Date: Mon, 9 Oct 2023 12:52:59 +0200
From: Dirk-Willem van Gulik <dirkx@...weaving.org>
To: oss-security@...ts.openwall.com
Subject: Re: European Union Cyber Resilience Act (CRA)

On 8 Oct 2023, at 22:56, Jean Luc Picard <atari2600a@...il.com> wrote:

> 'sharing', they'd likely blow a gasket.  It appears it's too late to bring
> in the real industry experts into the committee meetings but not too late
> to make a meaningful difference.  That said, the community at large needs
> to prepare for a lull in rights & freedoms.  Perhaps if it got to a point

While I am not quite sure what qualifies as a ‘real’ industry expert :) — fair to assume that over the last 2 years a very sizeable body of such domain experts have engaged with the European Commission, with the members (Shadows) of the European Parliament, with the Council (and at the national level - as in effect the Council ‘is’ the cabinets/ministers at country level).

This was not just open source [1,2,3,4] but also the industry [5,6]. In particular.

If you are in any doubt - check the last page of 6 for the ‘who’ — that is the entire Who-is-who of Europe's technical industry, and notice that 5 comes from one of the most powerful industry bodies in Europe. And know that the interaction was not just ‘an email’ or a ‘like’ — but involved many face-to-face meetings, in Brussels.

At this point I think it is fair to assume that the policy makers understand the impact the CRA can have on this industry. 

And that they are (fairly!!, that is their role) trading this impact against the damage that the bad software/security practices of our industry are doing to society. Which is also considerable.

Much like, in the latter half of the previous century, society introduced things such as safety belts, roll-cages and crumple zones for cars — accepting that it would literally decimate a very large industry; allowing only a few large (combined brand) players to survive. And making cars 10-30% more expensive.

My reading is that part of ‘forcing’ the CRA on open source is their hope that this will make it cheaper and more ‘doable’ for SMEs in Europe to implement the CRA. I.e. move the ‘cost’ of CRA compliance ‘upstream’ — away from the downstream*. And, perhaps, their hope is that open source is so crucial to the industry that industry will simply fund this**, ***.

Obviously it is galling that open source (say, at the ASF) is usually NOT the one patching & fixing late (au contraire) — but we are part of this industry & often the foundation of it all.

Also note that the CRA is the ‘light’ one, impact wise.

The real sizzler for the industry (and not so much for Open Source) is the Product Liability Directive — that introduces ‘strict liability’ [7].

With kind regards,

Dw 


1: https://news.apache.org/foundation/entry/save-open-source-the-impending-tragedy-of-the-cyber-resilience-act
2: https://eclipse-foundation.blog/2023/02/23/cyber-resilience-act-good-intentions-and-unintended-consequences/ (and a lot of others)
3: https://blog.sonatype.com/eu-cyber-resilience-act-good-for-software-supply-chain-security-bad-for-open-source
4: https://www.linuxfoundation.org/blog/understanding-the-cyber-resilience-act
5: https://www.vda.de/dam/jcr:888e90b1-84dc-4660-a266-f246a141112f/VDA%20Brief%20position%20FOSS_EN.pdf?mode=view
6: https://cdn.digitaleurope.org/uploads/2023/09/DIGITALEUROPE_Building-a-strong-foundation-for-the-CRA_key-considerations-for-trilogues.pdf
7: Using the USA term for this; ‘when a defendant is fully liable for the effects of its product regardless of what was expected/intended when putting it on the market’

*: Ignoring the rather large issue that, like ‘trust not being transitive’ — notified bodies/certification authorities generally do not allow such/look at the final step.
**: And there is this assumption, based on the high 100's if not mid 1000's of millions put into open source foundations by big-tech, that they are already funded well enough as it is.
***: My personal expectation is the opposite; the two or three main players in this industry may well fund this only for their own clouds & simply tell the punters that you must run on platform X or Y in their cloud in order to be compliant.
