On Sun, Jul 30, 2023 at 8:05 AM Dick Brooks < [email protected]> wrote:
> Mike, > > > > I agree. The CRA is raising questions about the open-source business > model, which IMO is broken and needs to be fixed. Open-source developers > and maintainers are very talented and work very hard; they deserve to be > properly compensated as they develop more “secure by design” concepts into > their software offerings. > > > > IMO, The EU CRA is designed to help protect the consumers of software; > they bare all the cost, risks and harm of a cyber-incident. > > > > If you think of this in another context, would you as a consumer accept a > free food product that causes cancer to occur? > I'll take the bait, except the analogy is not quite aligned (as basically all analogies are, but I'll try). Let's say a restaurant buyer stumbles on a home farm stand with cucumbers that say "free, use at own risk, no warranty implied" and decides to take them all and sell them in the restaurant. If people get sick, who's to blame? The person offering their extra produce for the public good, or the restaurant passing it off in a product that they collect revenue for? Or try another, lets say a local blacksmith makes various doodads and gives away some extra pieces of metal for art because he likes to make them. Someone comes along and takes those doodads and uses them for a totally different purpose, like in a space craft. That part fails and kills people, who was at fault? The hobbyist sharing things for the purpose of art with no implied warrantee, or the manufacturer taking something and using it for a totally different purpose without any diligence or understanding if the part is fit for (a new) purpose? > Would you accept software that causes a malicious cyber incident to occur? > > > > As I said, IMO the EU CRA is more about consumer protection than an attack > on open-source developers. > > > > Thanks, > > > > Dick Brooks > > > > *Active Member of the CISA Critical Manufacturing Sector, * > > *Sector Coordinating Council – A Public-Private Partnership* > > > > *Never trust software, always verify and report! > <https://reliableenergyanalytics.com/products>* ™ > > http://www.reliableenergyanalytics.com > > Email: [email protected] > > Tel: +1 978-696-1788 > > > > > > *From:* [email protected] <[email protected]> *On Behalf Of *Mike > Milinkovich via lists.spdx.org > *Sent:* Thursday, July 27, 2023 4:51 PM > *To:* [email protected] > *Cc:* [email protected]; scrm-nist <[email protected]>; swsupplychain-eo < > [email protected]>; Steve Springett <[email protected]> > *Subject:* Re: [spdx] EU CRA is very supportive of SBOM > > > > On 2023-07-27 10:52 a.m., Dick Brooks wrote: > > Today, all the risks and cost from a cyber attack fall on the consumer. > > > > IMO the EU CRA is designed to protect consumers by sharing responsibility for > cyber attack liabilities with software producers. > > > > The issue IMO is the open source model fails to properly compensate the > talented people behind open source projects > > > > The entire open source ecosystem is built upon the understanding that the > software is freely provided, but that the producers of free software > provide no warranties and accept no liability. The CRA breaks that > fundamental deal by imposing CE Mark conformance requirements on all > software, including all of the open source software that matters, made > available in Europe. Failure to conform with these requirements results in > a fine of the greater of €15 million or 2.5% of the manufacturer's annual > revenue, whichever is greater. > > Under the CRA the responsibility for implementing CE Mark conformance will > fall upon the people and groups least able to deal with the effort. I.e. > the developers, projects, communities, and nonprofit foundations who > distribute open source projects. The end result will not be more secure > software. The end result will be that many projects will say that their > open source software cannot be used in Europe. Which will not be a positive > result for the EU. > > It is important to stress that this is not a misunderstanding. The > European Commission and the relevant parliamentary committee know full well > that the words in the CRA will impose these requirements on the open source > community. > > In addition, the CRA will require open source projects to report unpatched > vulnerabilities to either national authorities or ENISA (depending on which > version prevails in the trilogue). It will also outlaw open source > development best practices where intermediate builds are made available > under open source licenses (see Article 4). > > I know this is a place where everyone gets to talk about how great SBOMs > are. But defending the CRA because it mandates SBOMs is absurd. > > The approach outlined in the US National Cybersecurity Strategy is far > better. It makes it clear that the open source producers will not be held > responsible and puts the responsibility for security on the parties who are > commercializing the open source components. That approach is far more > likely to achieve the result we all desire, which is more secure software. > > > > On Jul 26, 2023, at 4:24 PM, John Sullivan <[email protected]> > <[email protected]> wrote: > > > > On Wed, Jul 26, 2023 at 09:21:30AM -0400, Dick Brooks wrote: > > Very encouraging language in the EU CRA for SBOM adoption and vulnerability > > monitoring/reporting. > > > > Small consolation given what a potential disaster the CRA is for open > > source / free software in general (see especially Problem 3): > > https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/ > > -- > > *Mike Milinkovich* > > *Executive Director **Eclipse Foundation AISBL* > > > > -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1726): https://lists.spdx.org/g/spdx/message/1726 Mute This Topic: https://lists.spdx.org/mt/100370207/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
