[opensource-wg] concern re: Cyber Resilience Act effects on open source?

Hello!

[ These are my personal opinions. I have some degree of understanding of 
law, yet I'm not a lawyer at all. I'm an employee of CZ.NIC, yet this is 
not an opinion of my employer, I'm writing on my own behalf. ]

> I would like to understand the number of people/organisations on this 
> list who are concerned about the European Commission's Cyber Resilience 
> Act proposal effects on open source software development.
> 
> This topic was presented at RIPE85 [1] and covered in a recent blog (see 
> below, should have cross-posted), which was republished at RIPE Labs 
> last week:
> 
> https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/ 
> 
> 
> You would help both me and RIPE NCC staff that are tracking the proposal 
> by speaking up on list. Answers by both developers and users are valuable.

Regarding the liability act, I think we may simply declare that only the 
cases covered by automated testing is the intended use case and if 
anybody wants to run BIRD outside these cases, they have to check it on 
their own risk or they have to pay us to implement and test these 
scenarios for them. It's just the wording in the documentation to be 
amended.

Regarding the CRA:

Definition of the exception in (10) is one thing, definition in article 
3 (18,23) doesn't exempt non-commercial development at all.

* article 13 (9) and 14 (6) doesn't work at all for open-source products 
where the manufacturer is a group of people and orgs all around the 
world; probably this may be covered by articles 15 and 16, yet the 
wording is quite fuzzy

* article 24 where it speaks about critical software is completely 
unreasonable even for fully commercial developers. Everybody uses some 
underlying technology, e.g. we'd have to assess LibSSH security 
probably, and who knows, maybe even the GCC / CLang security or the 
build system itself? Who's gonna assess Debian security?

Reading the CRA more thoroughly, if the audits are done strictly, I 
foresee this:

* RedHat and SUSE are going bankrupt as the amount of work needed to 
audit the whole Linux infrastructure is totally out of their scope.
* Everybody using Debian / Arch / whatever non-commercial distribution 
must be considered a software importer and therefore has the same 
liabilities as a manufacturer.
* Hardware router manufacturers go bankrupt as well or have to raise 
their prices significantly.

Or the audits can be done somehow to do the paperwork just to assure the 
Commision that something is being audited. In this interpretation, it's 
only the paperwork with no real impact on the actual security, and 
therefore it's probably just a waste of money and effort.

My suggestions for regulation amendments:

* the regulation should strictly exempt products distributed completely 
freely (for zero money and in exchange for nothing, not even a single 
bit of personal / user data) case-by-case
* if the software is both sold (e.g. with technical support) and 
distributed freely, the regulation applies only for cases it's sold → 
then we can explicitly state what features are covered by the contract
* if anybody uses a software which they got for free, they are 
responsible for that and possibly also for auditing

We may also create an NCC which would perform all the necessary audits 
for open-source software in a reasonable (non-profit) price range.

To be honest, while thinking about it more, I'm starting to see the 
proposed acts as a kind-of way how to push the (big commercial) users to 
contribute more with real money to open-source development, yet it must 
be stated strictly enough that everybody can either contribute to have 
the audit done by the manufacturer, or they are responsible for auditing 
their intended use of the software completely themselves.

We may also simply stop selling technical support for BIRD and also stop 
releasing any final versions. All BIRD versions will be only testing 
releases and we can simply sell another product "based on" BIRD, with 
all the audits needed and marked CE, completely commercial.

In all cases, I think that the regulation needs much more care regarding 
open-source software as it looks like the authors don't know much about 
that. The regulation also doesn't care much about the sole fact that IT 
systems are typically built from multiple blocks joined together and the 
liability and auditing responsibility is not well defined in these cases.

Thank you for raising this issue.

Maria
developer of BIRD
on my own behalf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2839 bytes
Desc: S/MIME Cryptographic Signature
URL: </ripe/mail/archives/opensource-wg/attachments/20221128/106d7743/attachment.p7s>