What has (can) the EU Cyber Resilience Act done (do) for you?
18 points by tomhukins
Yeah, when this goes into force I'm probably shutting down all my software development operations and public services. I can't bear the Damocles sword of risking a random 15 million EUR fine for not developing my software in a fashion that adequately pleases Von Der Leyen. That is not a reasonable risk, nor an acceptable burden for a single person to bear.
Do you even fall into the category of manufacturer/would your operations even be considered commercial activity? If so, OK, fair, it might be too much of a risk for you. If not, then there are very clear carve-outs in this law for you. Only upstream consumers of your open source software are even affected.
Yes, I would fall under commercial activity. I run a search engine with a commercial API offering. I do have non-profit elements of the operation, but operating a search engine costs money, so I can't do the latter without the former.
Depending on specifics, you might still be covered under recital 18, if all revenue is just to operate the engine:
Finally, for the purposes of this Regulation, the development of products with digital elements qualifying as free and open-source software by not-for-profit organisations should not be considered to be a commercial activity provided that the organisation is set up in such a way that ensures that all earnings after costs are used to achieve not-for-profit objectives.
I can understand your worry, but the CRA isn’t exactly onerous. The requirements for SBOMs or similar is something a lot of organizations already comply with just fine, I would be shocked if you can’t produce them for your service with one line of build script.
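The comment above says an SBOM should be producible with one line of build script. As an added example (not the commenter's code, and not tied to any particular CRA guidance), here is a small Python generator that enumerates the packages installed in the current interpreter and emits a minimal CycloneDX 1.5 JSON document with Package URLs. Field names follow the CycloneDX JSON schema; the sample component list in the usage block is constructed.

```python
import json
import uuid
from datetime import datetime, timezone
from importlib import metadata


def purl_for_pypi(name, version):
    """Build a Package URL for a PyPI distribution (lower-case, '_' -> '-')."""
    normalized = name.lower().replace("_", "-")
    return f"pkg:pypi/{normalized}@{version}"


def build_cyclonedx(components, serial=None):
    """Return a minimal CycloneDX 1.5 document (as a dict) for (name, version) pairs.

    Only the fields every consumer needs are emitted: bomFormat, specVersion,
    serialNumber, a metadata timestamp and one 'library' component per package.
    """
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": serial or f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        },
        "components": [],
    }
    for name, version in sorted(components):
        bom["components"].append(
            {
                "type": "library",
                "name": name,
                "version": version,
                "purl": purl_for_pypi(name, version),
            }
        )
    return bom


def installed_components():
    """Enumerate distributions installed in this interpreter as (name, version)."""
    seen = {}
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        # Skip metadata entries without a name and de-duplicate by name.
        if name and name not in seen:
            seen[name] = dist.version
    return sorted(seen.items())


def sbom_json(components):
    """Serialize a CycloneDX document to the JSON text you would ship."""
    return json.dumps(build_cyclonedx(components), indent=2)


if __name__ == "__main__":
    # Constructed sample input: what a requirements lock might resolve to.
    sample = [("requests", "2.31.0"), ("Jinja2", "3.1.4")]
    print(sbom_json(sample))
    # For a real build, replace `sample` with installed_components().
```

Wired into a build script, `python sbom.py > sbom.cdx.json` is the "one line" the comment refers to; the output can then be fed to any CycloneDX-aware scanner for vulnerability matching against the `purl` values.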
I'm a single person though. The risk of being fined 300 annual salaries for missing some requirement in the huge wall of dense legalese is quite a lot to palate.
I am not a lawyer, and I am definitely not your lawyer, but everything you’ve said, and that I’ve been told about the CRA, suggests you’ll be fine, or can put yourself in a position where you are definitely fine fairly easily.
Having said that I recommend finding talks by lawyers on this, somebody recommended the best way to write a CRA talk for FOSDEM is to listen to all the preceding talks and correct everything people said which was confidently wrong.
So actually, no, it is onerous. But no one has yet realised it.
In particular, you actually take on the liability for problems from the FOSS you use, and we are really far from standards that make sense there. People have not yet come to realise the sheer size of the problem, is all.
So what it says about the implications of the CRA are right.
The rest of the screed about what "engineering" is and QA and how you need to do the work on your dependencies and how the SBOM will be helpful read like wishful thinking combined with a really spherical cow understanding of the domains it talks about.
Hell, this is even the nice reading, if I was nasty I would say that it talks of a totally different society that live in Alpha Centauri. I understand how this became the narrative, it is hopeful and it matches the (old) narrative of Software not being up to par with "Bridge Engineering".
But it is not really reflecting reality. I really hope at some point we look at reality as it is and start offering solutions that can actually move the needle, instead of rehashing the same models and solutions that have not worked for the past 3 decades.
And we know the ones I talk about work! We have proof. Rust exists. cargo-semver-checks exists. We know how to do this. The research on most of the tools we need exists, at least enough to have a base.
But we prefer to think that this is a moral failure.
The software engineering not being up to par with bridge engineering has never been more true than it is now. Imagine if civil engineers used genai to produce blueprints? That is literally what software engineers are doing now.
Honestly, I think a lot of people underestimate what a shit show civil engineering can be. Like in one of the office buildings I worked in a few years ago, they had in one corner of the building a sort of stage. This stage had to be there because they'd made an oopsie when designing the building, so an elevator shaft kinda accidentally stuck up into the floor.
Imagine if the blueprint really had nearly nothing to do with the final product and was mostly an intermediary discussion and research tool...
This doesn't... actually talk about what the upsides are?
The thing I'm hoping happens is for legislation like the CRA to create an obligation for certain moneyed but non-contributing consumers of open-source software to ask for support from its developers, which will in turn present an opportunity for those developers to refrain from offering support without remuneration.
That will not happen. I understand why people hope for it, but it will not happen. It is not something the law pushes for, it is not something the maintainers actually support and it is not something the industry is planning on doing.