Python LTS and maintenance cycles

The change was to add the need for consent to have the cookies
track users.

And a number of open source projects I work on didn’t bother. Rather
than listening to reactionary lawyers who would have instructed them
to over-complicate every last bit of Web real estate they managed,
community members looked at the spirit of the GDPR and realized that
if sites/systems were merely relying on cookies for things like
(consensual) user authentication, setting preferences, handling load
balancer persistence, and so on then there was no need to include
complex solutions for explicitly opting into that. And yes, I’ve
been long-involved in the same CRA/PLA discussions, participating in
the Open Regulatory Compliance WG workstreams for
practices/standards/definitions. I think a lot of engineers (and
even lawyers) lose sight of the fact that legislation is designed to
be interpreted by people, not machines, so reason and intent play a
big role in all of this.

When it comes to topics like release cadence and support timeframes
for software, just earlier this week I had to remind people in
projects I’m involved with that today is far too soon to start
redoing workflows and processes to comply with all of these
not-yet-solidified expectations. In this way, it’s actually not
unlike software engineering: avoid the urge to prematurely optimize.

Oh, also, I am not a lawyer and this is not legal advice. :wink:

1 Like

Actually not. Hobbyist / research projects that are not intended to be used for production (i.e. not put on the market) are specifically excluded. The EU experts and open-source practitioners have thought about it.

Define “production” and “market”. To me, those are almost orthogonal - production code doesn’t have to be sold for money, it just has to be useful and in use.

I’ll give some specific examples from my own projects.

I am not paid for any of this software. But these are most definitely in production, this isn’t just me messing around on my own computer. There are people that depend on these. (Okay, nobody’s depending on the game mods for anything other than a few friends having fun together, but the others, definitely.)

But more importantly: I am not European. I am not under this jurisdiction. So who, if anyone, is being required to comply with this law?

As explained above - market does not need to be for money directly. The intent is that whoever places it on the market has an intention to make money because of it (i.e. commercial activity).

It is enough that you intend it to be used by end users and you might get a Google sponsorship open to anyone who wishes to pay you that sponsorship, for example. Or that you treat the software as marketing material for your skills as a freelancer. And yes, the particular point where you stop being a hobbyist and start offering a product on the market is a bit blurry and will likely be subject to more detailed definition and description.

Here is the final text of CRA in .pdf form: https://data.consilium.europa.eu/doc/document/PE-100-2023-INIT/en/pdf

And the particular definition of placing on the market:

‘making available on the market’ means the supply of a product with digital elements for
distribution or use on the Union market in the course of a commercial activity, whether in
return for payment or free of charge;

There are many more interesting things there:

For example, for a product type, each individual product with digital elements should have received all security patches or updates available to address relevant security issues when it is placed on the market.

Which means that everyone who makes software available on the market (for example via a service) should make sure that every individual product (i.e. package) they use is patched with the latest security fixes.

And there are many more interesting passages there.

As usual - law does not compile, intent is what matters. And I am not a lawyer, and even if I was - you are solely responsible for classification and you are responsible for knowing the law. Lawyers will always tell you “it depends …” anyway and charge you by the hour regardless.

If your intended users are EU residents, then you will have to comply. If you make it available to download for anyone in the EU - you fall into the scope of placing a product on the market.

Additionally, if you intend to increase your personal value by supporting, doing similar projects, or advertising your skills via software you developed, this is commercial activity and you will have to comply like anyone else.

No, anyone can say no to any such requests. Suppose that I publish a project on github and PyPI, but I make no attempt to promote it or even suggest that others may find it useful. And in spite of that, some organisation decides to use it in a commercial product. They then find some security vulnerabilities, and start demanding that I fix them. It seems to me that I’m perfectly within my rights to tell them to get lost. Even if I do promote my project as potentially useful, I’m still making no commitment to support it. Or are you saying that the EU believes they have the right to hold me somehow liable in that situation - because I certainly don’t have or want “Open Source Steward” status. As far as I can see, I don’t need “Open Source Steward” status to be allowed to say “no”…

I’m sorry, but this sounds like scaremongering to me.

7 Likes

This article gives a nice summary

Oh absolutely, if your intention is not to make money in any way and someone takes your software and “puts the software on the market” with commercial intention (whether for money or for free) - they fall under the CRA, not you. Because you are a hobbyist, you are excluded.

But you have to have absolutely no intent to make any money - not even getting paid by telling “I am the author of this software and this increases my value as I can help you to solve problems with it” (then it is seen as commercial activity). And yes - this particular distinction is blurry and most “single person projects” will not fall into it.

But they might fall into irrelevance because nobody in their right mind will want to use them and take the responsibility.

Interesting. I still feel you’re painting everything in a very negative light. My work on pip is 100% hobbyist, and I have no intention to make money from it. The other maintainers might, but I don’t. I wonder how that would work - would the other pip maintainers be required to jump through the hoops you describe, but I wouldn’t be?

Who exactly[1] in the open source community does the EU feel they have the right to impose penalties on? And how would they impose such penalties?

  1. individuals, not informal groups like “the maintainers of pip” or “the PyPA”

And also @pf_moore, this is where “open source steward” is different - they CAN make money - to keep them running.

That’s what the status of being an open source steward allows them to do. If you are not an open-source steward and your intent is to make any money in connection with the software (for example by telling people you are the author of it and can help them with solving problems with it) then you are doing commercial activity.

And BTW. This is not intended to target individual users. This is intended to target “open-core” companies that release open-source software for free and then charge for supporting it or serving it as a service. Such projects, even if open-source using OSI-approved licences but not under the open-source steward umbrella, will be treated as purely commercial activity of the “vendor” that open-sources them.

This is what “open-source-steward” is all about.

pip is a PSF project. Your work will fall under the open-source steward umbrella. You are not personally doing commercial activity. That’s exactly what open-source-steward is all about.

My GitHub is public. Anyone can access it. At what point do I fall under EU jurisdiction? I don’t think I understand this concept. Is the EU now in charge of, like, the whole world?

Same as they do with GDPR. This is precisely what happened already - and why all the companies - including US ones - display the “allow cookies” banner. If there were no good market leverage, they would not do it. Simply put, your insurance company (when you are running a company) will refuse to insure you when you do business in the EU and do not comply, for example. They won’t have to sue you. This is already happening apparently; it’s already getting more and more difficult to get insurance if you develop software.

Yes. Same as GDPR. When you allow EU residents to download and use your software and you have intent to make any money connected to the software. If you do not have that intent, you are a hobbyist and are excluded.

BTW. Not really. It’s not negative. It’s super optimistic. There will be more money for open-source software developers and open-source foundations, more people will want to donate their software to the open-source foundations, commercial users will upgrade way faster and will put money in the system to avoid developing and applying bugfixes themselves.

I think it’s super positive to be honest.

1 Like

See, the problem is, I’m not a lawyer, and it’s hard to justify paying a lawyer to tell me whether or not this is going to affect me.

It’s posts like yours that result in people just pulling access to their things, because it’s simply not worth the risk. I hate it when this sort of thing happens, and my best option is to make the world a worse place.

1 Like

No, no it’s not. You’re extremely doomy about the impact this will have. You’re suggesting that a lot of us are suddenly going to have to comply with a lot of legislation, which isn’t worth most of our whiles, and so most likely this will result in stuff not being permitted for use in Europe… and if there’s no easy way to do that, the likely result is that projects just get shuttered. At least, if what you’re saying is true, I may actually be legally required to disallow access to a lot of my software.

1 Like

If you read the article I shared you can share code without being subject to this new law as long as you don’t intend to make any profit from the development or use of this library

That’s it, simple as

Sharing this again once more

1 Like

You overestimate my influence. I hope the most that can happen is to get people thinking and doing their own fact checking. And yes. Knowing how law impacts you is not only good, it’s the base of any law system. You cannot justify non-compliance with the law because you do not know it. This is at the very base of any law system out there.

But yes - likely you will not be affected, likely in the next 2-3 years there will be plenty of guidelines, articles and places where you will be able to do the fact checking and make your own mind what to do.

BTW. IMHO - the individuals will be impacted very little, but foundations (very positively) and “fast upgrades” (very positively). Commercial users will increase their prices to cover the extra cost - and end-users will effectively pay a little more (that was even estimated and taken into account by the EU, that prices will increase). Generally society will be better off.

But the biggest losers in the whole CRA will be open-core companies that try to “lure” business pretending they are open-source but effectively controlling their single-vendor software and later even changing the licence (mongodb for example, or even openai). Their companies and even “commercial foundations” created solely for the benefit of the company will not be “open source stewards”, and they will be the ones who put the software on the market and will have to apply all fixes and bear the whole cost of it. And their users will be fully within their rights to get all those fixes for free, without delay, and their pressure will be much stronger than that on open-source stewards, who will basically have expectations to follow “good practices”.

And I think it’s also good. The open governance, vendor neutrality and collaboration will have much more value.

1 Like

Really?

I accept donations as part of my livestreams. My code is available worldwide.

Some of my open source software has been used by my consulting clients, who pay me money. My value to them, and therefore my employability, is increased by the knowledge I have of these projects.

I don’t know whether this is the legislation, or just these posts, but this is a VERY broad definition of “commercial activity”, and that’s a pretty scary thing.

1 Like