New OSS governance and runtime binary attestation (aka DRM) layers are being defined by the CRA, e.g. only specific attested binaries from open-source trees that follow specific development practices would be allowed to run in critical systems:
Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product.
… Open-source software stewards shall cooperate with the market surveillance authorities, at their request, with a view to mitigating the cybersecurity risks posed by a product with digital elements qualifying as free and open-source software.
… security attestation programmes should be conceived in such a way that … third-parties, such as manufacturers that integrate such products into their own products, users, or European and national public administrations [can initiate or finance an attestation].
Legal liability and certification for commercial sale of binaries built from FOSS software will alter business models and incentives for FOSS development.

Related:
Dec 2023, "What comes after open source? Bruce Perens is working on it" (174 comments), >>38783500
That doesn't seem like what the CRA stipulates. I think it's more about manual attestation in its most traditional meaning, i.e., an organization attests that X software is secure.