On Mon, Jul 31, 2023, 1:27 PM Dick Brooks <[email protected]> wrote:

> You make a good point Brian. Clearly the restaurant owner bears
> responsibility in your analogy.
>
> But what about the case where a consumer takes the tainted cucumbers from
> the farm stand and gets sick/dies? Who is responsible then? Does the farmer
> bear any responsibility for distributing tainted cucumbers that caused a
> fatality?

What if the fruit stand produce was fine but the consumer waited a year
before eating it? Does it matter if the produce has hidden defects the
farmer doesn't know about? It's hard to know when the produce has gone bad.
And if the veggies are traditionally prepared in a way that's safe with the
hidden disease, but other ways, that are known to be dangerous, also exist?
Where is the liability then?

It gets super complex and muddled in a hurry because open source products
wind up in so many unusual places. It's simply not possible to know if all
of them are safe, and/or insanely expensive and cost ineffective to guard
against all possible malfeasance and/or incompetence.

Warner

> Thanks,
>
> Dick Brooks
>
> *Active Member of the CISA Critical Manufacturing Sector,*
> *Sector Coordinating Council – A Public-Private Partnership*
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
> http://www.reliableenergyanalytics.com
> Email: [email protected]
> Tel: +1 978-696-1788
>
> *From:* [email protected] <[email protected]> *On Behalf Of* Brian Fox
> *Sent:* Monday, July 31, 2023 1:57 PM
> *To:* [email protected]
> *Cc:* [email protected]; scrm-nist <[email protected]>; swsupplychain-eo <[email protected]>; Steve Springett <[email protected]>
> *Subject:* Re: [spdx] EU CRA is very supportive of SBOM
>
> On Sun, Jul 30, 2023 at 8:05 AM Dick Brooks <[email protected]> wrote:
>
> > Mike,
> >
> > I agree. The CRA is raising questions about the open-source business
> > model, which IMO is broken and needs to be fixed. Open-source developers
> > and maintainers are very talented and work very hard; they deserve to be
> > properly compensated as they develop more “secure by design” concepts into
> > their software offerings.
> >
> > IMO, the EU CRA is designed to help protect the consumers of software;
> > they bear all the cost, risks and harm of a cyber-incident.
> >
> > If you think of this in another context, would you as a consumer accept a
> > free food product that causes cancer to occur?
>
> I'll take the bait, except the analogy is not quite aligned (as basically
> all analogies are, but I'll try).
>
> Let's say a restaurant buyer stumbles on a home farm stand with cucumbers
> that say "free, use at own risk, no warranty implied" and decides to take
> them all and sell them in the restaurant. If people get sick, who's to
> blame? The person offering their extra produce for the public good, or the
> restaurant passing it off in a product that they collect revenue for?
>
> Or try another. Let's say a local blacksmith makes various doodads and
> gives away some extra pieces of metal for art because he likes to make
> them. Someone comes along and takes those doodads and uses them for a
> totally different purpose, like in a spacecraft. That part fails and kills
> people. Who was at fault? The hobbyist sharing things for the purpose of
> art with no implied warranty, or the manufacturer taking something and
> using it for a totally different purpose without any diligence or
> understanding of whether the part is fit for (a new) purpose?
>
> > Would you accept software that causes a malicious cyber incident to occur?
> >
> > As I said, IMO the EU CRA is more about consumer protection than an attack
> > on open-source developers.
> >
> > Thanks,
> >
> > Dick Brooks
> >
> > *Active Member of the CISA Critical Manufacturing Sector,*
> > *Sector Coordinating Council – A Public-Private Partnership*
> >
> > *Never trust software, always verify and report!
> > <https://reliableenergyanalytics.com/products>* ™
> > http://www.reliableenergyanalytics.com
> > Email: [email protected]
> > Tel: +1 978-696-1788
> >
> > *From:* [email protected] <[email protected]> *On Behalf Of* Mike Milinkovich via lists.spdx.org
> > *Sent:* Thursday, July 27, 2023 4:51 PM
> > *To:* [email protected]
> > *Cc:* [email protected]; scrm-nist <[email protected]>; swsupplychain-eo <[email protected]>; Steve Springett <[email protected]>
> > *Subject:* Re: [spdx] EU CRA is very supportive of SBOM
> >
> > On 2023-07-27 10:52 a.m., Dick Brooks wrote:
> >
> > > Today, all the risks and cost from a cyber attack fall on the consumer.
> > >
> > > IMO the EU CRA is designed to protect consumers by sharing responsibility
> > > for cyber attack liabilities with software producers.
> > >
> > > The issue IMO is the open source model fails to properly compensate the
> > > talented people behind open source projects.
> >
> > The entire open source ecosystem is built upon the understanding that the
> > software is freely provided, but that the producers of free software
> > provide no warranties and accept no liability. The CRA breaks that
> > fundamental deal by imposing CE Mark conformance requirements on all
> > software, including all of the open source software that matters, made
> > available in Europe. Failure to conform with these requirements results in
> > a fine of the greater of €15 million or 2.5% of the manufacturer's annual
> > revenue, whichever is greater.
> >
> > Under the CRA the responsibility for implementing CE Mark conformance will
> > fall upon the people and groups least able to deal with the effort, i.e.
> > the developers, projects, communities, and nonprofit foundations who
> > distribute open source projects. The end result will not be more secure
> > software. The end result will be that many projects will say that their
> > open source software cannot be used in Europe. Which will not be a positive
> > result for the EU.
> >
> > It is important to stress that this is not a misunderstanding. The
> > European Commission and the relevant parliamentary committee know full well
> > that the words in the CRA will impose these requirements on the open source
> > community.
> >
> > In addition, the CRA will require open source projects to report unpatched
> > vulnerabilities to either national authorities or ENISA (depending on which
> > version prevails in the trilogue). It will also outlaw open source
> > development best practices where intermediate builds are made available
> > under open source licenses (see Article 4).
> >
> > I know this is a place where everyone gets to talk about how great SBOMs
> > are. But defending the CRA because it mandates SBOMs is absurd.
> >
> > The approach outlined in the US National Cybersecurity Strategy is far
> > better. It makes it clear that the open source producers will not be held
> > responsible and puts the responsibility for security on the parties who are
> > commercializing the open source components. That approach is far more
> > likely to achieve the result we all desire, which is more secure software.
> >
> > > On Jul 26, 2023, at 4:24 PM, John Sullivan <[email protected]> wrote:
> > >
> > > > On Wed, Jul 26, 2023 at 09:21:30AM -0400, Dick Brooks wrote:
> > > >
> > > > > Very encouraging language in the EU CRA for SBOM adoption and
> > > > > vulnerability monitoring/reporting.
> > > >
> > > > Small consolation given what a potential disaster the CRA is for open
> > > > source / free software in general (see especially Problem 3):
> > > > https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/
> >
> > --
> > *Mike Milinkovich*
> > *Executive Director, Eclipse Foundation AISBL*
View/Reply Online (#1732): https://lists.spdx.org/g/spdx/message/1732
