Hello! [ These are my personal opinions. I have some degree of understanding of law, yet I'm not a lawyer at all. I'm an employee of CZ.NIC, yet this is not an opinion of my employer, I'm writing on my own behalf. ]
I would like to understand the number of people/organisations on this list who are concerned about the European Commission's Cyber Resilience Act proposal effects on open source software development.
This topic was presented at RIPE85 [1] and covered in a recent blog (see below, should have cross-posted), which was republished at RIPE Labs last week:
https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-pro...
You would help both me and RIPE NCC staff that are tracking the proposal by speaking up on list. Answers by both developers and users are valuable.
Regarding the liability act, I think we may simply declare that only the cases covered by automated testing are the intended use case, and if anybody wants to run BIRD outside these cases, they have to check it at their own risk or they have to pay us to implement and test these scenarios for them. It's just the wording in the documentation that needs to be amended.

Regarding the CRA:

* The definition of the exception in (10) is one thing; the definition in article 3 (18, 23) doesn't exempt non-commercial development at all.
* Articles 13 (9) and 14 (6) don't work at all for open-source products where the manufacturer is a group of people and orgs all around the world; probably this may be covered by articles 15 and 16, yet the wording is quite fuzzy.
* Article 24, where it speaks about critical software, is completely unreasonable even for fully commercial developers. Everybody uses some underlying technology, e.g. we'd probably have to assess LibSSH security, and who knows, maybe even the GCC / Clang security or the build system itself? Who's going to assess Debian security?

Reading the CRA more thoroughly, if the audits are done strictly, I foresee this:

* Red Hat and SUSE go bankrupt, as the amount of work needed to audit the whole Linux infrastructure is totally out of their scope.
* Everybody using Debian / Arch / whatever non-commercial distribution must be considered a software importer and therefore has the same liabilities as a manufacturer.
* Hardware router manufacturers go bankrupt as well, or have to raise their prices significantly.

Or the audits can be done somehow, just to do the paperwork that assures the Commission that something is being audited. In this interpretation, it's only paperwork with no real impact on actual security, and therefore it's probably just a waste of money and effort.
My suggestions for regulation amendments:

* The regulation should strictly exempt products distributed completely freely (for zero money and in exchange for nothing, not even a single bit of personal / user data), case by case.
* If the software is both sold (e.g. with technical support) and distributed freely, the regulation applies only to the cases where it's sold → then we can explicitly state what features are covered by the contract.
* If anybody uses software which they got for free, they are responsible for that and possibly also for auditing it.

We may also create an NCC which would perform all the necessary audits for open-source software in a reasonable (non-profit) price range.

To be honest, while thinking about it more, I'm starting to see the proposed acts as a kind of way to push the (big commercial) users to contribute more, with real money, to open-source development, yet it must be stated strictly enough that everybody can either contribute to have the audit done by the manufacturer, or they are responsible for auditing their intended use of the software completely themselves.

We may also simply stop selling technical support for BIRD and also stop releasing any final versions. All BIRD versions will be only testing releases, and we can simply sell another product "based on" BIRD, with all the audits needed and CE marked, completely commercial.

In all cases, I think that the regulation needs much more care regarding open-source software, as it looks like the authors don't know much about that. The regulation also doesn't care much about the sole fact that IT systems are typically built from multiple blocks joined together, and the liability and auditing responsibility is not well defined in these cases.

Thank you for raising this issue.

Maria
developer of BIRD, on my own behalf