Date: Thu, 5 Oct 2023 11:08:51 -0400
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: oss-security@...ts.openwall.com
Subject: European Union Cyber Resilience Act (CRA)

Solar Designer posted on October 1, 2023:
> The talk... starts with a mention of the European Union Cyber Resilience Act (CRA)
> and how it is problematic for Open Source...
> (If we want to discuss in here, which I'm not sure of, please start a
> separate thread for this sub-topic, do not just reply to this one.)

Fair enough. The CRA *definitely* impacts open source software,
and it includes security-related requirements. So it seems on-topic for this mailing list, at
least to note that *many* people find the CRA concerning & to point to more information.

I think a good place to start is "Understanding the Cyber Resilience Act:
What Everyone involved in Open Source Development Should Know" from the Linux Foundation:
https://www.linuxfoundation.org/blog/understanding-the-cyber-resilience-act

As currently written, individual developers of OSS are "probably excluded by the CRA requirements, even if you occasionally accept donations. But if you regularly charge or accept recurring donations from commercial entities (for example, if you do open source consulting), you’ll likely be covered by the CRA."
The bigger problem is that nonprofits & private companies are expected to do a lot of things that don't make much sense. As noted, "the assumptions the CRA makes about software manufacturers do not necessarily hold for open source software developers."

The Linux Foundation EU has a page about the CRA:
https://linuxfoundation.eu/cyber-resilience-act
... it has many links, and is urging people to work to #FixTheCRA.

Many organizations *have* been trying to get EU regulators to fix the CRA. This isn't a case where no one spoke up. The problem is that for the most part their concerns have been ignored by regulators:
https://www.globenewswire.com/news-release/2023/04/17/2647861/0/en/The-Eclipse-Foundation-and-Leading-Open-Source-Organisations-Deliver-Open-Letter-to-European-Commission-Regarding-the-Cyber-Resilience-Act.html

I think the overall *goals* of the CRA are laudable. However, when evaluating laws & regulations you should always IGNORE their goals, because their goals are IRRELEVANT. What matters is what the laws and regulations will actually *CAUSE*. Put another way, RESULTS are the *only* legitimate basis for evaluating laws and regulations. In this case, I think too many regulators are focused on theoretical goals while ignoring what will actually happen.

Full disclosure: I work for the Linux Foundation, but I'm just speaking for myself here.

--- David A. Wheeler
