Hacker News
Filezilla blocks download for EU users (filezilla-project.org)
71 points by pseudotrash on July 19, 2023 | 43 comments


That is incredibly rich coming from __FileZilla__, one of the few OSS projects that accepts money from malware makers to catch out unwary Windows users.

I wonder if they're actually more worried about having the EU go after them legally if some EU member loses data or money directly because of that malware?


It may be rich coming from them, but it doesn't mean they are wrong in this case.


There was a thread on the old FileZilla support forum[1] where the developer describes the adware included in the installer offered to unwary downloaders, which sounds a bit shady but is probably not malware.

A lot of AV engines use crowdsourced classifiers like VirusTotal to flag “potentially unwanted applications (PUA)” as a threat and quarantine, but the term “malware” is a category reserved for destructive or criminal application behavior. I’m not convinced that is what was or is bundled with “sponsored” FileZilla installers.

At some point the bundled adware was apparently something called OpenCandy related to ask.com, and the developer of FileZilla is alleged to have concealed rather than disclosed it.[2]

The adware-free installer was/is reported to be available for download freely on the same site, but for the extra browsing effort.

[1] https://web.archive.org/web/20190526065704/https://forum.fil...

[2] https://malwaretips.com/threads/sourceforge-net-adds-adware-...


> probably not malware?

Fundamentally, malware is about deception. If the user understands what is being done and why (we're tracking everything we can, then selling that to everyone) then it's not malware. The typical adware hosted on FileZilla shows a screen in the middle of the install process with multiple paragraphs of text in a font smaller than everything else, which vaguely refers to ad supported software and a link to a privacy policy that nobody reads or understands.

I don't know if there's a legal definition of malware, that's definitely malware in my understanding of the word.


Malware is defined many industry standard places, like NIST 800-61 which is the Computer Incident Response Guide, US-CERT, and EU-CERT.

From what is your understanding of the term malware derived?

Fundamentally, malware is about destructive application behavior. It’s a negatively charged term that should be reserved for tools created/used with actual malice by threat actors.


Oh, this isn't in any way a new thing. They've been pulling this shit for probably over a decade now.

Naturally the whole time they've tried to paint themselves as innocent victims, and wouldn't people PLEASE just try running the malware themselves to find out it's all an innocent misunderstanding.

Meanwhile, the several in-depth analyses of the various "extra" payloads delivered by their installer always come to: "It's 100% malware, delivered using evasion techniques that try to avoid system/virus detection, and have no place in legitimate software. DO NOT use this".

Please don't fall for their bullshit.


> money from malware makers to catch out unwary windows users.

As an active user of FileZilla, can you elaborate on this? Any links or sources where I can read about it? Thank you.


The default download link installs malware/adware alongside FileZilla. If you go to the actual downloads page, you get the vanilla version.


It was adware and not malware, from what I can tell.


Just do a Google search for FileZilla and malware. It's been an issue for many years now, and lots of people have written about it.


> The CRA goes against this principle by imposing unavoidable liability on producers of free software, requiring them to make their development, testing, and documentation activities much harder and complex.

If the EU wants this, they should use part of their budget to fund it.

This is the same argument for businesses using FOSS, if you want support, pay for it, otherwise you get what you pay for.


EU does fund a lot of FOSS


I see that the Linux Foundation has posted a blog opposed to this. I wonder if they could single-handedly destroy this legislation by revoking the license for Linux in the EU.

Of course this would be difficult because existing contributions can't be relicensed. But they could maybe start accepting new patches with a non-Europe license. Or does the GPL prevent this as they are building on GPL code and need the same license? I doubt the EU would be ok with running on outdated Linux or trying to maintain their own.


They cannot revoke the licence under the GPL. If new patches are under a non-Europe licence, then they cannot be combined and redistributed with the existing GPLv2 codebase.

There is a provision in section 8 of the GPLv2 that allows excluding certain countries, but it can only be activated in the face of copyright or patent restrictions on the distribution of the software. IANAL, but one approach to activate this provision might be to implement a patented technique within the kernel, for which the patent licence only allows implementations outside the EU.


My gut feeling is that the EU wouldn't cave and would be OK with running on outdated Linux. There is really no citizen influence on block-wide policies, so I doubt protests would work or that any majority of non-technical people would care.


Microsoft would be thrilled.


I just downloaded an update through my already installed client. I'm in Germany, so obviously the block is not working.


File sharing program with dwindling userbase embargoes itself in EU political protest; fails


The FileZilla installer will install adware on a Windows PC if you leave the default options (as of 1-2 yrs ago).


Well they're not wrong, despite being quite questionable themselves.


Unpopular thought, but the EU’s CRA may reduce open source software availability, increasing scarcity and thus leading to a potential indie market. Software is one of the few industries where people have freely made the product of their labor available in large quantity, dramatically reducing their prospect of earning independently just by writing software. The more indie software makers, the more proper engineering can be done - as opposed to simply giving it for free to corporations.


TLDR: In protest of the Cyber Resilience Act. FOSS projects have been raising alarms for a while. Today ITRE voted. Now it's game over for FOSS in Europe


The CRA isn't law yet.

Also, I don't see the problem myself:

> In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

I'm not sure where people get the idea that donations are considered commercial activity. Support subscriptions and such make you liable (but I don't see why that would be a problem). Ubuntu's Snap store is a platform through which the manufacturer monetises other services. Half open source (i.e. FileZilla Pro) also counts as closed source software, of course.

Most of the protests seem to come from people who operate a business that sells their open source software and wants to remain off the hook to get an advantage over their closed source competition.


No it isn't. These kinds of laws and doomsaying are repeated again and again. Wait a week and see. Nothing changed.


> it's game over for FOSS in Europe

You mean the European Union. The rest of the world will be fine.


We'll just get it off torrents with malware embedded. Very cyber resilient.


is there an explainer of what the legislation is supposed to do and how does it harm foss?

i have had trouble with understanding the push for EVERYONE doing https even in localhost because "security". boo.

i live in a place where by law ISPs need to have DPI. they can access any communication regardless of SSL or https or anything in between so why should i bother with the added nonsense of "much security" when it is not supposed to even work?

i understand there are attempts to make https to be as transparent when it works but why should that not be restricted to banking transactions or login pages and payment links? again, DPI.

now this cyber resilience act which i am assuming wants to "security".

what kind of security?


This post by The Apache Software Foundation is fairly complete:

> And what makes matters worse is that the type of open source organizations most affected are also exactly those that, today, tend to have very mature security processes, with vulnerabilities getting triaged, fixed, and disclosed responsibly with CVEs to match. While it generally is further downstream; with the companies that place the product on the market — that the CRA needs to drive significant improvement. It now risks doing the reverse.

But all organizations (ECLIPSE, LINUX, ...) raised alarms

https://news.apache.org/foundation/entry/save-open-source-th...

Edit: https://nitter.kavin.rocks/search?f=tweets&q=cyber+Resilienc...


Very good description, and if the protections from OSS are not enough I expect more noise in the next weeks/months

> There is of course an elephant in the room: the well-oiled mechanism that “The internet treats censorship as a malfunction and routes around it” (John Perry Barlow).

The parliament position reads:

> Only free and open-source software made available on the market in the course of a commercial activity should be covered by this Regulation

> Whether a free and open-source product has been made available as part of a commercial activity should be assessed on a product-by-product basis, looking at both the development model and the supply phase of the free and open-source product with digital elements.

> (10a) For example, a fully decentralised development model, where no single commercial entity exercises control over what is accepted into the project’s code base, should be taken as an indication that the product has been developed in a non-commercial setting.


The corresponding HN submission: https://news.ycombinator.com/item?id=36783445


> i live in a place where by law ISPs need to have DPI.

Which law? I know ISPs in India are mandated to record session information but I haven't heard of DPI being mandatory.

> they can access any communication regardless of SSL or https or anything in between

No, DPI can't magically break encryption. Your ISP can't access encrypted content.


> No, DPI can't magically break encryption. Your ISP can't access encrypted content.

they can if they require you to install a certificate and they man in the middle everything.
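The point of the two replies above, as an added example that is not from the thread: a certificate for a host name issued by an interposing CA does not validate against the normal trust store; it only validates once that CA's root has been installed into the store, which is why "please install our certificate" is the tell for interception. The CA names, the host name example.com and the in-memory `CertPool` standing in for the OS trust store are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert: self-signed CA named cn when parent is nil, else a server leaf for cn signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed root
		tmpl.IsCA = true
		parent, parentKey = tmpl, key
	} else { // leaf bound to the host name
		tmpl.DNSNames = []string{cn}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// InterceptionTrust: does each leaf validate for example.com before and after the interception root is installed?
func InterceptionTrust() (genuine, interposedDefault, interposedInstalled bool) {
	realCA, realKey := newCert("Real Root CA", nil, nil)
	realLeaf, _ := newCert("example.com", realCA, realKey)
	ispCA, ispKey := newCert("ISP Interception CA", nil, nil) // constructed stand-in
	ispLeaf, _ := newCert("example.com", ispCA, ispKey)      // same name, other issuer
	store := x509.NewCertPool() // stands in for the OS/browser trust store
	store.AddCert(realCA)
	trusted := func(c *x509.Certificate) bool {
		_, err := c.Verify(x509.VerifyOptions{Roots: store, DNSName: "example.com"})
		return err == nil
	}
	genuine, interposedDefault = trusted(realLeaf), trusted(ispLeaf)
	store.AddCert(ispCA) // what "please install our certificate" does
	interposedInstalled = trusted(ispLeaf)
	return
}
```

The defensive check this suggests is auditing the local trust store for roots that did not ship with the OS or browser, since only such a root makes the interposed chain validate.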


> they can if they require you to install a certificate and they man in the middle everything.

Not exactly relevant because no ISP outside Kazakhstan is doing that.


you should ask before making that statement -- I suspect you will be surprised at the answers


I don't know how the US ISPs run things but this doesn't happen in the EU.


Nobody in the US would comply with forced root CAs. It breaks 4A.


And nobody in the US could ever break that and get away with it! Not one Single American!


No Such American


[flagged]


Are you talking about the EU or all the GAFA you all work for/with/dream to join/exit to?


Didn't we read about EU trying to put backdoors in E2E messaging apps like two months ago? I think parent comment has at least some truth to the claims


Ha, you mean the backdoors (and frontdoors) the GAFA and many other top players in the web ecosystem already have everywhere, so much that the US government just has to buy commercially available data to spy on its citizens - without having to change laws to do it by itself?


You’re confusing EU for Facebook.


[flagged]


Regulations become unpalatable when they hit too close to home.

