zlacker

[return to "EU Cyber Resilience Act: What does it mean for open source?"]
1. greatg+2b[view] [source] 2023-12-30 21:34:43
>>ahuber+(OP)
This regulation is so shitty. I'm quite sure that it is supported by big actors in the end, because the end goal is to ensure to have a regulatory barrier that will avoid small actors to be able to strive in the software field.

Also, to avoid "dangerous" not yet professional amateurs having a chance against big editors.

◧◩
2. Larisc+4j[view] [source] 2023-12-30 22:28:16
>>greatg+2b
Unless you sell critical products as described in Annex III[1] the requirements to fulfill CRA are quite harmless. It's mostly stuff you should be doing anyway like a risk assessment and documentation. An additionally requirement is to provide a conformity assessment, which you can do yourself for non critical software, and you must report vulnerabilities within 24 hours.

Not too bad really.

[1] https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-...

◧◩◪
3. hgs3+Xr[view] [source] 2023-12-30 23:55:34
>>Larisc+4j
> critical products

IANAL but Annex III Class 1.2 states: "Standalone and embedded browsers" which would implicate every electron app. Class 1.5 states: "Products with digital elements with the function of virtual private network (VPN)" is so vague it could apply to video game chat messages.

The problem with regulations like this is they're so vague and will be selectively enforced. They won't affect Big Corp but will affect small business and solo developers.

[go to top]