
European Cyber Resilience Act - legal advice wanted

Open stephanrauh opened this issue 1 year ago • 11 comments

Update May 24th, 2024: At the moment, I'm positive that the Cyber Resilience Act is implemented in a way that allows me to carry on with the project. However, until I've seen the final German law, there's no way to be sure. Generally speaking, I believe the Cyber Resilience Act is a very good idea and I support it, but even so, there's a 10% chance I have to abandon this library. Alternatively, if it comes to the worst and I do not want to abandon the library, I might be forced to make money from it just to be able to fulfill the law. If it comes to that - remember, that's unlikely - please support me!

Original post: If the full obligations of the European Cyber Resilience Act apply to the library, I'll have to abandon the library. That's not unlikely, because ngx-extended-pdf-viewer is based on a part of the Mozilla browser, which belongs to the second of three security categories defined in the act.

So I'm reducing my engagement with this library, preparing to shut it down. Until the law comes into effect, I'll fix a few bugs, but I'll stop developing new features, and quit work entirely after that.

However, if someone can convince me that ngx-extended-pdf-viewer does not belong to class I or II defined in the CRA, I'll pick up work again.

  • [ ] How does the upcoming European Cyber Resilience Act affect pdf.js? @timvandermeij @calixteman
  • [ ] Do projects using pdf.js have to fulfil the same obligations?

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_17000_2023_INIT

stephanrauh avatar Jan 08 '24 20:01 stephanrauh

I just want to say.... this is an AMAZING library, please don't give up!!!

juqing27 avatar Jan 25 '24 19:01 juqing27

Thanks! The problem is not giving up. The problem is I can't pay the fees of up to 15 million EUR, and the legal text is confusing, to put it mildly.

stephanrauh avatar Jan 26 '24 14:01 stephanrauh

I'm afraid I can't help out with this because I'm not familiar with the ECRA and its legal implications. Perhaps the Mozilla legal team can help out with this?

timvandermeij avatar Jan 27 '24 12:01 timvandermeij

Hello Stephan,

I've found this article explaining the relation of CRA to open source. It might help

https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-for-open-source/

At first glance it looks okay if the project is not a commercial monetised one

rafparedis avatar Jan 27 '24 14:01 rafparedis

@timvandermeij That's a very good idea. I haven't found a contact address. Can you give me a hint how to approach them?

stephanrauh avatar Jan 27 '24 19:01 stephanrauh

I'm not entirely sure because I can't find a direct e-mail address of the legal team, but I did find https://www.mozilla.org/en-US/foundation/licensing about licensing with an e-mail address at the bottom (and I guess your question is also related to licensing of Mozilla PDF.js in combination with new EU law). If they cannot answer your question, most likely they can point you to the right person/team.

timvandermeij avatar Jan 27 '24 19:01 timvandermeij

Thank you very much! I've sent the email. Fun fact: I've been on the same page, but for some reason I've missed the email address.

@rafparedis Thanks for showing me the article. I agree - the text really indicates I can relax. However, several lawyers make big money by finding and exploiting loopholes in laws, so I prefer to be careful.

stephanrauh avatar Jan 27 '24 20:01 stephanrauh

I would not worry, the latest version of the CRA is much nicer than the previous draft. It should not change much for such projects.

sylvestre avatar Jan 28 '24 20:01 sylvestre

Sounds encouraging! BTW, I don't object to the regulation as such. Most of it makes sense to me. Basically, I'm only worried about having to get a security assessment because that sounds expensive. On the other hand, I'm already running Mend Bolt, Snyk, Dependabot and Sonarcloud today. I wonder if that counts as security assessment?

stephanrauh avatar Jan 28 '24 21:01 stephanrauh

@stephanrauh what's happening now, all working good?

Tweniee avatar Jun 06 '24 04:06 Tweniee

@Tweniee That's a very good question. At the moment I simply wait for the law to pass. After doing a lot of research, I know for sure that the EU does not want to kill small open-source projects. But it's still possible that they will do it accidentally, pretty much like they accidentally killed my travel blog with GDPR.

The latest draft of the Cyber Resilience Act is full of contradictions, so it's impossible to tell what a malevolent lawyer is going to make of it. I hope the German law is going to be more concise and clear.

In the meantime, I'll continue working on the project, but with reduced effort because the end might be near. That'd be a pity given the tremendous success of the library. It grew organically to 80.000 downloads per week, with a short peak of 250.000 downloads when it was listed by https://github.com/PatrickJS/awesome-angular?tab=readme-ov-file#viewers.

stephanrauh avatar Jun 06 '24 19:06 stephanrauh