Dick,
We can all agree that improving the security of software is necessary.
Consumers deserve protections that they currently do not have.
Regulation of the software industry is coming and is arguably overdue.
I agree that the CRA is intended to protect consumers. But it is also
definitely an attack on open source developers. I can say that with
certainty because I have met the authors of the CRA in person and
discussed it at length with them. (Here
<https://news.apache.org/foundation/entry/asf-legal-committee-issues-generative-ai-guidance-to-contributors>
is an excellent summary of the issues and motivations from the Apache
Software Foundation.)
I have not met a single open source developer who does not see the CRA
as an attack on them and their projects. Because it is.
The CRA does nothing to improve the compensation of open source
developers or the sustainability of open source projects. Instead it
places a massive regulatory and legal burden on the people and
nonprofits least able to deal with it. In contrast, the US National
Cybersecurity Strategy is demonstrating that it is possible to protect
consumers while still retaining software freedom.
On 2023-07-30 8:05 a.m., Dick Brooks wrote:
Mike,
I agree. The CRA is raising questions about the open-source business
model, which IMO is broken and needs to be fixed. Open-source
developers and maintainers are very talented and work very hard; they
deserve to be properly compensated as they develop more “secure by
design” concepts into their software offerings.
IMO, the EU CRA is designed to help protect the consumers of software;
they bear all the cost, risks and harm of a cyber-incident.
If you think of this in another context, would you as a consumer
accept a free food product that causes cancer to occur?
Would you accept software that causes a malicious cyber incident to occur?
As I said, IMO the EU CRA is more about consumer protection than an
attack on open-source developers.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report!™ <https://reliableenergyanalytics.com/products>
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788
From: [email protected] <[email protected]> On Behalf Of Mike Milinkovich via lists.spdx.org
Sent: Thursday, July 27, 2023 4:51 PM
To: [email protected]
Cc: [email protected]; scrm-nist <[email protected]>; swsupplychain-eo <[email protected]>; Steve Springett <[email protected]>
Subject: Re: [spdx] EU CRA is very supportive of SBOM
On 2023-07-27 10:52 a.m., Dick Brooks wrote:
Today, all the risks and cost from a cyber attack fall on the consumer.
IMO the EU CRA is designed to protect consumers by sharing responsibility
for cyber attack liabilities with software producers.
The issue IMO is the open source model fails to properly compensate the
talented people behind open source projects.
The entire open source ecosystem is built upon the understanding that
the software is freely provided, but that the producers of free
software provide no warranties and accept no liability. The CRA breaks
that fundamental deal by imposing CE Mark conformance requirements on
all software, including all of the open source software that matters,
made available in Europe. Failure to conform with these requirements
results in a fine of the greater of €15 million or 2.5% of the
manufacturer's annual revenue, whichever is greater.
Under the CRA the responsibility for implementing CE Mark conformance
will fall upon the people and groups least able to deal with the
effort, i.e., the developers, projects, communities, and nonprofit
foundations who distribute open source projects. The end result will
not be more secure software. The end result will be that many projects
will say that their open source software cannot be used in Europe.
Which will not be a positive result for the EU.
It is important to stress that this is not a misunderstanding. The
European Commission and the relevant parliamentary committee know full
well that the words in the CRA will impose these requirements on the
open source community.
In addition, the CRA will require open source projects to report
unpatched vulnerabilities to either national authorities or ENISA
(depending on which version prevails in the trilogue). It will also
outlaw open source development best practices where intermediate
builds are made available under open source licenses (see Article 4).
I know this is a place where everyone gets to talk about how great
SBOMs are. But defending the CRA because it mandates SBOMs is absurd.
The approach outlined in the US National Cybersecurity Strategy is far
better. It makes it clear that the open source producers will not be
held responsible and puts the responsibility for security on the
parties who are commercializing the open source components. That
approach is far more likely to achieve the result we all desire, which
is more secure software.
On Jul 26, 2023, at 4:24 PM, John Sullivan <[email protected]> wrote:
On Wed, Jul 26, 2023 at 09:21:30AM -0400, Dick Brooks wrote:
Very encouraging language in the EU CRA for SBOM adoption and vulnerability monitoring/reporting.
Small consolation given what a potential disaster the CRA is for open source / free software in general (see especially Problem 3):
https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/
--
Mike Milinkovich
Executive Director | Eclipse Foundation AISBL
--
Mike Milinkovich
Executive Director | Eclipse Foundation AISBL
View/Reply Online (#1724): https://lists.spdx.org/g/spdx/message/1724