I think the (potentially well-meaning) intent of the CRA does not matter if it
backfires the way it will, in its current form. It _might_ reach its goal,
because if any relevant OSS project/foundation withdraws usage rights for
European entities, that will kill any commercial software endeavors dead. So no
security issues any more, well done… but I’d rather prefer a way that cures the
headache that does not involve shooting ourselves in the head.
The effects of this are actually unthinkable, I can’t get my head around what
the EU would look like if this goes through (and companies care about
compliance with it – I know that the automotive sector definitely will)…
Fingers crossed,
Daniel
Daniel Krippner
Enterprise Architecture
M +49 172 833 1416
[email protected]
ETAS GmbH, ETAS-VCS/ETH
Borsigstraße 24, 70469 Stuttgart, Germany
www.etas.com
ETAS – Empowering Tomorrow’s Automotive Software
Managing Directors: Dr. Thomas Irawan, Nicolet Eglseder, Mariella Minutolo
Chairman of the Supervisory Board: Dr. Walter Schirm
Registered Office: Stuttgart, Registration Court: Amtsgericht Stuttgart, HRB: 19033
From: [email protected] <[email protected]> On Behalf Of Dick Brooks via lists.spdx.org
Sent: Sunday, 30 July 2023 14:05
To: [email protected]
Cc: [email protected]; 'scrm-nist' <[email protected]>; 'swsupplychain-eo' <[email protected]>; 'Steve Springett' <[email protected]>
Subject: Re: [spdx] EU CRA is very supportive of SBOM
Mike,
I agree. The CRA is raising questions about the open-source business model,
which IMO is broken and needs to be fixed. Open-source developers and
maintainers are very talented and work very hard; they deserve to be properly
compensated as they develop more “secure by design” concepts into their
software offerings.
IMO, the EU CRA is designed to help protect the consumers of software; they
bear all the cost, risks and harm of a cyber-incident.
If you think of this in another context, would you as a consumer accept a free
food product that causes cancer to occur?
Would you accept software that causes a malicious cyber incident to occur?
As I said, IMO the EU CRA is more about consumer protection than an attack on
open-source developers.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report!™ <https://reliableenergyanalytics.com/products>
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788
From: [email protected] <[email protected]> On Behalf Of Mike Milinkovich via lists.spdx.org
Sent: Thursday, July 27, 2023 4:51 PM
To: [email protected]
Cc: [email protected]; scrm-nist <[email protected]>; swsupplychain-eo <[email protected]>; Steve Springett <[email protected]>
Subject: Re: [spdx] EU CRA is very supportive of SBOM
On 2023-07-27 10:52 a.m., Dick Brooks wrote:
Today, all the risks and cost from a cyber attack fall on the consumer.
IMO the EU CRA is designed to protect consumers by sharing responsibility for
cyber attack liabilities with software producers.
The issue IMO is the open source model fails to properly compensate the
talented people behind open source projects.
The entire open source ecosystem is built upon the understanding that the
software is freely provided, but that the producers of free software provide no
warranties and accept no liability. The CRA breaks that fundamental deal by
imposing CE Mark conformance requirements on all software, including all of the
open source software that matters, made available in Europe. Failure to conform
with these requirements results in a fine of the greater of €15 million or 2.5%
of the manufacturer's annual revenue, whichever is greater.
Under the CRA the responsibility for implementing CE Mark conformance will fall
upon the people and groups least able to deal with the effort. I.e. the
developers, projects, communities, and nonprofit foundations who distribute
open source projects. The end result will not be more secure software. The end
result will be that many projects will say that their open source software
cannot be used in Europe. Which will not be a positive result for the EU.
It is important to stress that this is not a misunderstanding. The European
Commission and the relevant parliamentary committee know full well that the
words in the CRA will impose these requirements on the open source community.
In addition, the CRA will require open source projects to report unpatched
vulnerabilities to either national authorities or ENISA (depending on which
version prevails in the trilogue). It will also outlaw open source development
best practices where intermediate builds are made available under open source
licenses (see Article 4).
I know this is a place where everyone gets to talk about how great SBOMs are.
But defending the CRA because it mandates SBOMs is absurd.
The approach outlined in the US National Cybersecurity Strategy is far better.
It makes it clear that the open source producers will not be held responsible
and puts the responsibility for security on the parties who are commercializing
the open source components. That approach is far more likely to achieve the
result we all desire, which is more secure software.
On Jul 26, 2023, at 4:24 PM, John Sullivan
<[email protected]> wrote:
On Wed, Jul 26, 2023 at 09:21:30AM -0400, Dick Brooks wrote:
Very encouraging language in the EU CRA for SBOM adoption and vulnerability
monitoring/reporting.
Small consolation given what a potential disaster the CRA is for open
source / free software in general (see especially Problem 3):
https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/
--
Mike Milinkovich
Executive Director Eclipse Foundation AISBL
View/Reply Online (#1733): https://lists.spdx.org/g/spdx/message/1733