Spent my afternoon writing up @nlnetlabs current understanding of the Cyber Resilience Act and its effects on #opensource software. It goes beyond my recent introductory talk on the same subject at #RIPE85: https://ripe85.ripe.net/archives/video/911/
Happy with the progression in our understanding since then, based on many productive conversations with people similarly concerned about unintended consequences.

Challenge of the day:
Name #opensource software that you or your employer depend on AND that is on the (attached) lists of 'critical product' under @EU_Commission's upcoming #cyberresilienceact.

Bonus points!
- 10 points when: one or more developers have some kind of income from their work on this project ("commercial activity")
- 50 points when: you can connect us at @nlnetlabs to the developer to talk about our concerns

Thanks for helping me out!

@maarten @EU_Commission @nlnetlabs
I'm mildly confused, is there an implicit "the developer contributes to the open source project" in this request?
As pretty much every company will have e.g. a Linux-based device/server, and that will come with at least one of the listed items.

@tbr

Does s/their work on/their contributions to/ clarify things?

This is an attempt to find good examples of open source projects which are in this intersection of 'actually important to society' (i.e. https://imgs.xkcd.com/comics/dependency.png), in one of these 'critical product' categories, and where it's not just 100% volunteer developers.

The reason this intersection is interesting is that projects with these properties will bear the full compliance load of the proposal, including 3rd party audits.

@maarten Yes, that's how I was guessing it was meant.

@maarten @[email protected] @nlnetlabs Hmm, is this not all software?

Yes, I work with them all.

@maarten @EU_Commission @nlnetlabs Afnic heavily depends on Keycloak (item 1) and since the machines are CentOS, item 11 applies also.

And RedHat is certainly a commercial activity.

I have just published the @nlnetlabs perspective on the @EU_Commission #CyberResilienceAct proposal vs #OpenSource:

https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/

We feel the current proposal misses a major opportunity. The CRA could bring support to #OpenSource devs maintaining the critical foundations of our digital society. But instead of introducing incentives for integrators or financial support, the current proposal will overload small developers with compliance work.

Talk to me. Spread the word. Read the CRA.

Open-source software vs. the proposed Cyber Resilience Act

By Maarten Aertsen

NLnet Labs is closely following a legislative proposal by the European Commission affecting almost all hardware and software on the European market. The Cyber Resilience Act (CRA) intends to ensure cybersecurity of products with digital elements by laying down requirements and obligations for manufacturers. 🥳update, december 2023:

The NLnet Labs Blog
New security requirements for open source in the EU | Hacker News

@maarten @nlnetlabs wow ;( this looks grave. Would you mind writing a TL;DR to boost here?
@movonw @nlnetlabs happy to do so, will publish a blog with a summary here!

I'm now working on a follow-up to last week's blog on the #CyberResilienceAct. Unsurprisingly, I've learned a few things since writing the original piece and some of what I wrote turned out to be a bit different.

Did you learn anything new that is relevant for #OpenSource developers? I'd be very happy to talk to you.