> EU lawmakers also realise that open source is often 95% or more of the software stack on which a typical European Small and Medium Enterprise (SME) operates or is licenced.
> it is that entire stack which the SME, as the party that places it on the market, is liable for.
> policy makers assume that these process improvements [...] are costly; on the order of 25% more in cost overhead
> for most European SMEs this extra effort over the full 100% would be several times their engineering effort and hence would not be feasible
> certifying the 5 or 10% of the code they build on top of the open source stack is a lot more achievable.
From what I understand of what the Apache Foundation has written, what the CRA does is to take the certification obligation from the entity that takes the open source products and profits from it, and push it on to the entity that produced the open source software.
So if I have a business that uses a tech stack built on top of Rocky Linux, for example, I only have to certify the part of the stack that I built, and I can push the liability for the rest of the stack to the Rocky Linux vendor, even if I never bought a support contract.
Well, the blog repeats and clarifies that this is indeed the legislators' idea, and they won't change their minds.
It's not clear to me how much knowledge the author has about the legislators' opinion, but it's a very damning piece of text.
Pushing for the obligatory enforcement of unknown rules, extending the corporations' embodiment into every action of their employees, and granting legislative power to private standard bodies are all very anti-democratic decisions.
> Pushing for the obligatory enforcement of unknown rules, extending the corporations' embodiment into every action of their employees, and granting legislative power to private standard bodies are all very anti-democratic decisions
I agree. But at the same time, this might indicate something.
Frustration.
Try to build a bridge, a building, a factory, and see how far one gets, without a lot of clear cut rules being followed.
Then look at ... say, Debian. Where every single piece of software follows guidelines, or it's in non-free.
Then look at the node ecosystem, where no one audits anything, or even cares if they're literally infringing, who wrote it, etc.
No one even checks if any of the 25,000 packages have just been replaced by malware, or if the license has changed.
And beyond that, we have endless orgs running code on deprecated compilers (e.g. php5), with no security updates.
These things are absurd, but we accept it, merely because we prefer greed over security, safety, and sustainability of code.
So, some of it may be frustration. I'm frustrated with it!
Well, reacting to an emotion is a pretty bad thing for a legislative body to do. What is it, some tribal government where a trio of elders command everybody?
I do agree that the situation is dire, and we should do something. Up to now, that something is almost completely in the "research" area and almost not in the "legislate" area, but some exceptions may already apply. Acting on those exceptions would be a good thing, but this is really not some "hey, this small action is proven to help" kind of law. Laws like that one always lead to less secure software and broken markets.
And anyway, no legislative body anywhere should even think of doing any of the things I listed in that paragraph. Any of that is already enough to dismiss the entire thing (IMO, it's enough to dismiss the entire body too and call for replacement) even if the actual rules would improve software security.
What's stopping Rocky Linux from stating that its products are not certified for usage in Europe and having a third party that specializes in certification handle that aspect for a percentage of revenue from support contracts for European markets, with the net effect being that near zero such foundations end up based in Europe and European companies experience it as licenses being 10% more expensive with a smaller set of products available?
For open source libraries, which presently are 100% free, have the certification company charge companies who want to use those libraries to audit and certify them, and pass a substantial amount of the cost on to the authors of those libraries.
If the legislator is so concerned that some random open source project with enough luck to become a foundation of something the EU relies on may be used to weaken its security... then why not just ... I don't know ... not use it and develop their own? It doesn't fit in my brain.
>----------------------------------------------------
The current CRA text only excludes OSS software that has no commercial activity around it. Unfortunately, it defines commercial activity in part, this way:
“where the main contributors to free and open-source projects are developers employed by commercial entities and when such developers or the employer can exercise control as to which modifications are accepted in the code base, the project should generally be considered to be of a commercial nature.”
This can be read to mean that if the main contributors are not unemployed, then the project is commercially tainted.
>----------------------------------------------------
It applies not just to foundations and companies but basically all software created or distributed within the EU, so basically all software created by professional developers, even outside of their employment.
Where the creator is beyond the reach of the EU, the onus doesn't cease to exist; it just falls on the company to certify as part of their due diligence for their product, and this doesn't even make that version of that software or library itself certified out of scope of that usage, so all non-certified software would need to be verified once per work unless someone stands up an entity to provide a certified version of whatever.
For open source software you are asking companies to write or buy their own everything.
The most reasonable scenario is probably European developers using a limited palette of software versions behind the US, wherein in many cases they have to pay a European maintainer who pays the cheapest offshore labor it can find to give its rubber stamping of security a thin veneer of respectability while contributing nothing back to the people who write the software.
What it logically needs is a requirement that such labor come from the EU and a portion go back to the source project. We can call it the FULL EMPLOYMENT for EUROPEAN DEVS, MAINTAINERS and ENGINEERS
aka FEEDME
In this fantasy land non-Europeans would register for their portion of the money.