On Mon, Jul 31, 2023 at 3:10 PM David Prater via lists.spdx.org <dprater= [email protected]> wrote:
> Addressing the open-source business model by ensuring that no commercial
> entities will participate in/contribute to open source work for fear of
> being held responsible for that software is certainly an interesting
> approach. That seems like the opposite of what you’re hoping for – getting
> resources for the OS community. It’s difficult for me to imagine how this
> legislation could have the intended effect. Seems more likely to me that
> OSS software licenses will start including the clause “May not be
> used/distributed in EU countries”. Hopefully I’m entirely mistaken.
>
> This ^^.
>
> Regards,
> David
>
> *From: *[email protected] <[email protected]> on behalf of Dick Brooks <[email protected]>
> *Date: *Monday, July 31, 2023 at 2:55 PM
> *To: *[email protected] <[email protected]>
> *Cc: *[email protected] <[email protected]>, 'scrm-nist' <[email protected]>, 'swsupplychain-eo' <[email protected]>, 'Steve Springett' <[email protected]>
> *Subject: *Re: [spdx] EU CRA is very supportive of SBOM
>
> Thanks for providing your feedback and insights Mike. It seems we agree on
> two important points:
>
> AGREE: “We can all agree that improving the security of software is
> necessary. Consumers deserve protections that they currently do not have.”
>
> AGREE: “I agree that the CRA is intended to protect consumers.”
>
> I think we see the EU CRA differently with regard to open-source software
> and the open-source community.
>
> You assert: “But it is also definitely an attack on open source developers”
>
> I assert: This is a wakeup call that we all need to step up and support
> the open source community with financial and other resources to ensure they
> are able to produce “secure by design” software products. This isn’t an
> “attack” on developers; it’s a call to fix problems with the open source
> business model that is putting software consumers at risk.
>
> Like you said, “We can all agree that improving the security of software
> is necessary”, but we cannot do this until we address the open-source
> business model with financial support that will enable and empower the open
> source community to produce secure software for everyone. Let’s give the
> open-source community the respect it deserves and has earned. Let’s find a
> way to support the open-source software community while we make open source
> software more secure.
>
> Thanks,
>
> Dick Brooks
>
> *Active Member of the CISA Critical Manufacturing Sector, *
> *Sector Coordinating Council – A Public-Private Partnership*
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> http://www.reliableenergyanalytics.com
> Email: [email protected]
> Tel: +1 978-696-1788
>
> *From:* [email protected] <[email protected]> *On Behalf Of *Mike Milinkovich via lists.spdx.org
> *Sent:* Monday, July 31, 2023 1:25 PM
> *To:* [email protected]
> *Cc:* [email protected]; 'scrm-nist' <[email protected]>; 'swsupplychain-eo' <[email protected]>; 'Steve Springett' <[email protected]>
> *Subject:* Re: [spdx] EU CRA is very supportive of SBOM
>
> Dick,
>
> We can all agree that improving the security of software is necessary.
> Consumers deserve protections that they currently do not have. Regulation
> of the software industry is coming and is arguably overdue.
>
> I agree that the CRA is intended to protect consumers. But it is also
> definitely an attack on open source developers. I can say that with
> certainty because I have met the authors of the CRA in person and discussed
> it at length with them. (Here
> <https://news.apache.org/foundation/entry/asf-legal-committee-issues-generative-ai-guidance-to-contributors>
> is an excellent summary of the issues and motivations from the Apache
> Software Foundation.)
>
> I have not met a single open source developer who does not see the CRA as
> an attack on them and their projects. Because it is.
>
> The CRA does nothing to improve the compensation of open source developers
> or the sustainability of open source projects. Instead it places a massive
> regulatory and legal burden on the people and nonprofits least able to deal
> with it. In contrast, the US National Cybersecurity Strategy is
> demonstrating that it is possible to protect consumers while still
> retaining software freedom.
>
> On 2023-07-30 8:05 a.m., Dick Brooks wrote:
>
> Mike,
>
> I agree. The CRA is raising questions about the open-source business
> model, which IMO is broken and needs to be fixed. Open-source developers
> and maintainers are very talented and work very hard; they deserve to be
> properly compensated as they develop more “secure by design” concepts into
> their software offerings.
>
> IMO, The EU CRA is designed to help protect the consumers of software;
> they bear all the cost, risks and harm of a cyber-incident.
>
> If you think of this in another context, would you as a consumer accept a
> free food product that causes cancer to occur?
>
> Would you accept software that causes a malicious cyber incident to occur?
>
> As I said, IMO the EU CRA is more about consumer protection than an attack
> on open-source developers.
>
> Thanks,
>
> Dick Brooks
>
> *Active Member of the CISA Critical Manufacturing Sector, *
> *Sector Coordinating Council – A Public-Private Partnership*
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> http://www.reliableenergyanalytics.com
> Email: [email protected]
> Tel: +1 978-696-1788
>
> *From:* [email protected] <[email protected]> <[email protected]> *On Behalf Of *Mike Milinkovich via lists.spdx.org
> *Sent:* Thursday, July 27, 2023 4:51 PM
> *To:* [email protected]
> *Cc:* [email protected]; scrm-nist <[email protected]> <[email protected]>; swsupplychain-eo <[email protected]> <[email protected]>; Steve Springett <[email protected]> <[email protected]>
> *Subject:* Re: [spdx] EU CRA is very supportive of SBOM
>
> On 2023-07-27 10:52 a.m., Dick Brooks wrote:
>
> Today, all the risks and cost from a cyber attack fall on the consumer.
>
> IMO the EU CRA is designed to protect consumers by sharing responsibility
> for cyber attack liabilities with software producers.
>
> The issue IMO is the open source model fails to properly compensate the
> talented people behind open source projects
>
> The entire open source ecosystem is built upon the understanding that the
> software is freely provided, but that the producers of free software
> provide no warranties and accept no liability. The CRA breaks that
> fundamental deal by imposing CE Mark conformance requirements on all
> software, including all of the open source software that matters, made
> available in Europe. Failure to conform with these requirements results in
> a fine of the greater of €15 million or 2.5% of the manufacturer's annual
> revenue, whichever is greater.
>
> Under the CRA the responsibility for implementing CE Mark conformance will
> fall upon the people and groups least able to deal with the effort. I.e.
> the developers, projects, communities, and nonprofit foundations who
> distribute open source projects. The end result will not be more secure
> software. The end result will be that many projects will say that their
> open source software cannot be used in Europe. Which will not be a positive
> result for the EU.
>
> It is important to stress that this is not a misunderstanding. The
> European Commission and the relevant parliamentary committee know full well
> that the words in the CRA will impose these requirements on the open source
> community.
>
> In addition, the CRA will require open source projects to report unpatched
> vulnerabilities to either national authorities or ENISA (depending on which
> version prevails in the trilogue). It will also outlaw open source
> development best practices where intermediate builds are made available
> under open source licenses (see Article 4).
>
> I know this is a place where everyone gets to talk about how great SBOMs
> are. But defending the CRA because it mandates SBOMs is absurd.
>
> The approach outlined in the US National Cybersecurity Strategy is far
> better. It makes it clear that the open source producers will not be held
> responsible and puts the responsibility for security on the parties who are
> commercializing the open source components. That approach is far more
> likely to achieve the result we all desire, which is more secure software.
>
> On Jul 26, 2023, at 4:24 PM, John Sullivan <[email protected]> <[email protected]> wrote:
>
> On Wed, Jul 26, 2023 at 09:21:30AM -0400, Dick Brooks wrote:
>
> Very encouraging language in the EU CRA for SBOM adoption and vulnerability
> monitoring/reporting.
>
> Small consolation given what a potential disaster the CRA is for open
> source / free software in general (see especially Problem 3):
> https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/
>
> --
> *Mike Milinkovich*
> *Executive Director **Eclipse Foundation AISBL*
>
> --
> *Mike Milinkovich*
> *Executive Director | **Eclipse Foundation AISBL*
View/Reply Online (#1730): https://lists.spdx.org/g/spdx/message/1730
