From oss-security Thu Oct 05 15:08:51 2023
From: "David A. Wheeler"
Date: Thu, 05 Oct 2023 15:08:51 +0000
To: oss-security
Subject: [oss-security] European Union Cyber Resilience Act (CRA)
Message-Id: <1061E5A7-416D-4C7A-A2CC-AA3617ACAE13 () dwheeler ! com>
X-MARC-Message: https://marc.info/?l=oss-security&m=169651842928131

Solar Designer posted on October 1, 2023:
> The talk... starts with a mention of the European Union Cyber Resilience Act (CRA)
> and how it is problematic for Open Source...
> (If we want to discuss in here, which I'm not sure of, please start a
> separate thread for this sub-topic, do not just reply to this one.)

Fair enough.

The CRA *definitely* impacts open source software, and it includes security-related requirements. So it seems on-topic for this mailing list, at least to note that *many* people find the CRA concerning & to point to more information.

I think a good place to start is "Understanding the Cyber Resilience Act: What Everyone involved in Open Source Development Should Know" from the Linux Foundation:
https://www.linuxfoundation.org/blog/understanding-the-cyber-resilience-act

As currently written, individual developers of OSS are "probably excluded by the CRA requirements, even if you occasionally accept donations. But if you regularly charge or accept recurring donations from commercial entities (for example, if you do open source consulting), you'll likely be covered by the CRA."

The bigger problem is that nonprofits & private companies are expected to do a lot of things that don't make much sense. As noted, "the assumptions the CRA makes about software manufacturers do not necessarily hold for open source software developers."

The Linux Foundation EU has a page about the CRA:
https://linuxfoundation.eu/cyber-resilience-act
... it has many links, and is urging people to work to #FixTheCRA.

Many organizations *have* been trying to get EU regulators to fix the CRA. This isn't a case where no one spoke up. The problem is that for the most part their concerns have been ignored by regulators:
https://www.globenewswire.com/news-release/2023/04/17/2647861/0/en/The-Eclipse-Foundation-and-Leading-Open-Source-Organisations-Deliver-Open-Letter-to-European-Commission-Regarding-the-Cyber-Resilience-Act.html

I think the overall *goals* of the CRA are laudable. However, when evaluating laws & regulations you should always IGNORE their goals, because their goals are IRRELEVANT. What matters is what the laws and regulations will actually *CAUSE*. Put another way, RESULTS are the *only* legitimate basis for evaluating laws and regulations. In this case, I think too many regulators are focused on theoretical goals while ignoring what will actually happen.

Full disclosure: I work for the Linux Foundation, but I'm just speaking for myself here.

--- David A. Wheeler