guidovranken is either the primary contact or is in the CCs list of projects/bignum-fuzzer.
guidovranken has previously contributed to projects/bignum-fuzzer. The previous PR was #10139
guidovranken is either the primary contact or is in the CCs list of projects/circl.
guidovranken has previously contributed to projects/circl. The previous PR was #11959
guidovranken is either the primary contact or is in the CCs list of projects/lame.
guidovranken has previously contributed to projects/lame. The previous PR was #2651
guidovranken is either the primary contact or is in the CCs list of projects/libsrtp.
guidovranken has previously contributed to projects/libsrtp. The previous PR was #2651
guidovranken is either the primary contact or is in the CCs list of projects/libressl.
guidovranken has previously contributed to projects/libressl. The previous PR was #11431
guidovranken is either the primary contact or is in the CCs list of projects/bearssl.
guidovranken has previously contributed to projects/bearssl. The previous PR was #12300
guidovranken is either the primary contact or is in the CCs list of projects/bls-signatures.
guidovranken has previously contributed to projects/bls-signatures. The previous PR was #12226
guidovranken is either the primary contact or is in the CCs list of projects/django.
guidovranken has previously contributed to projects/django. The previous PR was #3212
guidovranken has previously contributed to projects/bitcoin-core. The previous PR was #11431
guidovranken is either the primary contact or is in the CCs list of projects/cryptofuzz.
guidovranken has previously contributed to projects/cryptofuzz. The previous PR was #12730
guidovranken is either the primary contact or is in the CCs list of projects/libecc.
guidovranken has previously contributed to projects/libecc. The previous PR was #12300
guidovranken is either the primary contact or is in the CCs list of projects/libtheora.
guidovranken has previously contributed to projects/libtheora. The previous PR was #2827

In light of the EU Product Liability Directive and other speech criminalizations I am ceasing all my publications including FOSS contributions.

In light of the EU Product Liability Directive and other speech criminalizations I am ceasing all my publications including FOSS contributions.

That's a sad decision. Are you aware that the directive doesn't apply to FOSS?

Edit update: nevermind, we've found copies!

Would you please restore your https://github.com/guidovranken/python-library-fuzzers repo so that we can carry on with the work that the CPython project has found useful on our own?

That's a sad decision. Are you aware that the directive doesn't apply to FOSS?

Only non-commercial FOSS. Whether that includes or excludes grants and bug bounties I don't know, but I don't even want to bother figuring that out. Take it or leave it.

That's a sad decision. Are you aware that the directive doesn't apply to FOSS?

Only non-commercial FOSS. Whether that includes or excludes grants and bug bounties I don't know, but I don't even want to bother figuring that out. Take it or leave it.

Okay, I'm aware that you don't owe anybody anything, but here's my take. Read it or don't.

IANAL and I don't know your personal situation, so the following is my interpretation of the directive and independent of your case. (In any case, I'm not allowed to give you legal advice that is specific to your case.)

The intent of the directive is to hold accountable manufacturers for their products (incl. software) if they do damage to consumers/natural persons. (Say a manufacturer creates an exploding toaster, puts it on the market and thus sells it indirectly, via some third-party intermediate store to consumers. Without a dedicated legal framework for holding the manufacturer accountable, there would be no way to do this because there's no contract between manufacturer and consumer.) If someone received a compensation for writing software, they may or may not have some contractual liability to whoever gave them the money. But that is entirely independent of the directive.

Let's look at the text of the directive.

• "This Directive does not apply to free and open-source software that is developed or supplied outside the course of a commercial activity." Okay, "outside the course of a commercial activity." First note that it says "or", so b FOSS is unaffected if it's either developed OR supplied outside the course of a commercial activity. Let's look at the "supplied" part and recital (14): "Providing such software on open repositories should not be considered as making it available on the market, unless that occurs in the course of a commercial activity. [...] However, where software is supplied in exchange for a price, or for personal data used other than exclusively for improving the security, compatibility or interoperability of the software, and is therefore supplied in the course of a commercial activity, this Directive should apply." Software such as a fuzzer that does not show ads or collect user data in a public repo on GitHub is not supplied in exchange for anything, nor can I think of any other reason where the public supplying of such software on GitHub could be considered commercial. Bug bounty are collected by the one who finds the bug, not the one who develops the bug finding tool and makes it available publicly. Even if someone paid a developer to make software available on GitHub, supplying the software to public for free is entirely uncommercial. Recital (13) goes a step further even: "Information is not, however, to be considered a product, and product liability rules should therefore not apply to the content of digital files, such as media files or e-books or the mere source code of software." And one could probably make a similar point when it comes to the "developed" part. It's just too far.
• The directive applies to a) death or personal injury, b) destruction of property, c) "destruction or corruption of data that are not used for professional purposes." I'm sure we can agree that only c) could be relevant here. But really, the risk is very low. This is not about backup tools or hard disk formatting tools, or a smartphone OS that overcharges your battery until it explodes. Just from technical point of view, I don't see how running a tool like a fuzzer could realistically delete someone's personal data.
• Finally, even if I'm wrong about everything I said above, "This Directive shall apply to products placed on the market or put into service after 9 December 2026." So anyone who is concerned about being affected by the Directive has at least two more years to resolve this situation and can keep the repos online so that others can fork and bear the risk if they want to. This is true even if you consider each commit to a public repository a fresh act of placing a product on the market (which is unlikely because the Directive has a concept of a "a substantial modification of the product").