EU Cyber Resilience Act: What does it mean for open source?

submitted by ahuber+(OP) on 2023-12-30 20:23:28 | 151 points 99 comments

2. transp+K6 2023-12-30 21:07:41
>>ahuber+(OP)
It appears that targeted exceptions have been added for specific situations lobbied by current FOSS and commercial stakeholders. Hopefully there will be an ongoing process to address the need for new exclusions, as the vast scope of the CRA becomes clear to societies eaten by software.

New OSS governance and runtime binary attestation (aka DRM) layers are being defined by the CRA, e.g. only specific attested binaries from open-source trees that follow specific development practices would be allowed to run in critical systems:

  Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product.

  … Open-source software stewards shall cooperate with the market surveillance authorities, at their request, with a view to mitigating the cybersecurity risks posed by a product with digital elements qualifying as free and open-source software.

  … security attestation programmes should be conceived in such a way that … third-parties, such as manufacturers that integrate such products into their own products, users, or European and national public administrations [can initiate or finance an attestation].
Legal liability and certification for commercial sale of binaries built from FOSS software will alter business models and incentives for FOSS development.

Related:

Dec 2023, "What comes after open source? Bruce Perens is working on it" (174 comments), >>38783500

3. jahav+A8 2023-12-30 21:18:31
>>ahuber+(OP)
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONS...

Important bits (10c and around):

* Libraries/non-end products are fine, unless monetized.

* Employee contributions seem to be fine.

* Foundations seem to be fine.

* Non-core developers are fine.

Seems like a significantly better version.

11. gavinh+dc 2023-12-30 21:42:48
>>ahuber+(OP)
Boy, I hope the new version is better.

If we don't want poor regulation, we had better regulate ourselves first.

Bonus: regulating ourselves might fund Open Source. [1]

[1]: https://gavinhoward.com/2023/11/how-to-fund-foss-save-it-fro...

29. EMIREL+Sg 2023-12-30 22:12:19
>>Etienn+lf
This question was asked a lot when GDPR came around, and it's essentially an implication that the regulator will act in bad faith.

Courts and regulators, particularly European ones, understand when there's a "will" to follow the law. It's one of the differences between "rules-based" and "principles-based" regulations.

>>17100541

31. dang+qh 2023-12-30 22:16:05
>>ahuber+(OP)
Related. I thought there were others, can anyone find them?

Open source liability is coming - >>38808163 - Dec 2023 (218 comments)

Debian Statement on the Cyber Resilience Act - >>38787005 - Dec 2023 (144 comments)

Can open source be saved from the EU's Cyber Resilience Act? - >>37880476 - Oct 2023 (12 comments)

European Cyber Resilience Act [Discussion] - >>37580247 - Sept 2023 (4 comments)

33. transp+ki 2023-12-30 22:23:11
>>chacha+Dg
One example from the BSA (Business Software Alliance) statement on an earlier draft of CRA, https://www.bsa.org/files/policy-filings/11012022eucra.pdf

   The CRA requires manufacturers to ensure vulnerabilities are handled effectively for the expected product lifetime or 5 years, whichever is shorter.
36. Larisc+4j 2023-12-30 22:28:16
>>greatg+2b
Unless you sell critical products as described in Annex III[1], the requirements to fulfill CRA are quite harmless. It's mostly stuff you should be doing anyway, like a risk assessment and documentation. An additional requirement is to provide a conformity assessment, which you can do yourself for non-critical software, and you must report vulnerabilities within 24 hours.

Not too bad really.

[1] https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-...

37. troupo+mj 2023-12-30 22:30:19
>>ahuber+(OP)
I've got to say, I like how people have started paying attention to these laws, actually reading them, and then writing measured takes based in reality, and not in the hallucinations of an industry that is usually very much opposed to any kind of regulation.

Other good takes in recent regulations:

- Unraveling the EU Digital Markets Act https://ia.net/topics/unraveling-the-digital-markets-act

- The truth about the EU AI Act and foundation models, or why you should not rely on ChatGPT summaries for important texts https://softwarecrisis.dev/letters/the-truth-about-the-eu-ac...

48. Larisc+7n 2023-12-30 23:02:53
>>chacha+Dg
This is described in Annex IV, V and VI [1]. You must do a conformity assessment and provide a declaration of conformity. For non-critical software you can do the assessment yourself; see the first five points in Annex VI. The only thing that maybe requires a bit of effort is that you must write some technical documentation, including a cybersecurity risk assessment, during the assessment if you have not already done so. For critical software the process is of course a bit more involved, because it requires certification by a "notified body".

[1] https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-...

76. jdsull+601 2023-12-31 08:15:29
>>Msurro+cg
IPOs are way way down since Sarbanes Oxley.

https://www.jstor.org/stable/43303857

79. troupo+591 2023-12-31 10:54:58
>>hgs3+wI
Hacking risk leads to recall of 500,000 pacemakers due to patient death fears https://www.theguardian.com/technology/2017/aug/31/hacking-r...

Your distinction is without meaning.

82. peyton+oe1 2023-12-31 12:02:09
>>troupo+Wc1
I dunno, the second-ever GDPR enforcement action was against a kebab shop: https://www.enforcementtracker.com/

Lots of tiny businesses on that list too. Also a bunch of local governments, weirdly.

Feels like if we’re at kebab shop levels of granularity for 88 pages of rules governing the entire planet, “a lot of work” is unavoidable, no?

84. hgs3+Jk1 2023-12-31 13:22:11
>>troupo+591
> Hacking risk leads to recall of 500,000 pacemakers due to patient death fears

A recall was issued, therefore there is already regulatory oversight where it counts. The CRA is at best redundant and at worst a prime example of regulatory capture [1].

[1] https://en.wikipedia.org/wiki/Regulatory_capture

85. troupo+2p1 2023-12-31 14:10:27
>>peyton+oe1
>I dunno, the second-ever GDPR enforcement action was against a kebab shop: https://www.enforcementtracker.com/

I wish people would actually read the links they post.

That "poor kebab shop" was fined for this:

--- start quote ---

CCTV was unlawfully used. Sufficient information about the video surveillance was missing. In addition, the storage period of 14 days was too long and therefore against the principle of data minimization. Addendum: Fine has been reduced to EUR 1500 by court,

--- end quote ---

GDPR is there only because of the data storage. Illegal CCTV is covered by different laws that, in a twist that should surprise no one, you shouldn't break even if you are a kebab shop.

The actual first business listed there is a "betting place", and it was fined for illegal use of CCTV, too.

> Also a bunch of local governments, weirdly.

It's not weird. It's how laws are supposed to work: governments are not exempt from them.

90. troupo+Vs2 2023-12-31 22:51:51
>>jart+4o2
Too much ranting, too little sense. Are you sure you haven't generated it with your generator? ;)

You're trying to carve out an exception for you yourself specifically because you assume that your special case is too special.

1. Laws don't usually work that way.

2. There are innumerable cases when "innocuous" software is used as an attack vector precisely because "we don't do nothing, why would we keep our software secure".

3. In EU you're safe until you really screw up. More discussion in this thread: >>38819780