This is what Claude2 (with 100K context window) has to say about your comment, after I supplied him with the entire proposal of the regulation: Based on my understanding of the Cyber Resilience Act, I don’t think that assessment is entirely accurate. The key factor is whether the open source software is placed on the market in the course of commercial activity, not the employment status of individual contributors.
The regulation explicitly excludes open source software developed or supplied outside of commercial activity. As I mentioned before, this means pure community-driven projects where the software is freely shared and open should not fall under the requirements.
It does not matter if some contributors are corporate employees, as long as they contribute to a non-commercial community project in their personal capacity. For example, if a developer who works for Company X contributes code to Project Y in their free time, that alone would not make Project Y commercial.
The regulation would likely apply if a company systematically develops open source software as part of their business model. But just having corporate contributors among many community members would not automatically trigger the rules.
Overall, I think the regulation aims to avoid putting burdens on pure community open source projects, as long as the software is not placed on the market commercially. But the details of implementation will be important to watch to ensure a proper balance is struck.
Or Logseq is a great Obsidian alternative with no account needed and apps for Linux and Android. You can sync it with Syncthing.