Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 8 Oct 2023 13:56:15 -0700
From: Jean Luc Picard <>
Subject: Re: European Union Cyber Resilience Act (CRA)

These people are not developers live & govern a part of earth ripe with
anti-communist/socialist sentiment.  If you were to explain to them that
their cellphones security is protected by things like 'community' &
'sharing', they'd likely blow a gasket.  It appears it's too late to bring
in the real industry experts into the committee meetings but not too late
to make a meaningful difference.  That said, the community at large needs
to prepare for a lull in rights & freedoms.  Perhaps if it got to a point
to where, like the cookie law, some vital repositories start geoip blocking
in protest, things might move along.  One thing for sure, things are about
to get weird.

On Sun, Oct 8, 2023 at 1:21 AM Fabian Keil <>

> "David A. Wheeler" <> wrote on 2023-10-05 at
> 11:08:51:
> > Solar Designed posted on October 1, 2023:
> > > The talk... starts with a mention of the European Union Cyber
> Resiliance Act (CRA)
> > > and how it is problematic for Open Source...
> > > (If we want to discuss in here, which I'm not sure of, please start a
> > > separate thread for this sub-topic, do not just reply to this one.)
> >
> > Fair enough. The CRA *definitely* impacts open source software,
> > and it includes security-related requirements. So it seems on-topic for
> this mailing list, at
> > least to note that *many* people find the CRA concerning & to point to
> more information.
> I agree that it's on-topic.
> > I think a good place to start is "Understanding the Cyber Resilience Act:
> > What Everyone involved in Open Source Development Should Know" from the
> Linux Foundation:
> >
> I tried to access this URL but it seems to be "protected" by
> ClownFlare and as a Tor user I'm apparently not allowed to
> access the page without executing proprietary JavaScript,
> for details see [0].
> Maybe someone from the "Linux Foundation" could fix this
> as it looks a bit ridiculous to me.
> If their GNU/Linux servers can't handle the load anymore
> they could probably simply use a BSD instead ...
> > The Linux Foundation EU has a page about the CRA:
> >
> > ... it has many links, and is urging people work to #FixTheCRA.
> Sounds somewhat interesting but accessing it seems to require
> the execution of proprietary JavaScript as well so I didn't read
> it either.
> > Many organizations *have* been trying to get EU regulators
> > to fix the CRA. This isn't a case where no one spoke up.
> > The problem is that for the most part their concerns have
> > been ignored by regulators:
> >
> Great, a link that actually works.
> The "demands" seem somewhat reasonable to me:
> | Moving forward, we urge you to engage with the open source
> | community and take our concerns into account as you consider the
> | implementation of the Cyber Resilience Act. Specifically, moving
> | forward, we urge you to:
> |
> | 1. Recognise the unique characteristics of open source software
> |    and ensure that the Cyber Resilience Act does not
> |    unintentionally harm the open source ecosystem.
> | 2. Consult with the open source community during the co-legislative
> |    process.
> | 3. Ensure that any development under the CRA takes into account
> |    the diversity of open and transparent open source software
> |    development practices.
> | 4. Establish a mechanism for ongoing dialogue and collaboration
> |    between the European institutions and the open source community,
> |    to ensure that future legislation and policy decisions are informed.
> Of course the organisations that wrote the letter don't actually
> represent the whole "open source community" which I assume includes
> the free software community as well but I assume the "demands" will
> be ignored anyway so it probably doesn't make a difference.
> > I think the overall *goals* of the CRA are laudable.
> I must confess that I still haven't figured out what the goals
> are supposed to be. The article you posted above doesn't seem
> to mention the goals or maybe I just overlooked them.
> Anyway:
> >                                                      However,
> > when evaluating laws & regulations you should always IGNORE
> > their goals, because their goals are IRRELEVANT. What matters
> > is what the laws and regulations will actually *CAUSE*. Put
> > another way, RESULTS are the *only* legitimate basis for
> > evaluating laws and regulations.
> Agreed.
> > In this case, I think too many regulators are focused on
> > theoretical goals while ignoring what will actually happen.
> Given that we are talking about the EU I also wouldn't
> rule out the possibility that at least some regulators
> have already been bought by "lobbyists" and thus aren't
> interested in doing "the right thing" anyway and then
> there are probably a fair amount of regulators who are
> simply to stupid to understand reasonable arguments ...
> Happy hacking,
> Fabian
> [0] <>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.