Cybersecurity Risk Assessment Request

22 points by spetz
johnklos

That’s precisely how it should work. You’ve got questions that you’d like to be answered? Pay for someone to answer them :)

I wonder if there’ll be a follow-up.

Student

A positive externality: companies now have to engage with open source maintainers. Everyone with popular open source should probably be ready to start selling support contracts.

st3fan

Couple of thoughts ...

I think it would be more productive to add a section to the FAQ to answer most of these questions. The CRA is annoying but if you run a popular open source project, and I assume that your goal is to get it in the hands of as many people as possible, then it is in your best interest to at least have some answers.

I’m not saying to comply with the CRA or give detailed answers or meet some “demands”, but these questions are legit and normal for anyone in compliance or infosec to ask when doing a risk assessment for some third party component that your company uses. The CRA is now making that even more important. Companies will drop projects if the status is unclear.

The reason projects don't get these questions directly very often is because usually a GRC or InfoSec team just puts in the work to find answers on their own. Many of us in that space have a basic process to assess third party dependencies to answer the same questions. In this case the sender was definitely lazy, because there is quite a bit of detail on the Curl website to answer many of those questions already.

The CRA is a big deal, and I think instead of turning every request into a blog post with a tone of "how dare you" it is probably better to just write the project's position on it in the FAQ and be done with it.

I do think “go here for commercial support” is really great of course and I hope the CRA will give Curl a boost there. It is a good incentive for companies to support open source and it will hopefully result in even better governance of projects.

Lastly, noting that the Curl project does so many things really, really well. It is a prime example of a well governed open source project. There is so much to be super proud of, and many of the questions I saw in that list can be confidently answered with Yes! So you can also see it as an opportunity to make that known to the world.

tanami

The global CSRA effort is a shift by big entities away from relying on mysterious suppliers of open source code towards a DRM-like "web of trust" which has no written definition. I think the bean counters have strayed too far from people that can actually help build a better system. What would a better system look like? Why not a manifest published with open source software that specifies this kind of information? Perhaps we need to re-think how the software dependency ecosystem works as a whole.

lormayna

I work for a security vendor and I see those things every day. It's just bureaucracy applied to security, usually made by people that don't have any kind of idea about technical skills; they just must ensure that checkboxes are marked.

spetz

Maybe it should have the security tag also, but I can't find where to edit after posting.