Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Delete all my projects #12746

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Conversation

guidovranken
Copy link
Contributor

No description provided.

Copy link

guidovranken is either the primary contact or is in the CCs list of projects/bignum-fuzzer.
guidovranken has previously contributed to projects/bignum-fuzzer. The previous PR was #10139
guidovranken is either the primary contact or is in the CCs list of projects/circl.
guidovranken has previously contributed to projects/circl. The previous PR was #11959
guidovranken is either the primary contact or is in the CCs list of projects/lame.
guidovranken has previously contributed to projects/lame. The previous PR was #2651
guidovranken is either the primary contact or is in the CCs list of projects/libsrtp.
guidovranken has previously contributed to projects/libsrtp. The previous PR was #2651
guidovranken is either the primary contact or is in the CCs list of projects/libressl.
guidovranken has previously contributed to projects/libressl. The previous PR was #11431
guidovranken is either the primary contact or is in the CCs list of projects/bearssl.
guidovranken has previously contributed to projects/bearssl. The previous PR was #12300
guidovranken is either the primary contact or is in the CCs list of projects/bls-signatures.
guidovranken has previously contributed to projects/bls-signatures. The previous PR was #12226
guidovranken is either the primary contact or is in the CCs list of projects/django.
guidovranken has previously contributed to projects/django. The previous PR was #3212
guidovranken has previously contributed to projects/bitcoin-core. The previous PR was #11431
guidovranken is either the primary contact or is in the CCs list of projects/cryptofuzz.
guidovranken has previously contributed to projects/cryptofuzz. The previous PR was #12730
guidovranken is either the primary contact or is in the CCs list of projects/libecc.
guidovranken has previously contributed to projects/libecc. The previous PR was #12300
guidovranken is either the primary contact or is in the CCs list of projects/libtheora.
guidovranken has previously contributed to projects/libtheora. The previous PR was #2827

@guidovranken
Copy link
Contributor Author

In light of the EU Product Liability Directive and other speech criminalizations I am ceasing all my publications including FOSS contributions.

@real-or-random
Copy link

In light of the EU Product Liability Directive and other speech criminalizations I am ceasing all my publications including FOSS contributions.

That's a sad decision. Are you aware that the directive doesn't apply to FOSS?

@gpshead
Copy link
Contributor

gpshead commented Nov 24, 2024

Edit update: nevermind, we've found copies!


Would you please restore your https://github.com/guidovranken/python-library-fuzzers repo so that we can carry on with the work that the CPython project has found useful on our own?

@guidovranken
Copy link
Contributor Author

That's a sad decision. Are you aware that the directive doesn't apply to FOSS?

Only non-commercial FOSS. Whether that includes or excludes grants and bug bounties I don't know, but I don't even want to bother figuring that out. Take it or leave it.

@real-or-random
Copy link

That's a sad decision. Are you aware that the directive doesn't apply to FOSS?

Only non-commercial FOSS. Whether that includes or excludes grants and bug bounties I don't know, but I don't even want to bother figuring that out. Take it or leave it.

Okay, I'm aware that you don't owe anybody anything, but here's my take. Read it or don't.

IANAL and I don't know your personal situation, so the following is my interpretation of the directive and independent of your case. (In any case, I'm not allowed to give you legal advice that is specific to your case.)

The intent of the directive is to hold accountable manufacturers for their products (incl. software) if they do damage to consumers/natural persons. (Say a manufacturer creates an exploding toaster, puts it on the market and thus sells it indirectly, via some third-party intermediate store to consumers. Without a dedicated legal framework for holding the manufacturer accountable, there would be no way to do this because there's no contract between manufacturer and consumer.) If someone received a compensation for writing software, they may or may not have some contractual liability to whoever gave them the money. But that is entirely independent of the directive.

Let's look at the text of the directive.

  • "This Directive does not apply to free and open-source software that is developed or supplied outside the course of a commercial activity." Okay, "outside the course of a commercial activity." First note that it says "or", so b FOSS is unaffected if it's either developed OR supplied outside the course of a commercial activity. Let's look at the "supplied" part and recital (14): "Providing such software on open repositories should not be considered as making it available on the market, unless that occurs in the course of a commercial activity. [...] However, where software is supplied in exchange for a price, or for personal data used other than exclusively for improving the security, compatibility or interoperability of the software, and is therefore supplied in the course of a commercial activity, this Directive should apply." Software such as a fuzzer that does not show ads or collect user data in a public repo on GitHub is not supplied in exchange for anything, nor can I think of any other reason where the public supplying of such software on GitHub could be considered commercial. Bug bounty are collected by the one who finds the bug, not the one who develops the bug finding tool and makes it available publicly. Even if someone paid a developer to make software available on GitHub, supplying the software to public for free is entirely uncommercial. Recital (13) goes a step further even: "Information is not, however, to be considered a product, and product liability rules should therefore not apply to the content of digital files, such as media files or e-books or the mere source code of software." And one could probably make a similar point when it comes to the "developed" part. It's just too far.
  • The directive applies to a) death or personal injury, b) destruction of property, c) "destruction or corruption of data that are not used for professional purposes." I'm sure we can agree that only c) could be relevant here. But really, the risk is very low. This is not about backup tools or hard disk formatting tools, or a smartphone OS that overcharges your battery until it explodes. Just from technical point of view, I don't see how running a tool like a fuzzer could realistically delete someone's personal data.
  • Finally, even if I'm wrong about everything I said above, "This Directive shall apply to products placed on the market or put into service after 9 December 2026." So anyone who is concerned about being affected by the Directive has at least two more years to resolve this situation and can keep the repos online so that others can fork and bear the risk if they want to. This is true even if you consider each commit to a public repository a fresh act of placing a product on the market (which is unlikely because the Directive has a concept of a "a substantial modification of the product").

DavidKorczynski pushed a commit that referenced this pull request Dec 12, 2024
The fuzzer repo https://github.com/guidovranken/python-library-fuzzers
was deleted for the owners own reasons so the project is now failing;
#12746. We've restored a fork of that repo and would like to keep this
fuzzing running for the CPython project for ourselves.

_(we may choose to move the repo to under the /python/ GitHub org in the
future, if so, that's just another followup PR)_
@guidovranken
Copy link
Contributor Author

Thanks, I understand. But I'm not afraid of anything. I'm just not going to accept being criminally liable (even just in theory) for giving things away out of the goodness of my heart that others are entirely free to not use for any misgivings they might have with regards to its safety. It's an absurd and humiliating proposition. There are other laws popping up across jurisdictions like the UK Online Safety Act where website administrators are criminally liable for content their users post, so people will delete their website. Driving all this to its logical conclusion, the internet will eventually be governed by a few large American conglomerates. That's not what I want, but at this point, stopping is more subversive to such a future than continuing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants