This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[cooperation-wg] Cyber Resilience Act effects on OSS on agenda of open source-wg
Alessandro Vesely
vesely at tana.it
Fri Nov 11 11:29:38 CET 2022
On Thu 10/Nov/2022 19:41:21 +0100 Niall O'Reilly wrote:
> On 31 Oct 2022, at 10:14, Alessandro Vesely wrote:
>
>> What software would you use, a fully certified, professional OS, or a run-at-your-risk
>> product by hobbyists who are exempted from security regulations by a compassionate
>> exception to the Cyber Resilience Act?
>
> I don't understand what the point of this (perhaps rhetorical) question is.
>
> In a former day-job, I've had to deal with a "professional" Linux distro,
> whose provider was so risk-averse, and who operated such an ossified
> acceptance process for integrating upstream FOSS packages, that the distro
> was operationally unfit for purpose unless I chose to do without the
> "protection" supposedly provided by the "professional" packaging.

Yup, it may well be that the Cyber Resilience Act is going to result in a grossly scatterbrained attempt at imposing rules that nobody will follow. However, I fear the act can be orchestrated with big software producers in such a way that their products only will be able to advertise the certification.

> I also know some hobbyists whom I would trust with my personal physical
> safety, or even my life.

Users at large, however, don't know how software is produced. Branding certification can have an impact on their decisions. A captivating campaign could reduce FOSS market share by a great deal.

> The only thing one can be sure of with certification is that the holder
> of a certificate managed to pass the test.

For fairness, all software producers should have equal opportunities to have their software pass the test. Free software should be tested for free, regardless of what its authors do for a living.

> https://dilbert.com/strip/2000-08-31

:-)

Best
Ale
--