The increasing rate of software supply chain attacks has raised concerns about the security of open source ecosystems. However, the policies and regulations governing the software industry have not kept pace with the rising threats. The lack of communication with the open source community and the absence of a global strategy to address software security have resulted in a patchwork of regulations worldwide.
One particular policy that has the potential to harm the open source ecosystem is the EU’s Product Liability Directive (PLD). While the directive aims to establish better standards for software and improve accountability for software vendors, it contains ambiguous language that could unintentionally apply to open source software distributors such as Maven Central, PyPI, npm, and GitHub.