
List:       oss-security
Subject:    Re: [oss-security] European Union Cyber Resilience Act (CRA)
From:       Katherine Mcmillan <kmcmi046 () uottawa ! ca>
Date:       2023-10-05 15:59:57
Message-ID: YT2PR01MB9827F9C7112CAAF0FFFC320CE8CAA () YT2PR01MB9827 ! CANPRD01 ! PROD ! OUTLOOK ! COM


"However, when evaluating laws & regulations you should always IGNORE their goals, because their goals are IRRELEVANT. What matters is what the laws and regulations will actually *CAUSE*. Put another way, RESULTS are the *only* legitimate basis for evaluating laws and regulations. In this case, I think too many regulators are focused on theoretical goals while ignoring what will actually happen."

Wisely said, David.

Full disclosure, I work for the Linux/Unix Management Directorate for the Government of Canada and this is something we, of course, also have our eyes on.

Sincerely,
Katie
________________________________
From: David A. Wheeler <dwheeler@dwheeler.com>
Sent: 05 October 2023 11:08
To: oss-security@lists.openwall.com <oss-security@lists.openwall.com>
Subject: [oss-security] European Union Cyber Resilience Act (CRA)


Solar Designer posted on October 1, 2023:
> The talk... starts with a mention of the European Union Cyber Resilience Act (CRA)
> and how it is problematic for Open Source...
> (If we want to discuss in here, which I'm not sure of, please start a
> separate thread for this sub-topic, do not just reply to this one.)

Fair enough. The CRA *definitely* impacts open source software,
and it includes security-related requirements. So it seems on-topic for this mailing list, at
least to note that *many* people find the CRA concerning & to point to more information.

I think a good place to start is "Understanding the Cyber Resilience Act:
What Everyone involved in Open Source Development Should Know" from the Linux Foundation:
https://www.linuxfoundation.org/blog/understanding-the-cyber-resilience-act

As currently written, individual developers of OSS are "probably excluded by the CRA requirements, even if you occasionally accept donations. But if you regularly charge or accept recurring donations from commercial entities (for example, if you do open source consulting), you'll likely be covered by the CRA."
The bigger problem is that nonprofits & private companies are expected to do a lot of things that don't make much sense. As noted, "the assumptions the CRA makes about software manufacturers do not necessarily hold for open source software developers."

The Linux Foundation EU has a page about the CRA:
https://linuxfoundation.eu/cyber-resilience-act
... it has many links, and is urging people to work to #FixTheCRA.

Many organizations *have* been trying to get EU regulators to fix the CRA. This isn't a case where no one spoke up. The problem is that for the most part their concerns have been ignored by regulators:
https://www.globenewswire.com/news-release/2023/04/17/2647861/0/en/The-Eclipse-Foundation-and-Leading-Open-Source-Organisations-Deliver-Open-Letter-to-European-Commission-Regarding-the-Cyber-Resilience-Act.html

I think the overall *goals* of the CRA are laudable. However, when evaluating laws & regulations you should always IGNORE their goals, because their goals are IRRELEVANT. What matters is what the laws and regulations will actually *CAUSE*. Put another way, RESULTS are the *only* legitimate basis for evaluating laws and regulations. In this case, I think too many regulators are focused on theoretical goals while ignoring what will actually happen.

Full disclosure: I work for the Linux Foundation, but I'm just speaking for myself here.

--- David A. Wheeler


