Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)
We feel the current proposal misses a major opportunity. At a high level the 'essential cybersecurity requirements' are not unreasonable, but the compliance overhead can range from tough to impossible for small, or cash-strapped developers. The CRA could bring support to open-source developers maintaining the critical foundations of our digital society. But instead of introducing incentives for integrators or financial support via the CRA, the current proposal will overload small developers with compliance work.
Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)
Posted Nov 14, 2022 16:35 UTC (Mon) by jmclnx (subscriber, #72456) [Link]
To me, if it does pass as is, I can see development moving out of the EU, leaving the EU stuck with proprietary environments. Maybe the UK will be positioned well for this?
Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)
Posted Nov 14, 2022 17:36 UTC (Mon) by dvrabel (subscriber, #9500) [Link]
I have not read the regulations in detail but from a quick skim (particularly of Annex V and VI), the requirements are what I would expect a company producing such products to be doing anyway -- the requirements are pretty basic (design docs, threat assessment, test evidence etc.). If you're a company cobbling together a product from random open source components and claiming security in marketing material without any of the required engineering to ensure actual security, then, well, you're a company that deserves to fail.
Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)
Posted Nov 14, 2022 18:28 UTC (Mon) by Tov (subscriber, #61080) [Link]
Maybe the software industry will also produce better products, if challenged a bit to do so.
Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)
Posted Nov 14, 2022 17:31 UTC (Mon) by kleptog (subscriber, #1183) [Link]
It does propose an exemption for open-source software, but doesn't answer the question of who will do the work instead. We can make regulations that say something should happen, but it's all pointless unless someone actually does the work. We don't want to swamp start-ups in compliance work, but giving them a free pass to produce shitty products isn't really a good alternative either.
One approach would be to turn such "critical software" into a public good. The regular auditing of such products would be something undertaken or funded by a central authority. Or perhaps companies that do audits of open source software they use could actually publish the results. But that doesn't really help, because audits for complex software don't tend to find all the bugs. In general you're better off ensuring a good update mechanism than proving your software is bug-free.
Overall, I'm glad people are thinking about these issues, but I don't think it's going to be solved by regulation at this point. But you know, hammers and nails and all that.
Direct link to proposal: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)
Posted Nov 14, 2022 21:35 UTC (Mon) by mat2 (guest, #100235) [Link]
Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)
Posted Nov 14, 2022 22:07 UTC (Mon) by mtaht (subscriber, #11087) [Link]
Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)
Posted Nov 15, 2022 1:24 UTC (Tue) by tialaramex (subscriber, #21167) [Link]
The medium-term impact of EO 14028 was stuff like P2687R0, which is the first step of a proposal for C++ 26 describing this as an "Emergency" because of course the agencies said if you want secure software you should stop writing C and C++ (this draft proposal was written by Bjarne Stroustrup, whose name might ring a bell).
I see P2687 and similar efforts as mostly an attempt to say "We're doing something" in the hope that politicians will quickly forget about this, the proposed work can then be abandoned, or at least limited to documentation which is then abandoned, and life goes on. It is certainly the case that there's lots of C and C++ Free Software. On the other hand though, there's also a LOT of Free Software written in languages which these reports say you should consider instead, such as Java and Python and most relevantly in this context (and to LWN) Rust.
So this has that crisis property where aspects of danger and opportunity combine. To the extent that Free Software prefers C to something safer like Java, there are risks that world governments will decide they value safety more heavily than before and choose non-free alternatives which don't have use-after-free bugs. On the other hand, to the extent Free Software communities embrace safety features more readily than big slow proprietary behemoths there's a chance worthy Free Software solutions dominate inferior but widespread and commercially successful alternatives that can't make themselves safer enough, quickly enough.
It is unclear to me, and perhaps somebody with the right perspective can explain, why both the US and EU decided they want their computers to be secure specifically in the last 2-3 years but not, say, in the 1990s or 2000s.