'EU's Cyber Resilience Act Contains a Poison Pill for Open Source Developers' (theregister.com)

Veteran open source reporter Steven J. Vaughan-Nichols, writing at The Register: We can all agree that securing our software is a good thing. Thanks to one security fiasco after another -- the SolarWinds software supply chain attack, the perpetual Log4j vulnerability, and the npm maintainer protest code gone wrong -- we know we must secure our code. But the European Union's proposed Cyber Resilience Act (CRA) goes way, way too far in trying to regulate software security. At the top level, it looks good. Brussels states that before "products with digital elements" are allowed on the EU market, manufacturers must follow best practices in four areas. Secure the product over its whole life; follow a coherent cybersecurity framework; show cybersecurity transparency; and ensure customers can use products securely. Sounds great, doesn't it? But the road to hell is paved with good intentions. The devil, as always, is in the details. Some of this has nothing to do with open source software. Good luck creating any program in any way that a clueless user can't screw up.

But the EU commissioners don't have a clue about how open source software works. Or, frankly, what it is. They think that open source is the same as proprietary software with a single company behind it that's responsible for the work and then monetizes it. Nope. Open source, as I've said over and over again, is not a business model. Sure, you can build businesses around it. Who doesn't these days? But just as the AWSes, Googles, and Facebooks of the world depend on open source software, they also use programs written by Tom, Denise, and Harry from around the world. The CRA's underlying assumption is that you can just add security to software, like adding a new color option to your car's paint job. We wish!

Securing software is a long, painful process. Many open source developers have neither the revenue nor resources to secure their programs to a government standard. The notional open source developer in Nebraska, thanklessly maintaining a vital small program, may not even know where Brussels is (it's in Belgium). They can't afford to secure their software to meet EU specifications. They often have no revenue. They certainly have no control over who uses their software. It's open source, for pity's sake! As open source developer Thomas Depierre recently blogged: "We are not suppliers. All the people writing and maintaining these projects, we are not suppliers. We do not have a business relationship with all these organizations. We are volunteers, writing code and putting it online under these Licenses." Exactly.

  • That again? (Score:5, Informative)

    by gweihir ( 88907 ) on Friday May 12, 2023 @11:05AM (#63516669)

    It is pretty simple: If you just publish software privately but are not a company and are not asking money for it, this does not apply to you. How often does this need to be stated?

    This is just companies like Red Hat trying to avoid their responsibilities by lying by misdirection about how this is going to harm OSS. For FOSS this is simply not true. For commercial OSS, this is as it should be.

    • Beat me to it, I was going to say pretty much the same thing. Random people writing software and publishing the source for free on the net are not subject to this sort of thing and are not subject to any standards for their non-professional, non-monetized hobby projects they share with others from hello_world all the way up to a full kernel+user land.

      • This is about assigning blame. If you as a company ship something, and 4 levels of dependencies down there is a security problem, which your usage of said dependency tree uncovered, who's to blame?
        Say you, a "product with digital elements" vendor, used a framework that internally uses a language specific stdlib, and that your (and only your) usage of said framework triggers a bug in the stdlib which makes the underlying OS kernel belly up some security, who do you blame?
        3 separate bugs create a security pro

        • by gweihir ( 88907 )

          EU laws are pretty clear for any commercial context: You ship it, you are responsible. You can delegate that responsibility by having a respective contract with your supplier, but that is it. That said, shipping a defective product does not automatically make you responsible for the damage. Otherwise Microsoft would have gone bankrupt a long time ago.

          • EU laws are pretty clear for any commercial context: You ship it, you are responsible. You can delegate that responsibility by having a respective contract with your supplier, but that is it. That said, shipping a defective product does not automatically make you responsible for the damage. Otherwise Microsoft would have gone bankrupt a long time ago.

            The person that wrote the code and posted the software to some Internet-enabled repository could be argued in Court to be a "shipper".

            By your own statement that poster would be responsible for what that code does.

            Now spin the situation around another way...

            How does the code written by some anonymous volunteer developer get posted to the Internet?

            First, that developer has to RELEASE THAT CODE to the Internet by either posting to a repository themself or passing to someone that posted it; it does not magicall

            • by Anonymous Coward

              EU laws are pretty clear for any commercial context: You ship it, you are responsible. You can delegate that responsibility by having a respective contract with your supplier, but that is it.

              The person that wrote the code and posted the software to some Internet-enabled repository could be argued in Court to be a "shipper".

              Shipper of what product to what customer? For what money?

              We're discussing commercial product liability regulation. Redefining words in fanciful ways isn't useful.

            • by gweihir ( 88907 )

              The person that wrote the code and posted the software to some Internet-enabled repository could be argued in Court to be a "shipper".

              Nope. This is the EU. We do not have jury-trials where complete nonsense like this can come out.

        • Re: That again? (Score:5, Insightful)

          by iAmWaySmarterThanYou ( 10095012 ) on Friday May 12, 2023 @01:52PM (#63517227)

          The company shipping the product is very clearly responsible.

          If I post DIY videos on YouTube telling you how to fix plumbing and you take that information, open a plumbing business then fuck up someone's plumbing then you are 100% liable. My liability as the YouTube content creator of plumbing videos is absolutely zero.

          If you know of a country where that isn't the case I'd love to hear about it, they must have some fascinating liability lawsuits I'd like to read about.

          • mod the parent up, someone...

          • by gweihir ( 88907 )

            Mostly. If you publish things knowingly that get people harmed or hurt you can be subject to criminal liability (i.e. you go to jail or get fined) and that can, in turn, also lead to civil liability as well.

            That said, if it is clearly DIY (should be enough if you do not state or indicate that your advice is professional) and there are no specific laws against offering the advice you offer without being a licensed/certified/whatever professional, then you do indeed have no liability and the only responsibili

            • Publish things in the software sense or bad plumbing advice sense?

              In the US that would be an extremely tough case to prosecute. Short of doing videos telling people how to make bombs and where to put them or writing ddos malware designed to take down infrastructure, the 1st amendment is a strong shield against most prosecutions.

              My nephew publishes crypto "news". (Ugh, he's a total loss, just no talking sense into him). But I did get him to understand his potential liability and make clear statements on h

              • by gweihir ( 88907 )

                I think bad plumbing will not get you into hot water either, unless you deliberately advise something that causes, say, a methane buildup and people die in explosions as a result. Will still be difficult to prove you knew what you were doing in most cases.

      • by gweihir ( 88907 )

        Indeed. The same is likely true for people that get paid to write and maintain FOSS and probably for non-profits.

    • Re:That again? (Score:5, Insightful)

      by Phillip2 ( 203612 ) on Friday May 12, 2023 @11:15AM (#63516711)

      I think that this is not enough. Consider an analogy.

      If I walk down my local high street offering free food, which turns out to be badly kept and causes a lot of illness, that I was offering it for free should not absolve me of all harm. If I am a large supermarket and I sell food, which someone buys, keeps at room temp for three weeks, then eats and gets food poisoning, that I was offering it for cash should not make me guilty of all harm.

      There needs to be a judgement about reasonableness here. The unfortunate thing is that in an area like software and supply chains working out what and what is not reasonable is difficult.

      Conclusion: it is far from pretty simple.

      • This is food. I eat it. I don't mind you eating it, but don't come to me asking for any allergens.

        It's not like I make you eat it. Eat it or not. I don't care. But I also won't care if you get sick of it. If you don't want to take the risk, simply don't eat it.

        Yes, it is that simple.

        • This is food, I eat it.
          You take it for free, season it, eat it, give a part of the rest to someone for free.

          Turns out the combination of my food being badly kept and your seasoning is poisonous to the bloke with a weak digestive tract you gave it to.
          Nothing would have happened if this Swiss cheese model hadn't aligned like this.
          Who's to blame?

          With your description, when a hacked web page infects a computer with a virus, the person visiting it is responsible for that infection... Not how we think about thing

          • If a hacked webpage infects you with a virus, you were negligent with keeping your browser up to date.

            • by sfcat ( 872532 )
              Say you set up a website for a non-profit in your spare time. You tell them how to update it but they aren't very technical. Several years later you get sued over some security bug in the web framework you used. If you create liability for software developers in this case, you will have no more software developers. Who would give away their work for free (which is a bit crazy) but add to that legal liability? This law will be the mother of unintended consequences. Say good bye to any sort of good Samar
              • I wouldn't worry about that lawsuit, if they can't be assed to update their webpage. If you happen to have an example where something like that actually worked out in favor of the tech illiterates, please present it so I can avoid that incompetent lawyer representing the person setting up the webpage.

                • by sfcat ( 872532 )
                  Missing the point I see. I guess you like throwing a few months of salary at a lawyer for no real reason. The rest of the world will simply move as Europe continues its slide into irrelevancy. Just being able to win the lawsuit is besides the point. Just the threat of legal action is enough to keep people from doing things they might otherwise. This is well founded in just about every industry in the economy. Just because you are naive enough to ignore what the other 99% of people will take into accou
                  • That lawsuit won't happen. Because companies generally aren't as stupid as lawmakers are, which is also why the state of consumer protection is in the sorry state it's in. Instead, what will happen is what will always happen in EU: The laws will be ignored as the ivory tower bullshit they are and life will go on.

                    That's the thing about EU laws: Most of them, you can safely ignore as unenforceable and go on with your life, and everyone is happy. You can continue to do as you please, the politicians think they

              • by gweihir ( 88907 )

                Wrong use case. That would be liability for unpaid volunteer _services_. To become liable here, you generally need to have done something criminal. The source of that framework may be liable (or not) if it was bought.

      • by gweihir ( 88907 )

        Your analogy is flawed. Food is perishable and food can be a direct health risk _and_ food is something people need to survive. Incidentally, to be allowed to distribute food publicly, you need a license.

        So, yes, for private citizens offering software for free, it is pretty simple: No assurance of quality, no liability. Get over it. Of course, if there is malware in there placed intentionally, criminal law comes into the picture and that "no liability" stops because there is intent to cause harm.

        This whole

        • Incidentally, to be allowed to distribute food publicly, you need a license
          Lol - in what country do you need a _license_ to sell food? Cooked or not?

          I doubt I have ever been in a country where you needed a license to sell food from the field or sell it over the street cooked or in a restaurant.

            Lol - in what country do you need a _license_ to sell food? Cooked or not?

            For example in your country -- Germany.

            The details are pretty fuzzy and depend a lot on your exact circumstances, but it's pretty tightly regulated. You need not only a certification that the persons performing the sale are safe ("Gesundheitszeugnis"), you need to demonstrate to your local authorities ("Gesundheitsamt") that your kitchen is safe. Sometimes this involves a certification in advance ("Abnahme"), sometimes it's based on regular controls and checks. If you sell it on the street, you might also n

            • Yes, you need to do that.

              And all that: is not a license.

              • And all that: is not a license.

                That's arguing semantics.

                You need permission from $authority one way or another. Whether you want to call it a "license", a "permit", a "registration requirement" or whatever is irrelevant. OP's point is that you can not simply just wake up on a Tuesday and sell omelette in front of your garage.

                (If you're going to nitpick let's stop for a moment and consider that the "driver's license" in Germany is a "Fuehrerschein" - the same word used in "Fahrschein", which is the word for a [train or bus] ticket. Which

                • OP's point is that you can not simply just wake up on a Tuesday and sell omelette in front of your garage.
                  Actually: you can.

                  There are plenty of exceptions when a "license" is needed and when not. When you run a restaurant, you need an inspected/registered kitchen. If you sell over the street, especially as a one time event: nope. If you buy the omelette on the other side of the road from a bakery e.g. and resell it: nope.

                  And the main point was "food", we got sidetracked. Every farmer who so wants, sells his f

          • In Texas, USA, you need both a licensed kitchen and a licensed cook with a Food Handler's Permit to be able to sell prepared food to the public. For products coming directly from the field, you still need a Food Handler's Permit to sell in order to certify that the food has been stored correctly. The only way around this is allowing people onto your property to harvest the food directly themselves. I believe that similar regulations exist in all 50 states.

            • You need a kind of "license" for a/the kitchen in Germany, too.
              But it is not a license. it is just a "we checked it and it looks oki" paper.

              If you cook food at the road, and sell it over the street, you do not need a "license", as everyone sees your kitchen. Same for raw fruits from the field/garden.

              As I mentioned to one above: a license means you have to go to a government agency and request a piece of paper, aka a license, as in "driving license". There is no such thing in Germany, France or Thailand. Wou

              • In Texas, it is a formal government application with training courses, for both the kitchen and the food handler. If you do not have one and are found to be selling food, you can be shut down, fined, and, if repeat offender, arrested. Again, I'm pretty sure this is the same in rest of USA. I am pretty sure it is true in Denmark also... I know that they have pretty strict policing of restaurants.

                • In Germany there are regular inspections.
                  You have to announce that you want to cook.
                  That basically is it.

                  Formal food handling education got abolished like 25 years ago, it is replaced by "watching a video" which tells you to wash your hands after visiting the toilet. You get a "certificate" after you watched it, which never needs to be renewed.

          • by gweihir ( 88907 ) on Friday May 12, 2023 @01:00PM (#63517069)

            Basically in every 1st or 2nd world country you need some form of permit to sell food and are subject to sell food. These regulations often also extend to giving food away for free, e.g. opening a free soup kitchen. That you are not aware of that does not change the requirements.

            Here is a reference for the US: https://www.fda.gov/food/food-... [fda.gov]

            • Basically in every 1st or 2nd world country you need some form of permit to sell food and are subject to sell food.
              So Germany, France, Thailand are not 1st world countries?

              No: you do not need a "permit" or a "license" to sell food.

              You need a permit to sell fire arms, or alcohol. And that's it. You could stretch your "permit" to "need special education" to sell pharmaceutics. Aka: run a pharmacy. BUT you do not need a license or a permit to run one, you are just in bad luck if you do not have the degree. S

      • Yes, but in this case it's not the health department where you actually live that will (or may not) regulate or punish you for that hypothetical dodgy food. In this case it's the health department in another city in an entirely different state that's noticed you didn't explicitly write down "cook the chicken to 165" in your recipe book, and someone over there got sick from failing to do so. And now that health department in that other city & state (Where you do not reside and which may not have ever vi

      • Consider an analogy.

        If I walk down my local high street offering free food, which turns out to be badly kept and causes a lot of illness, that I was offering it for free should not absolve me of all harm. If I am a large supermarket and I sell food, which someone buys, keeps at room temp for three weeks, then eats and gets food poisoning, that I was offering it for cash should not make me guilty of all harm.

        Lets improve your analogy:

        I have an apple tree in my front yard. Some people pick an apple (or several) from the tree as they pass by. Some people even make pies with the apples they picked from my tree. One person sells a pie they made from the apples they picked from my tree. Someone gets sick after eating a piece of a pie that was made using apples picked from my tree.

        I am an OSS developer. The Apples are my code, free to any who choose to take it. The pies are applications that other people made u

        • by gweihir ( 88907 )

          Indeed. Of course, the suppliers could have asked you for a contract that puts some or all responsibility on you in exchange for money. If they did not do that or you declined, then the responsibility is on them. EU law is really very simple in this regard: The one you bought it from is the one responsible. And if you did not buy it, nobody is. There are some exceptions. For example, somebody selling you a device and giving you the software for it "for free" will likely still be liable, as this really is a

      • Software is not food. It has almost nothing in common with food. This analogy might express your feelings about the topic, but how is an engineer supposed to do anything with that?

        The article claims that the legislation being proposed by the EU is out of step with the reality of software development, and appears to be so poorly thought out that it would effectively make open source development illegal. Those claims should be addressed on their own merit. If the counter-argument involves comparing a github

    • Re:That again? (Score:5, Informative)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday May 12, 2023 @11:41AM (#63516805) Homepage Journal

      The EU is itself responsible for the ongoing debate. Take the explanatory graphic on the CRA info page [european-c...ce-act.com] for example, the only criteria they mention at all are criticality, intended use, and extent of impact. They say nothing about origin there. The text on the page also says "It is about bringing together the knowledge from all services and all sources. From space to police trainers, from open source to development agencies. Their work gives us a unique scope and depth of knowledge." But this isn't about bringing together knowledge at all, it's about creating regulations. Their bullshit marketspeak is confusing the issue.

      The definitions are also at issue, for example "product" is defined as "any software or hardware product", which is typically pathetic. You can't use the word in its own definition and have it be meaningful! What's more, this is SOP for the EU. For example, in the General Product Safety Directive product is defined as "any product - including in the context of providing a service - which is intended for consumers or likely, under reasonably foreseeable conditions, to be used by consumers even if not intended for them". Again, the definition can't contain the word. That's circular.

      In the section of the CRA on "scope" there are NO exemptions for open source, software developed not for profit, or anything else. THAT is the place to exempt software. There are only exemptions for medical devices, aviation devices, and military devices which are already covered by other laws. But those laws are not in fact as stringent as this law, so in addition to all of the other failings, the EU is literally mandating that the devices where safety is most critical should have the least security.

      Moving on with the definitions, "'manufacturer' means any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge;" so there's no exception there whatsoever.

      Consequently the ONLY exception for OSS in the CRA applies to "software developed or supplied outside the course of a commercial activity" and this is not only not adequate, it is actively harmful [nlnetlabs.nl] because "developers of critical products may not perform self-assessment and need to involve third-party auditors". If your software is security critical, then you are not allowed to self-assess.

      TL;DR: The carve-out is inadequate, has in fact deliberately been made to not apply to all important cases, and if passed as written will have a chilling effect on OSS development as if you derive ANY benefit beyond code from the software, you will be a commercial manufacturer and subject to all of the provisions of the legislation.

      • by gweihir ( 88907 )

        Consequently the ONLY exception for OSS in the CRA applies to "software developed or supplied outside the course of a commercial activity"

        Sounds perfectly reasonable to me. You sell it or otherwise make money off it, you are liable for product quality. Note that if the actual creator is doing this not for profit, then the liability goes only to the ones in the chain that make a profit of it. That is as it should be.

        • Sounds perfectly reasonable to me. You sell it or otherwise make money off it, you are liable for product quality.

          What you're talking about here is the current developers of critical OSS no longer being able to work on it unless they are independently wealthy. It's the same exact wrongheaded logic as saying that politicians shouldn't be paid, which leads to rule purely by rich fucks. Important software will only be able to descend from ivory towers, or come from inside of corporations. If that's a good outcome to you, then you're actively supporting the de-democratization of OSS, which makes you the enemy.

          • by gweihir ( 88907 )

            Nope. If you get donations or some company pays you to work on it, that does not mean you profit off the product. For that you have to directly or indirectly sell it.

            Example: GnuPG is nicely donation funded. This does not mean that GnuPG, if you download it from them, would fall under this regulation. If, on the other hand, you get GnuPG as part of a Red Hat distribution you paid for, then Red Hat is liable for quality.

            That said, there is nothing wrong with anybody donating a security evaluation to GnuPG or

            • by znrt ( 2424692 )

              Nope. If you get donations or some company pays you to work on it, that does not mean you profit off the product.

              are you sure? i wouldn't like to be in a place where i need to explain this to a judge who probably knows very little about this, especially not to defend myself from corporate lawyers trying to shift the blame of a fuck up on me.

              i fully get your point, but while i think this is mostly hysteria from companies that specialize in parasiting open source and "journalists" fabricating "alarming news", i do see a murky area where a developer could get nailed just for a random donation, or even the opposite case whe

              • i fully get your point, but while i think this is mostly hysteria from companies that specialize in parasiting open source and "journalists" fabricating "alarming news", i do see a murky area where a developer could get nailed just for a random donation, or even the opposite case where a for profit company can mask a component as open source just to evade responsibility.

                This is exactly the concern, and exactly why it will have a chilling effect, and [therefore] exactly why we all need to unite against it in its current form. They need to provide some explicit guidance and clarity on what is and is not excepted. This is not that. And it affects the entire world, so we should all be concerned.

                • i fully get your point, but while i think this is mostly hysteria from companies that specialize in parasiting open source and "journalists" fabricating "alarming news", i do see a murky area where a developer could get nailed just for a random donation, or even the opposite case where a for profit company can mask a component as open source just to evade responsibility.

                  This is exactly the concern, and exactly why it will have a chilling effect, and [therefore] exactly why we all need to unite against it in its current form. They need to provide some explicit guidance and clarity on what is and is not excepted. This is not that. And it affects the entire world, so we should all be concerned.

                  The wording of:
                  "software developed or supplied outside the course of a commercial activity"
                  could be interpreted as meaning that if you supply software _for_free_ to someone who themselves is _engaged_in_a_commercial activity_... then you're included.

                  • It could be interpreted a whole bunch of ways. You could get done for having ads on your site or something stupid. They either need to clarify it, or if this is as clear as it gets, shove off. It can be fixed, maybe they plan to, who knows.

                    • It could be interpreted a whole bunch of ways. You could get done for having ads on your site or something stupid. They either need to clarify it, or if this is as clear as it gets, shove off. It can be fixed, maybe they plan to, who knows.

                      Always assume:
                      1) anything you say online will be there forever
                      2) anything you say online can be used against you

                • by gweihir ( 88907 )

                  Getting a donation does not cause you to have a sales contract with anybody and hence does not cause any liability. If it was a real donation.

                  I agree that some more clarity would be desirable. The panic that some assholes are trying to push is entirely misguided though or, as I strongly suspect, comes from some OSS vendors that do not want liability for their products.

              • by sfcat ( 872532 )
                Tell me you don't develop OSS software without telling me you don't develop OSS software.
              • Where will you find a judge that doesn't understand the difference between you operating a commercial business and you living off donations? That is the only distinction, how FOSS works or how compilers work will not be an issue in any such court case.
                • by znrt ( 2424692 )

                  even if you outright win the case, the mere prospect of such a process will discourage you from sharing your work in the first place. this is what "chilling effect" means ;-)

                  but the process can get much worse and you might even have to appeal once or twice. judges buying into aggressive lawyer's misrepresentations of concepts like "sharing", "server", "algorithm", "profit", etc is not a rare occurrence at all, for sure not in europe and specially not in lower courts. there is a whole litany of such rulings rega

                  • We are not talking about US courts here. We are most likely not even talking about any court at all, this will be a fine from the EU and they will just have to look in their registry to see if you are a registered business or not.
              • by gweihir ( 88907 )

                Pretty much. You only profit off a product if you sell it directly or indirectly, ("indirectly" for example as a "free" part of a non-free bundle or with non-free hardware). IANAL, but I think the way this goes is that you getting paid is different from you making a sale. When you make a sale, you always enter into a contract with the one you sold to. When you get a salary or effort compensation for working on something, you have no contract with the users of that something. Your organization (which pays yo

      • But those laws are not in fact as stringent as this law, so in addition to all of the other failings, the EU is literally mandating that the devices where safety is most critical should have the least security.

        If you think that is true then you don't understand medical device/software laws.

      • You missed that you need to distribute it under a trade mark (i.e. you're using it in a business). If you have a repo and you're just putting your name on it, it's not a trademark and are therefore not covered under this law
    • The following Executive Directors, Board Chairs, and Presidents on behalf of the following organizations disagree with your interpretation, which is why they wrote an open letter to the European Parliament last month (https://newsroom.eclipse.org/news/announcements/open-letter-european-commission-cyber-resilience-act):

      Associação de Empresas de Software Open Source Portuguesas (ESOP)
      CNLL, the French Open Source Business Association
      The Document Foundation (TDF)
      Eclipse Foundation
      European Open Source
      • by gweihir ( 88907 )

        A look at who is behind these organizations and who finances them should nicely clear things up.

        • by sfcat ( 872532 )

          A look at who is behind these organizations and who finances them should nicely clear things up.

          You can't be serious. Wow, your politics are...well...I think you just want people to suffer. If you don't understand it, it should burn right? I mean, you know nothing about energy production but yet you still have the certainty that should be reserved for mathematicians that you and only you know how we should make power. This is the same thing right? You don't make OSS software, you don't know organizations who make OSS software, which you use all the time for free. I think I will call your politic

          • by gweihir ( 88907 )

            Nope. I noticed a few absences of the organizations I would definitely expect to protest there and many I have never heard of being present. This "protest" thing stinks and not everybody is as gullible as you are.

    • by poaky ( 1254926 )
      From the Proposal for a Regulation on Cybersecurity Requirements for Products with Digital Elements [europa.eu]:

      In order not to hamper innovation or research, free and open-source software
      developed or supplied outside the course of a commercial activity should not be
      covered by this Regulation. This is in particular the case for software, including its
      source code and modified versions, that is openly shared and freely accessible, usable,
      modifiable and redistributable. In the context of software, a commercial activit

  • by ctilsie242 ( 4841247 ) on Friday May 12, 2023 @11:09AM (#63516689)

    In the early 2000s, after Sarbanes-Oxley in the US was enacted, a lot of places tore out working Linux installations to install Windows, solely because Windows was "SOX compliant", and Linux had no certifications like Red Book, C2, etc. Red Hat addressed this issue with FIPS and Common Criteria compliance, but until that was done, there was a time where Linux was being run out of the server room space, just because that bit of colored paper was more important than anything else.

    I'm hoping this doesn't happen in the EU, because it will mean that companies will either resell F/OSS with a markup... or just enjoy the fact that F/OSS has major hurdles to climb.

    What might be useful is a publicly available code scanner. If it matches everything, great. If it doesn't, explain the exception and move on. It may not catch everything, but it does due diligence, similar to scanning a file with ClamAV before uploading it.

    • Scanning source code for compliance is flawed because it is the binary built from the source code that actually runs on the hardware. In addition, source code typically has many different build options, and the binary usually has multiple different run-time options. Plus, there is more than 1 hardware architecture out there in the real world.

      Also, there are toolchains involved in the build process that will influence what machine code appears in the binary. Along with a long list of toolchain build and run-

      • Scanning source code for compliance is flawed because it is the binary built from the source code that actually runs on the hardware. In addition, source code typically has many different build options, and the binary usually has multiple different run-time options. Plus, there is more than 1 hardware architecture out there in the real world.

        Also, there are toolchains involved in the build process that will influence what machine code appears in the binary. Along with a long list of toolchain build and run-time options.

        Modern embedded systems are deploying FPGA-based configurable hardware to allow greater flexibility in using different "hardware" in the field from boot-up. FPGA is in the twilight zone of not quite being hardware or software, or it is both at the same time. However, bugs in the FPGA design can cause compliant software to malfunction.

        I guess root cause analysis of a security breach will blame something. But as we know, malfunctions can be a cascade of events, and if one link in that chain did not happen then a malfunction would be avoided.

        'Shift left' has no meaning for this because it's the stuff on the right that's exposed to adversaries and actually handles the transactions.

  • ... a market if you give it away?

  • >Securing software is a long, painful process. Many open source developers have neither the revenue nor resources to secure their programs to a government standard.

    Neither do a number of actual companies that would otherwise do it.
    Fees to certification labs and the government for a mix of CAVP, CMVP and ESV certifications for a product containing cryptography can easily exceed $100,000 in the US.
    If you have many different products, you don't get to reuse that. It's "per platform". So that cost turns into

  • The solution seems obvious: the companies that are using the open source software are going to have to pay developers to add security to the software. Still cheaper than developing all that software from scratch. I don't see why this is a poison pill.

    • In the open source world, some companies actively develop software fixes and code improvements using their own in-house developers and then give their source code to the community for free. The company gets the benefit of having their fixes and code improvements into the mainline tree of that open source project. When the company migrates to a newer codebase from the open source project, the company will get back their changes plus other people's changes. It can save companies effort over multiple product c

  • You know, that thing in all caps that takes up a third of the MIT/BSD/GPL copyright notices, keyboard-screaming at you about how you can't hold the author liable for how you use the software? I mean, correct me if I'm wrong, but it seems like if the EU started complaining about some company selling electronics that fell under scrutiny, and also went after the ImageMagick or OpenSSL devs because their software was in it, this is exactly what that clause is for.

  • There is no perpetual vulnerability.
    A single version was / is affected.
    Switch to a different one.

    Simple.

  • by ewibble ( 1655195 ) on Friday May 12, 2023 @12:36PM (#63517001)

    They think that open source is the same as proprietary software with a single company behind it that's responsible for the work and then monetizes it.

    When was proprietary software from a single source company? I write for these companies; they use libraries from other companies all the time. No software I know is written from scratch from the ground up. Closed source only removes the "show cybersecurity transparency" part.

  • We can all agree that securing our software is a good thing.

    No, we can't all agree, because we don't all agree on what "securing" means.

  • You pay for or exchange something for a product. A product is an element of commerce or exchange.

    Free, Open-Source software is not a product. It's a tool you're welcome to use, but you exchanged nothing for it, and it has no warranty of suitability for any particular purpose (by most license text). This law wouldn't (or at least shouldn't) apply to this kind of software in any way.

    The EU needs to hire someone who knows anything at all about software and the internet to help with this kind of legislati

  • Securing software is only hard if you don't do it in the design phase.

    The longer you wait to think about security, the harder and more expensive it becomes.

    • by gweihir ( 88907 )

      Indeed. Has been known for at least half a century, still ignored by wannabe software "professionals" all over the world. The EU is just getting sick and tired of that crap and so am I.

  • Maybe blocking European access to Gitlab and GitHub for a few days might help highlight how much is dependent on open source?

    Maybe too extreme, but how should these policy makers be made aware of the risk they are creating?
