concern re: Cyber Resilience Act effects on open source?
good afternoon list,

I would like to understand the number of people/organisations on this list who are concerned about the European Commission's Cyber Resilience Act proposal effects on open source software development.

This topic was presented at RIPE85 [1] and covered in a recent blog (see below, should have cross-posted), which was republished at RIPE Labs last week:
https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-pro...

You would help both me and RIPE NCC staff that are tracking the proposal by speaking up on list. Answers by both developers and users are valuable.

A simple +1 is fine. Thanks.

kind regards, Maarten

-------- Forwarded Message --------
Subject: Re: [cooperation-wg] Cyber Resilience Act effects on OSS on agenda of open source-wg
Date: Mon, 14 Nov 2022 09:38:00 +0100
From: Maarten Aertsen <maarten@nlnetlabs.nl>
To: cooperation-wg@ripe.net

Good morning,

I just published an extended, written version of my RIPE talk in the open-source wg [1] with NLnet Labs' perspective on the European Commission's proposal for a Cyber Resilience Act vs. Open Source:
https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/

We feel the current proposal misses a major opportunity. The CRA could bring support to open-source developers maintaining the critical foundations of our digital society. But instead of introducing incentives for integrators or financial support, the current proposal will overload small developers with compliance work.

At the same time, this is only the Commission's proposal. I hope there is opportunity to raise awareness and influence the coming positions and negotiations.

I'm very grateful to the many people in the RIPE community that talked to me after my presentation. I feel my understanding of the issue is improving. Curious to hear what you think, how you feel this affects the projects you rely on and what we have yet to learn about the implications.

kind regards, Maarten

[1] https://ripe85.ripe.net/archives/video/911

--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/cooperation-wg
+1 to this.

Although I don't understand too much of the legal stuff, my concern is mostly with: "can I be held liable for something I wrote in my spare time for fun?" I am currently feeling like I am bitten twice by the same snake: I (as the owner of a piece of software) can be held liable if that piece of software gets used in someone else's business product, and because I use a lot of AI, I am also responsible if the AI model used by that piece of software decides to go haywire. Do I really need to get a signature of conformity if I want to build SkyNet?

Meanwhile, I have toys "made in China" with CE markings that simply lack the most basic security features, and they ask me to pay for an audit...

Jokes aside, does this mean that Linux now needs a CE label? If so, what if they simply say "no" and block access to the EU? Think of the implications if that were to happen...

Julius

On Mon 28 Nov 2022 15:59, Maarten Aertsen <maarten@nlnetlabs.nl> wrote:
good afternoon list,
I would like to understand the number of people/organisations on this list who are concerned about the European Commission's Cyber Resilience Act proposal effects on open source software development. [..]
Maarten

Maybe I’m missing something, but the draft language *excludes* open source software:

“In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.”

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: opensource-wg <opensource-wg-bounces@ripe.net> on behalf of Maarten Aertsen <maarten@nlnetlabs.nl>
Date: Monday, 28 November 2022 at 14:59
To: opensource-wg@ripe.net <opensource-wg@ripe.net>
Subject: [opensource-wg] concern re: Cyber Resilience Act effects on open source?

good afternoon list,
I would like to understand the number of people/organisations on this list who are concerned about the European Commission's Cyber Resilience Act proposal effects on open source software development. [..]
hi Michele,

Thanks for taking the time to respond, I really appreciate that.

On 28/11/2022 18:09, Michele Neylon - Blacknight wrote:
Maybe I’m missing something, but the draft language **excludes** open source software [..]
"Yes*, but with a /very big asterisk/" (quoting from [1])

I am really thankful that an exception, even a limited one, made it at all. And at the same time, this may draw our attention away from the facts that the current proposal:

1. misses an opportunity to actually support the open source work our society depends on (in any way: acknowledgement, incentives to contribute, financial, liability, ..)
2. creates a new barrier to people or projects that move from 100% volunteer-effort to having some income by introducing compliance work that may be hard to meet for small or cash-strapped developers.

I'm curious about your thoughts on the concept of "commercial activity" as it applies to software you write or use. I hope my writing on its role in the CRA is of any help.

kind regards, Maarten

[1] https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/#...

--
Maarten Aertsen
senior internet technologist, NLnet Labs
Maarten

I think the way they’ve framed commercial activity is problematic. It’s also inconsistent with other EU legislation where they’ve specifically carved out smaller businesses, which they should be doing here as well.

TLDR – I’m not going to lose sleep if RedHat have to do something, but I really don’t want a small open source software company with a handful of staff to be forced to meet the same criteria as a multi-billion dollar company.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: Maarten Aertsen <maarten@nlnetlabs.nl>
Date: Tuesday, 29 November 2022 at 11:30
To: Michele Neylon - Blacknight <michele@blacknight.com>, opensource-wg@ripe.net <opensource-wg@ripe.net>
Subject: Re: [opensource-wg] concern re: Cyber Resilience Act effects on open source?

hi Michele,
Thanks for taking the time to respond, I really appreciate that. [..]
On Nov 29, 2022, at 6:56 AM, Michele Neylon - Blacknight via opensource-wg <opensource-wg@ripe.net> wrote:
Maarten
I think the way they’ve framed commercial activity is problematic. It’s also inconsistent with other EU legislation where they’ve specifically carved out smaller businesses, which they should be doing here as well. TLDR – I’m not going to lose sleep if RedHat have to do something, but I really don’t want a small open source software company with a handful of staff to be forced to meet the same criteria as a multi-billion dollar company.
Michele,

Amen! This is exactly my concern. The CRA could have the effect of putting the small open source companies out of business in Europe.

ISC, my employer, is ~35 people, so not *tiny*, but we would certainly struggle to meet all of the CRA requirements for our two major open source projects, BIND 9 and Kea DHCP. The impact would be to take resources away from other important work, such as fixing bugs, writing useful documentation, etc. We have been reporting vulnerabilities responsibly for years, signing our code, etc., so most of the provisions would not be new to us, but …

Currently we do monthly development releases - would we have to go through some rigmarole for each release?? It would certainly be the end of monthly updates.

Regards,
Vicky Risk, isc.org
Hello! [ These are my personal opinions. I have some degree of understanding of law, yet I'm not a lawyer at all. I'm an employee of CZ.NIC, yet this is not an opinion of my employer, I'm writing on my own behalf. ]
Regarding the liability act, I think we may simply declare that only the cases covered by automated testing are the intended use case and if anybody wants to run BIRD outside these cases, they have to check it at their own risk or they have to pay us to implement and test these scenarios for them. It's just the wording in the documentation that needs to be amended.

Regarding the CRA:

The definition of the exception in (10) is one thing, but the definition in article 3 (18, 23) doesn't exempt non-commercial development at all.

* Articles 13 (9) and 14 (6) don't work at all for open-source products where the manufacturer is a group of people and orgs all around the world; probably this may be covered by articles 15 and 16, yet the wording is quite fuzzy.
* Article 24, where it speaks about critical software, is completely unreasonable even for fully commercial developers. Everybody uses some underlying technology, e.g. we'd have to assess LibSSH security probably, and who knows, maybe even the GCC / Clang security or the build system itself? Who's gonna assess Debian security?

Reading the CRA more thoroughly, if the audits are done strictly, I foresee this:

* RedHat and SUSE go bankrupt as the amount of work needed to audit the whole Linux infrastructure is totally out of their scope.
* Everybody using Debian / Arch / whatever non-commercial distribution must be considered a software importer and therefore has the same liabilities as a manufacturer.
* Hardware router manufacturers go bankrupt as well or have to raise their prices significantly.

Or the audits can be done somehow to do the paperwork just to assure the Commission that something is being audited. In this interpretation, it's only paperwork with no real impact on the actual security, and therefore it's probably just a waste of money and effort.
My suggestions for regulation amendments:

* the regulation should strictly exempt products distributed completely freely (for zero money and in exchange for nothing, not even a single bit of personal / user data)
* case-by-case: if the software is both sold (e.g. with technical support) and distributed freely, the regulation applies only to the cases where it's sold → then we can explicitly state what features are covered by the contract
* if anybody uses software which they got for free, they are responsible for that and possibly also for auditing

We may also create an NCC which would perform all the necessary audits for open-source software in a reasonable (non-profit) price range.

To be honest, while thinking about it more, I'm starting to see the proposed acts as a kind of way to push the (big commercial) users to contribute more with real money to open-source development, yet it must be stated strictly enough that everybody can either contribute to have the audit done by the manufacturer, or they are responsible for auditing their intended use of the software completely themselves.

We may also simply stop selling technical support for BIRD and also stop releasing any final versions. All BIRD versions will be only testing releases and we can simply sell another product "based on" BIRD, with all the audits needed and marked CE, completely commercial.

In all cases, I think that the regulation needs much more care regarding open-source software as it looks like the authors don't know much about that. The regulation also doesn't care much about the sole fact that IT systems are typically built from multiple blocks joined together and the liability and auditing responsibility is not well defined in these cases.

Thank you for raising this issue.

Maria
developer of BIRD
on my own behalf
participants (5)
- Julius ter Pelkwijk
- Maarten Aertsen
- Maria Matejka
- Michele Neylon - Blacknight
- Victoria Risk