John, We must have secure software products for consumers. This is not negotiable, it is a binding constraint in the solution to defend against cyber-attacks.
We must also be willing to support the talented and hard working open-source community by providing the resources they need to produce secure software products. The open-source community should no longer be expected to give away their valuable time and talents so that others, with a lot more resources, can benefit. Secure Software and Open-Source are not a mutually exclusive choice, IMO. We MUST support and help the open-source community build secure software by providing this hard working and valuable engineering community with the resources they need to build secure software products. The EU CRA seems to achieve the first objective, protecting consumers, but it could use some help on the second objective, supporting the open-source community as they build and distribute more secure software products that we all depend on. I don't have an answer to achieve this "balanced solution", but I'll bet WE can find one, collaboratively, if we have the will to do so.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

-----Original Message-----
From: SCITT <[email protected]> On Behalf Of John Sullivan
Sent: Wednesday, July 26, 2023 4:24 PM
To: [email protected]
Cc: [email protected]; 'scrm-nist' <[email protected]>; 'swsupplychain-eo' <[email protected]>; Steve Springett <[email protected]>
Subject: Re: [SCITT] [spdx] EU CRA is very supportive of SBOM

On Wed, Jul 26, 2023 at 09:21:30AM -0400, Dick Brooks wrote:
> Very encouraging language in the EU CRA for SBOM adoption and
> vulnerability monitoring/reporting.
Small consolation given what a potential disaster the CRA is for open source / free software in general (see especially Problem 3): https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/

-john
