
 1 year ago
source link: https://news.slashdot.org/story/23/01/26/1211223/eus-proposed-ce-mark-for-software-could-have-dire-impact-on-open-source

EU's Proposed CE Mark for Software Could Have Dire Impact on Open Source


The EU's proposed Cyber Resilience Act (CRA), which aims to "bolster cybersecurity rules to ensure more secure hardware and software products," could have severe unintended consequences for open source software, according to leaders in the open source community. From a report: The proposed Act can be described as CE marking for software products and has four specific objectives. One is to require manufacturers to improve the security of products with digital elements "throughout the whole life cycle." Second is to offer a "coherent cybersecurity framework" by which to measure compliance. Third is to improve the transparency of digital security in products, and fourth is to enable customers to "use products with digital elements securely." The draft legislation includes an impact assessment that says "for software developers and hardware manufacturers, it will increase the direct compliance costs for new cybersecurity requirements, conformity assessment, documentation and reporting obligations." This extra cost is part of a total cost of compliance, including the burden on businesses and public authorities, estimated at EUR 29 billion ($31.54 billion), and consequent higher prices for consumers. However, the legislators foresee a cost reduction from security incidents estimated at EUR 180 to 290 billion annually. The question is though: how can free software developers afford the cost of compliance, when lack of funding is already a critical issue for many projects? Mike Milinkovich, director of the Eclipse Foundation, said it is "deeply concerned that the CRA could fundamentally alter the social contract which underpins the entire open source ecosystem: open source software provided for free, for any purpose, which can be modified and further distributed for free, but without warranty or liability to the authors, contributors, or open source distributors. Legally altering this arrangement through legislation can reasonably be expected to cause unintended consequences to the innovation economy in Europe."

How does the EU propose to function without the software that the internet runs on? How does the EU propose to function without timely security updates?

  • My guess is some company (RHEL?) would supply the services and accountability/liability, for a price of course.

    The summary calls this an "unintended consequence," but it is intended, or at least inevitable, that everything gets a whole lot more restrictive if you truly want to eliminate unverified code [xkcd.com] all the way through your stack. Developers may end up with a restricted distribution with a small number of packages available for use as the cost of verifying each one is high.

    Everybody on the internet (slashdot) is always clamoring for heads to roll when bugs cause problems and nobody is accountable, but be careful what you wish for. If you've ever worked in a high-consequence software environment, it is not fun, and not productive. It is necessary sometimes. But carelessly applying all that process to everything would be a huge downer.

      • Your password must contain at least 2 upper case letters, 2 lower case letters, 3 numerals, 2 punctuation marks, and be 16 characters long. To further improve security your password must also be changed every 2 weeks, and you must memorize it because if we see any post-it note that looks like a password you will lose access to IT services (because sadly, we at IT can't fire you. yet.)

    • Re:

      Honestly, I think it would be fantastic to have a solid well-reviewed software base. One of my biggest complaints about people who write OSS is that most seem to have zero problem with including a massive number of dependencies, obscure or otherwise.

      I would also love it if glibc would stop expanding because it keeps giving itself new CVEs.

  • by gweihir ( 88907 ) on Thursday January 26, 2023 @10:53AM (#63242203)

    It will not do any of those things. What happened is that some commercial OSS and closed-source providers got a story out that is grossly misstating the facts, because they see their profits threatened which they make by screwing over their customers. You can still use "absolutely no warranty" FOSS even in heavily regulated environments. You just need to declare it and do proper risk management. And that is a good thing.

    Incidentally, I happen to know from some large banks that FOSS is in heavy use and not just RHEL or SEL. What I had to do to get a specific piece of FOSS software into production in one of them was to declare what it is, where it comes from, how the sources will be archived and why I need it and what safeguards are in place to make sure it works as intended (i.e. does it go through regular testing?). All in all not hard to do as there already was an established procedure and FOSS decision board.

    • Re:

      I get that the main packages (and dependencies) are archived in that kind of scenario, but how deep does dependency analysis go? Do they track that 5 internal projects all end up relying on some random library and the impact of a bug at that level?

      • Re:

        This is an excellent question. Especially in the context of web-frameworks where indirect dependencies are a massive problem.

        In this specific bank, there was an absolute prohibition against pulling in anything from outside. You had to get everything into the internal repositories and that meant getting it approved. That takes care of deep-dependencies. Yes, it also meant some frameworks were simply not available, but banks are places where you work with the computers and presentation is secondary.

        For my cas

      • Re:

        Something that gets the world of web development away from the current insane dependency hierarchies would not necessarily be a bad thing. They absolutely are a huge liability and a massive pile of security and legal problems waiting to happen. That absolutely does create a risk for anyone depending on them. And much of it absolutely isn't necessary and really is just down to the laziness or incompetence of the developers.

        The magic words in these discussions are always "reasonable" and "proportionate". That

        • A FOSS chart drawing tool is a little different from, say, zlib or OpenSSL. The latter two might indeed warrant certification given how they're embedded everywhere. Imagine the liability if you depended on OpenSSL and it had another Heartbleed.

        • Re:

          The opposite end of the spectrum from "insane" large dependency hierarchies is a whole bunch of "unnecessarily expensively rewritten here and obviously generally bug-prone since low-use" code.

          The best compromise is tools that 1) give easy visibility into the structure of the dependency hierarchy and into all the code in the entire dependency hierarchy, and
          2) Maintain version management of dependencies explicitly, tightly, and easily inspectably.
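
As an added example (not code from this thread or from any project named in it), the Python script below answers the dependency-tracking question raised earlier in the thread and sketches the kind of visibility tool the comment above asks for: it walks a constructed lockfile, reports which top-level projects reach a given library and by what path, and flags packages that are not pinned to an exact version or that are referenced but absent from the internal repository. The lockfile layout, package names and versions are all assumptions made for the example.

```python
"""Transitive dependency inventory over a constructed lockfile.

Added example; the lockfile format is an assumption: package name ->
{"version": spec, "deps": [names]}, with the internal projects listed
separately as the roots of the walk.
"""
import re
from collections import deque

# Constructed sample data (not a real project's): five internal projects
# on top of a handful of shared libraries.
LOCK = {
    "billing":   {"version": "1.0.0",  "deps": ["webfw", "pdfgen"]},
    "ledger":    {"version": "2.3.1",  "deps": ["webfw"]},
    "reports":   {"version": "0.9.0",  "deps": ["pdfgen", "chartlib"]},
    "gateway":   {"version": "4.1.0",  "deps": ["webfw", "tlswrap"]},
    "batch":     {"version": "1.2.0",  "deps": ["zlibwrap"]},
    "webfw":     {"version": "3.0.2",  "deps": ["httpcore", "templater"]},
    "httpcore":  {"version": "1.4.0",  "deps": ["zlibwrap", "tlswrap"]},
    "templater": {"version": ">=2.0",  "deps": []},           # range, not a pin
    "pdfgen":    {"version": "5.1.0",  "deps": ["zlibwrap", "fontkit"]},
    "fontkit":   {"version": "0.3.0",  "deps": []},
    "chartlib":  {"version": "1.0.0",  "deps": ["svgcore"]},  # svgcore not mirrored
    "tlswrap":   {"version": "2.2.0",  "deps": []},
    "zlibwrap":  {"version": "1.2.13", "deps": []},
}
PROJECTS = ["billing", "ledger", "reports", "gateway", "batch"]

PIN = re.compile(r"\d+\.\d+\.\d+")  # exact X.Y.Z only


def transitive_deps(root, lock):
    """Breadth-first walk from root; returns {dep: shortest path from root}.

    The seen-map makes the walk safe on cyclic graphs; a dependency that is
    absent from the lockfile is recorded but not expanded further.
    """
    seen = {}
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        for dep in lock.get(name, {"deps": []})["deps"]:
            if dep not in seen:
                seen[dep] = path + [dep]
                queue.append((dep, seen[dep]))
    return seen


def reverse_index(projects, lock):
    """library -> {project: path by which that project reaches the library}."""
    index = {}
    for project in projects:
        for dep, path in transitive_deps(project, lock).items():
            index.setdefault(dep, {})[project] = path
    return index


def blast_radius(library, projects, lock):
    """Projects affected by a bug in `library`, as sorted (project, path) pairs."""
    return sorted(reverse_index(projects, lock).get(library, {}).items())


def unpinned(lock):
    """Packages whose version is a range rather than an exact pin."""
    return sorted(n for n, e in lock.items() if not PIN.fullmatch(e["version"]))


def unresolved(lock):
    """Packages referenced as deps but missing from the lockfile, i.e. not
    present in the internal repository at all."""
    referenced = {d for e in lock.values() for d in e["deps"]}
    return sorted(referenced - set(lock))


if __name__ == "__main__":
    for lib in ("zlibwrap", "tlswrap"):
        hits = blast_radius(lib, PROJECTS, LOCK)
        print(f"{lib}: reached by {len(hits)} of {len(PROJECTS)} projects")
        for project, path in hits:
            print("   ", " -> ".join(path))
    print("unpinned:  ", unpinned(LOCK))
    print("unresolved:", unresolved(LOCK))
```

On the sample data every one of the five projects reaches zlibwrap, three of them only through two or three hops, which is exactly the case where a single advisory fans out across a portfolio without anyone having chosen that library directly. The two checks at the end are the cheap gates an internal-repository policy needs: nothing enters unpinned, and nothing is referenced that was never brought inside.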
          • Re:

            No, there are other possibilities.

            One, which has worked well for a very long time in many languages, is having a good standard library available out of the box. JavaScript doesn't and that has probably cost the web development world many billions of dollars.

            Another is to have a culture around your language where third party libraries tend to be larger but self-contained. Then you probably only need a small number of dependencies covering major areas and the community and/or commercial suppliers can focus on

      • Re:

        A snag here is that commercial software is usually just as bad. Someone claims you can get support, but the company goes bankrupt a year after you become dependent on it. If they're not out of business, you still don't get "support", instead you get access to newer versions, for a price, but if you're the only customer with a particular bug then chances are you'll never get it fixed and will have to do it yourself. You get source code much of the time with third party libraries, but then you get the heada

    • Re:

      Indeed, if you look at the current CE mark it only covers products sold in the EU. It is self certification, you don't have to pay anyone to do it if you have basic competency.

      Since OSS is not normally sold, it doesn't need a CE mark. If someone wants to sell it, they can add the CE mark on their distribution of it if they have bothered to do the basic cybersecurity checks.

      • Re:

        You are forgetting the next step, which will be that all EU organizations will only be able to run CE marked software, or their operations will not be insurable (or only at rates that are exorbitant). Individuals working on free software are not going to self-certify as the liabilities to themselves could be exorbitant.

        • Re:

          You can just get your CE sticker in China, let the EU sue China for product liabilities.

      • Re:

        First one to actually understand what CE-like means.
  • Re:

    timely security updates?

    What's that? Even the major companies have issues with the word "timely."

  • How does the EU propose to function without the software that the internet runs on? How does the EU propose to function without timely security updates?

    The EU proposes to function the way it always has by publishing a piece of legislation you just commented on without reading. I invite you to absorb clause 10:
    (10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

    So, a big nothingburger. Poor ol' Redhat will need to meet the requirements when they sell their product or services, but your free functioning open source dependent internet will keep on internetting along just fine.
