
List:       oss-security
Subject:    Re: [oss-security] European Union Cyber Resilience Act (CRA)
From:       Dirk-Willem van Gulik <dirkx () webweaving ! org>
Date:       2023-10-09 10:52:59
Message-ID: 3C6BAFEB-A4D8-4691-9C7A-76B36B1BB74D () webweaving ! org

On 8 Oct 2023, at 22:56, Jean Luc Picard <atari2600a@gmail.com> wrote:

> 'sharing', they'd likely blow a gasket.  It appears it's too late to bring
> in the real industry experts into the committee meetings but not too late
> to make a meaningful difference.  That said, the community at large needs
> to prepare for a lull in rights & freedoms.  Perhaps if it got to a point

While I am not quite sure what qualifies as a `real' industry expert :) — fair to assume that over the last 2 years a very sizeable body of such domain experts have engaged with the European Commission, with the members (Shadows) of the European Parliament, with the Council (and at the national level - as in effect the council ‘is' the cabinets/ministers at country level).

This was not just open source [1,2,3,4] but also the industry [5,6]. In particular.

If you are in any doubt - check the last page of 6 for the ‘who' — that is the entire Who-is-who of Europe's technical industry and notice that 5 comes from one of the most powerful industry bodies in Europe. And know that the interaction was not just `an email' or a `like' — but involved many face to face meetings, in Brussels.

At this point I think it is fair to assume that the policy makers understand the impact the CRA can have on this industry.

And that they are (fairly!!, that is their role) trading this impact against the damage that bad software/security practices of our industry are doing to society. Which is also considerable.

Much like, in the latter half of the previous century, society introduced things such as safety belts, roll-cages and crumple zones for cars — accepting that it would literally decimate a very large industry; allowing only a few large (combined brand) players to survive. And making cars 10-30% more expensive.

My reading is that part of ‘forcing' the CRA on open source is their hope that this will make it cheaper and more `doable' for SMEs in Europe to implement the CRA. I.e. move the ‘cost' of CRA compliance `upstream' — away from the downstream*. And, perhaps, their hope is that the open-source is so crucial to the industry - that industry will simply fund this**, ***.

Obviously it is galling that open source (say, at the ASF), is usually NOT the one patching & fixing late - au contraire) — but we are part of this industry & often the foundation of it all.

Also note that the CRA is the `light' one, impact wise. 

The real sizzler for the industry (and not so much for Open Source) is the Product Liability Directive — that introduces `strict liability' [7].

With kind regards,

Dw 


1: https://news.apache.org/foundation/entry/save-open-source-the-impending-tragedy-of-the-cyber-resilience-act
2: https://eclipse-foundation.blog/2023/02/23/cyber-resilience-act-good-intentions-and-unintended-consequences/ (and a lot of others)
3: https://blog.sonatype.com/eu-cyber-resilience-act-good-for-software-supply-chain-security-bad-for-open-source
4: https://www.linuxfoundation.org/blog/understanding-the-cyber-resilience-act
5: https://www.vda.de/dam/jcr:888e90b1-84dc-4660-a266-f246a141112f/VDA%20Brief%20position%20FOSS_EN.pdf?mode=view
6: https://cdn.digitaleurope.org/uploads/2023/09/DIGITALEUROPE_Building-a-strong-foundation-for-the-CRA_key-considerations-for-trilogues.pdf
7: Using the USA term for this; `when a defendant is fully liable for the effects of its product regardless of what was expected/intended when putting it on the market'

*: Ignoring the rather large issue that, like `trust not being transitive' — notified bodies/certification authorities generally do not allow such/look at the final step.
**: And there is this assumption; based on the high 100's if not mid 1000's of millions put into open source foundations by big-tech - that they are already funded well enough as it is.
***: my personal expectation is the opposite; the two or three main players in this industry may well fund this only for their own clouds and simply tell the punters that you must run on platform X or Y in their cloud in order to be compliant.
