> On 24 Oct 2025, at 11:27, Mark Thomas <[email protected]> wrote:
>
> On 24/10/2025 08:27, Olle E. Johansson wrote:
>>> On 23 Oct 2025, at 19:09, Piotr P. Karwasz <[email protected]>
>>> wrote:
>>>
>>> Hi Mark,
>>>
>>> On 23.10.2025 14:03, Mark Thomas wrote:
>>>> There is currently an expectation in the CRA that a product will not be
>>>> released if there are known (by the maintainer) security vulnerabilities
>>>> in that product.
>> That must be a misunderstanding here somewhere. The CRA talks about products
>> “placed on the market”. I don’t think Open Source counts as that.
>
> This thread started as a direct result of a discussion at Code & Compliance.
> I'll let Dirk-Willem fill in the details but there is - currently - an
> expectation that OSS will not be releasing software with known
> vulnerabilities. The purpose of this thread is to collect examples as to why
> that might not always be the case so that it can be fed back and the
> expectation corrected.
Ok. Wish I had been able to be there.
>
>> The CRA also talks about three categories of vulnerabilities
>> - known vulnerabilities
>> - exploitable vulnerabilities
>> - known exploited vulnerabilities
>> I think that it says that products should not be placed on the market if the
>> product - including dependencies - has known exploited vulnerabilities.
>
> No. Annex 1, Part 1, Para 2, point (b): "... without known *exploitable*
> vulnerabilities"
>
Ok
> It also doesn't define known by whom.
Exactly. I was hoping the NIS2 technical guidance would say something here, but
it doesn’t seem that way.
>
>> The guidelines have not been published on what this means. A possible
>> inspiration can be the Technical implementation guide to NIS2 that was
>> published by ENISA in June -
>> https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance
>> I haven’t read it fully, but I glanced over the parts about vulnerability
>> management
>> and was not very impressed and a bit shocked. But I guess that is another
>> story.
>> My real question here is whether the obligation to place a product on the
>> market
>> without (some level of known) vulnerabilities applies to Open Source?
>
> Directly, no, because Open Source Stewards don't place products on the market.
>
> However, if you look at the text around attestation programmes you see
> phrases like:
>
> "...voluntary security attestation programmes for assessing the
> conformity of products with digital elements qualifying as free and
> open-source software with all or certain essential
> cybersecurity requirements or other obligations laid down in this
> Regulation..."
>
> Given that one of the essential cyber security requirements is releasing
> without known vulnerabilities, that could apply to OSS if OSS wanted to use
> attestations. From a market efficiency point of view, manufacturers are going
> to want at least popular OSS dependencies to have attestations (even if the
> manufacturers have to fund that themselves).
Won’t there be a difference between projects that deliver “assembled” products
like OCI containers or operating systems consisting of many third-party
products, and projects that deliver a piece of their own code, maybe Linux
packages, that depend on third parties but do not deliver them?
There’s a lot of stuff here to think about. Good discussion! :-)
/O