Can open source be saved from the EU's Cyber Resilience Act?

When I was in Bilbao recently for the Open Source Summit Europe event, the main topic of conversation was the European Union's (EU) Cyber Resilience Act (CRA). Everyone – and I mean everyone – mentioned it. Why? Because pretty much everyone with an open source clue sees it as strangling open source software development. As I' …

  1. Primus Secundus Tertius

    GB left the EU

    Various commenters on el Reg have been sniffy about Britain's decision to leave the EU. This article shows how badly the EU behaves to small groups, and that attitude by the EU was a major factor in Britain's decision to leave.

    1. John Robson Silver badge

      Re: GB left the EU

      What are you smoking?

    2. Anonymous Coward

      Re: GB left the EU

      This is the same GB that - despite a lot of bunny - still passed the Online Safety Bill to require encryption be breakable to the state ?

      Or a different GB ?

    3. Munehaus

      Re: GB left the EU

      If the UK was still in the EU we would at least have had some say in these rules and might even have been able to stop or change them. As stated in the article, we now have to stick to them with zero political representation.

    4. mpi Silver badge

      Re: GB left the EU

      If one bad decision makes an entire organisation bad, then I know how many good organisations there are on this planet at any given time: Zero.

    5. veti Silver badge

      Re: GB left the EU

      When the Brexit vote happened, the UK immediately withdrew from all the EU decision making processes, except the parliament. From that moment the quality of EU decision making turned sharply downhill, proving that the UK was a strong and beneficial participant in those processes.

      Granted that the UK itself is quite capable of fucking up its own laws, it was still a strong moderating influence on EU. And vice versa. Brexit has been disastrous for decision making on both sides.

      1. anonymous boring coward Silver badge

        Re: GB left the EU

        "Sharply downhill" may be overstating it a bit?

    6. anonymous boring coward Silver badge

      Re: GB left the EU

      If only the caring and amazing GB could have had any way to influence things, rather than just being a rule taker...

  2. heyrick Silver badge

    I haven't read the entire thing, like most legalese things it's quite long winded, however, clause 10...

    "In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable."

    Which means that "free" and "open source" software isn't normally covered by this, with a particular fig leaf to that which is properly open source.

    However, it continues... "In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software."

    Which means that open source companies (that are monetising the software) have to apply these new rules, but individual authors that are releasing stuff for free (with or without source, but better with) are exonerated.

    I'm guessing they feel that bedroom/weekend programmers wouldn't be able to afford any certification, which is especially egregious for stuff given away for free, plus they probably don't want a bunch of random people claiming their stuff is CRA compliant and slapping on a self-certified CE mark...

    ...whereas those making money from software (directly or indirectly) have a revenue stream thus can afford CRA compliance.

    The problem is, any such exemptions (such as for open source companies) would have to be very carefully worded in order to stop certain other companies bending the description to fit them, thus defeating the purpose of what this is being set out to achieve. I mean, you did notice the very pointed "making use of personal information in a way that doesn't involve improving the software counts as commercial", right? I think we all know where that shot is aimed towards.

    1. Handy Plough

      I rarely, if ever agree with what you say - but you are on the money (if you'll excuse the pun) with this! If you're making money out of open source, then take responsibility for what you're monetising!

      Vaughn-Nichols has always been an awful journalist.

      1. Yet Another Anonymous coward Silver badge

        Are you just responsible for your own flaws or for security flaws in your app due to other components?

        So if you accept a € donation for your little utility but it uses Log4J you are responsible for knowing about, reporting and fixing the Log4J security hole as well?

      2. Anonymous Coward

        Handy Plough: "Vaughn-Nichols has always been an awful journalist."

        Then we're lucky this article was written by Steven Vaughan-Nichols rather than the chap or chapess that you disapprove of.

        1. Handy Plough

          Steve, have the courage to post publicly. Also, my copy-editing is as good as this site's, it would appear.

      3. veti Silver badge

        Never mind open source, the regulation as written will virtually destroy small software companies regardless of their copyright stance.

        Notification within 24 hours? Not "one working day", mark you, but 24 hours by the clock? Who can afford to comply with that?

        1. Tomato42

          You're unable to write a single email for 24 hours after learning that your software has a currently exploited security vulnerability? Yeah... maybe you shouldn't be in the software business.

          The draft states "The manufacturer shall, without undue delay and in any event within 24 hours of becoming aware of it, notify to ENISA any actively exploited vulnerability contained in the product with digital elements." becoming aware. So, no, you don't have to check your bug tracker every day when out on holidays.

          1. Yet Another Anonymous coward Silver badge

            Until a court rules on what the standard for 'becoming aware' means.

            Boeing can't claim it didn't know about 737max crashes because it only checks an accident loss once per year.

            For a medical device sold in Europe we have to have an official notifying body with contact details that we have to put on every product and in every manual. Don't know what their rules are about being staffed 24*7 and having backup phone systems but they aren't cheap!

          2. veti Silver badge

            Scenario: you receive a report of a hack against a system where your software may have been deployed, and it sounds like it may have been exploiting a vulnerability in your software. You're not sure about either of those points, but circumstances are suspicious.

            What exactly is your responsibility at that point? Are you "aware of an exploit" yet? Can you afford to simply ignore the report and wait for someone else to do the hard work investigating?

            OK, so it's three days later, and someone publishes a preliminary investigation into the hack. No one has actually pinpointed your component yet, but the circumstances are piling up. You're now about 80% sure it was present on the system, and if it was vulnerable that would explain what happened.

            Are you "aware" yet?

            And whenever you are "aware", what on earth makes you think just sending an email is going to cut any ice? Name an official notification system anywhere in the world that relies on email. No, there will be a form, requiring you to specify the program, the version, the component and other details that will require serious expert investigation to uncover. So whenever you are "aware", you've got a ticking clock to discover enough about it to fill in this form, whatever it's going to look like.

            1. Tomato42

              > Name an official notification system anywhere in the world that relies on email.

              cve-assign @ mitre.org

            2. Blazde Silver badge

              What exactly is your responsibility at that point? Are you "aware of an exploit" yet? Can you afford to simply ignore the report and wait for someone else to do the hard work investigating?

              I don't mean to be flippant(*) but the situation mirrors current GDPR legislation where there's a duty to report data breaches within 72 hours of becoming aware. The guidance is simple: Section IV of the Article 29 Working Party guidelines on personal data breach notification contains a variety of potentially conflicting 'ideas' about what constitutes a breach worthy of notification. It's very clear that where there's any uncertainty, an assessment of the likelihood of a breach having taken place should be made. Implicitly you are wished good luck figuring out how to deal with that uncertainty. The 27 page, 10 year old working document 'Recommendations for a methodology of the assessment of severity of personal data breaches' is also required reading and may or may not be of any help. Finally you should familiarise yourself with the relevant GDPR Recitals, and subtle differences in application of the rules between your member state's regulatory office and what the law actually says, and pay particular note to recent rulings that you are considered aware of a breach as soon as parties you've outsourced aspects of your business to become aware of it. Was Janine the cleaner in the server room when the fax first came through about the suspicious logs and did she sneak-a-peek? What will the CCTV records show?

              (*) Okay I do

            3. BOFH in Training

              And what if you happen to be away on a sabbatical for a month and did not check your emails / bug tracker?

              Will it matter if someone reported an issue during the first week of your holiday but you did not see it for another 3 weeks? Even if it was being actively exploited from the very first day it was reported?

              There are many questions about this that have to be answered.

          3. Justthefacts Silver badge

            Legal?

            So, ah….you don’t feel the need to discuss with a lawyer, beforehand, to understand your rights and potential liabilities? I think you’ll find that if you need to retain a lawyer with expertise on this narrow area of law, it will take you rather longer than 24 hours to do so, from cold. You’ll be lucky to get one within a week, unless you already have a specialised team on retainer.

            For reference, if you send a normal legal letter on IPR issues, it’s standard practice to allow 14 days for response. If the plaintiff doesn’t allow such a reasonable response time, the respondent can ask the court to throw it out for vexatious litigation, and automatically find against the plaintiff with costs, even if the case is otherwise well-founded. The fact that you don’t know this *demonstrates exactly why you need a lawyer before you send that email*.

        2. garwhale Bronze badge

          It could probably be automated or outsourced, so no real problem.

          Form for reporting vulnerabilities ⇒ email to developer + EU authorities.

          1. This post has been deleted by its author

    2. localzuk

      Problem is, not only companies do those activities.

      There's plenty of individual consultants out there who provide technical support services, or host a platform for a client.

      That's part of the problem here - too many people consider commercial activity to only be done in the context of companies. Rather than by freelancers who are experts in their field etc...

  3. t245t Silver badge

    Will the European Cyber Resilience Act Kill Open Source Software?

    Gaël Duval, the founder of /e/OS, as well as founder and CEO at Murena (but you may remember him best as the founder of Mandrake Linux), explains why the EU's proposed Cyber Resilience Act as written would have a damaging effect on open-source.

  4. M E H

    EC <> European Council in this context

    At least I doubt that it does. It probably refers to the European Commission, the EU's civil service.

    Remember - the US innovates, China replicates, the EU regulates, which is why the EU is rapidly becoming a tech backwater.

    1. Claverhouse Silver badge

      Re: EC <> European Council in this context

      What does the USA innovate ?

      1. Yet Another Anonymous coward Silver badge

        Re: EC <> European Council in this context

        Are you typing this on a phone with a US OS or are you using a Nokia 3310?

        1. Lurko

          Re: EC <> European Council in this context

          "Are you typing this on a phone with a US OS or are you using a Nokia 3310?"

          Well, if you're using any Android phone, that's basically Linux which in terms of origination is an EU OS, irrespective of Google's power grab. If it's Apple IOS, then that's UNIX, and therefore a US OS not because of Jobby Jobs, but because it originated at AT&T.

          Globally Android has about 73% market share, I'd say that was a very clear EU win, albeit purloined and commercialised by the Merkins.

          1. Yet Another Anonymous coward Silver badge

            Re: EC <> European Council in this context

            That's like saying 99% of Hollywood is in English, so the global cinema market is basically down to the innovation of Oxford University Press

            1. Handy Plough

              Re: EC <> European Council in this context

              It is, despite your constant attempts at butchering the language.

          2. Justthefacts Silver badge

            Re: EC <> European Council in this context

            Linux v1.0 was released in 1994, the year *before* Finland joined the EU. The EU has no part in this.

            1. Doctor Syntax Silver badge

              Re: EC <> European Council in this context

              OTOH I've not heard of Finland joining the US.

            2. Anonymous Coward

              Re: EC <> European Council in this context

              Are you still running Linux kernel 1.0? You've got a few security updates to install, to remain free of unclean EU influences you can update all the way up to 1.1.

              1. Justthefacts Silver badge

                Re: EC <> European Council in this context

                For comparison: “The EU invented sanitation”. Ummm, no, I think you’ll find that was the Romans. Italy may now be a member state of the EU, but the EU did not invent sanitation.

                “Yeah well, the latest sanitation standards are maintained by the EU. I’m lucky Rome signed up to the EU, otherwise I couldn’t have any of the new sanitation standards”.

                1. Anonymous Coward

                  Re: EC <> European Council in this context

                  Well they do say the quality of the UK's water has turned to shit after Brexit.

  5. M.V. Lipvig Silver badge

    I see a LOT of software developers

    including a disclaimer in the future.

    "NOT FOR USE WITHIN THE EUROPEAN UNION"

    That should eliminate the issue, as the EU should not be able to go after a non-EU developer whose software is not licensed for use in the EU. EU based developers, on the other hand, get to enjoy being done over.

    1. Simian Surprise

      Re: I see a LOT of software developers

      Well, that's no longer free software, then, assuming it's intended to be legally binding.

      And if it's not, it can't be much of a CYA (I'm not a lawyer and haven't read all the legalese, but I wouldn't be surprised if just saying "they used it in violation of the license" isn't a good enough defense).

      So in the former case FOSS is just dead, and in the latter case devs are just as fucked.

      1. garwhale Bronze badge

        Re: I see a LOT of software developers

        The license defense is perfectly valid, as long as you have to agree to the license before accessing and using the software.

        1. Yet Another Anonymous coward Silver badge

          Re: I see a LOT of software developers

          And as long as you aren't using any other software with a different licence. I can't take GPL software, add my bits and say 'GPL but not for use in Eu'

          1. Dan 55 Silver badge

            Re: I see a LOT of software developers

            That's a distribution restriction, not allowed under the GPL.

            Or so we were reliably informed after the RH saga.

  6. mpi Silver badge

    Unpopular opinion: The act isn't that bad.

    Essentially it boils down to this:

    The "programmer in nebraska", who just gives away stuff for free, is not who needs to be concerned about this.

    The company offering "open source" and monetizing it in some way, has to comply. As it should, because "open source" should be a way to freely share, test and crowd-develop new ideas and drive projects through community effort. It should NOT be a fig leaf that lets people ignore security flaws for years, putting the consumers of said software, who often have no realistic way of fixing the "open source" systems they use, at risk.

    And let's be honest: Looking at the number of FOSS projects who apparently can afford to pay for huge events and giant marketing departments, I think doing a bit of paperwork to comply with such an act is not an unreasonable requirement, nor a drag on their finances.

    And btw. let's not forget that this act doesn't just put the onus on open source developers: It clamps down HARD on the oh so loveable mega-corporations.

    Is the act ideal? No. For example, reporting zero days immediately to government agencies, which includes governments with a less than stellar reputation, is a really bad idea. But is it all bad? No. No it is not. Because I don't see why end consumers' security should be put at risk just because some vendor of a software decided that: "hey, our shareholders want a third yacht, so, ya know, we're cutting costs, and are not gonna update that thingamajig we sold you recently any more, lol".

    1. OttoMashun

      Re: Unpopular opinion: The act isn't that bad.

      The CRA is the proverbial "camel's nose under the tent" scenario.

      No bureaucracy ever puts the brakes on any power acquisition.

      The EU seems to love totalitarianism, and lusts after power, as witnessed over the past couple of years.

      1. Adair Silver badge

        Re: Unpopular opinion: The act isn't that bad.

        'The EU seems to love totalitarianism, and lusts after power, as witnessed over the past couple of years.'

        You are, of course, entitled to your opinion, however ignorant, prejudiced, self-serving, or just plain wrong it may be. As am I.

        I wonder what an ideal piece of legislation would look like—that genuinely protects end-users from exploitation and abuse, whilst also upholding the interests of FOSS and commercial entities?

        Alternatively, we could all sit on our hands and let an unregulated 'market' do its thing. To the max.

        1. aerogems Silver badge

          Re: Unpopular opinion: The act isn't that bad.

          That's a dirty trick, countering a foaming at the mouth, tinfoil hat brigade, knee-jerk reactionary post by requesting logic and reason!

      2. mpi Silver badge

        Re: Unpopular opinion: The act isn't that bad.

        > The EU seems to love totalitarianism

        Is that so? Tell me, how many totalitarian countries are in the EU?

        Regulating how a society works is not totalitarianism, it's a way to avoid anarchy and unnecessary damage. Regulations are why we no longer have lead in the paint of children's toys. They are the reason why workers are entitled to safety gear and adequate rest periods. They are the reason why the entire EU has fewer gun deaths in a year than some other nations in a week.

        No this act is not an ideal law. Almost no law in the world is an ideal solution. And that's fine. Laws can be changed, amended, expanded, or abolished. That's what happens in the EU all the time. And judging by the standard of living they have over there, the safety their citizens take for granted, their functional social safety nets, and their overall happiness on indices measuring these things, it seems to work pretty darn well.

        1. Tomato42

          Re: Unpopular opinion: The act isn't that bad.

          He's probably one of those people that are like house cats: fiercely independent while in reality oblivious of the systems that they depend on and don't appreciate. You know: libertarians.

          He's completely unaware that without regulation his bread would be full of sawdust or chalk as that would make it cheaper to produce. Or maybe he's one of the crazy people that likes using gas chromatograph to see if the food he's eating includes arsenic or heavy metals.

          1. Doctor Syntax Silver badge

            Re: Unpopular opinion: The act isn't that bad.

            "Or maybe he's one of the crazy people that likes using gas chromatograph to see if the food he's eating includes arsenic or heavy metals."

            Well played, sir.

            1. Yet Another Anonymous coward Silver badge

              Re: Unpopular opinion: The act isn't that bad.

              "Or maybe he's one of the crazy people that likes using gas chromatograph to see if the food he's eating includes arsenic or heavy metals."

              That's ridiculous. For heavy metals you would use HPTLC or ideally, plasma coupled mass spectrometry

        2. aerogems Silver badge

          Re: Unpopular opinion: The act isn't that bad.

          "Tell me, how many totalitarian countries are in the EU?"

          *Looks at Hungary*

    2. Tomato42

      Re: Unpopular opinion: The act isn't that bad.

      The act asks for actively exploited vulnerabilities to be reported to gov offices. If the situation gets this bad, then the cat is clearly out of the bag already and giving even less than stellar governments info about them won't change much (not to mention that the act actively encourages ENISA to filter that information before disseminating it further).

      The act also asks for the information to be provided to the users of said components and devices, including possible mitigations.

      So, even if you're a small software shop, I really don't think those requirements are too onerous. If you're serious about security, you'll need to get a CVE number and submit a description of the vulnerability anyway, it just asks for the submission to also be provided to ENISA, not just MITRE, and gives you 24h when the manure already hit the air circulation device.

  7. Anonymous Coward

    It's not a security flaw if it's a feature of the software... I see the number of reported flaws dropping to zero.

  8. glennsills

    If you are charging for it, you should be responsible for it.

    1. Roland6 Silver badge

      But to level…

      Some aspects of the CRA seem to have been influenced by the SAP approach, so yes you can use my software but I only certified it for use on a system that uses the same hardware and software build as the system I tested it on.

  9. aerogems Silver badge

    Seems like a simple fix

    Put the onus on the seller of the IoT devices this law is clearly targeting. They have to conduct some kind of security audit before launching the device, or are at least on the hook for making sure security fixes are rolled out if found later. If that means hiring someone to create a custom patch, so be it. I understand some may see that as heavy handed, but the alternative is bajillions of IoT devices out there with gaping security holes. It's like how everyone hates the fact that Windows forces you to install updates now, but at the same time the number of issues that are directly related to unpatched Windows systems has gone down significantly since Microsoft implemented the policy. It's a minor annoyance now to prevent a much larger issue later.

    I'd also probably take this opportunity to address some of the other failings of large companies. If someone reports a security flaw to a company, they have to at least acknowledge that they got it and provide periodic feedback on efforts to fix it. None of this crap where companies just go radio-silent and the bug never gets fixed unless the person who found the flaw goes public to name and shame the company into action. Not sure on the specific mechanism, but off the cuff I'd think maybe give the company 6-months from the time an issue is reported to them to fix it. If they don't fix it within that time, not only can fines be levied, but if the flaw resulted in a customer being financially harmed, liability would automatically attach to the vendor in a lawsuit unless they can show they issued a patch and the customer didn't apply it or something.

    1. Roland6 Silver badge

      Re: Seems like a simple fix

      >” Put the onus on the seller of the IoT devices this law is clearly targeting.”

      Doing some skim reading and dipping in, a question arises over AI and self-driving cars. In the case of self-driving cars it is possible the CRA puts the legal liability for accidents on the vehicle manufacturer…

      1. Doctor Syntax Silver badge

        Re: Seems like a simple fix

        The paragraph spanning pp 9 & 10 excludes motor vehicles and trailers subject to type approval under existing regulation. Pity, but there it is.

        1. Yet Another Anonymous coward Silver badge

          Re: Seems like a simple fix

          That's surprising. It's almost like there are a number of large car companies in the Eu with a lot of lobbying power.

          Strangely electric cars are also exempt from the repairable / battery replacement rules that apply to phones

  10. Roland6 Silver badge

    “… that program you wrote in 2019”

    “ you find an EU notification in your email box from some agency you've never heard of informing you that you must comply or pay a penalty of €10,000 for that program you wrote in 2019”

    Not come across any authoritative source for what software actually qualifies, i.e. falls under the CRA. So is that software from 2019 something actively being sold today or something sold in 2019 and no longer advertised?

    As there should be some clarity on what software is included, a quick Google shows the source code to AT&T Unix v6 (1975) is still available for download. Also what does this mean for BSD licensed code? I.e. does this mean source is as is, but a compiled distribution must comply with CRA?

    As for that email notification, I expect we will see many scammers trying to exploit this opportunity.

    1. Simian Surprise

      Re: “… that program you wrote in 2019”

      I've contributed large amounts of work to a rather well-known libre program which is commercially supported (by an EU-based company). I've never and won't ever be paid, but they've given me things of nominal value as unsolicited thanks.

      Do I fall under the law? My code is used by many companies who pay the aforementioned company for support. I obviously can't retroactively change my license terms, and (more importantly) neither can they, as I own the copyright still.

      1. Tomato42

        Re: “… that program you wrote in 2019”

        If you haven't charged money for the software or for support and you don't use it to collect personally identifiable data (except stuff like interoperability and bug reporting), then you're exempt.

        1. Yet Another Anonymous coward Silver badge

          Re: “… that program you wrote in 2019”

          Has there been a court case creating an opinion on that ?

        2. Brewster's Angle Grinder Silver badge

          Re: “… that program you wrote in 2019”

          "...but they've given me things of nominal value as unsolicited thank..."

          He was remunerated for his work. It doesn't have to be cash; benefits in kind count. (And it should have been declared on a tax return.)

  11. IceC0ld

    SO, reading through this thread, it would appear that in essence, people are for the idea of the act, but NOT as it is written at the moment, and the big one is the 24 hour response time, which, even to my non-coder / developer eyes is WAY too short a heads up ffs

    so, are the EU open to some form of dialogue ?

    NO, seriously :o)

    or does the EU just throw its cap into the ring about anything it fancies, and expect everyone to kowtow and accept ?

    maybe there is an opening for one of those UK type QUANGOs out there, one that has powers to set up the framework, and accept input, like, ooh, I don't know, an IRC :o)

    that seemed to work for the entire net for quite some time IIRC :o)

    I may be off centre here, but I really do not think the EU has ANYONE'S best interests at heart, but they DO like to hear their own trumpets being blown :o(

    1. Anonymous Coward

      Erm...

      "I really do not think the EU has ANYONE'S best interests at heart" in the same post as "it would appear that in essence, people are for the idea of the act,"

      Typical Brexit supporter. Also, you can look up how the EU decides what issues to look into (each member government sends commissioners to regular meetings), but that should really be part of your general knowledge.

    2. Doctor Syntax Silver badge

      "maybe there is an opening for one of those UK type QUANGOs out there, one that has powers to set up the framework, and accept input, like, ooh, I don't know, an IRC :o)"

      You really think the current UK govt. - the one that perpetrated the Online Safety Act - would do a thing like that? Or HM's loyal opposition?

  12. The Central Scrutinizer

    So how does the EU think they are going to "enforce" this on people outside the EU? It seems to be classic arrogant EU overreach.

    1. Filippo Silver badge

      They aren't, but they can prevent non-compliant vendors from selling in the EU. Because of how big the EU is, most vendors will have to comply. It's not like the US doesn't do this sort of thing.

  13. Anonymous Coward

    The usual quality of EU news reporting....

    ...for a start, this is proposed legislation, so who knows what this will target in the end.

    Even if you publish code, updates would need to be part of a support contract. All this legislation means is that the support contract becomes very expensive. So pay me $1m a day, and I'll follow the legislation. Or opt out.

    This'll end up just like the cookie tracking laws: with every single website popping up a "we use cookies" message. That's basically telling the website "I'm opting out, you can sell my details everywhere"... That's government for you!

    1. Tomato42

      Re: The usual quality of EU news reporting....

      You do know that dark patterns for cookie dialogues have been illegal, are illegal, and will remain illegal?

      Just one example of work happening in EU to squash them: https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf

    2. Yet Another Anonymous coward Silver badge

      Re: The usual quality of EU news reporting....

      >So pay me $1m a day, and I'll follow the legislation.

      That's why open source is so concerned. SAP can say this, I can't say this if I add to some GPL software and you use it. The GPL says I give it to you and you can give it to anyone else.

      But I'm responsible for reporting any security flaws that affect you, and anyone you gave the software to and anyone using any derived work, and possibly for any flaws in any work I derived from that affect my work.

  14. Anonymous Coward

    4000+ open source packages from dozens or hundreds of sources to create your small but "modern" commercial web application? Yeah, that model might have to change if you want to do business in the EU. But is that bad?

    With the exceptions to CRA, it appears that the random person from Nebraska who has been thanklessly - so, without remuneration - maintaining their package since 2003 is not going to be affected, except that their freely available, non-CRAd code can't be a critical part of commercial apps any more. Might even be a load off their shoulders not to have to worry about being the target of open source supply chain attacks any more.

    Or alternatively, if the package is so critical that your app can't replace it or do without, well then. That open source developer is just going to have to be given some hard cash to fulfill the CRA requirements for your app instead of the current model of (perhaps) recurring donations - now that's pretty much just charity/patronage, a way to show you are "a good member of the community", being a tax on your ethics compared to the more "unscrupulous" (in your estimation) companies that do not contribute back.

    From my perspective, many open source dependency trees have become something horrible under the care of "free innovation" in the absence of these sorts of regulations for commercial use. One method from here, one from there, just use the automated tools to package it up and automate updates - just see if anything breaks in the CI, and worry about introducing new security vulnerabilities into your app only after the fact, once they are public, and hope you were not the target of this particular one... and if there are never any security advisories for a package (because there is no vulnerability reporting at all for it), well, that just means it must be a high quality package and certainly should never be replaced by something that is *documented*, *risk assessed* or - worst of all - can occasionally generate those annoying advisories that just create extra work at the worst of times.

    Now, I'm sure there are a huge amount of bad details and perhaps even bad philosophy to go with the good in the CRA. And I can't see how this could be ever implemented without a lengthy transition period. It's certainly not an ideal time for the EU to create reasonable, flexible security regulations, considering there is serious time pressure due to the amped-up risks of well funded attacks.

    But in the big picture, for me, the commercialized open source community has gradually become an example of tragedy of the commons - exercising voluntary restraint in curating what open source you use has not been a rational choice for startups (except insofar as the unwieldy mass of OSS starts to actually impact developer productivity).

    1. Tomato42

      > And I can't see how this could be ever implemented without a lengthy transition period.

      The CRA already calls for a 24-month transition period. And that's on top of the usual delay that the governments take in implementing the EU regulation.

      Not that it will stop the megacorps from doing absolutely nothing about it till the eve of when the regulation goes into force and then trying to litigate. Exactly what they did for GDPR. And exactly what El Reg is still not compliant with (the button to deny and accept all cookies has to be presented with equal prominence, but dark patterns are like heroin for markedroids).

    2. Andy The Hat Silver badge

      "instead of the current model of (perhaps) recurring donations"

      If open source developers accept donations for their work (whether or not they actually get any), does that not commercialise the product thus make it subject to CRA?

      What if a tool was developed by a commercial entity because they needed something to test their own hardware in-house, thought it was useful and open sourced it? Would that product be regarded as "free open source non commercial" or, because it was produced as part of commercial activity would it fall under CRA?

      Legal can of worms if you ask me.

  15. Doctor Syntax Silver badge

    The Act defines the following:

    ‘economic operator’ means the manufacturer, the authorised representative, the importer, the distributor, or any other natural or legal person who is subject to obligations laid down by this Regulation;

    ‘product with digital elements’ means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately;

    ‘manufacturer’ means any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge;

    Is the lone developer in Nebraska's (a term likely to become as much part of legal debate as the man on the Clapham omnibus) library a product or just a digital element used in others' products and/or marketing them under his or her name or trademark?

    Is source code as opposed to a compiled binary a product? The binary is subject to any errors that the compiler produces and, in the case of the final running code, the linker.

    ‘authorised representative’ means any natural or legal person established within the Union who has received a written mandate from a manufacturer to act on his or her behalf in relation to specified tasks;

    Does a general licence constitute a written mandate?

    ‘importer’ means any natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union;

    ‘distributor’ means any natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties;

    ‘placing on the market’ means the first making available of a product with digital elements on the Union market;

    ‘making available on the market’ means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;

    If a product is made available other than with a contract for supply is it commercial activity? If not then can this regulation apply?

  16. garwhale Bronze badge

    This proposal will force software creators to spend more on testing and maintenance, which is surely not bad. The focus on exploits is perhaps misplaced, ordinary bugs in critical software can also affect resilience.

    I would also like to have a longer period for software support/updates/upgrades to prevent devices being discarded solely due to software obsolescence. Mobile phone manufacturers outside of Google and Apple don't provide OS updates.

    1. Yet Another Anonymous coward Silver badge

      Or it will force companies in the EU to use Windows instead of Linux because their lawyers will be afraid that they are responsible for fixing Firefox bugs in their point of sale system, while Microsoft will (for a fee) handle bug reporting in Edge.

  17. Groo The Wanderer Silver badge

    Governments are clueless, and the bigger the government, the less of a clue it has. And the EU is a VERY large bureaucratic nightmare indeed....

  18. Filippo Silver badge

    I make bespoke MES software for industrial plants. I'm pretty sure my activity is going to be covered by this. I haven't yet read the whole thing in detail, but I suspect that means I'm going to have to get some very expensive paperwork done, for every single project.

    Obviously, the way this should work in practice is that I'd pass the cost on to my customers. Ever since I've started this, I've been complaining that plant owners are never willing to pay for security; now they'll have to.

    Or will they? I'm concerned about cowboys flouting this and stealing my lunch. How's the talk around enforcement? Because, currently, small companies can pretty much ignore GDPR and get away with it. If this works out the same way, I know competitors who will definitely ignore it outright, and they'll force me to do the same or get undercut by like 40%. If customers don't get liability, they won't care about my explanations.

  19. Anonymous Coward

    If you hear from some stuffy wotsit in a suit tell them to F off. Why does nobody take this approach? A law only exists if you comply with it.

    1. The Central Scrutinizer

      What metaverse do you live in?

  20. Dbeltz

    Need a new License

    We need a new license that says software used in the EU is not allowed and is used at the user's own risk. We take no responsibility for the use of such software blah blah etc etc. Basically FU EU. I live in the US and have done coding in the US. If my code makes it to the EU it is without my knowledge or consent. Let the EU and US/Canada/Australia and other Open Source supporting countries fight it out among treaties and keep the open source overseas from the EU. Better yet, update the licenses so that EU government agencies must upload all edits, updates and patches to software regardless of department or classification to the general repositories for said software, or discontinue use immediately of said software. Get the latest patches from the EU military agencies and spy departments. Make it so open source can't be used in the EU.

  21. Grogan Silver badge

    These countries that think they have jurisdiction over everybody... fuck you, I don't follow (all of) anybody's laws, so my heart just pumps purple piss for your jumped up authority. What's next, do we have to follow North Korea's laws? Why not... because you don't recognize their authority?

    This will very much stifle creativity and innovation, it will make it so only the big boys get to play, which is what the twats engineering these bills want. Don't think that they don't know what they are trying to destroy.

    Time to go back to being anonymous... server and VPN connection in some country that doesn't cooperate.
