On 2023-07-27 10:52 a.m., Dick Brooks wrote:
> Today, all the risks and cost from a cyber attack fall on the consumer.
> IMO the EU CRA is designed to protect consumers by sharing responsibility for
> cyber attack liabilities with software producers.
> The issue IMO is the open source model fails to properly compensate the
> talented people behind open source projects.
The entire open source ecosystem is built upon the understanding that
the software is freely provided, but that the producers of free software
provide no warranties and accept no liability. The CRA breaks that
fundamental deal by imposing CE Mark conformance requirements on all
software, including all of the open source software that matters, made
available in Europe. Failure to conform with these requirements results
in a fine of the greater of €15 million or 2.5% of the manufacturer's
annual revenue, whichever is greater.
Under the CRA the responsibility for implementing CE Mark conformance
will fall upon the people and groups least able to deal with the effort,
i.e. the developers, projects, communities, and nonprofit foundations
who distribute open source projects. The end result will not be more
secure software. The end result will be that many projects will say that
their open source software cannot be used in Europe, which will not be a
positive result for the EU.
It is important to stress that this is not a misunderstanding. The
European Commission and the relevant parliamentary committee know full
well that the words in the CRA will impose these requirements on the
open source community.
In addition, the CRA will require open source projects to report
unpatched vulnerabilities to either national authorities or ENISA
(depending on which version prevails in the trilogue). It will also
outlaw open source development best practices where intermediate builds
are made available under open source licenses (see Article 4).
I know this is a place where everyone gets to talk about how great SBOMs
are. But defending the CRA because it mandates SBOMs is absurd.
The approach outlined in the US National Cybersecurity Strategy is far
better. It makes it clear that the open source producers will not be
held responsible and puts the responsibility for security on the parties
who are commercializing the open source components. That approach is far
more likely to achieve the result we all desire, which is more secure
software.
> On Jul 26, 2023, at 4:24 PM, John Sullivan <[email protected]> wrote:
>> On Wed, Jul 26, 2023 at 09:21:30AM -0400, Dick Brooks wrote:
>>> Very encouraging language in the EU CRA for SBOM adoption and vulnerability
>>> monitoring/reporting.
>> Small consolation given what a potential disaster the CRA is for open
>> source / free software in general (see especially Problem 3):
>> https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/
--
*Mike Milinkovich*
*Executive Director **Eclipse Foundation AISBL*
View/Reply Online (#1720): https://lists.spdx.org/g/spdx/message/1720