Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231008101808.54aa75f7@fabiankeil.de>
Date: Sun, 8 Oct 2023 10:18:13 +0200
From: Fabian Keil <freebsd-listen@...iankeil.de>
To: oss-security@...ts.openwall.com
Subject: Re: European Union Cyber Resilience Act (CRA)

"David A. Wheeler" <dwheeler@...eeler.com> wrote on 2023-10-05 at 11:08:51:

> Solar Designed posted on October 1, 2023:
> > The talk... starts with a mention of the European Union Cyber Resiliance Act (CRA)
> > and how it is problematic for Open Source...
> > (If we want to discuss in here, which I'm not sure of, please start a
> > separate thread for this sub-topic, do not just reply to this one.)
> 
> Fair enough. The CRA *definitely* impacts open source software,
> and it includes security-related requirements. So it seems on-topic for this mailing list, at
> least to note that *many* people find the CRA concerning & to point to more information.

I agree that it's on-topic.

> I think a good place to start is "Understanding the Cyber Resilience Act:
> What Everyone involved in Open Source Development Should Know" from the Linux Foundation:
> https://www.linuxfoundation.org/blog/understanding-the-cyber-resilience-act

I tried to access this URL but it seems to be "protected" by
ClownFlare and as a Tor user I'm apparently not allowed to
access the page without executing proprietary JavaScript,
for details see [0].

Maybe someone from the "Linux Foundation" could fix this
as it looks a bit ridiculous to me.

If their GNU/Linux servers can't handle the load anymore
they could probably simply use a BSD instead ...

> The Linux Foundation EU has a page about the CRA:
> https://linuxfoundation.eu/cyber-resilience-act
> ... it has many links, and is urging people work to #FixTheCRA.

Sounds somewhat interesting but accessing it seems to require
the execution of proprietary JavaScript as well so I didn't read
it either.

> Many organizations *have* been trying to get EU regulators
> to fix the CRA. This isn't a case where no one spoke up.
> The problem is that for the most part their concerns have
> been ignored by regulators:
> https://www.globenewswire.com/news-release/2023/04/17/2647861/0/en/The-Eclipse-Foundation-and-Leading-Open-Source-Organisations-Deliver-Open-Letter-to-European-Commission-Regarding-the-Cyber-Resilience-Act.html

Great, a link that actually works.

The "demands" seem somewhat reasonable to me:

| Moving forward, we urge you to engage with the open source
| community and take our concerns into account as you consider the
| implementation of the Cyber Resilience Act. Specifically, moving
| forward, we urge you to:
|
| 1. Recognise the unique characteristics of open source software
|    and ensure that the Cyber Resilience Act does not
|    unintentionally harm the open source ecosystem.
| 2. Consult with the open source community during the co-legislative
|    process.
| 3. Ensure that any development under the CRA takes into account
|    the diversity of open and transparent open source software
|    development practices.
| 4. Establish a mechanism for ongoing dialogue and collaboration
|    between the European institutions and the open source community,
|    to ensure that future legislation and policy decisions are informed.

Of course the organisations that wrote the letter don't actually
represent the whole "open source community" which I assume includes
the free software community as well but I assume the "demands" will
be ignored anyway so it probably doesn't make a difference.

> I think the overall *goals* of the CRA are laudable.

I must confess that I still haven't figured out what the goals
are supposed to be. The article you posted above doesn't seem
to mention the goals or maybe I just overlooked them.

Anyway:

>                                                      However,
> when evaluating laws & regulations you should always IGNORE
> their goals, because their goals are IRRELEVANT. What matters
> is what the laws and regulations will actually *CAUSE*. Put
> another way, RESULTS are the *only* legitimate basis for
> evaluating laws and regulations.

Agreed.

> In this case, I think too many regulators are focused on
> theoretical goals while ignoring what will actually happen.

Given that we are talking about the EU I also wouldn't
rule out the possibility that at least some regulators
have already been bought by "lobbyists" and thus aren't
interested in doing "the right thing" anyway and then
there are probably a fair amount of regulators who are
simply to stupid to understand reasonable arguments ...

Happy hacking,
Fabian

[0] <https://curl.se/mail/lib-2023-09/0056.html>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.