'EU's Cyber Resilience Act Contains a Poison Pill for Open Source Developers' (theregister.com)
Veteran open source reporter Steven J. Vaughan-Nichols, writing at The Register: We can all agree that securing our software is a good thing. Thanks to one security fiasco after another -- the SolarWinds software supply chain attack, the perpetual Log4j vulnerability, and the npm maintainer protest code gone wrong -- we know we must secure our code. But the European Union's proposed Cyber Resilience Act (CRA) goes way, way too far in trying to regulate software security. At the top level, it looks good. Brussels states that before "products with digital elements" are allowed on the EU market, manufacturers must follow best practices in four areas. Secure the product over its whole life; follow a coherent cybersecurity framework; show cybersecurity transparency; and ensure customers can use products securely. Sounds great, doesn't it? But the road to hell is paved with good intentions. The devil, as always, is in the details. Some of this has nothing to do with open source software. Good luck creating any program in any way that a clueless user can't screw up.
But the EU commissioners don't have a clue about how open source software works. Or, frankly, what it is. They think that open source is the same as proprietary software with a single company behind it that's responsible for the work and then monetizes it. Nope. Open source, as I've said over and over again, is not a business model. Sure, you can build businesses around it. Who doesn't these days? But just as the AWSes, Googles, and Facebooks of the world depend on open source software, they also use programs written by Tom, Denise, and Harry from around the world. The CRA's underlying assumption is that you can just add security to software, like adding a new color option to your car's paint job. We wish!
Securing software is a long, painful process. Many open source developers have neither the revenue nor resources to secure their programs to a government standard. The notional open source developer in Nebraska, thanklessly maintaining a vital small program, may not even know where Brussels is (it's in Belgium). They can't afford to secure their software to meet EU specifications. They often have no revenue. They certainly have no control over who uses their software. It's open source, for pity's sake! As open source developer Thomas Depierre recently blogged: "We are not suppliers. All the people writing and maintaining these projects, we are not suppliers. We do not have a business relationship with all these organizations. We are volunteers, writing code and putting it online under these Licenses." Exactly.
That again? (Score:5, Informative)
It is pretty simple: If you just publish software privately but are not a company and are not asking money for it, this does not apply to you. How often does this need to be stated?
This is just companies like Red Hat trying to avoid their responsibilities by lying by misdirection about how this is going to harm OSS. For FOSS this is simply not true. For commercial OSS, this is as it should be.
Re: That again? (Score:3)
Beat me to it, I was going to say pretty much the same thing. Random people writing software and publishing the source for free on the net are not subject to this sort of thing and are not subject to any standards for their non-professional, non-monetized hobby projects they share with others from hello_world all the way up to a full kernel+user land.
Re: (Score:3)
This is about assigning blame. If you as a company ship something, and 4 levels of dependencies down there is a security problem, which your usage of said dependency tree uncovered, who's to blame?
Say you, a "product with digital elements" vendor, used a framework that internally uses a language specific stdlib, and that your (and only your) usage of said framework triggers a bug in the stdlib which makes the underlying OS kernel belly up some security, who do you blame?
3 separate bugs create a security pro
Re: (Score:1)
EU laws are pretty clear for any commercial context: You ship it, you are responsible. You can delegate that responsibility by having a respective contract with your supplier, but that is it. That said, shipping a defective product does not automatically make you responsible for the damage. Otherwise Microsoft would have gone bankrupt a long time ago.
Re: (Score:2)
EU laws are pretty clear for any commercial context: You ship it, you are responsible. You can delegate that responsibility by having a respective contract with your supplier, but that is it. That said, shipping a defective product does not automatically make you responsible for the damage. Otherwise Microsoft would have gone bankrupt a long time ago.
The person that wrote the code and posted the software to some Internet-enabled repository could be argued in Court to be a "shipper".
By your own statement that poster would be responsible for what that code does.
Now spin the situation around another way...
How does the code written by some anonymous volunteer developer get posted to the Internet?
First, that developer has to RELEASE THAT CODE to the Internet by either posting to a repository themself or passing to someone that posted it; it does not magicall
Re: (Score:1)
EU laws are pretty clear for any commercial context: You ship it, you are responsible. You can delegate that responsibility by having a respective contract with your supplier, but that is it.
The person that wrote the code and posted the software to some Internet-enabled repository could be argued in Court to be a "shipper".
Shipper of what product to what customer? For what money?
We're discussing commercial product liability regulation. Redefining words in fanciful ways isn't useful.
Re: (Score:2)
The person that wrote the code and posted the software to some Internet-enabled repository could be argued in Court to be a "shipper".
Nope. This is the EU. We do not have jury-trials where complete nonsense like this can come out.
Re: That again? (Score:5, Insightful)
The company shipping the product is very clearly responsible.
If I post DIY videos on YouTube telling you how to fix plumbing and you take that information, open a plumbing business then fuck up someone's plumbing then you are 100% liable. My liability as the YouTube content creator of plumbing videos is absolutely zero.
If you know of a country where that isn't the case I'd love to hear about it, they must have some fascinating liability lawsuits I'd like to read about.
a nice example! (Score:2)
mod the parent up, someone...
Re: (Score:2)
Mostly. If you publish things knowingly that get people harmed or hurt you can be subject to criminal liability (i.e. you go to jail or get fined) and that can, in turn, also lead to civil liability as well.
That said, if it is clearly DIY (should be enough if you do not state or indicate that your advice is professional) and there are no specific laws against offering the advice you offer without being a licensed/certified/whatever professional, then you do indeed have no liability and the only responsibili
Re: (Score:2)
Publish things in the software sense or bad plumbing advice sense?
In the US that would be an extremely tough case to prosecute. Short of doing videos telling people how to make bombs and where to put them or writing ddos malware designed to take down infrastructure, the 1st amendment is a strong shield against most prosecutions.
My nephew publishes crypto "news". (Ugh, he's a total loss, just no talking sense into him). But I did get him to understand his potential liability and make clear statements on h
Re: (Score:2)
I think bad plumbing will not get you into hot water either, unless you deliberately advise something that causes, say, a methane buildup and people die in explosions as a result. Will still be difficult to prove you knew what you were doing in most cases.
Re: (Score:2)
Ok, got it, we're in agreement. I was just unclear on what you meant.
Re: (Score:2)
Indeed. The same is likely true for people that get paid to write and maintain FOSS and probably for non-profits.
Re:That again? (Score:5, Insightful)
I think that this is not enough. Consider an analogy.
If I walk down my local high street offering free food, which turns out to be badly kept and causes a lot of illness, that I was offering it for free should not absolve me of all harm. If I am a large supermarket and I sell food, which someone buys, keeps at room temp for three weeks, then eats and gets food poisoning, that I was offering it for cash should not make me guilty of all harm.
There needs to be a judgement about reasonableness here. The unfortunate thing is that in an area like software and supply chains, working out what is and what is not reasonable is difficult.
Conclusion: it is far from pretty simple.
Re: (Score:2)
This is food. I eat it. I don't mind you eating it, but don't come to me asking for any allergens.
It's not like I make you eat it. Eat it or not. I don't care. But I also won't care if you get sick of it. If you don't want to take the risk, simply don't eat it.
Yes, it is that simple.
Re: (Score:2)
This is food, I eat it.
You take it for free, season it, eat it, give a part of the rest to someone for free.
Turns out the combination of my food being badly kept and your seasoning is poisonous to the bloke with a weak digestive tract you gave it to.
Nothing would have happened if this swiss cheese model hadn't aligned like this.
Who's to blame?
With your description, when a hacked web page infects a computer with a virus, the person visiting it is responsible for that infection... Not how we think about thing
Re: (Score:2)
If a hacked webpage infects you with a virus, you were negligent with keeping your browser up to date.
Re: (Score:3)
Re: (Score:2)
I wouldn't worry about that lawsuit, if they can't be assed to update their webpage. If you happen to have an example where something like that actually worked out in favor of the tech illiterates, please present it so I can avoid that incompetent lawyer representing the person setting up the webpage.
Re: (Score:2)
Re: (Score:2)
That lawsuit won't happen. Because companies generally aren't as stupid as lawmakers are, which is also why the state of consumer protection is in the sorry state it's in. Instead, what will happen is what will always happen in EU: The laws will be ignored as the ivory tower bullshit they are and life will go on.
That's the thing about EU laws: Most of them, you can safely ignore as unenforceable and go on with your life, and everyone is happy. You can continue to do as you please, the politicians think they
Re: (Score:2)
Wrong use case. That would be liability for unpaid volunteer _services_. To become liable here, you generally need to have done something criminal. The source of that framework may be liable (or not) if it was bought.
Re: (Score:2)
Your analogy is flawed. Food is perishable and food can be a direct health risk _and_ food is something people need to survive. Incidentally, to be allowed to distribute food publicly, you need a license.
So, yes, for private citizens offering software for free, it is pretty simple: No assurance of quality, no liability. Get over it. Of course, if there is malware in there placed intentionally, criminal law comes into the picture and that "no liability" stops because there is intent to cause harm.
This whole
Re: (Score:2)
Incidentally, to be allowed to distribute food publicly, you need a license
Lol - in what country do you need a _license_ to sell food? Cooked or not?
I doubt I have ever been in a country where you needed a license to sell food from the field or sell it over the street cooked or in a restaurant.
Re: (Score:3)
Lol - in what country do you need a _license_ to sell food? Cooked or not?
For example in your country -- Germany.
The details are pretty fuzzy and depend a lot on your exact circumstances, but it's pretty tightly regulated. You need not only a certification that the persons performing the sale are safe ("Gesundheitszeugnis"), you need to demonstrate to your local authorities ("Gesundheitsamt") that your kitchen is safe. Sometimes this involves a certification in advance ("Abnahme"), sometimes it's based on regular controls and checks. If you sell it on the street, you might also n
Re: (Score:2)
Yes, you need to do that.
And all that: is not a license.
Re: That again? (Score:2)
And all that: is not a license.
That's arguing semantics.
You need permission from $authority one way or another. Whether you want to call it a "license", a "permit", a "registration requirement" or whatever is irrelevant. OP's point is that you can not simply just wake up on a Tuesday and sell omelette in front of your garage.
(If you're going to nitpick let's stop for a moment and consider that the "driver's license" in Germany is a "Fuehrerschein" - the same word used in "Fahrschein", which is the word for a [train or bus] ticket. Which
Re: (Score:2)
OP's point is that you can not simply just wake up on a Tuesday and sell omelette in front of your garage.
Actually: you can.
There are plenty of exceptions when a "license" is needed and when not. When you run a restaurant, you need an inspected/registered kitchen. If you sell over the street, especially as a one time event: nope. If you buy the omelette on the other side of the road from a bakery e.g. and resell it: nope.
And the main point was "food", we got sidetracked. Every farmer who so wants, sells his f
Re: (Score:3)
In Texas, USA, you need both a licensed kitchen and a licensed cook with a Food Handler's Permit to be able to sell prepared food to the public. For products coming directly from the field, you still need a Food Handler's Permit to sell in order to certify that the food has been stored correctly. The only way around this is allowing people onto your property to harvest the food directly themselves. I believe that similar regulations exist in all 50 states.
Re: (Score:2)
You need a kind of "license" for a/the kitchen in Germany, too.
But it is not a license. It is just a "we checked it and it looks oki" paper.
If you cook food at the road, and sell it over the street, you do not need a "license", as everyone sees your kitchen. Same for raw fruits from the field/garden.
As I mentioned to one above: a license means you have to go to a government agency and request a piece of paper, aka a license, as in "driving license". There is no such thing in Germany, France or Thailand. Wou
Re: (Score:2)
In Texas, it is a formal government application with training courses, for both the kitchen and the food handler. If you do not have one and are found to be selling food, you can be shut down, fined, and, if a repeat offender, arrested. Again, I'm pretty sure this is the same in the rest of the USA. I am pretty sure it is true in Denmark also... I know that they have pretty strict policing of restaurants.
Re: (Score:2)
In Germany there are regular inspections.
You have to announce that you want to cook.
That basically is it.
Formal food handling education got abolished like 25 years ago, it is replaced by "watching a video" which tells you to wash your hands after visiting the toilet. You get a "certificate" after you watched it, which never needs to be renewed.
Re:That again? (Score:4)
Basically in every 1st or 2nd world country you need some form of permit to sell food and are subject to sell food. These regulations often also extend to giving food away for free, e.g. opening a free soup kitchen. That you are not aware of that does not change the requirements.
Here is a reference for the US: https://www.fda.gov/food/food-... [fda.gov]
Re: (Score:2)
Basically in every 1st or 2nd world country you need some form of permit to sell food and are subject to sell food.
So Germany, France, Thailand are not 1st world countries?
No: you do not need a "permit" or a "license" to sell food.
You need a permit to sell firearms, or alcohol. And that's it. You could stretch your "permit" to "need special education" to sell pharmaceuticals. Aka: run a pharmacy. BUT you do not need a license or a permit to run one, you are just in bad luck if you do not have the degree. S
Re: (Score:3)
Yes, but in this case it's not the health department where you actually live that will (or may not) regulate or punish you for that hypothetical dodgy food. In this case it's the health department in another city in an entirely different state that's noticed you didn't explicitly write down "cook the chicken to 165" in your recipe book, and someone over there got sick from failing to do so. And now that health department in that other city & state (Where you do not reside and which may not have ever vi
Re: (Score:3)
Consider an analogy.
If I walk down my local high street offering free food, which turns out to be badly kept and causes a lot of illness, that I was offering it for free should not absolve me of all harm. If I am a large supermarket and I sell food, which someone buys, keeps at room temp for three weeks, then eats and gets food poisoning, that I was offering it for cash should not make me guilty of all harm.
Let's improve your analogy:
I have an apple tree in my front yard. Some people pick an apple (or several) from the tree as they pass by. Some people even make pies with the apples they picked from my tree. One person sells a pie they made from the apples they picked from my tree. Someone gets sick after eating a piece of a pie that was made using apples picked from my tree.
I am an OSS developer. The Apples are my code, free to any who choose to take it. The pies are applications that other people made u
Re: (Score:2)
Indeed. Of course, the suppliers could have asked you for a contract that puts some or all responsibility on you in exchange for money. If they did not do that or you declined, then the responsibility is on them. EU law is really very simple in this regard: The one you bought it from is the one responsible. And if you did not buy it, nobody is. There are some exceptions. For example, somebody selling you a device and giving you the software for it "for free" will likely still be liable, as this really is a
Re: (Score:2)
You are. If the trash disposal you did was according to local health and safety standards.
The CRA however makes me legally responsible for your actions.
The CRA does no such thing. Maybe you also need to take into account that the CRA does not stand alone. There are other laws and legal standards that restrict it without any need to state that explicitly in the CRA.
Re: (Score:1)
Software is not food. It has almost nothing in common with food. This analogy might express your feelings about the topic, but how is an engineer supposed to do anything with that?
The article claims that the legislation being proposed by the EU is out of step with the reality of software development, and appears to be so poorly thought out that it would effectively make open source development illegal. Those claims should be addressed on their own merit. If the counter-argument involves comparing a github
Re:That again? (Score:5, Informative)
The EU is itself responsible for the ongoing debate. Take the explanatory graphic on the CRA info page [european-c...ce-act.com] for example, the only criteria they mention at all are criticality, intended use, and extent of impact. They say nothing about origin there. The text on the page also says "It is about bringing together the knowledge from all services and all sources. From space to police trainers, from open source to development agencies. Their work gives us a unique scope and depth of knowledge." But this isn't about bringing together knowledge at all, it's about creating regulations. Their bullshit marketspeak is confusing the issue.
The definitions are also at issue, for example "product" is defined as "any software or hardware product", which is typically pathetic. You can't use the word in its own definition and have it be meaningful! What's more, this is SOP for the EU. For example, in the General Product Safety Directive product is defined as "any product - including in the context of providing a service - which is intended for consumers or likely, under reasonably foreseeable conditions, to be used by consumers even if not intended for them". Again, the definition can't contain the word. That's circular.
In the section of the CRA on "scope" there are NO exemptions for open source, software developed not for profit, or anything else. THAT is the place to exempt software. There are only exemptions for medical devices, aviation devices, and military devices which are already covered by other laws. But those laws are not in fact as stringent as this law, so in addition to all of the other failings, the EU is literally mandating that the devices where safety is most critical should have the least security.
Moving on with the definitions, "'manufacturer' means any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge;" so there's no exception there whatsoever.
Consequently the ONLY exception for OSS in the CRA applies to "software developed or supplied outside the course of a commercial activity" and this is not only not adequate, it is actively harmful [nlnetlabs.nl] because "developers of critical products may not perform self-assessment and need to involve third-party auditors". If your software is security critical, then you are not allowed to self-assess.
TL;DR: The carve-out is inadequate, in fact has deliberately been made to not apply to all important cases, and if passed as written will have a chilling effect on OSS development, as if you derive ANY benefit beyond code from the software, you will be a commercial manufacturer and subject to all of the provisions of the legislation.
Re: (Score:2)
Consequently the ONLY exception for OSS in the CRA applies to "software developed or supplied outside the course of a commercial activity"
Sounds perfectly reasonable to me. You sell it or otherwise make money off it, you are liable for product quality. Note that if the actual creator is doing this not for profit, then the liability goes only to the ones in the chain that make a profit off it. That is as it should be.
Re: (Score:3)
Sounds perfectly reasonable to me. You sell it or otherwise make money off it, you are liable for product quality.
What you're talking about here is the current developers of critical OSS no longer being able to work on it unless they are independently wealthy. It's the same exact wrongheaded logic as saying that politicians shouldn't be paid, which leads to rule purely by rich fucks. Important software will only be able to descend from ivory towers, or come from inside of corporations. If that's a good outcome to you, then you're actively supporting the de-democratization of OSS, which makes you the enemy.
Re: (Score:2)
Nope. If you get donations or some company pays you to work on it, that does not mean you profit off the product. For that you have to directly or indirectly sell it.
Example: GnuPG is nicely donation funded. This does not mean that GnuPG, if you download it from them, would fall under this regulation. If, on the other hand, you get GnuPG as part of a Red Hat distribution you paid for, then Red Hat is liable for quality.
That said, there is nothing wrong with anybody donating a security evaluation to GnuPG or
Re: (Score:2)
Nope. If you get donations or some company pays you to work on it, that does not mean you profit off the product.
are you sure? i wouldn't like to be in a place where i need to explain this to a judge who probably knows very little about this, especially not to defend myself from corporate lawyers trying to shift the blame of a fuck up on me.
i fully get your point, but while i think this is mostly hysteria from companies that specialize in parasiting open source and "journalists" fabricating "alarming news", i do see a murky area where a developer could get nailed just for a random donation, or even the opposite case whe
Re: (Score:2)
i fully get your point, but while i think this is mostly hysteria from companies that specialize in parasiting open source and "journalists" fabricating "alarming news", i do see a murky area where a developer could get nailed just for a random donation, or even the opposite case where a for profit company can mask a component as open source just to evade responsibility.
This is exactly the concern, and exactly why it will have a chilling effect, and [therefore] exactly why we all need to unite against it in its current form. They need to provide some explicit guidance and clarity on what is and is not excepted. This is not that. And it affects the entire world, so we should all be concerned.
Re: (Score:2)
i fully get your point, but while i think this is mostly hysteria from companies that specialize in parasiting open source and "journalists" fabricating "alarming news", i do see a murky area where a developer could get nailed just for a random donation, or even the opposite case where a for profit company can mask a component as open source just to evade responsibility.
This is exactly the concern, and exactly why it will have a chilling effect, and [therefore] exactly why we all need to unite against it in its current form. They need to provide some explicit guidance and clarity on what is and is not excepted. This is not that. And it affects the entire world, so we should all be concerned.
The wording of:
"software developed or supplied outside the course of a commercial activity"
could be interpreted as meaning that if you supply software _for_free_ to someone who themselves is _engaged_in_a_commercial activity_... then you're included.
Re: (Score:2)
It could be interpreted a whole bunch of ways. You could get done for having ads on your site or something stupid. They either need to clarify it, or if this is as clear as it gets, shove off. It can be fixed, maybe they plan to, who knows.
Re: (Score:2)
It could be interpreted a whole bunch of ways. You could get done for having ads on your site or something stupid. They either need to clarify it, or if this is as clear as it gets, shove off. It can be fixed, maybe they plan to, who knows.
Always assume:
1) anything you say online will be there forever
2) anything you say online can be used against you
Re: (Score:2)
Getting a donation does not cause you to have a sales contract with anybody and hence does not cause any liability. If it was a real donation.
I agree that some more clarity would be desirable. The panic that some assholes are trying to push is entirely misguided though or, as I strongly suspect, comes from some OSS vendors that do not want liability for their products.
Re: (Score:2)
Re: (Score:2)
do you have a point or are you just acting out?
Re: (Score:2)
Re: (Score:2)
even if you outright win the case, the mere prospect of such a process will discourage you to share your work in the first place. this is what "chilling effect" means ;-)
but the process can get much worse and you might even have to appeal once or twice. judges buying into aggressive lawyer's misrepresentations of concepts like "sharing", "server", "algorithm", "profit", etc is not a rare occurrence at all, for sure not in europe and specially not in lower courts. there is a whole litany of such rulings rega
Re: (Score:2)
Re: (Score:2)
Pretty much. You only profit off a product if you sell it directly or indirectly, ("indirectly" for example as a "free" part of a non-free bundle or with non-free hardware). IANAL, but I think the way this goes is that you getting paid is different from you making a sale. When you make a sale, you always enter into a contract with the one you sold to. When you get a salary or effort compensation for working on something, you have no contract with the users of that something. Your organization (which pays yo
Re: (Score:2)
If you think that is true then you don't understand medical device/software laws.
Re: That again? (Score:2)
Re: (Score:2)
Associação de Empresas de Software Open Source Portuguesas (ESOP)
CNLL, the French Open Source Business Association
The Document Foundation (TDF)
Eclipse Foundation
European Open Source
Re: (Score:2)
A look at who is behind these organizations and who finances them should nicely clear things up.
Re: (Score:2)
A look at who is behind these organizations and who finances them should nicely clear things up.
You can't be serious. Wow, your politics are...well...I think you just want people to suffer. If you don't understand it, it should burn right? I mean, you know nothing about energy production but yet you still have the certainty that should be reserved for mathematicians that you and only you know how we should make power. This is the same thing right? You don't make OSS software, you don't know organizations who make OSS software, which you use all the time for free. I think I will call your politic
Re: (Score:2)
Nope. I noticed a few absences of the organizations I would definitely expect to protest there and many I have never heard of being present. This thing "protest" stinks and not everybody is as gullible as you are.
Re: (Score:1)
I hope the EU can address this... (Score:5, Interesting)
In the early 2000s, after Sarbanes-Oxley in the US was enacted, a lot of places tore out working Linux installations to install Windows, solely because Windows was "SOX compliant", and Linux had no certifications like Red Book, C2, etc. Red Hat addressed this issue with FIPS and Common Criteria compliance, but until that was done, there was a time where Linux was being run out of the server room space, just because that bit of colored paper was more important than anything else.
I'm hoping this doesn't happen in the EU, because it will mean that companies will either resell F/OSS with a markup... or just enjoy the fact that F/OSS has major hurdles to climb.
What might be useful is a publicly available code scanner. If it matches everything, great. If it doesn't, explain the exception and move on. It may not catch everything, but it does due diligence, similar to scanning a file with ClamAV before uploading it.
Re: (Score:2)
Scanning source code for compliance is flawed because it is the binary built from the source code that actually runs on the hardware. In addition, source code typically has many different build options, and the binary usually has multiple different run-time options. Plus, there is more than one hardware architecture out there in the real world.
Also, there are toolchains involved in the build process that will influence what machine code appears in the binary. Along with a long list of toolchain build and run-
Re: (Score:2)
Scanning source code for compliance is flawed because it is the binary built from the source code that actually runs on the hardware. In addition, source code typically has many different build options, and the binary usually has multiple different run-time options. Plus, there is more than 1 hardware architecture out there in the real world.
Also, there are toolchains involved in the build process that will influence what machine code appears in the binary. Along with a long list of toolchain build and run-time options.
Modern embedded systems are deploying FPGA-based configurable hardware to allow greater flexibility in using different "hardware" in the field from boot-up. FPGA is in the twilight zone of not quite being hardware or software, or it is both at the same time. However, bugs in the FPGA design can cause compliant software to malfunction.
I guess root cause analysis of a security breach will blame something. But as we know, malfunctions can be a cascade of events, and if one link in that chain did not happen then a malfunction would be avoided.
'Shift left' has no meaning for this because it's the stuff on the right that's exposed to adversaries and actually handles the transactions.
Is it ... (Score:2)
Certs cost money (Score:2)
>Securing software is a long, painful process. Many open source developers have neither the revenue nor resources to secure their programs to a government standard.
Neither do a number of actual companies that would otherwise do it.
Fees to certification labs and the government for a mix of CAVP, CMVP and ESV certifications for a product containing cryptography can easily exceed $100,000 in the US.
If you have many different products, you don't get to reuse that. It's "per platform". So that cost turns into
Re: (Score:2)
The requirement should be for responsibility, not certification. Just like with purely physical goods (like food, appliances, or cars), if the product I buy from you is broken, you fix it; if your product hurts someone or something, you pay.
No more "this is our most secure product ever" and then hiding behind EULAs disclaiming any liability. Or charging for support for safety fixes.
But TFA is about government regulations. That puts ISO19790 and related national profiles in scope. What should be and what will be are different.
So users are going to have to pony up developers (Score:2)
The solution seems obvious: the companies that are using the open source software are going to have to pay developers to add security to the software. Still cheaper than developing all that software from scratch. I don't see why this is a poison pill.
Re: (Score:2)
In the open source world, some companies actively develop software fixes and code improvements using their own in-house developers and then give their source code to the community for free. The company gets the benefit of having their fixes and code improvements into the mainline tree of that open source project. When the company migrates to a newer codebase from the open source project, the company will get back their changes plus other people's changes. It can save companies effort over multiple product c
Isn't this what warranty disclaimers are for? (Score:2)
You know, that thing in all caps that takes up a third of the MIT/BSD/GPL copyright notices, keyboard-screaming at you about how you can't hold the author liable for how you use the software? I mean, correct me if I'm wrong, but it seems like if the EU started complaining about some company selling electronics that fell under scrutiny, and also went after the ImageMagick or OpenSSL devs because their software was in it, this is exactly what that clause is for.
Huh? Perpetual Log4j vulnerability? (Score:2)
There is no perpetual vulnerability.
A single version was / is affected.
Switch to a different one.
Simple.
What? Proprietary software isn't single source (Score:4, Informative)
They think that open source is the same as proprietary software with a single company behind it that's responsible for the work and then monetizes it.
When was proprietary software from a single source company? I write for these companies; they use libraries from other companies all the time. No software I know is written from scratch from the ground up. Closed source only removes the "show cybersecurity transparency" part.
Can't agree (Score:2)
We can all agree that securing our software is a good thing.
No, we can't all agree, because we don't all agree on what "securing" means.
Not a 'Product' (Score:2)
Free, Open-Source software is not a product. It's a tool you're welcome to use, but you exchanged nothing for it, and it has no warranty of suitability for any particular purpose (by most license text). This law wouldn't (or at least shouldn't) apply to this kind of software in any way.
The EU needs to hire someone who knows anything at all about software and the internet to help with this kind of legislati
Securing software is only hard... (Score:2)
Securing software is only hard if you don't do it in the design phase.
The longer you wait to think about security, the harder and more expensive it becomes.
Re: (Score:2)
Indeed. Has been known for at least half a century, still ignored by wannabe software "professionals" all over the world. The EU is just getting sick and tired of that crap and so am I.
Geo block public repos of Gitlab and GitHub for 2 (Score:2)
Maybe blocking European access to Gitlab and GitHub for a few days might help highlight how much is dependent on open source?
Maybe too extreme, but how should these policy makers be made aware of the risk they are creating?