
What are the implications if an open source library is simply maintained in the US and consumed in the EU?

Does the EU company then need to handle the details of certifying it? Do you end up with an entire industry around companies "importing" open source libraries into essentially a library of usable verified things that companies are then allowed to consume?

Does this end up with EU companies using out-of-date things because it requires certification? How do you avoid it either becoming a rubber stamp with a fee attached, or EU industry being behind in its ability to use technology?

E.g. a US developer can use A, B or C, whereas an EU dev can only use a 2-year-old version of A, which may be less secure for lack of improvements in further versions rather than more secure. Essentially a certified, predictable level of inferiority.

> Some of the obligations are virtually impossible to meet: for example there is an obligation to “deliver a product without known exploitable vulnerabilities”.

Is it possible we actually CAN meet something a lot closer to that? There aren't infinite ways to use something, and if the use is novel and out of scope of the library itself, wouldn't that be something out of scope and part of the company's job to certify?

Consider languages and technology that obviate or drastically decrease entire classes of bugs, from memory-safe languages, to comprehensive testing, to static analysis, to more secure OSes like seL4.



> E.g. a US developer can use A, B or C, whereas an EU dev can only use a 2-year-old version of A, which may be less secure for lack of improvements in further versions rather than more secure.

That has been the natural consequence of every past effort to legislate security all over the world.

The fact that this one seems less attached to reality than normal only reinforces that, so I'd expect nothing else from it.



