List:       oss-security
Subject:    [oss-security] European Union Cyber Resilience Act (CRA)
From:       "David A. Wheeler" <dwheeler () dwheeler ! com>
Date:       2023-10-05 15:08:51
Message-ID: 1061E5A7-416D-4C7A-A2CC-AA3617ACAE13 () dwheeler ! com

Solar Designer posted on October 1, 2023:
> The talk... starts with a mention of the European Union Cyber Resilience Act (CRA)
> and how it is problematic for Open Source...
> (If we want to discuss in here, which I'm not sure of, please start a
> separate thread for this sub-topic, do not just reply to this one.)

Fair enough. The CRA *definitely* impacts open source software,
and it includes security-related requirements. So it seems on-topic for this mailing list, at
least to note that *many* people find the CRA concerning & to point to more information.

I think a good place to start is "Understanding the Cyber Resilience Act:
What Everyone involved in Open Source Development Should Know" from the Linux Foundation:
https://www.linuxfoundation.org/blog/understanding-the-cyber-resilience-act

As currently written, individual developers of OSS are "probably excluded by the CRA requirements, even
if you occasionally accept donations. But if you regularly charge or accept recurring donations from
commercial entities (for example, if you do open source consulting), you'll likely be covered by the
CRA." The bigger problem is that nonprofits & private companies are expected to do a lot of things that
don't make much sense. As noted, "the assumptions the CRA makes about software manufacturers do not
necessarily hold for open source software developers."

The Linux Foundation EU has a page about the CRA:
https://linuxfoundation.eu/cyber-resilience-act
... it has many links, and is urging people to work to #FixTheCRA.

Many organizations *have* been trying to get EU regulators to fix the CRA. This isn't a case where no one
spoke up. The problem is that for the most part their concerns have been ignored by regulators:
https://www.globenewswire.com/news-release/2023/04/17/2647861/0/en/The-Eclipse-Foundation-and-Leading-Open-Source-Organisations-Deliver-Open-Letter-to-European-Commission-Regarding-the-Cyber-Resilience-Act.html

I think the overall *goals* of the CRA are laudable. However, when evaluating laws & regulations you
should always IGNORE their goals, because their goals are IRRELEVANT. What matters is what the laws and
regulations will actually *CAUSE*. Put another way, RESULTS are the *only* legitimate basis for
evaluating laws and regulations. In this case, I think too many regulators are focused on theoretical
goals while ignoring what will actually happen.

Full disclosure: I work for the Linux Foundation, but I'm just speaking for myself here.

--- David A. Wheeler
