> On 28 Jul 2023, at 20:30, Henk Birkholz <[email protected]>
> wrote:
>
> Hi Olle,
>
> Surprisingly,
>
> it seems the EU reserves some right to prescribe a format without
> highlighting what that process could look like (rendering the outcome a
> mystery, I think).
Exactly. It seems to me that if there’s an exploit in a product, that company
needs to provide an SBOM to ENISA, but not to customers. There are many things
about the CRA that seem “not done” to me, not thought through or not complete.
Also, including a lot of time-sensitive facts and procedures, like the
categories of products, in a law text is strange. The law should point to a
change process and an institution that maintains the list, not include the list.
Well, we haven’t seen the final text yet. Let’s hope they fix both the open
source part and the rest of it. The intention seems good to me.
/O
>
> Viele Grüße,
>
> Henk
>
> On 28.07.23 19:32, Olle E. Johansson wrote:
>> While the CRA mentions SBOM in the draft many times, it is not requiring
>> that the vendor provides customers with an SBOM. It says that SBOM is a
>> good tool for vulnerability tracking and opens up for the EU to decide on
>> a recommendation on a particular SBOM format.
>> So yes, it’s mentioning SBOM but it’s not going all the way.
>> /O
>>> On 27 Jul 2023, at 16:52, Dick Brooks <[email protected]>
>>> wrote:
>>>
>>> Today, all the risks and cost from a cyber attack fall on the consumer.
>>>
>>> IMO the EU CRA is designed to protect consumers by sharing responsibility
>>> for cyber attack liabilities with software producers.
>>>
>>> The issue IMO is the open source model fails to properly compensate the
>>> talented people behind open source projects.
>>>
>>> Dick Brooks (REA)
>>>> On Jul 26, 2023, at 4:24 PM, John Sullivan <[email protected]> wrote:
>>>>
>>>> On Wed, Jul 26, 2023 at 09:21:30AM -0400, Dick Brooks wrote:
>>>>> Very encouraging language in the EU CRA for SBOM adoption and
>>>>> vulnerability
>>>>> monitoring/reporting.
>>>>>
>>>>
>>>> Small consolation given what a potential disaster the CRA is for open
>>>> source / free software in general (see especially Problem 3):
>>>> https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/
>>>>
>>>> -john
View/Reply Online (#1722): https://lists.spdx.org/g/spdx/message/1722