Greg Kroah-Hartman Explains the Cyber Resilience Act for Open Source Developers
Source: theregister.com (Tech story)
Key topics
Cyber Resilience Act
Open Source Development
Regulation
Linux
Greg Kroah-Hartman discusses the implications of the Cyber Resilience Act on open source developers, sparking concerns about regulatory burdens and potential impacts on Linux and other open source projects.
Key moments
- Story posted: Oct 2, 2025 at 5:42 AM EDT
- First comment: Oct 2, 2025 at 7:18 AM EDT (2h after posting)
- Peak activity: 13 comments in the 2-4h window after posting
- Latest activity: Oct 3, 2025 at 10:35 AM EDT
HN ID: 45447776 (story). Last synced: 11/20/2025, 12:47:39 PM
I share code for the good of the industry and society. A lot of what developers do is solving problems, and the solutions can often be time consuming and difficult to find. So there is a lot of value in Open Source.
What I will not do is accept personal liability in any way for those solutions I share. Then it becomes a professional partnership, and I will expect a contract and compensation.
CRA has a simple effect for me: I will no longer share code. I have deleted my GitHub account because of this trend to "know your developer", and as a small stand against our rush towards AGI. I wonder where the liability lies for all this AI/LLM regurgitated copyrighted code?
If you allow yourself to make money from the code, you're accepting liability for it. If you choose not to accept money in exchange for it, you don't have to accept liability.
This seems fair to me - the law doesn't let you both "sell" it (however low the minimum price is) and refuse to give any rights to the people who gave you money.
In the past we could choose to work for peanuts with low risk. Now we can't. We have to work for nothing or work for a lot to have a chance of covering compliance.
And even then, you have to be unlucky enough to actually get caught and investigated by market surveillance authorities. I think you're going to be more likely to get caught up in income/donation/gift tax bracket fraud investigation than to ever feel the impact of the CRA as a hobby open source dev.
Now, from a US perspective rather than an EU one, even being investigated in the US carries a huge risk. It is especially bad in the case that someone wants to prove a point against you. You could suddenly find yourself having to spend huge amounts of money defending yourself because someone wants to make a name for themselves, or you pissed a large political donor off.
If you’re a FOSS dev in the EU who works on something controversial, and you accept donations, it would be better to outsource the project “ownership” to someone unnamed or outside of EU jurisdiction.
Perhaps the future is shadowy projects led by an anonymous figure who merely merges pull requests, while named devs contribute work and receive support from their fans/supporters.
"There is no legal risk for individual contributors simply sharing code online or in publications, even when they receive payment for writing an article, as long as the software itself is not monetized or organized."
So, maybe EU developers would have to learn the safe wording through which to solicit and accept donations, but at the very least, donations supporting their software activities in general (and not tied to a specific software program) will likely not increase CRA requirements - and maybe even voluntary donations to support development of a specific software program but which are not in any way mandatory.
I am hoping an anonymous ecosystem springs up due to the increasingly hostile legal environment around development.
Of course you can't expect someone who just put something online as a hobby project to take much responsibility. But to ask some basic security/reliability from companies, foundations etc... Shouldn't that just be normal?
This is only about safety. As I told my colleagues in a former workplace: safety first (that was one of the company's mottos), quality second.
These websites and applications can still have vast security implications depending on what kind of data is being collected.
The advertising industry has done security a huge disfavor by collecting every bit of data they can about everyone's actions all the time. Adding some ad library to your website or app now could turn it into a full time tracking device. And phone manufacturers like Google don't want this to change, as the more information they get, the more ads they can stuff in your face.
These can be quite intense (but, to be fair, there's a ton of dross there as well). Probably best to avoid the broad brush.
However the software has a terrible label placement algorithm that happily switches around the labels of adjacent elements. And it does so without notice after some changes to the model. That is behavior that can lead to pretty dangerous mistakes.
The reply of the software company: you have to check it anyway. That is why you get paid, right?
For SW? No way. For electronic components, yes; for mechanical components, yes; but not for software. It is not cool. Fixing bugs is much, much harder than modifying UI elements (hello Google, Microsoft) with every release.
Greg KH says it's going to be great... let me ask, can I /dev/null the email Greg?