Open chadwhitacre opened 7 months ago
Compliance vendors are already emerging.
https://www.i46.cz/ https://www.i46.cz/2024/01/18/the-cyber-resilience-act-bringing-all-developers-including-open-source-under-its-umbrella/
2023-01-15 – European Cyber Resilience Act: Potential Impact on the Eclipse Foundation, Eclipse
2023-01-30 – The ultimate list of reactions to the Cyber Resilience Act, OSI/Webmink
2023-03-14 – The comprehension error behind the CRA issue, Webmink
2023-04-11 – The EU's Proposed CRA Law May Have Unintended Consequences for the Python Ecosystem, PSF (HN, Reddit)
2023-04-17 – Open Letter to the European Commission on the Cyber Resilience Act, Eclipse
2023-09-08 – Understanding the Cyber Resilience Act, Linux Foundation
2023-09-12 – Will the Cyber Resilience Act help the European ICT sector compete?, Linux Foundation
2023-09-19 – The European Cyber Resilience Act, LWN
2023-10-13 – Can open source be saved from the EU's Cyber Resilience Act?, sjvn in The Register (Reddit)
2023-10-25 – EU Cyber Resilience Act would harm open source software and competitiveness, EDRi
2023-10-30 – EU policymakers’ advance on open source software, support period in new cybersecurity law, Euractiv
2023-11-20 – The Cyber Resiliency Act and Open Source Concerns, SparkFabrik
2023-11-27 – Presentation of the Cyber Resilience Act, OpenForum Europe 📺
2023-12-04 – EU Cyber Resilience Act Takes a Leap Forward
2023-12-19 – Good News on the Cyber Resilience Act, Eclipse
2023-12-27 – Statement about the EU Cyber Resilience Act, Debian
2023-12-30 – EU CRA: What does it mean for open source?, bert hubert (HN)
2024-01-12 – EU’s Cyber Resilience Act Passes with Wins for Open Source
2024-01-15 – EU amendment changes open source definition, ComputerWeekly
2024-01-15 – Open source wins concessions in new EU cyber law, Developer
2024-02-02 – Meet the OSS Stewards - Foundations’ New Role, OpenForum Europe 📺
2024-02-02 – The European regulators listened to the Open Source communities!, OSI blog
2024-02-03 – The Regulators Are Coming: One Year On, FOSDEM panel
2024-02-04 – CRA: 40 new ways the CRA can accidentally harm open source, FOSDEM
2024-02-07 – What I learned in Brussels: the Cyber Resilience Act, NLnet Labs
2024-02-19 – Europe’s Cyber Resilience Act: Redefining open source, SecurityIntelligence
2024-04-02 – The Open Source Community is Building Cybersecurity Processes for CRA Compliance, Eclipse
2024-04-10 – Securing Open Source Software, the Cyber Resilience Act Way, sjvn in DevOps

I made this ticket while watching "EU Open Source Policy Summit 2024 Panel: Meet the OSS Stewards - Foundations’ New Role," which kinda blew my mind tbh. I've had CRA on the edge of my radar, but ... this is big.
The software industry from now on is, essentially, regulated, and that is a massive, massive change.
(src)
These transitions [from Developer, to Steward, to Manufacturer], in the future we will need to make very explicitly, and clearly announce them in a certain way, so that it's clear which role you play at a certain time.
(src)
A few more notes from a first pass through this video:
The CRA will have some effect on Manufacturers but I don't care so much about that. What effect will it have on OSS foundations and indie devs? It seems like it will be really significant.
Here's a link to the adopted text: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html
The drafts in https://github.com/chadwhitacre/openpath/issues/40#issue-2238422830 are outdated.
The Eclipse news was put on my radar right before it broke, during a call with a director of one of the foundations involved.
LF is conspicuously absent from this latest, though they were on the original open letter. Looks like they have their own effort, ... aaaaand, "It will unfortunately require a little bit of centralization from us." 😒 🤨 🧐
@mswilson Why is that link so hard to find from either their main page or Wikipedia? 😭 Where did you get it from?
En route from Lulu. 👍
The CRA is only one part of the legislative framework; the revised Product Liability Directive (PLD) may also end up defining some of the specific factors around what's a "product" that would need to meet higher standards. Current PLD draft text excludes "Free and open-source software...", but it's not clear in practice how that will actually be interpreted.
PLD is definitely not an easy thing to research, but here's one overview that explains the concept: https://www.taylorwessing.com/en/insights-and-events/insights/2024/03/software-als-produkt
Essentially, the EU thinks products should be fit for purpose, or otherwise the producer could be liable. The revised PLD will essentially treat software as a product, with liability more like a car than like what software engineers expect. 😿
Point made here is that if manufacturers are responsible for due diligence, that puts backpressure on upstream OSS to conform even if not directly named.
A couple places where tension between formal foundation and informal community comes up:
@mswilson Why is that link so hard to find from either their main page or Wikipedia? 😭 Where did you get it from?
I have no idea why it's so hard. It took me quite a while to find. I happened to know a unique phrase that was added in the adopted text, and Google found it.
PLD is definitely not an easy thing to research
I found a helpful lightning talk from the FOSDEM policy track.
Also (from here):
Omar Enaji's (European Commission) introduction to the PLD during the "The Regulators Are Coming: One Year On" (starting at 25min20s) at FOSDEM's main stage
(twitter)
@chadwhitacre too bad you kept it to yourself! https://www.lulu.com/search?sortBy=RELEVANCE&page=1&q=cyber+resilience+act
@pombredanne Hah! 😁 It's a little more complicated to publish to Lulu vs. printing for oneself. I did try to determine copyright information for the document. It should be public domain, right? In the end I decided not to bother. It's easy enough to upload the PDF and print it, and if someone else wants to publish it on the Lulu bookstore, I'm certainly not going to get in their way. 😉
Regarding the roles defined with the CRA—manufacturer, steward, individual—I found this comment from Mirko insightful:
The first question is, which of the roles are you? Make sure you know, and then act at least according to what we know today. This leads to a couple of really interesting questions, because our projects grow very dynamically. An individual developer has a great idea, starts to work on something on the weekend. It has legs. It starts to grow. Three people start pitching in, they start making regular releases. At what point does this group now become a steward? Also, they start selling, maybe, support contracts. They will become a business. These transitions from, "I'm a hobbyist, I contribute to somebody else's project," to, "I become maybe a small community, maybe I put that community under the umbrella of a foundation," or, "I will start a business"—these transitions, in the future, we will need to make very explicitly, and clearly announce them, in a way, so that it's clear which role you play at a certain time.
Reticketed from https://github.com/chadwhitacre/openpath/issues/39. This is a BFD.
The Cyber Resilience Act (CRA) is a piece of European Union legislation that regulates software as a product. Toys and electronics and appliances and such must meet certain safety standards and carry the CE mark to be sold in Europe. The CRA is on its way to enter into force in 2027, at which point "products with digital elements" (i.e., software) will likewise need to meet certain safety (i.e., security) standards and carry the CE mark.
The Product Liability Directive (PLD) is a related document that is also getting an update to make it clear that software manufacturers are on the hook for bugs in their code, even far downstream.
This ticket includes a reading list and my first attempts to take on board some of the implications of this legislation.