Thanks for providing your feedback and insights, Mike. It seems we agree on two
important points:

AGREE: “We can all agree that improving the security of software is necessary. 
Consumers deserve protections that they currently do not have.”

AGREE: “I agree that the CRA is intended to protect consumers.”

I think we see the EU CRA differently with regard to open-source software and 
the open-source community.

You assert: “But it is also definitely an attack on open source developers”

I assert: This is a wake-up call that we all need to step up and support the
open source community with financial and other resources to ensure they are
able to produce “secure by design” software products. This isn’t an “attack” on
developers; it’s a call to fix problems with the open source business model
that is putting software consumers at risk.

Like you said, “We can all agree that improving the security of software is 
necessary”, but we cannot do this until we address the open-source business 
model with financial support that will enable and empower the open source 
community to produce secure software for everyone. Let’s give the open-source 
community the respect it deserves and has earned. Let’s find a way to support 
the open-source software community while we make open source software more 
secure.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™ <https://reliableenergyanalytics.com/products>
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Mike Milinkovich via lists.spdx.org
Sent: Monday, July 31, 2023 1:25 PM
To: [email protected]
Cc: [email protected]; 'scrm-nist' <[email protected]>; 'swsupplychain-eo' <[email protected]>; 'Steve Springett' <[email protected]>
Subject: Re: [spdx] EU CRA is very supportive of SBOM

Dick,

We can all agree that improving the security of software is necessary. 
Consumers deserve protections that they currently do not have. Regulation of 
the software industry is coming and is arguably overdue. 

I agree that the CRA is intended to protect consumers. But it is also 
definitely an attack on open source developers. I can say that with certainty 
because I have met the authors of the CRA in person and discussed it at length 
with them. (Here <https://news.apache.org/foundation/entry/asf-legal-committee-issues-generative-ai-guidance-to-contributors> is an excellent summary of the issues and motivations from the Apache Software Foundation.)

I have not met a single open source developer who does not see the CRA as an 
attack on them and their projects. Because it is. 

The CRA does nothing to improve the compensation of open source developers or 
the sustainability of open source projects. Instead it places a massive 
regulatory and legal burden on the people and nonprofits least able to deal 
with it. In contrast, the US National Cybersecurity Strategy is demonstrating 
that it is possible to protect consumers while still retaining software 
freedom. 

On 2023-07-30 8:05 a.m., Dick Brooks wrote:

Mike,

I agree. The CRA is raising questions about the open-source business model, 
which IMO is broken and needs to be fixed. Open-source developers and 
maintainers are very talented and work very hard; they deserve to be properly 
compensated as they develop more “secure by design” concepts into their 
software offerings.

IMO, the EU CRA is designed to help protect the consumers of software; they
bear all the cost, risks and harm of a cyber-incident.

If you think of this in another context, would you as a consumer accept a free 
food product that causes cancer to occur? 

Would you accept software that causes a malicious cyber incident to occur?

As I said, IMO the EU CRA is more about consumer protection than an attack on 
open-source developers.

Thanks,

Dick Brooks

From: [email protected] <[email protected]> On Behalf Of Mike Milinkovich via lists.spdx.org
Sent: Thursday, July 27, 2023 4:51 PM
To: [email protected]
Cc: [email protected]; scrm-nist <[email protected]>; swsupplychain-eo <[email protected]>; Steve Springett <[email protected]>
Subject: Re: [spdx] EU CRA is very supportive of SBOM

On 2023-07-27 10:52 a.m., Dick Brooks wrote:

Today, all the risks and cost from a cyber attack fall on the consumer.

IMO the EU CRA is designed to protect consumers by sharing responsibility for
cyber attack liabilities with software producers.

The issue IMO is the open source model fails to properly compensate the
talented people behind open source projects.

The entire open source ecosystem is built upon the understanding that the 
software is freely provided, but that the producers of free software provide no 
warranties and accept no liability. The CRA breaks that fundamental deal by 
imposing CE Mark conformance requirements on all software, including all of the 
open source software that matters, made available in Europe. Failure to conform 
with these requirements results in a fine of the greater of €15 million or 2.5% 
of the manufacturer's annual revenue, whichever is greater. 

Under the CRA the responsibility for implementing CE Mark conformance will fall
upon the people and groups least able to deal with the effort, i.e. the
developers, projects, communities, and nonprofit foundations who distribute
open source projects. The end result will not be more secure software. The end
result will be that many projects will say that their open source software
cannot be used in Europe. Which will not be a positive result for the EU.

It is important to stress that this is not a misunderstanding. The European 
Commission and the relevant parliamentary committee know full well that the 
words in the CRA will impose these requirements on the open source community. 

In addition, the CRA will require open source projects to report unpatched 
vulnerabilities to either national authorities or ENISA (depending on which 
version prevails in the trilogue). It will also outlaw open source development 
best practices where intermediate builds are made available under open source 
licenses (see Article 4). 

I know this is a place where everyone gets to talk about how great SBOMs are. 
But defending the CRA because it mandates SBOMs is absurd. 

The approach outlined in the US National Cybersecurity Strategy is far better. 
It makes it clear that the open source producers will not be held responsible 
and puts the responsibility for security on the parties who are commercializing 
the open source components. That approach is far more likely to achieve the 
result we all desire, which is more secure software.

On Jul 26, 2023, at 4:24 PM, John Sullivan <[email protected]> wrote:

On Wed, Jul 26, 2023 at 09:21:30AM -0400, Dick Brooks wrote:

Very encouraging language in the EU CRA for SBOM adoption and vulnerability
monitoring/reporting.

Small consolation given what a potential disaster the CRA is for open
source / free software in general (see especially Problem 3):
https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/

--
Mike Milinkovich
Executive Director Eclipse Foundation AISBL

View/Reply Online (#1728): https://lists.spdx.org/g/spdx/message/1728