After #FOSDEM my current understanding of how #EU #CRA and #PLD affects #FDroid and anyone who contributes to it:
* F-Droid org makes the "product" so it would be liable
* F-Droid is currently entirely non-commercial, handles no money
* Volunteer contributors are very clearly exempt from all this
* Donation funded contributions are also exempt
* Contracted contributors are helping build the regulated product, so the legal entities of the contractors would not be liable for F-Droid's "product"
Based on @maarten 's post https://blog.nlnetlabs.nl/what-i-learned-in-brussels-the-cyber-resilience-act/ I think the only people listed in my example that would be at all regulated by the #CRA would be the last one: "contracted contributors". It sounds like they might be considered "open source software stewards" with obligations under Article 17a depending on whether the #EU considers F-Droid as "intended for commercial activities"
https://www.cyberresilienceact.eu/the-cyber-resilience-act/
My guess is #Nextcloud/#Ubuntu would be considered commercial while #FDroid/#Debian would not
@eighthave that's how I understand it too
I am not a lawyer. #CRA is #CyberResilienceAct and #PLD is #ProductLiabilityDirective.