Has the FreeBSD Foundation commented on the EU Cyber Resilience Act?

Is there concern about what the EU CRA could mean for FreeBSD regarding open source software being used in FreeBSD, and how that may impact commercial companies such as Netflix that use FreeBSD downstream and contribute back upstream?

Debian has released a public statement on the CRA

The Linux Foundation Europe has released a statement on the CRA voicing their concerns

The EFF has voiced concerns about open source software due to the CRA

The big unknown seems to be, "What if Stanley J Developer creates an open source piece of software that some entity, such as FreeBSD, then embeds in their software and then it becomes responsible for a hacking incident." Who is held accountable? FreeBSD? Stanley J Developer?

Ostensibly it sounds like Stanley J Developer is not supposed to be held liable if there wasn't any commercial aspect, that being it was pure open source; but if it was open source and also had a paid version, does it have to abide by the CRA? Probably. The other unknown is that of accepting donations: does it make them commercial and have to follow the CRA? Take Zig. They accept donations. What if a company uses Zig and a vulnerability leads to compromise; can the company go after Zig for damages since it was accepting donations?

I was using an open source application and the website was suddenly inaccessible, so I emailed the developer/creator asking about it. He replied the EU CRA and potential looming laws in the U.S. have caused him to make it private. He replied that the odds of him being held liable are minimal, but not zero, so to protect himself, for the time being, development is personal.
 
Why not amend the license to waive liability for the developer? Don't most licenses already use these terms? How does the EU propose legal liability can apply when, upon license acceptance, liability has been waived? Is there some kind of precedent that allows them to bypass a license agreement and amend their own terms post-acceptance between two parties? Granted, I am unfamiliar with the CRA, but it sounds like nonsense to me. Do they intend retroactive legal action for previously deployed software? What a mess.
 
Hi everyone. I have been keeping a close eye on the CRA, primarily by following and, when I am able, participating in calls organized by the Open Forum Europe. In December, they put out this statement, which I will let folks here read for themselves and draw their own conclusions from. My read is the final version of the CRA adequately shields open source projects and communities from the obligations and fines that caused a lot of the initial concern.
Bert Hubert wrote this more detailed blog that arrives at the same conclusion: https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-for-open-source/

Eclipse Foundation ED Mike Milinkovich says this in his blog that also concludes that the final version of the CRA will not interfere with open source communities: "we are happy to report the open source community has been listened to. The revised legislation has vastly improved its exclusion of open source projects, communities, foundations, and their development and package distribution platforms."

All this said, I will work with my Foundation colleagues to put a statement together and will share the link here when done.
 
In the Stanley J Developer scenario, the CRA does not apply to them. I highly recommend this article and this operative section: "if you are not “monetizing” your open source product...the CRA does not apply to you. And if you submit any PRs or code or patches to other people’s open source, you are also completely in the clear, no matter what they are up to."
 
Complementary to the PDF:

Via <https://linuxfoundation.eu/newsroom/linux-foundation-europe-newsletter-january-2024#top-reads>:

Also in the newsletter:

Beyond the Hype: A discussion of the latest CRA with Rust Foundation and LF Europe

Discover the latest episode of "Beyond the Hype" with Colin Eberhardt, featuring discussions with Rebecca Rumbul, CEO of Rust Foundation, and Mirko Boehm, Senior Community Director of Linux Foundation Europe. Explore the vital role of open source in the software realm and the challenges it faces due to increasing complexity. The episode delves into the Cyber Resilience Act (CRA), initially raising concerns by placing obligations on open source maintainers. However, the podcast highlights the latest CRA update, addressing these concerns and sparking a conversation about its effectiveness in enhancing product security. Don't miss this insightful exploration of open source dynamics and legislative impact.

The linked podcast (48 minutes, no transcript):

 

Excellent resources! Thank you.
 
Thanks,

Look forward to any feedback.

It gets the key message(s) across, one hundred percent ☑



Two nits, I would have:
  1. omitted the word package
  2. said collaboration that is fundamental to (instead of collaboration foundational to).
<https://www.thesaurus.com/browse/foundational?s=t#elementary>, YMMV.



I see a handful of weasel words, only because I'm proofreading, and because I'm sensitised to the Project's historic, ongoing, emerging and innovative use of opportune weasel words in many and sundry documentations of various different sorts and types, all of which are undoubtedly very well-suited to planned and ad-hoc elevator pitches. Yer average reader is not likely to notice the handful :)

I'll use private conversation here for a couple of substantial things that probably don't lend themselves to public discussion.

Thanks again
 