New post! The EU Cyber Resilience Act is now (almost) final, but what does it ACTUALLY mean for open source? It is mostly good news, and there are real opportunities to use the #CRA to our advantage: https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-for-open-source/
EU CRA: What does it mean for open source? - Bert Hubert's writings

The final compromise text of the EU Cyber Resilience Act is now officially available, and various open source voices are currently opining on it. This is a complex act and other parts of the open source world (like the Eclipse Foundation and NLNet Labs) have been hard at work to advocate with the EU and member states to get a CRA that is good for open source. I’ve also been highly critical.


@bert_hubert no, it's still shit ex 10c "under their responsibility." Well, I wrote the MR under a CLA that warrants its suitability and includes test cases. Seems I'd be responsible, no?


@falken @revk @neil if you sign pieces of paper saying you are responsible, you might perhaps end up being responsible? This does not seem to be a CRA problem.
@bert_hubert @revk @neil sure it is if individuals who can't afford a lawsuit from $corp (merited or not, malicious or not) are exposed while their own employees are shielded behind lawyers with infinite pockets
@bert_hubert @revk @neil unless effectively banning individual contributions, with or without CLA, is acceptable?
@falken @bert_hubert @revk @neil the actual CRA reports that just contributing doesn't make you liable... If there's a CLA, it depends on what it entails, but I would expect CLAs to be rewritten with the CRA in mind now.
@bert_hubert great post! I strongly agree: CRA is a great opportunity for FOSS. People who still have concerns should provide their feedback through the EU portal (it's easy: I did it months ago).
@bert_hubert This is encouraging. I was already looking into moving to Africa... (100% of my work is open source)
@bert_hubert Fantastic write up, thanks.
@Brendanjones my pleasure! And always happy to hear that people find the work useful.
@bert_hubert thanks for that writeup! Do you expect that the CRA in this form might discourage the commercial use of open source software? It seems to me that putting companies on the hook for issues in their foss dependencies may scare them off from using them in the first place.
@mvgorcum well - open source is not special in this regard. Commercial libraries are treated just the same, but are far harder to inspect. The dynamics will be interesting!

@bert_hubert I’m interested to understand how onerous the obligations are going to be in companies as well.

We (@firebrick) are in a very unusual position where our code is written from the ground up, drivers, protocol stacks, the lot. But most companies are using an operating system, and tools and drivers and so on. Ensuring they all comply with new rules will not be easy, I expect.

@bert_hubert @firebrick even with a small project like my little ESP32 boards, they use an underlying o/s and even ROM that comes with the chip. The project is open source but we sell h/w that uses it. I can’t even work out if it is in scope. People run the s/w on their own h/w as well. We pre-load it on the boards we sell, but explicitly as a convenience and not as part of what is sold.
@revk @firebrick will get back to this later. The UK also has legislation that is further along & that might apply to you. Feel free to remind me if I forget ;-) But if you currently do CE marking (or UKCA), you likely are in scope.
@bert_hubert @firebrick the firebrick does. The small ESP boards, however, are explicitly sold as hobbyist assembled PCBs, i.e. as parts, and not as a finished "product", even in a PCB panel with snap off excess.

@bert_hubert Thanks for the summary!

It seems very focused on two extreme #FreeSoftware cases, the very large projects/entities and the individual hobbyist. What about everything in between (of which #Debian has many)?

For example a freelancer or consultancy which maintains a #Wordpress or #MediaWiki extension and sells services for it. Or selling support https://www.gnu.org/philosophy/selling.html like Freexian https://www.freexian.com/services/debian-support/ .

Does "commercial activity" build on an existing concept in the #EU acquis?


@nemobis quick response to your good question, the background of this act is the 'New Legislative Framework'. About the freelancer that lives from open source support, I think it would be worthwhile to write up that situation and send it to the EU institutes. Will do. https://single-market-economy.ec.europa.eu/single-market/goods/new-legislative-framework_en
@bert_hubert What would you think are the implications for individuals/ companies which services are providing implementation, support, training for open source software usage? Or even plugins or core implementations development?
@alexnetogeo if the open source software they support is not theirs, the CRA has no handle on them. If you contribute to an open source project you are "not responsible for", the CRA also has no handle on you. If you however publish the module yourself AND sell support on it for profit (and not to recoup support costs), then the CRA might apply to you and your module. Might.

@bert_hubert Am I right in thinking a lone individual taking Patreon sponsorship is probably good, assuming they're not pulling in "you make *how* much?!" money?

(10 million a year smells like money laundering, a plausible sweng salary not so much)

@bert_hubert Thank you for a great analysis! I think I come to the same conclusion as you in almost everything. One thing that still seems a bit fuzzy is for the open source stewards because it has the "specific products .. *intended* for commercial activities" (my emphasis). How is the intention defined? I assume it does not need to be realized as commercial activity yet, or some other phrasing would have been more appropriate. What do you make of it?

@bert_hubert I was pondering.

People moan about Flipper Zero being able to hack access systems, so it should be illegal. I always feel what should be illegal is access systems that are so easily hacked.

Will CRA mean people selling a security/access system have to meet some standards that mean they are not hackable like that?

I.e. no more 125kHz tags using just their ID, no MIFARE Classic, etc. What of those already deployed?

Or will CRA not touch that?

@revk so the wording has been in flux a bit, but there are several overlapping requirements to not *ship* stupid stuff with default passwords or insecure defaults or known exploitable bugs or a needlessly large attack surface. But this is all for new things being sold. The details will also be interesting. UK law already has 'secure by default' on the books as a requirement.