You make a good point Brian. Clearly the restaurant owner bears responsibility in your analogy.
But what about the case where a consumer takes the tainted cucumbers from the farm stand and gets sick/dies? Who is responsible then? Does the farmer bear any responsibility for distributing tainted cucumbers that caused a fatality? Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™ <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com Email: <mailto:[email protected]> [email protected] Tel: +1 978-696-1788 From: [email protected] <[email protected]> On Behalf Of Brian Fox Sent: Monday, July 31, 2023 1:57 PM To: [email protected] Cc: [email protected]; scrm-nist <[email protected]>; swsupplychain-eo <[email protected]>; Steve Springett <[email protected]> Subject: Re: [spdx] EU CRA is very supportive of SBOM On Sun, Jul 30, 2023 at 8:05 AM Dick Brooks <[email protected] <mailto:[email protected]> > wrote: Mike, I agree. The CRA is raising questions about the open-source business model, which IMO is broken and needs to be fixed. Open-source developers and maintainers are very talented and work very hard; they deserve to be properly compensated as they develop more “secure by design” concepts into their software offerings. IMO, The EU CRA is designed to help protect the consumers of software; they bare all the cost, risks and harm of a cyber-incident. If you think of this in another context, would you as a consumer accept a free food product that causes cancer to occur? I'll take the bait, except the analogy is not quite aligned (as basically all analogies are, but I'll try). Let's say a restaurant buyer stumbles on a home farm stand with cucumbers that say "free, use at own risk, no warranty implied" and decides to take them all and sell them in the restaurant. If people get sick, who's to blame? The person offering their extra produce for the public good, or the restaurant passing it off in a product that they collect revenue for? Or try another, lets say a local blacksmith makes various doodads and gives away some extra pieces of metal for art because he likes to make them. Someone comes along and takes those doodads and uses them for a totally different purpose, like in a space craft. That part fails and kills people, who was at fault? The hobbyist sharing things for the purpose of art with no implied warrantee, or the manufacturer taking something and using it for a totally different purpose without any diligence or understanding if the part is fit for (a new) purpose? Would you accept software that causes a malicious cyber incident to occur? As I said, IMO the EU CRA is more about consumer protection than an attack on open-source developers. Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! ™ <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com Email: <mailto:[email protected]> [email protected] Tel: +1 978-696-1788 From: [email protected] <mailto:[email protected]> <[email protected] <mailto:[email protected]> > On Behalf Of Mike Milinkovich via lists.spdx.org <http://lists.spdx.org> Sent: Thursday, July 27, 2023 4:51 PM To: [email protected] <mailto:[email protected]> Cc: [email protected] <mailto:[email protected]> ; scrm-nist <[email protected] <mailto:[email protected]> >; swsupplychain-eo <[email protected] <mailto:[email protected]> >; Steve Springett <[email protected] <mailto:[email protected]> > Subject: Re: [spdx] EU CRA is very supportive of SBOM On 2023-07-27 10:52 a.m., Dick Brooks wrote: Today, all the risks and cost from a cyber attack fall on the consumer. IMO the EU CRA is designed to protect consumers by sharing responsibility for cyber attack liabilities with software producers. The issue IMO is the open source model fails to properly compensate the talented people behind open source projects The entire open source ecosystem is built upon the understanding that the software is freely provided, but that the producers of free software provide no warranties and accept no liability. The CRA breaks that fundamental deal by imposing CE Mark conformance requirements on all software, including all of the open source software that matters, made available in Europe. Failure to conform with these requirements results in a fine of the greater of €15 million or 2.5% of the manufacturer's annual revenue, whichever is greater. Under the CRA the responsibility for implementing CE Mark conformance will fall upon the people and groups least able to deal with the effort. I.e. the developers, projects, communities, and nonprofit foundations who distribute open source projects. The end result will not be more secure software. The end result will be that many projects will say that their open source software cannot be used in Europe. Which will not be a positive result for the EU. It is important to stress that this is not a misunderstanding. The European Commission and the relevant parliamentary committee know full well that the words in the CRA will impose these requirements on the open source community. In addition, the CRA will require open source projects to report unpatched vulnerabilities to either national authorities or ENISA (depending on which version prevails in the trilogue). It will also outlaw open source development best practices where intermediate builds are made available under open source licenses (see Article 4). I know this is a place where everyone gets to talk about how great SBOMs are. But defending the CRA because it mandates SBOMs is absurd. The approach outlined in the US National Cybersecurity Strategy is far better. It makes it clear that the open source producers will not be held responsible and puts the responsibility for security on the parties who are commercializing the open source components. That approach is far more likely to achieve the result we all desire, which is more secure software. On Jul 26, 2023, at 4:24 PM, John Sullivan <mailto:[email protected]> <[email protected]> wrote: On Wed, Jul 26, 2023 at 09:21:30AM -0400, Dick Brooks wrote: Very encouraging language in the EU CRA for SBOM adoption and vulnerability monitoring/reporting. Small consolation given what a potential disaster the CRA is for open source / free software in general (see especially Problem 3): https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/ -- Mike Milinkovich Executive Director Eclipse Foundation AISBL -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1731): https://lists.spdx.org/g/spdx/message/1731 Mute This Topic: https://lists.spdx.org/mt/100370207/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
