.
The reply of the software company: you have to check it anyway. That is why you get paid, right?
"As long as a project is not organized as a legal or commercial entity, the CRA requires only a basic "readme" with a security contact."
I share code for the good of the industry and society. A lot of what developers do, is solving problems, and the solutions can often be time consuming and difficult to find. So there is a lot of value in Open Source.
What I will not do, is accept personal liability in any way for those solutions I share. Then it becomes a professional partnership, and I will expect a contract and compensation.
CRA has a simple effect for me, I will no longer share code. I have deleted my github account because of this trend to "know your developer", and as a small stand agAInst our rush towards AGI. I wonder where the liability lies for all this AI/LLM regurgitated copyrighted code?
sure, I have no control if the software is monetized or not. And this is still a fundamental change in how open source works. A name behind every line of code.
The one selling it is the one that has the obligations. If a company grabs open-source code from you and sells it (e.g. as part of a bigger product) to someone else, they have to assume liability towards their customer, you don't have to be involved at all if you don't want to. That's the good thing about the carve-outs established, it's not your problem if you are just publishing your code for fun, the ball is entirely in the court of people that want to profit from it.
Greg K-H's explanation (as paraphrased by the journalist) confirms that, for example, receiving payment for an article which is accompanied by a software example would not trigger the requirements that come with monetization. Here's the exact quote - look at the "even when" part:
"There is no legal risk for individual contributors simply sharing code online or in publications, even when they receive payment for writing an article, as long as the software itself is not monetized or organized."
So, maybe EU developers would have to learn the safe wording through which to solicit and accept donations, but at the very least, donations supporting their software activities in general (and not tied to a specific software program) will likely not increase CRA requirements - and maybe even voluntary donations to support development of a specific software program but which are not in any way mandatory.
If you allow yourself to make money from the code, you're accepting liability for it. If you choose not to accept money in exchange for it, you don't have to accept liability.
This seems fair to me - the law doesn't let you both "sell" it (however low the minimum price is) and refuse to give any rights to the people who gave you money.
The big problem is reward risk. Risk is 15,000,000 euros. Reward is peanuts.
In the past we could choose to work for peanuts with low risk. Now we can't. We have to work for nothing or work for a lot to have a chance of covering compliance.
The GDPR carries a fine risk of up to 20 million, but usually the fines are a few hundred/thousand euros depending on the entity. Think "300 euro fine to a driving school" rather than "300 million euro fine to Google".
And even then, you have to be unlucky enough to actually get caught and investigated by market surveillance authorities. I think you're going to be more likely to get caught up in income/donation/gift tax bracket fraud investigation than to ever feel the impact of the CRA as a hobby open source dev.
It would be foolish to ignore the risk, however, especially if you work on something potentially controversial, such as encryption, privacy tools, or any software that may have uses that the EU frowns upon. I strongly suspect that this will eventually be used as a cudgel against disfavored projects/devs to compel project changes or even kill the project outright (or force it to move overseas).
If you’re a FOSS dev in the EU who works on something controversial, and you accept donations, it would be better to outsource the project “ownership” to someone unnamed or outside of EU jurisdiction.
Now, from a US perspective rather than an EU one, even being investigated in the US carries a huge risk. It is especially bad in the case that someone wants to prove a point against you. You could suddenly find yourself having to spend huge amounts of money defending yourself because someone wants to make a name for themselves, or you pissed a large political donor off.
Patreon/LiberaPay style individual sponsorship should be a simple path around this. If I am sponsoring an individual because I like the work they do in general, I am not contributing towards a single “project”. Especially if the dev contributes to more than one project. The wider the grey area the better.
Perhaps the future is shadowy projects led by an anonymous figure who merely merges pull requests, while named devs contribute work and receive support from their fans/supporters.
The sentence says you can fall under more onerous terms if the project is “organized,” whatever that means, and even under the loosest terms you are required to report security issues to an outside organization. So there is liability if you don’t. And virtually any project has arguable security issues.
CYA & report all issues to said outside organization? Any bug where a feature doesn't work is a denial of service on that feature, and therefore a security issue. Lack of accessibility features is a DoS against people who need those features and thus a security issue, and so adding screenreader support is a security fix. Etc, etc.
Software engineering takes surprisingly little responsibility compared to other engineering disciplines. This seems like a good development to me.
Of course you can't expect someone who just put something online as a hobby project to take much responsibility. But to ask some basic security/reliability from companies, foundations etc... Shouldn't that just be normal?
The overloaded "software engineering" label can also refer to formal software engineering centered around examples of DO-178C for aviation software, IEC 61508 for railway software, ISO 26262 for road vehicle software, EAL5+ for cybersecurity related software, etc. It's somewhat unfortunate the label is also applied to CRUD websites and mobile applications, even there there is a world of difference in the various levels of formal engineering applied.
> CRUD websites and mobile applications
These can be quite intense (but, to be fair there's a ton of dross, there, as well). Probably best to avoid the broad brush.
It's somewhat unfortunate the label is also applied to CRUD websites and mobile applications,
These websites and applications can still have vast security implications depending on what kind of data is being collected.
The advertising industry has done security a huge disfavor by collecting every bit of data they can about everyones actions all the time. Adding some ad library to your website or app now could turn it into a full time tracking device. And phone manufactures like Google don't want this to change as the more information they get, the more ads they can stuff in your face.
To give an example from my software at work, structural engineering: You make a 3D-model (BIM, Building Information Model) of the steel skeleton of some project. The software can than generate 2D drawings, the blueprints. All beams, colums etc should be labeled in the drawing with the steel profile and quality (if non-standard).
However the software has a terrible label placement algorithm that happily switches around the labels of adjacent elements. And it does so without notice after some changes to the model. That is behavior that can lead to pretty dangerous mistakes.
The reply of the software company: you have to check it anyway. That is why you get paid, right?
A lot of software is built on layer upon layer of unknown code and black boxed silicon. It is hard to know how that would work in practice.
"As long as a project is not organized as a legal or commercial entity, the CRA requires only a basic "readme" with a security contact."
I share code for the good of the industry and society. A lot of what developers do, is solving problems, and the solutions can often be time consuming and difficult to find. So there is a lot of value in Open Source.
What I will not do, is accept personal liability in any way for those solutions I share. Then it becomes a professional partnership, and I will expect a contract and compensation.
CRA has a simple effect for me, I will no longer share code. I have deleted my github account because of this trend to "know your developer", and as a small stand agAInst our rush towards AGI. I wonder where the liability lies for all this AI/LLM regurgitated copyrighted code?
You have another alternative: share the code on a Radicle node hosted as a Tor onion site. Nobody needs to know who you are.
I am hoping an anonymous ecosystem springs up due to the increasingly hostile legal environment around development.
Or put code in the public domain?
did you read the sentence after the one you quoted?
sure, I have no control if the software is monetized or not. And this is still a fundamental change in how open source works. A name behind every line of code.
The one selling it is the one that has the obligations. If a company grabs open-source code from you and sells it (e.g. as part of a bigger product) to someone else, they have to assume liability towards their customer, you don't have to be involved at all if you don't want to. That's the good thing about the carve-outs established, it's not your problem if you are just publishing your code for fun, the ball is entirely in the court of people that want to profit from it.
I understand that part. But I could read 'monetized' as a project the received a donation.
Greg K-H's explanation (as paraphrased by the journalist) confirms that, for example, receiving payment for an article which is accompanied by a software example would not trigger the requirements that come with monetization. Here's the exact quote - look at the "even when" part:
"There is no legal risk for individual contributors simply sharing code online or in publications, even when they receive payment for writing an article, as long as the software itself is not monetized or organized."
So, maybe EU developers would have to learn the safe wording through which to solicit and accept donations, but at the very least, donations supporting their software activities in general (and not tied to a specific software program) will likely not increase CRA requirements - and maybe even voluntary donations to support development of a specific software program but which are not in any way mandatory.
I think that's how it's intended to be read.
If you allow yourself to make money from the code, you're accepting liability for it. If you choose not to accept money in exchange for it, you don't have to accept liability.
This seems fair to me - the law doesn't let you both "sell" it (however low the minimum price is) and refuse to give any rights to the people who gave you money.
The big problem is reward risk. Risk is 15,000,000 euros. Reward is peanuts.
In the past we could choose to work for peanuts with low risk. Now we can't. We have to work for nothing or work for a lot to have a chance of covering compliance.
The GDPR carries a fine risk of up to 20 million, but usually the fines are a few hundred/thousand euros depending on the entity. Think "300 euro fine to a driving school" rather than "300 million euro fine to Google".
And even then, you have to be unlucky enough to actually get caught and investigated by market surveillance authorities. I think you're going to be more likely to get caught up in income/donation/gift tax bracket fraud investigation than to ever feel the impact of the CRA as a hobby open source dev.
It would be foolish to ignore the risk, however, especially if you work on something potentially controversial, such as encryption, privacy tools, or any software that may have uses that the EU frowns upon. I strongly suspect that this will eventually be used as a cudgel against disfavored projects/devs to compel project changes or even kill the project outright (or force it to move overseas).
If you’re a FOSS dev in the EU who works on something controversial, and you accept donations, it would be better to outsource the project “ownership” to someone unnamed or outside of EU jurisdiction.
This is a rather big maybe.
Now, from a US perspective rather than an EU one, even being investigated in the US carries a huge risk. It is especially bad in the case that someone wants to prove a point against you. You could suddenly find yourself having to spend huge amounts of money defending yourself because someone wants to make a name for themselves, or you pissed a large political donor off.
Patreon/LiberaPay style individual sponsorship should be a simple path around this. If I am sponsoring an individual because I like the work they do in general, I am not contributing towards a single “project”. Especially if the dev contributes to more than one project. The wider the grey area the better.
Perhaps the future is shadowy projects led by an anonymous figure who merely merges pull requests, while named devs contribute work and receive support from their fans/supporters.
The sentence says you can fall under more onerous terms if the project is “organized,” whatever that means, and even under the loosest terms you are required to report security issues to an outside organization. So there is liability if you don’t. And virtually any project has arguable security issues.
CYA & report all issues to said outside organization? Any bug where a feature doesn't work is a denial of service on that feature, and therefore a security issue. Lack of accessibility features is a DoS against people who need those features and thus a security issue, and so adding screenreader support is a security fix. Etc, etc.
This shouldn’t be downvoted. “I do not accept liability” is literally the core of every open source license. Go look. Even MIT.
Video: https://youtu.be/U7pZbCnJxEw?t=6105 (Kernel Recipes 2025 - Day 2)
Even the requirement of a security email contact in a readme is a liability put on the hobbyist. It's antithetical to making code available "as is".
Greg KH says it's going to be great... let me ask, can I /dev/null the email Greg?