European cyber security rules

Apparently, new potential cyber security rules will make open source developers liable when their code is used in other programs.

Here is an article link

Interesting link:

The Product Liability Act updates Europe product liability rules by including, among other things, digital product changes arising from software updates.

Oops, Xojo Inc’s business model is on the line in Europe.

I don't see how they could possibly hope to enforce this across international boundaries.

The Product Liability Act link / page says EU consumers would be able to hold the importer accountable.

when consumers are injured by unsafe products imported from outside the EU, they will be able to turn to the importer or the manufacturer’s EU representative for compensation.

The headline and body of the Product Liability Act link seem like the goal was to make someone responsible for the shit ChatGPT writes and the bad decisions AI make. I don’t think this was designed to target open source contributors as the original article states.

I don’t exactly have a favorable opinion of Python or developers who would steal bad code, not review it, include it in their project, and get paid for it… so I’d love to see other sources.

To stay on topic: lawmakers are not IT experts. The target is protecting consumers from fraudsters who sell faulty software and re-sell it again for the bug fixes (which amounts to plain fraud in physical products). There is however an overreach and I doubt that lawmakers are fully aware of the ramifications of their project. Matter to discuss for lawmakers and open source advocates.

Facebook, Google and Apple thought so too and then rubbed their eyes. And Genius says he’s not interested in any of that anyway, because he’s a Texas based company. That’s all true, but then it might just no longer be allowed for him to sell in Europe and he may no longer have to because no one will buy it anymore.

There are enough bilateral agreements with the USA, and if European lawyers see an opportunity to make nice and easy money with American subsidiaries, then it's a sure-fire success.

But since nobody really knows Xojo, it will probably continue to fly under the radar, at the latest until Android is released. As always, where there is no plaintiff, there is no judge. - But once there is a plaintiff … have fun …


which would then be whoever brought the software IN?
Messy

Indeed

Yes - why it should be any different for digital ones is beyond me, but we have seen that be the case. If you sell me a product that has known & reported bugs, they should be fixed without further cost.
I can think of a certain business model that might get hurt here …

I suppose they could restrict their ability to sell to Europeans in some way
No idea HOW they would do that but … ask a lawyer :stuck_out_tongue:

EDIT : layer updated to LAWYER :slight_smile: silly typo

Well, most likely a disclaimer would be enough: that their software is buggy, uses outdated libraries and in no way corresponds to European guidelines, and that the Inc. expressly forbids any use in the European Economic Area. Whoever then uses it for European customers on European soil has a problem, but not the Inc.

But since users run into problems with Xojo anyway, nothing really changes, does it? :slight_smile:

Not sure if this is expansive enough

that's what they currently have
probably needs to be a "we warrant nothing" kind of statement like

but then if nothing is warranted why is it used ?

Because it is great for Android development.

might as well say

This may work for you. Or not. Good luck !

Which ironically summarises their current status pretty well :slight_smile:


It formally states that Xojo is good for nothing and shows a regrettable lack of pride and confidence in their own product.

The back door they use is the 90-day money-back guarantee. It won’t be enough to satisfy the new requirements.

I suppose like so many things until or unless someone makes a complaint things will continue as is and authorities will be blissfully unaware

I second @Jeannot’s statement that Xojo is insignificant because nearly no one is interested in it. It will remain a ‘secret’.
Xojo Inc may continue scavenging the few people they can get to buy a license.

As software developers, I believe we all would write bug-free code if we could. Most people who don’t write software don’t really understand this.

Maybe one day AI will write perfect software - different discussion.

If you look at software like other tangible products, every bug is an original defect in the design or manufacturing process. With tangible products, this would be a warranty claim or perhaps a product recall. If we attempt to treat the software industry this way, it will break. It's just not possible at this time to build software with as few defects as most other products. As a consultant I have had to try to explain this to some clients who questioned the cost of updates and fixes.

We know that our software is just one part of a total system that includes hardware and other software components including drivers and operating systems. Software that works perfectly today could break with an update from another component. And the consumer isn’t likely to know which component is actually at fault.

Wishful thinking: Politicians and judges will take the time to learn about things they don’t understand before messing with them.

This is the Achilles' heel of software development. As a relatively young industry, the software industry at large is woefully unregulated. Some players take it as an opportunity to make a business model out of bugs and their fixes, running a 'don't fix it until the next major release' scheme.

And as always, measures taken to protect consumers from bad players hurt the good players as well, if not even more.

I don’t want government regulation any more than I want some client or employer breathing down my neck with a bazillion constraints and limitations that will absolutely not fix the problem anyway.

Software is a non-deterministic conceptual abstraction, and not a physical thing – despite its efforts through OOP to model physical things and relationships and concepts. No matter how you “manage” it, it will never be bug-free and it will never be estimatable in the same way that building a garage or pouring a concrete driveway would be.

What would we have government do to fix this “woeful under-regulation”? Some dipshit legislator reads an article in a magazine and decides to mandate pure functional programming for everyone? Or they read the Agile Manifesto and mandate scrum?

There demonstrably are ways to make software with acceptable levels of bugs and to construct feedback loops to detect and address the ones that are missed. But there is no way to make software mathematically verifiably perfect, at least above the function / method level, and government regulation is only going to make it worse for the most part.

I am glad that I am on the glide path to retirement, because while I’m politically liberal and generally not anti-regulation, in this particular case I see it as codifying the bizarre interview / vetting process for new hires that’s currently in vogue, only on an everyday basis: there will be (re)certifications, tests and exams that will end up not having much to do with my everyday work, and which cannot capture 40+ years of experience and judgment, and which will just be more distraction from actually getting anything done or iterating on a problem.

In any case – I think that characterizing software development as a "young" discipline, in other than an increasingly meaningless relative sense, is no longer valid. Depending on where you date the start of "modern" methods (I would date it from the invention of COBOL, more or less), it is 70-ish years old. It is also arguably at least as much craft as engineering or skill-set. The values and attitudes of a craftsman are instrumental in software quality too. No one regulates or certifies carpenters or millwrights, apart from those under whom they take their apprenticeships. Indeed, I'd argue an apprenticeship model is the right one for training new devs. Electricians fit that model too, though there are usually tests they have to pass to obtain licenses by demonstrating grasp of basic first principles. Some overarching vetting can be useful for certain things, but the notion that you can so quantify a whole discipline that you can ensure each practitioner is omniscient and never makes mistakes, is silly.

Get used to it or leave the business. This is a regulated market, as I said a long time ago, only nobody noticed that. There are standards for software, and fulfilling them and documenting that makes the risk for liability really small. Not working inside the standards costs an extreme amount of money. And that is nothing where you can decide whether you want it or not. It is a big set of given rules which are also coming up for the US market soon.


God I hope so. I’m of the understanding that some Android testers have actually used it in production.

But that leads to the whole notion of Xojo itself being in perpetual beta. Now, I have already characterized myself here as an historically satisfied customer of many years, due I’m sure to my focus on desktop. So I like to think that when I myself am critical, it’s the proverbial “Nixon going to China.” :slight_smile:

Even I have been getting bitten lately, and have been filing the issues to demonstrate. It is here that I ruefully note that I pay them well to be one of their beta testers.

And even when I myself am unaffected, I am nonetheless sympathetic to those who are.