Cyber Resilience Act effects on OSS on agenda of open source-wg
Dear cooperation working group,

I'd like to call your attention to my talk on the draft agenda of the open source wg this Wednesday, because I believe it may be of interest to members of this group:

On 10/10/2022 18:47, Marcos Sanz wrote:

> Agenda RIPE 85 Open Source WG Session
> Wednesday, October 26, 10:30 - 11:30 (CEST)
> [..]
> B. "Cyber Resilience Act effects on OSS", Maarten Aertsen, NLnet Labs
>
> NLnet Labs is closely following a legislative proposal by the European Commission affecting almost all hardware and software on the European market. The Cyber Resilience Act intends to ensure cybersecurity of products with digital elements by laying down requirements and obligations for economic operators.
>
> In this short talk you'll learn what to expect in the Cyber Resilience Act and why this proposal may matter to you as a developer or user of open source software. If so, let's make sure that policy makers take into account its effects on open source development by professional organisations and volunteers alike.
>
> Do get in touch with Maarten when you have similar concerns, want to team up or can help us to provide technical expertise in the right places.

If you would like to read a little more on the topic, Olaf Kolkman has just published a blog post on the same topic at the Internet Society blog [1].

I'm new to this community: don't be shy and talk to me :-)

kind regards,
Maarten

[1] https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilien...

--
Maarten Aertsen
senior internet technologist, NLnet Labs
Hi Maarten,

Thank you for the heads-up - it is definitely a proposal that needs to be followed.

Julf

On 24-10-2022 14:58, Maarten Aertsen wrote:
Hi all,

I just browsed the ISOC article linked below and it sounds wrong to me. While it is correct to note that "certification will not eradicate bugs even when a manufacturer is fully compliant", trying to exempt FOSS is not the right approach.

What software would you use, a fully certified, professional OS, or a run-at-your-risk product by hobbyists who are exempted from security regulations by a compassionate exception to the Cyber Resilience Act?

If the point is certification costs, I'd recommend that certification agencies be required to work for a percentage of the cover price of the product they're certifying, which is 0 for most FOSS packages. No exceptions.

Best
Ale

On Tue 25/Oct/2022 10:53:39 +0200 Johan Helsingius wrote:
From what I can see from the proposal, there are a couple of things to note:

1. As soon as you go "commercial" in whatever way, your FOSS project must be bound by the Cyber Resilience Act. So, you can take a FOSS project, but as soon as you ask for "paid" support, your whole project (including the FOSS part) suddenly becomes part of that Cyber Resilience Act.

2. Hacking a product will violate the Cyber Resilience Act. It clearly states that you must do anything to "prevent" your product from being tampered with (as in do something it was not intended to do).

3. You also need to supply a "bill of software", which means you need to give a lengthy file with ALL the software used in your product. Knowing how good the python "rabbit hole" can be, I am wondering what rabbit holes this can bring since this can blow up significantly (I want to know EVERY package that is being used, not just "yeah, we're running this framework from this supplier")...

4. It looks like the hardware and the software running on it need to have a CE marking. Just stating that the hardware is CE certified is not good anymore, also the application needs to be CE-certified. Knowing how stuff sometimes goes, I am waiting for the time when we have a recall of consumer fridges because the "software might pose a security risk to consumers".

Greetings,
Julius

On Mon, Oct 31, 2022 at 11:15 AM Alessandro Vesely <vesely@tana.it> wrote:
[no hat]

On 31 Oct 2022, at 10:14, Alessandro Vesely wrote:

> What software would you use, a fully certified, professional OS, or a run-at-your-risk product by hobbyists who are exempted from security regulations by a compassionate exception to the Cyber Resilience Act?

I don't understand what the point of this (perhaps rhetorical) question is.

In a former day-job, I've had to deal with a "professional" Linux distro, whose provider was so risk-averse, and who operated such an ossified acceptance process for integrating upstream FOSS packages, that the distro was operationally unfit for purpose unless I chose to do without the "protection" supposedly provided by the "professional" packaging.

I also know some hobbyists whom I would trust with my personal physical safety, or even my life.

The only thing one can be sure of with certification is that the holder of a certificate managed to pass the test.

https://dilbert.com/strip/2000-08-31

Best regards,
Niall
On Thu 10/Nov/2022 19:41:21 +0100 Niall O'Reilly wrote:

> On 31 Oct 2022, at 10:14, Alessandro Vesely wrote:
>
>> What software would you use, a fully certified, professional OS, or a run-at-your-risk product by hobbyists who are exempted from security regulations by a compassionate exception to the Cyber Resilience Act?
>
> I don't understand what the point of this (perhaps rhetorical) question is.
>
> In a former day-job, I've had to deal with a "professional" Linux distro, whose provider was so risk-averse, and who operated such an ossified acceptance process for integrating upstream FOSS packages, that the distro was operationally unfit for purpose unless I chose to do without the "protection" supposedly provided by the "professional" packaging.

Yup, it may well be that the Cyber Resilience Act is going to result in a grossly scatterbrained attempt at imposing rules that nobody will follow. However, I fear the act can be orchestrated with big software producers in such a way that their products only will be able to advertise the certification.

> I also know some hobbyists whom I would trust with my personal physical safety, or even my life.

Users at large, however, don't know how software is produced. Branding certification can have an impact on their decisions. A captivating campaign could reduce FOSS market share by a great deal.

> The only thing one can be sure of with certification is that the holder of a certificate managed to pass the test.

For fairness, all software producers should have equal opportunities to have their software pass the test. Free software should be tested for free, regardless of what its authors do for a living.

:-)

Best
Ale
niall.oreilly@ucd.ie 2022-11-10 18:41 [+0000]:

> The only thing one can be sure of with certification is that the holder of a certificate managed to pass the test.

My take on that is "the only thing one can be sure of with certification is that the holder has acquired the necessary insurances, so you can coerce money from them when you sue them." YMMV. ;-)

Cheers,
/Liman
Good morning,

I just published an extended, written version of my RIPE talk in the open-source wg [1] with NLnet Labs' perspective on the European Commission's proposal for a Cyber Resilience Act vs. Open Source:

https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/

We feel the current proposal misses a major opportunity. The CRA could bring support to open-source developers maintaining the critical foundations of our digital society. But instead of introducing incentives for integrators or financial support, the current proposal will overload small developers with compliance work.

At the same time, this is only the Commission's proposal. I hope there is opportunity to raise awareness and influence the coming positions and negotiations.

I'm very grateful to the many people in the RIPE community that talked to me after my presentation. I feel my understanding of the issue is improving. Curious to hear what you think, how you feel this affects the projects you rely on and what we have yet to learn about the implications.

kind regards,
Maarten

[1] https://ripe85.ripe.net/archives/video/911
participants (6)

- Alessandro Vesely
- Johan Helsingius
- Julius ter Pelkwijk
- Lars-Johan Liman
- Maarten Aertsen
- Niall O'Reilly