zlacker

[return to "EU Cyber Resilience Act: What does it mean for open source?"]
1. joketh+Zc[view] [source] 2023-12-30 21:47:15
>>ahuber+(OP)
Good that the backtracked on a lot of the CRAp (which would have meant the end of OSS in Europe, talk about destroying the world with the wrong swift movement of a pen!) BUT I'm still angry:

1. This adds barriers to sell OSS software, which helps solidify existing markets and prevents new competitors from stepping up

2. This won't change anything except forcing projects to waste money in legal BS, when the responsibility should be uniquely on the commercial entities USING and providing a service (and therefore making money) with the OSS software

3. This is only the first step, I'm sure they'll keep adding rules

4. I'm thinking they may have been heavy handed in the first draft just so that people would think at the end "oh, phew! the regulators didn't kill ALL OSS software in Europe, great!" without thinking why do we need this regulation or how it improves ANYTHING

Will it actually improve security? I don't think so.

If someone is paying for commercial support they likely already have security updates and, once vulnerabilities are known by the maintainers, the news spread.

The security problem with OSS is not that things are not communicated promptly, but that it's hard to make money with OSS so there is no staff working on security.

This would have not saved us from eg. OpenSSL vulnerabilities and it will be even harder to $NextOSSOrg to start charging for their product and improve their security.

◧◩
2. mqus+Pk[view] [source] 2023-12-30 22:44:11
>>joketh+Zc
> 2. This won't change anything except forcing projects to waste money in legal BS, when the responsibility should be uniquely on the commercial entities USING and providing a service (and therefore making money) with the OSS software

First of all, most of the software companies do SaaS, meaning they also provide the service. And then, even if they don't, the users will just hand down the paperwork to the companies developing the software. Because those know what was put in, security and components, and want to have this in legal writing.

Secondly, imagine your average IoT seller. They should not be liable for their bad product because they don't run it themselves? "The user" is liable? In most cases the "user" can't even do anything about their insecure device.

I think developers are rightly responsible here. It's pretty comparable to other industries where the products have to be safe when getting sold, think pharma, food, toys, cars, etcpp.

> Will it actually improve security? I don't think so.

Think B2C. It will improve things there, and massively so. Software in B2B was already somewhat regulated via audits and certifications.

[go to top]