-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hopefully not the end #144
Comments
Thanks for starting this discussion. First, I recently spent lot of time documenting my self about EU CRA. All my contributions including croniter were made with the fundamental OSS philosophies in mind: FREELY read/use/modify/distribute/share/educate. As most free licenses, croniter's one writes this in BOLD: """users have to take THEIR own responsibilities whenever they decided to use it""". My current plan if it stays under my umbrella (no transfer) includes:
Still the users have now been warned to promptly upgrade to another lib/fork as croniter will for now never be able to receive EU "CE Marking" label. Please feel free to share any remarks or ideas, as I am confident that your input will help us find the best solution. |
I really think it's a bit too drastic of a move, but I am willing - as part of the "Airlfow Beach Cleaning" project https://airflowsummit.org/sessions/2024/security-united-collaborative-effort-on-securing-airflow-ecosystem-with-alpha-omega-psf-asf/ to help to address some of the concerns raised here by @kiorky. I understand there is a lot of uncertainty about CRA scope and impact (mostly because it is not yet translated into actual law and standards - this is going to happen over the next 2.5 years) - but I think we can together work on making the whole ecosystem prepared better for what's coming (and I am even willing to spend quite some effort to help). Discussing this using private channels |
|
Not sure what makes you think that you put a product on the market under the CRA, I don't see any indicator of a manufacturer-type engagement. A project like this is clearly exempt, and that means the only thing that you may consider if you want to is Art. 15 (Voluntary Reporting), or best practices. But that's about it. |
As i already said: as working in IT barrier is thin between volunteer time & work, so it can be at best seen as part of my portfolio, and even worse if found in any of my downstream projects. In any cases, it can be seen as COMMERCIAL. Check mate. |
No, the commercial activity alone doesn't make it a product. If your code is used in a product by a manufacturer, they have to comply, not you. The CRA doesn't assign ANY obligation to you, only to the manufacturer that put the product on the market. If you don't care there is NOTHING that they can do from the viewpoint of the CRA, and there is nothing a manufacturer should ever expect from a project if not explicitly stated otherwise by it. For what you consume you are not responsible under that rule because you don't have a product, so none of the provisions apply. If you follow best practices you have already reached way more than the CRA can ever expect from you. The amount of open source projects that fall under the full scope of the CRA is very small, for the rest it's basically voluntary. |
1/ this regulation breaks my definition of free software (see above), and therefore the original LICENSE of croniter becomes obsolete without my consent. 2/ I work in IT, always around Free Software, and the boundaries between my personal and professional OSS contributions have always been blurred, as there was no regulation like this before. Even if initially non-commercial, all my OSS projects, including croniter, will inevitably be tied to my portfolio ( So with the CRA, I don’t see how I won’t be involved, whether as an OSS steward, manufacturer, or distributor (reading P28 of https://cnll.fr/media/CNLL_inno3_Guide-CRA_1.0.pdf). 3/ I can’t assume:
This Damocles sword of CRA hanging over me either as natural person, or sole trader, or Freelancer just shows that only larger structures can handle these obligations with peace of mind ( 4/ Non-risky options:
5/ I still have no answer and would like to know how to handle distributed versions (for croniter: PyPI releases + CI/CD Docker images, and for other projects: old Debian packages, Docker images). Are they liable and require unpublishing for CRA compliance if published before 2024, and during the transition period (2025-2026), or only releases after 2026 will be ? For me, everything should torn down, specially what's distributed (see bold in the references at the end). references for the CRA articles: https://eur-lex.europa.eu/eli/reg/2024/2847 |
The European Union is, of course, entitled to establish and enforce regulations as they see fit. For those affected, we invite you to consider using our fork of Croniter, available at https://github.com/USDOT-SDC/croniter, courtesy of the United States Department of Transportation. |
Kiorky, I respect that you don't want to deal with these matters, which is why I'd urge you to transfer control of the PyPI package instead of deleting it in left-pad style. (Which shouldn't be possible, but you can cause temporary damage by yanking all past releases.) You have made up your mind about the CRA's burdens, but others might be willing to bear this risk. I assume that I'll have to navigate that subject either way, so I'd be willing to take on croniter if necessary – but someone who's more interested in cron patterns might be a better fit. I don't want to convince you that the CRA is great all around (it isn't), but there are some relevant inaccuracies in the discussion so far:
I suspect that the greatest CRA impact for projects like croniter will be the increased frequency of people that ask for extra documentation, like "do you have a conformance statement?" or "can I haz SBOM?". Similarly, I remember when someone complained that my Python code wasn't FIPS compliant because it used a non-cryptographic hash function. Such requests are annoying, but aren't the apocalypse. |
Maybe a stupid question. I didn't read the CRA. Coud you simply put a disclaimer to waive the liability? Like,
|
As I have already mentioned, I am currently in private discussions transferring the majority of my public OSS contributions, including Croniter.
Come on, stop with this. That said, the regulations are in place, and for my part, it seems impossible to comply.
Good catch, and my apologies for the misleading statement, so I heavily edited my previous comment to reflect the relevant articles that may apply to my situation. That said, I already formed my opinion a few days ago after reading the latest regulation you mentioned (https://eur-lex.europa.eu/eli/reg/2024/2847).
For projects like Croniter and others, I own them directly as a NATURAL PERSON, which creates an inextricable problem. Exactly, and this is the crux of the issue: my situation is inherently different due to the intertwining of my professional and personal OSS history, and the boundaries are blurred for most of the free software projects I’ve been involved with.
This is unfortunately not the case for me.
CRA, and by extension, these requests, were never part of the original LICENSE or the expectations when Croniter was first published. So, I’m drawing the line here. With the new regulation changing the rules, I maintain that I can't and won't comply as long as I still have the right to make this choice. My former comment still apply : #144 (comment) . |
Part of the problem :)
I would'nt ever take such a strong decision if a disclaimer would circumvent such a restrictive regulation. |
Earlier today, commit dbeeb1e was pushed, which declared the intention to end development of
croniter
and to maybe unpublish it in the course of 2025. This is due to the maintainers' worries about the EU Cyber Resilience Act, which will enter into force in phases between 2026-06-11 and 2027-12-11.Indeed, the CRA had received massive criticism when initially proposed, though subsequent lobbying by the Open Source community has reduced some of the impact. But as Felix Reda discusses on the GitHub blog, there are still many question marks about what the CRA will mean in practice, even if it does seem to exempt Open Source projects that aren't developed in the course of a commercial activity.
It is completely understandable if you, @kiorky, don't want to bother about any of this.
But it would be unnecessarily destructive to unpublish or otherwise remove a package with ~46 million monthly PyPI downloads (source). Please consider an alternative, like passing on control to another maintainer. I am not interested in doing this, but would commit to the bare minimum maintenance if the alternative is that this package enters the eternal /dev/null.
The text was updated successfully, but these errors were encountered: