List:       oss-security
Subject:    [oss-security] European Union Cyber Resilience Act (CRA)
From:       "David A. Wheeler" <dwheeler () dwheeler ! com>
Date:       2023-10-05 15:08:51
Message-ID: 1061E5A7-416D-4C7A-A2CC-AA3617ACAE13 () dwheeler ! com
Solar Designer posted on October 1, 2023:
> The talk... starts with a mention of the European Union Cyber Resilience Act (CRA)
> and how it is problematic for Open Source...
> (If we want to discuss in here, which I'm not sure of, please start a
> separate thread for this sub-topic, do not just reply to this one.)

Fair enough. The CRA *definitely* impacts open source software,
and it includes security-related requirements. So it seems on-topic for this mailing
list, at least to note that *many* people find the CRA concerning & to point to more
information.

I think a good place to start is "Understanding the Cyber Resilience Act:
What Everyone Involved in Open Source Development Should Know" from the Linux
Foundation: https://www.linuxfoundation.org/blog/understanding-the-cyber-resilience-act

As currently written, individual developers of OSS are "probably excluded by the CRA
requirements, even if you occasionally accept donations. But if you regularly charge
or accept recurring donations from commercial entities (for example, if you do open
source consulting), you'll likely be covered by the CRA." The bigger problem is that
nonprofits & private companies are expected to do a lot of things that don't make much
sense. As noted, "the assumptions the CRA makes about software manufacturers do not
necessarily hold for open source software developers."

The Linux Foundation EU has a page about the CRA:
https://linuxfoundation.eu/cyber-resilience-act
... it has many links, and is urging people to work to #FixTheCRA.

Many organizations *have* been trying to get EU regulators to fix the CRA. This isn't
a case where no one spoke up. The problem is that for the most part their concerns
have been ignored by regulators:
https://www.globenewswire.com/news-release/2023/04/17/2647861/0/en/The-Eclipse-Foundation-and-Leading-Open-Source-Organisations-Deliver-Open-Letter-to-European-Commission-Regarding-the-Cyber-Resilience-Act.html

I think the overall *goals* of the CRA are laudable. However, when evaluating laws &
regulations you should always IGNORE their goals, because their goals are IRRELEVANT.
What matters is what the laws and regulations will actually *CAUSE*. Put another way,
RESULTS are the *only* legitimate basis for evaluating laws and regulations. In this
case, I think too many regulators are focused on theoretical goals while ignoring
what will actually happen.

Full disclosure: I work for the Linux Foundation, but I'm just speaking for myself
here.

--- David A. Wheeler