zlacker

[parent] [thread] 18 comments
1. Etienn+(OP) 2023-12-30 22:03:41
This was the first question on my mind as well. How will this affect the one-man webshop owner or software developer? Seems only big established firms will be able to conform to this?
replies(1): >>EMIREL+x1
2. EMIREL+x1 2023-12-30 22:12:19
>>Etienn+(OP)
This question was asked a lot when GDPR came around, and it's essentially an implication that the regulator will act in bad faith.

Courts and regulators, particularly European ones, understand when there's a "will" to follow the law. It's one of the differences between "rules-based" and "principles-based" regulations.

>>17100541

replies(2): >>Etienn+b3 >>hatenb+JH
3. Etienn+b3 2023-12-30 22:24:48
>>EMIREL+x1
I don’t understand? So you should only in principle audit your Wordpress blog?
replies(3): >>EMIREL+T4 >>troupo+W4 >>Vespas+J5
4. EMIREL+T4 2023-12-30 22:38:08
>>Etienn+b3
Read the comment I linked. It's about the regulation being enforced with its principles in mind, not robotically through its strict interpretation.
5. troupo+W4 2023-12-30 22:38:18
>>Etienn+b3
Questions:

- If you run a commercial kitchen on your own (or, let's say, with a staff of 2-3 people), can you ignore the food safety regulations? The fire regulations?

- If you run a one-man plumbing company, can you ignore safety regulations? Water regulations? Sewage regulations?

etc.

Why is it that when it comes to "commercial software" it is inevitably "oh my god these laws are so hard, why should I as a one-man company be forced to comply with them"? Because that is literally your job.

replies(2): >>galdor+u7 >>hgs3+bt
6. Vespas+J5 2023-12-30 22:46:22
>>Etienn+b3
It means you will get treated differently depending on whether you operate a one-man show or a global conglomerate.

Following best practices and demonstrating that you care goes a long way (that has been demonstrated time and time again in courts throughout the union).

Also it differentiates between what kind of product you are building (see the annexes).

Most of the requirements (look them up) are best software dev practices unless you are in one of the specific "critical" categories of products.

Then, to be honest I don't really care that you are a one person (commercial) shop when my car gets steered off the road because of a preventable security hole.

7. galdor+u7 2023-12-30 23:01:33
>>troupo+W4
In kitchens as in plumbing:

- There are rules, and clear established practices that allow you to follow these rules. In software the rabbit hole goes so deep that your average developer cannot even be aware of all the risks.

- You do not have to rely on millions of lines of code you have no control over.

As a simple example, if you are using network communications, you are probably using OpenSSL, GnuTLS or one of the few other TLS implementations. All of them have regular security issues, and simply selling support on open source software you built using one of them will make you liable for these issues. There is no choice: you need TLS, and you're not going to implement it yourself. What are you supposed to do?

The fact that a solo developer selling 100€/month of support is treated the same way as a billion-dollar company demonstrates the complete insanity of this act.

replies(3): >>EMIREL+z8 >>Larisc+j9 >>hyperm+Xa
8. EMIREL+z8 2023-12-30 23:08:41
>>galdor+u7
> The fact that a solo developer selling 100€/month of support is treated the same way as a billion-dollar company demonstrates the complete insanity of this act.

But they're not treated the same way. Both by the law itself and by the standards courts and regulatory agencies use throughout Europe.

replies(1): >>galdor+U8
9. galdor+U8 2023-12-30 23:13:24
>>EMIREL+z8
The text of this act treats them the same way unless I'm missing something (feel free to point me to the text saying otherwise). A sane legal text would put in place thresholds with different levels of expectations and liability depending on the size of the company, who you are selling to (companies or individuals) and its revenues, respecting the principle of proportionality.
replies(1): >>EMIREL+9b
10. Larisc+j9 2023-12-30 23:17:11
>>galdor+u7
Most regulations work like that. For example, just because you are cooking in a food truck does not exempt you from basic hygiene requirements. Also CRA will not put you into hot water because of a vulnerability in your dependencies. You may get in trouble if you refuse to provide a security update during the lifetime of your software product.
11. hyperm+Xa 2023-12-30 23:33:53
>>galdor+u7
For some reason I can't seem to open the text right now, but from my previous reading I remember a smaller variant of annex V for small businesses. So the solo dev is not treated the same.

As I read it, and with the caveat that the exact requirements are not yet determined: you will need an SBOM stating you use openssl, and how you plan to update openssl if it contains security bugs.

Update: found it, paragraph 46a: In relation to small and micro enterprises, in order to ensure proportionality, it is appropriate to alleviate administrative costs without [...]
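The "SBOM plus an update plan" point above, as an added example that is not part of the original thread and is not code from any named project or regulator: it builds a minimal CycloneDX-shaped SBOM listing OpenSSL and two other libraries, then matches it against an advisory feed and reports which entries need an update, which is the paper trail the comment describes. The component versions, the advisory IDs (ADV-EXAMPLE-*), their version ranges and the pkg:generic purl type are all constructed assumptions for this example, not real advisories; build_sbom, check_sbom and is_affected are names chosen here.

```python
"""Build a minimal SBOM and check it against an advisory feed.

Added example, not code from the thread or from any project. The document
shape follows CycloneDX JSON (bomFormat/specVersion/components/purl); the
components, advisory IDs and version ranges below are constructed for the
example and are not real advisories.
"""
import itertools
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl_type: str = "generic"  # purl ecosystem; assumed for this example

    @property
    def purl(self) -> str:
        return f"pkg:{self.purl_type}/{self.name}@{self.version}"


def parse_version(v: str) -> tuple:
    """Split '1.1.1w' into ((1,''), (1,''), (1,'w')) so that fields compare
    numerically and a letter suffix sorts after the same number without one."""
    out = []
    for part in v.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, part))
        out.append((int(digits) if digits else 0, part[len(digits):]))
    return tuple(out)


def is_affected(version: str, introduced: str, fixed) -> bool:
    """True when introduced <= version < fixed (fixed=None means no fix yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def build_sbom(components) -> dict:
    """Minimal CycloneDX-shaped document listing the third-party libraries."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {"type": "library", "name": c.name, "version": c.version, "purl": c.purl}
            for c in components
        ],
    }


def check_sbom(sbom: dict, advisories) -> list:
    """Match each SBOM component against advisories of the same name and return
    one finding per affected (component, advisory) pair with the update action."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    findings = []
    for comp in sbom["components"]:
        for adv in by_name.get(comp["name"], []):
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                action = (f"upgrade to {adv['fixed']}" if adv["fixed"]
                          else "no fixed version published; apply a mitigation")
                findings.append({"purl": comp["purl"], "advisory": adv["id"], "action": action})
    return findings


# Constructed inventory of what a small product might ship.
COMPONENTS = [
    Component("openssl", "3.0.12"),
    Component("zlib", "1.3"),
    Component("libxml2", "2.12.3"),
]

# Constructed advisory feed with invented IDs; real feeds carry the same
# introduced/fixed range idea, which is what the matching relies on.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "openssl", "introduced": "3.0.0", "fixed": "3.0.13"},
    {"id": "ADV-EXAMPLE-0002", "name": "openssl", "introduced": "3.1.0", "fixed": "3.1.5"},
    {"id": "ADV-EXAMPLE-0003", "name": "zlib", "introduced": "1.2.0", "fixed": "1.2.13"},
]


if __name__ == "__main__":
    sbom = build_sbom(COMPONENTS)
    print(json.dumps(sbom, indent=2))
    for f in check_sbom(sbom, ADVISORIES):
        print(f"{f['purl']}: {f['advisory']} -> {f['action']}")
```

With the constructed data, only openssl 3.0.12 is flagged (it sits inside the 3.0.0 to 3.0.13 range of the first advisory); the 3.1.x advisory and the old zlib range do not match. The version parser deliberately handles OpenSSL's lettered 1.1.1 series, since a plain integer split would reject "1.1.1w" and silently skip the component.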

12. EMIREL+9b 2023-12-30 23:35:55
>>galdor+U8
The principle of proportionality is a mandate of courts and regulatory agencies too. You're implying that they would act in bad faith by putting all their might on small/one-person businesses, while it's just not the case with EU bodies.
13. hgs3+bt 2023-12-31 03:33:31
>>troupo+W4
Bad software won't give you food poisoning.

Regulations can make sense for software that could cause physical harm - like the software in an implanted medical device - but most software doesn't fall in that category. The CRA is about "security" not about "physical harm" - they are two different things. Regulations for the latter would likely receive less pushback.

replies(1): >>troupo+KT
14. hatenb+JH 2023-12-31 07:16:36
>>EMIREL+x1
And then there’s the real world issue of Abmahn-Factories in Germany.
15. troupo+KT 2023-12-31 10:54:58
>>hgs3+bt
Hacking risk leads to recall of 500,000 pacemakers due to patient death fears https://www.theguardian.com/technology/2017/aug/31/hacking-r...

Your distinction is without meaning

replies(1): >>hgs3+o51
16. hgs3+o51 2023-12-31 13:22:11
>>troupo+KT
> Hacking risk leads to recall of 500,000 pacemakers due to patient death fears

A recall was issued therefore there is already regulatory oversight where it counts. The CRA is at best redundant and at worst a prime example of regulatory capture [1].

[1] https://en.wikipedia.org/wiki/Regulatory_capture

replies(1): >>troupo+xb1
17. troupo+xb1 2023-12-31 14:24:53
>>hgs3+o51
> A recall was issued therefore there is already regulatory oversight where it counts.

Just because a recall was issued doesn't imply that there's regulatory oversight. And even if that oversight exists in that particular case, it doesn't mean it is applicable to other areas.

What it does mean is that your weak attempt to paint software as exempt because it "doesn't lead to food poisoning" is weak and uninformed at best.

> The CRA is at best redundant

It's not

> at worst a prime example of regulatory capture

Again, it's not.

Just because you engage in FUDing, doesn't make your words true.

replies(1): >>hgs3+Mh1
18. hgs3+Mh1 2023-12-31 15:23:32
>>troupo+xb1
Attacking my words as "weak", "FUD", or "uninformed" is arguing in bad faith. I gave a good faith effort to counter your points rather than simply labeling them "weak" or "uninformed".
replies(1): >>troupo+1p1
19. troupo+1p1 2023-12-31 16:18:00
>>hgs3+Mh1
There was no effort behind countering my words.

First you tried to pretend that software is somehow different because it "doesn't do any physical harm".

I addressed that directly with a very specific example of physical harm.

(Besides, there are many more concerns beyond just physical harm, and my example of food poisoning was just an example that you must follow safety regulations even if you're a "one-person" company)

So your next counter-claim was a non-sequitur that "since it was recalled it means that there are regulations" which doesn't make sense even logically, which I addressed as well.

And the rest is just unsubstantiated claims that the law is redundant at best and bad at worst which is pure FUD.

How's that for good faith argument?

With this, I remove myself from this discussion. Adieu.
