Re: Direct or indirect supplier?

Jan Thielscher

Probably just to prevent some misunderstanding or unnecessary fears:

The law Dirk referred to will be effective from 2023. Then it addresses companies with >3000 employees; from 2024 it will also address companies with >1000 employees.
The focus is on human rights; it comprises direct as well as indirect suppliers - so this would not make much of a difference. But the requirements depend on several factors; one of them is the impact that the consuming company can have on the particular "violating supplier company".

The "violation" is not based on blacklisted countries! The "violation" has to happen - systematically - within the particular supplier (direct or indirect) organisation. (e.g. coding kiddies, 20hrs a day in the dark and wet basement of the software provider might qualify)

I guess someone capable of contributing to open source in general does not qualify for such a sort of "abuse". ;-)

Kind regards
Jan Thielscher
T: +49 69 153 22 77 55
F: +49 69 153 22 77 51

On 01.07.2021 at 16:50, Christopher Wood via <> wrote:

That is a brilliant question. I would add to this the consideration that open source projects in general have many contributors. Would that make a company contributing to the code-base “that may include individual contributors who reside in countries designated on the violators list” at risk? Remember that there is no requirement to vet contributions by nationality or residency? This is a question that really requires a legal opinion and perhaps a change to German law clarifying this.

Sent via carrier pigeon

On Jul 1, 2021, at 7:32 AM, Dirk Riehle <dirk@...> wrote:

On 01.07.21 13:35, Carlo Piana wrote:

I guess a German Lawyer should reply.
In general terms, as I have been pondering it on other accounts, I would suggest that making FOSS generally available does not qualify as a supplier relationship. One needs to have a development agreement or a support agreement for that. This could also include developing FOSS to be given at large.

It is also my guess that you need an explicit supply contract to establish the supplier relationship formally.

If you do it within a holding company (inner source) that formal relationship is established automatically, even if you don't put something down in writing. In open source, this is not the case AFAIK.

Morally, and the thrust of the law is a moral one, in-kind compensation or just the dependency still might create public backlash.

Cheers, Dirk

Ph (DE): +49-157-8153-4150 - Ph (US): +1-650-450-8550
