Open Source Community Unites to Build EU CRA-Compliant Cybersecurity Processes

transpute | 73 points

In case anyone is interested: The EU did publish the draft "standardization request" recently https://ec.europa.eu/docsroom/documents/58974

This is the request which will allow the three European standardization organizations (CEN, CENELEC, ETSI) to draft the required 41 standards for the Cyber Resilience Act (CRA). See page 17 and following for the list.

To participate in the standardization you have to be part of a "national body" and they will "send" you to participate in EU standardization. I know no one from my FOSS circles who has any experience there, as most relevant standards for us are written outside of these organizations (W3C, IETF, etc.).

So we're currently trying to get an official seat at the table via the established ways (e.g. DIN in Germany; see https://standards.cencenelec.eu/dyn/www/f?p=CEN:5 for your own country).

If you are interested in this please send me an email, we're trying to put together a guide on how to engage in "official" standardization efforts as Open Source people.

The effort from this blog post is (amongst other things) trying to establish a whole new way of engaging with the EU. We need both approaches.

lars_francke | 11 days ago

My only fear is that every vendor will now have to implement secure boot and other mechanisms in order to make sure that only signed software runs on their devices, while providing no way for the customer to take ownership of the device back, so that they can run their own software.

I really hope that we eventually get a mandate so that every device that requires an internet connection for any and all features will also have to allow the customer to overwrite and use their own software in case they have to make any software/security repairs themselves.

chme | 10 days ago

Since this regulation is happening, necessary and welcome, it's good to see some of the most respected FOSS groups taking the lead. Hopefully many others representing smaller development communities will join the Eclipse initiative. I would characterise "Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation" as BigFOSS. :) Joe Hacker also needs a seat at this table.

> establishment of common specifications for secure software development based on existing open source best practices.

The problem with "best practices" is that there are always better practices. Hopefully this group doesn't ossify around "best practices" that are already out of date but becomes research focused. To be blunt, the problem is not that "best practices" are never followed, but that we have about 30 years of technical security debt to catch up with.

This foundation is also going to be a money pit, because it needs to help other developers. It cannot rule, dictate or enforce anything. Since most European devs are going to want to join in, it's going to be paying out for conferences, education, development grants and T-shirts. It'll need a pipeline of money from EU and commerce - and there's the danger of corruption.

nonrandomstring | 11 days ago

I guess the foundations are hyped because the CRA basically forces companies to pay for the security of OS projects (and the foundations are trying to be the main receivers of that money). But in the end the OS ecosystem becomes much more secure.

Otherwise, to all the SV dudes complaining about the over-bureaucracy: how do you improve software security? The only alternative I can think of is that the government pays for the security. For me that's a worse solution.

snowpid | 11 days ago

Suppose that applies to your open source because you are using a commercial split license and / or providing premium support or otherwise clearly commercialising the activity.

If you comply with all the CRA requirements (whatever they are) but the (free) USER of your software (user, not customer) gets hacked because of a security hole in one of your dependencies (that was not known) or a security hole in your own code (after all, is it possible to create something bulletproof?) - are you liable for damages and what does it mean exactly in practice?

How does it differ from a situation where you offer proprietary software free of charge as a commercial activity? Can the right EULA protect you from receiving such damages? In other words, does it make the well-known "THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND..." license even worse from the liability standpoint than a proprietary license agreement?

Would it not even invalidate those licenses since the license text cannot comply with the law? This is a big blow to open source. It does not matter whether it's monetised or not, open source is open source. They are messing with the definition. And to achieve what effect? The biggest cybersecurity problem that dwarfs all others combined and one that especially governments should worry about is the fact that memory vulnerabilities are everywhere, everything from the OS, the web browser and most popular GCed language interpreters are built on C++. And someone as determined as the people behind xz could probably bypass this regulation, if it could be of any help (obstacle to the attacker) at all in the first place.

It does potentially shut down a project I have considered commercialising (like, I may release, as "hobby open source" and dump it because I otherwise have no incentive to give my free time). If for every paying customer I am to be liable for 100 - 1,000 non-paying users, no thanks. Maybe I would not do it anyway, I have something else in sight, but I was very serious to experiment with it since I have most of it built anyway and it's just this opportunity to try it out as a side gig for a couple years, taken away by some bureaucrats. I have yet to do some more research on this (check my question in the second paragraph) but it does not sound like fun.

eu_rope | 9 days ago

I'm thinking about Max Gergel's Isopropyl book, and how in the 1960s they basically threw dangerous chemical waste out the window or buried it after a fire, scarring a kid.

That's the state of our industry today. In some ways, Open source seems among the better students of the class. In other ways, Open source is like a million people each contributing a few parts to a society critical factory, nobody noticing how big we grew. Of course that makes people uneasy.

I think something like this is unavoidable. How to get the max impact with minimal overhead is the most important discussion now, so I applaud apache's initiative.

hyperman1 | 11 days ago

Am I getting older? On a modern display... reading that text is awful. Had to zoom it to 150%. At 'default' it's damn near 'fuzzy' looking. Apache, omg, use a readable font and size for goodness sake.

jamesholden | 11 days ago

Slightly off topic but this is potentially a disaster for desktop apps and anything not SaaS. Correct me if I am wrong, the law requires vendors to provide 5 years of security updates for apps. Some apps can leverage models such as "use it forever, but you only get updates for a certain time without renewing". That allows companies *that ship apps where you can own your data* to use a yearly subscription model and remain profitable. Now the desktop app vendor will be required to support users 5 years back, possibly shipping multiple builds (legacy versions with security updates and a new version with features). Meanwhile the SaaS vendor charges a monthly fee and only has to care about security for the period of the subscription. I wonder how JetBrains is going to deal with that, I am pretty sure that their perpetual fallback is not updated for 5 years. But it's a big company; a small startup wanting to ship a desktop app will cry and despite the best intentions may as well change direction to ship SaaS... The act provides the incentive to enshittify everything.

mckravchyk | 9 days ago

Meanwhile, the US reduced funding for the NVD database that the software world depends upon for vulnerability analysis, https://nvd.nist.gov/general/news/nvd-program-transition-ann...

  NIST maintains the National Vulnerability Database (NVD), a repository of information on software and hardware flaws that can compromise computer security. This is a key piece of the nation’s cybersecurity infrastructure. There is a growing backlog of vulnerabilities submitted to the NVD and requiring analysis. This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.

March 8th analysis by the Linux Foundation's OpenSSF, https://www.securityweek.com/cve-and-nvd-a-weak-and-fracture... & https://www.linkedin.com/posts/netriseinc_cve-vulnerabilitym... (graph)

> Starting February 12th, thousands of CVE IDs have been published without any record of analysis by NVD. Since the start of 2024 there have been a total of 6,171 total CVE IDs with only 3,625 being enriched by NVD. That leaves a gap of 2,546 (42%!) IDs.

Private/paid offerings? https://www.darkreading.com/vulnerabilities-threats/nist-nee...

> NIST is going to open up the program to a consortia of vetted organizations from the industry in order to deal with the backlog of vulnerabilities that need to be analyzed.. Budget cuts happening for the first time in a decade.. hopefully a pivot to a private-public sector partnership can be reached quickly to scale up the program

OSS alternative to paid offerings? April 2024 open letter from Yocto, https://github.com/yoctoproject/cve-cna-open-letter/blob/mai...

  Processes/tooling to easily allow CNAs to adopt enhancements to CVEs would also encourage improving the data, ideally as easy as something like a GitHub pull request. We, as projects that need to respond to security issues, could all do things in our own ways. Many of us have open source backgrounds and realise the power of collaboration and would much prefer to work together and build something none of us alone could achieve. We need the tools, processes and core support from the CVE project to make it happen.

transpute | 11 days ago

This just further incentivises the over-regulatory EU to keep making burdensome regulation that slows down innovation for everyone.

It is better for open source projects to just pass a license claiming the software is not available for free in the EU and to make EU companies pay sky-high fees to use the software that is freely available for everyone else.

That way EU bureaucrats will stop trying to be the World Police without paying the price that the USA has to pay to keep its global influence (like funding the militaries of other nations while Americans die in hospitals, in homelessness, intentionally making American exports disadvantageous just to keep its global reserve currency status, etc.).

It is absolutely insane to me how the EU thinks it can decide what charging port everyone should use (USB-C), cookie banners for everyone, GDPR nightmare for everyone, and now this new government rule on open source contributors to software being held liable for security breaches.

Absolutely crazy. They just want free lunch while trying to control everyone and everything.

teitoklien | 11 days ago