Kroah-Hartman: Linux kernel security work

[Posted January 2, 2026 by corbet]

Greg Kroah-Hartman has written an overview of how the kernel's security team works.

The members of the security team contain a handful of core kernel developers that have experience dealing with security bugs, and represent different major subsystems of the kernel. They do this work as individuals, and specifically can NOT tell their employer, or anyone else, anything that is discussed on the security alias before it is resolved. This arrangement has allowed the kernel security team to remain independent and continue to operate across the different governments that the members operate in, and it looks to become the normal way project security teams work with the advent of the European Union's new CRA law coming into effect.

to post comments

Nice post!

Posted Jan 2, 2026 16:53 UTC (Fri) by wtarreau (subscriber, #51152) [Link]

It's great that Greg took the time to re-explain this, as there seems to always be some interest expressed by lots of people about that process which, by the nature of discrete exchanges, can easily lead to incorrect speculations.

I remember that about 8-10 years ago at Kernel Recipes, I don't remember what recent security activity there had been just before the conference, but during the first morning I got 3 questions from different people about that process and the team's role. People appeared quite confused in fact. I talked to Greg about this during lunch and in the afternoon we took 10mn to improvise a talk on the topic, explaining how the team works (Greg is amazingly at ease to speak about any topic without even preparing anything). It was very much appreciated, led to some questions/responses sessions, and I got some thanks after that for initiating this.

I think that people just don't dare asking, but their interrogations are legitimate. The kernel's security is only something if it's correctly handled by everyone in the chain, and it's natural that end users constantly wonder if they might be missing anything or doing anything wrong.

By the way I'm always impressed by how seriously subsystem maintainers handle issues that we forward to them. We could expect that sometimes they would get bored or annoyed by the low importance of certain reports, but that's never the case, every single time they quickly respond and take the issue very seriously, with topmost priority. Some maintainers who get their first report are even extra careful, trying to make sure not to make any mistake nor disclose anything too early by accident.

Overall it works so well that I roughly copied the process for haproxy :-) No need to reinvent something that is already proven!

CRA

Posted Jan 2, 2026 19:44 UTC (Fri) by linuxrocks123 (subscriber, #34648) [Link] (10 responses)

The first thing I thought when reading this was, "What is the CRA? Did the EU do something stupid again?", and I looked it up and yes, the EU did something stupid again. I think I had probably heard about the CRA before but had forgotten.

Anyway, slightly off-topic, but things are getting to where I would really, very much like it if there were an organization maintaining a "countries, states, and provinces with stupid Internet laws" banlist. It could be subdivided into "hostile to websites that maintain user state" (California + EU), "hostile to websites dedicated to sexual content" (Texas, I'm disappointed to say, and probably other conservative US states thanks to a recent terrible Supreme Court decision), and perhaps other categories. Then, if I'm a webmaster, I can download a ready-made "f* these people" geoblock file which allows me to get on with my mission while ignoring these statist morons' edicts and punishing them and those who enable them with denial of service.

EFF would normally be a good organization to do this type of thing, but they aren't and won't be because they think their mission is to protect lusers instead of website operators. They were on the right side of the Texas sexual speech restrictions, at least. Maybe one day I'll maintain such lists if no one else steps up, but I thought I'd throw the idea out there in case these lists already exist and I'm just not aware of it, or in case someone wants to take the time to make it exist more than I do. My enthusiasm is at the level of "not a lot, but I'll do it if I have to for my own use, and, if I have to do it anyway, I'll make sure to share it."

CRA

Posted Jan 2, 2026 20:42 UTC (Fri) by dskoll (subscriber, #1630) [Link] (7 responses)

Your comment reminds me of the Malibal guy, Matt DeVillier, who banned entire countries because someone annoyed him. I guess he realized he was being silly because he took down the bans from the Malibal website and got it excluded from The Internet Archive.

CRA

Posted Jan 2, 2026 21:34 UTC (Fri) by mathstuf (subscriber, #69389) [Link]

Yes, I was reminded of this as well, but my search-fu failed me. Thanks for the reference :) .

CRA

Posted Jan 4, 2026 14:49 UTC (Sun) by linuxrocks123 (subscriber, #34648) [Link] (5 responses)

Matt DeVillier's actions were just petty. This wouldn't be to help people be petty. Rather, it would be to help people avoid subjecting themselves to hostile jurisdictions.

Like, let's say I have a message board hosted in Texas, and France wants to sue me because someone in France visited my website and I didn't annoy the hell out of him with the EU's required "I USE COOKIES" bullshit. Applying Zippo, a court may actually enforce a stupid EU judgment based on that against me ... BUT not if I geoblock the EU. And, while California's "cookie law" isn't as brain-damaged as the EU's, it's still pretty brain-damaged, so I'd want to geoblock them to avoid Zippo jurisdiction there, too.

In addition to California, I may want to make it a triple play by blocking New York and Florida, too, to avoid being sued by the human skid marks who abuse the ADA to suck settlement money out of random small businesses: https://instituteforlegalreform.com/blog/small-businesses...

A well-run jurisdiction monitoring organization could help me decide who to block and when to stop blocking them based on my particular website's needs.

CRA

Posted Jan 4, 2026 14:53 UTC (Sun) by dskoll (subscriber, #1630) [Link] (2 responses)

Everything you've posted is hypothetical. Care to cite any case where an individual running a personal website has been subjected to punishment under the laws you mentioned?

It's simply Malibal all over again, mixed in with a healthy dose of dog-whistle politics.

CRA

Posted Jan 5, 2026 2:41 UTC (Mon) by linuxrocks123 (subscriber, #34648) [Link] (1 responses)

Many of these stupid Internet laws, such as California's, allow civil suits for monetary damages. I'd prefer to make the first move by blocking the hostile jurisdictions at the outset than wait for a blood-sucking parasite to try to make a quick buck off of me with an abusive lawsuit about how I manage cookies.

Be reactive if you want, but I'll bet all the family-owned restaurants that didn't put alt text in their images wish they'd taken my approach.

CRA

Posted Jan 5, 2026 9:49 UTC (Mon) by kleptog (subscriber, #1183) [Link]

> Many of these stupid Internet laws, such as California's, allow civil suits for monetary damages.

I looked this up and it's interesting. The California law has statutory damages (which the EU doesn't) and allows for class actions (which we don't really have here in most member states*) and the combination leads to the interesting business case where you can start a class action against some site and claim statutory damages for a whole bunch of people who don't care and have no actual damages.

So yeah, the statutory damages thing does make California especially risky.

* We don't have class actions in NL, the way this is handled is to start a non-profit association that does a test case on behalf of its members and if they win they use that as leverage to settle the rest of the cases. This is the implementation of the Representative Actions Directive (2020/1828)

CRA

Posted Jan 5, 2026 18:26 UTC (Mon) by NYKevin (subscriber, #129325) [Link] (1 responses)

> In addition to California, I may want to make it a triple play by blocking New York and Florida, too, to avoid being sued by the human skid marks who abuse the ADA to suck settlement money out of random small businesses: [link]

The ADA is a federal law. Lawsuits under the ADA may be brought in any state, if there is personal jurisdiction over the defendant and venue is proper in that state. The Second Circuit case Bensusan Restaurant Corp. v. King suggests that merely having a website accessible from the forum state is probably not enough for personal jurisdiction, but it was decided in 1997, so things may have changed since then. See also International Shoe Company v. Washington.

Regardless, geoblocking one state will not prevent lawsuits from other states. If geoblocking is necessary (contrary to the Second Circuit's ruling), then you have to block the whole US (and avoid doing business in the US, which probably has implications for hosting etc.).

CRA

Posted Jan 8, 2026 15:57 UTC (Thu) by linuxrocks123 (subscriber, #34648) [Link]

> The ADA is a federal law.

Yes, but there's a huge-ass circuit split as to whether websites are always subject to the ADA, only subject to the ADA if there is a physical brick-and-mortar business they're connected to, or never subject to the ADA. If you can force the bottom-feeder into a circuit that says websites are never subject to the ADA, the bottom-feeder will drop the case and leave you alone because he and you both know he can't possibly win.

I hope the current Supreme Court takes up a case on this issue soon, because the current Court will probably decide "never," and I think that's the right answer because anything else is an unacceptable speech regulation. Or would it be constitutional for Congress to pass a law that says newspapers must be printed in Braille upon request?

> The Second Circuit case Bensusan Restaurant Corp. v. King suggests that merely having a website accessible from the forum state is probably not enough for personal jurisdiction

No, Bensusan v. King decided that New York hadn't given its own courts that jurisdiction under New York state law. The federal question the district court answered in violation of constitutional avoidance was not affirmed by the circuit. A better case to look at is Zippo v. Zippo:

https://en.wikipedia.org/wiki/Zippo_Manufacturing_Co._v._...

It's a district court case but was adopted by several circuits in the years following its decision. It promulgates a "sliding scale" test that says you're not subject to jurisdiction if your website is purely passive, are if your website is "extremely interactive," and might or might not be if your website is somewhere in the middle, depending on where in the middle you are.

CRA

Posted Jan 2, 2026 21:58 UTC (Fri) by fenncruz (subscriber, #81417) [Link] (1 responses)

I think the CRA is a good thing. Even though it's making alot of work for me at the moment (in a large software company) it's finally made upper management care about security. It's amazing how much developer time I can get allocated to fix technical debt when there's the possibility of fines on the line.

Sure some it is just paperwork and box tickings, but we are also getting resources to fix actual issues we've been fighting for, for years.

CRA

Posted Jan 4, 2026 14:18 UTC (Sun) by raven667 (subscriber, #5198) [Link]

I too think the EU CRA has a lot of positive benefit, and I'm happy when a compliance effort can produce real fruit because orgs actually do the work to fix things rather than malicious faux-compliance (like adding cookie banners instead of fixing privacy practices).

I'm rather enjoying the focus my org has on compliance with new US ADA enforcement rules (which to be honest are never going to be invoked because the Trump regime doesn't care about civil rights/accessibility and would only prosecute if the bribe check didn't clear) which has given me the opportunity to bring all the web apps up to the same HTML theme/template and coding style instead of three different ones depending on the era when the app was made and how maintained it is. I also got to make a mini web-app server-side framework to factor out duplicate code from the CGIs without taking a large dependency on something like Dancer or Mojolicious, so it's all still simple enough to fit into one persons head but benefits from standardization of how extensibility is performed.

EU CRA (Cyber Resilience Act)

Posted Jan 2, 2026 21:21 UTC (Fri) by hailfinger (subscriber, #76962) [Link] (23 responses)

The CRA reference in Greg's document is not applicable to community FOSS projects unless they happen to be part of a larger organization ("steward" in CRA-speak) or steered by a company.

I know that various foundations have employed FUD tactics to get small FOSS projects to join them due to the perceived CRA threats. Unless you're a FOSS project the size of Debian, Mozilla or the Linux kernel, joining a larger organization is completely stupid from a CRA perspective.
Why, you ask? Simple. If you're a small FOSS project and don't make a profit from it, you're exempt from the obligations of the CRA (but you still get all the benefits from the CRA). Join a larger org (foundation, whatever) and suddenly you're subject to the CRA.
Now if you enjoy being regulated, feel free to join some of the foundations. Otherwise, steer clear of them.

EU CRA (Cyber Resilience Act)

Posted Jan 2, 2026 21:34 UTC (Fri) by Wol (subscriber, #4433) [Link] (10 responses)

Stewards aren't affected by the CRA either! READ THE CRA.

Companies have contracts with suppliers. In order for a component to be legal as part of a product, IT MUST HAVE A CRA MARK. And in order to have a CRA mark, there MUST be contracts in place to say who is legally liable.

So as a company, you either pay the foundation, or the project, or the maintainer, for a support contract that includes a CRA mark, or you provide your own CRA mark.

Simply put, without a contract in place the CRA can't touch you. It will, however, clobber any company that uses your product thinking they can offload the responsibility off to you at no cost to themselves. That's by design ...

Cheers,
Wol

EU CRA (Cyber Resilience Act)

Posted Jan 2, 2026 22:05 UTC (Fri) by hailfinger (subscriber, #76962) [Link] (9 responses)

> Stewards aren't affected by the CRA either! READ THE CRA.
I did read the CRA. I even commented on it before it became the law and some of my suggestions ended up in the CRA. So yes, I think I can claim that I did read it.

And yes, despite your claims, stewards are affected by the CRA.
Please look at the official text of the CRA, Chapter II, Article 24: "Obligations of open-source software stewards".
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=...

> [...] IT MUST HAVE A CRA MARK
There is no such thing as a CRA mark. Sorry.

EU CRA (Cyber Resilience Act)

Posted Jan 3, 2026 9:31 UTC (Sat) by kleptog (subscriber, #1183) [Link] (4 responses)

I really hope we can avoid a massive discussion CRA here again. This horse has been quite beaten to death. Especially since the whole discussion tends to get mired in the fundamentally different way Europe and the US regulate markets. Europe tends to write out a description of how they want the market to work and then rely on the market participants to keep each other honest. The US tends to be more prescriptive and sets the government up as judge, jury and executioner, and the market participants spend their time trying to figure out how to avoid scrutiny.

Case in point: open source stewards. Who decides who is one? No-one. Don't give yourself that label and you're all set. That text is largely aspirational, it describes how the EP expects open source to work within the CRA framework. Its value is largely in making clear to the CxOs that all those people doing unpaid open-source work are not responsible for their bonuses. For extra clarity, Article 64.10b says stewards can't be fined, even if you could figure out who they are.

European law is largely written by people with no legal training, which means you get a lot of text of dubious legal value. A significant chunk of the Parliament and Council are very careful to make sure the EU (and governments in general) don't actually gain any powers that aren't strictly required. Concentrated executive power (we know from experience) is very risky. Read any contracts before you sign them, that's the most important lesson.

But I can say from personal experience that CRA also has for me also made it way easier to get time for security and software maintenance. Suddenly SBOMs are on the agenda, after years of being summarily dismissed.

EU CRA (Cyber Resilience Act)

Posted Jan 5, 2026 15:12 UTC (Mon) by poruid (subscriber, #15924) [Link] (3 responses)

Excuse me, but stating that EU law is written by legal nitwits is baseless.

Besides that, the CRA as far as FOSS is concerned, has been modelled to ensure that downstream free riders MUST upstream fixes that the CRA obliges them to provide. That is good, very good.

EU CRA (Cyber Resilience Act)

Posted Jan 5, 2026 16:09 UTC (Mon) by Wol (subscriber, #4433) [Link] (2 responses)

And while it's a hobby horse of mine, assuming that a lawyer understands the law - even in his own specialty! - is a dangerous thing to do. As a doctor mate of mine once said - "50% of people are below average intelligence, so what does that say about doctors?". The same could be said about lawyers - and once you assume that all your hot-shots are in high powered jobs, what does that say about your average high street doctor or lawyer!!!

Mix a high intelligence, and a good grasp of the detail, and you don't need to be a professional to outperform your typical high-street practitioner.

Mind you, you also need my attitude to electrics - as an okay amateur sparky, my FIRST response to any job is "if I don't understand it, get a professional involved". You can then assess the professional's competence ...

Cheers,
Wol

EU CRA (Cyber Resilience Act)

Posted Jan 5, 2026 16:39 UTC (Mon) by mathstuf (subscriber, #69389) [Link] (1 responses)

> As a doctor mate of mine once said - "50% of people are below average intelligence, so what does that say about doctors?".

My gripe with this is that they're actually talking about the median. It also assumes doctors are uniformly sampled across the "intelligence spectrum" (as measured by, presumably, IQ) and all the faults with that.

I don't think anyone would say "50% of people at IAS in the 1930's and 1940's were below average intelligence" without also having a footnote of "but all are sampled from the top 1% of the world population". And the internal rankings would certainly differ from those on the outside (cf. Einstein and him ranking Gödel as above himself, IIRC).

EU CRA (Cyber Resilience Act)

Posted Jan 5, 2026 17:37 UTC (Mon) by Wol (subscriber, #4433) [Link]

I don't know that intelligence *should* be a factor in sampling people to become doctors (other than filtering out the subnormal). Certainly in my case intelligence seems to have been a DEselection criteria. I got grades A, B, B, your typical offer iirc was about C, D, D, and your successful candidate typically achieved B, C, C. Certainly I think only ONE of my successful fellow candidates from school got a higher grade.

Absent reliable information one way or the other, I'm happy to assume reasonably random selection (although of course I've missed the fact that school leavers rig the criteria somewhat. That said, so do English Public Schools in the opposite direction, where a lot of people who get good grades come over as "rich and stupid".

However you play it though, my experience of legal work leaves me inclined to put the two letters "in" in front of your average lawyer's competence.

Cheers,
Wol

EU CRA (Cyber Resilience Act)

Posted Jan 3, 2026 10:04 UTC (Sat) by lynxlynxlynx (guest, #90121) [Link]

Yes and no. Consider the definition of a steward:

> (14) ‘open-source software steward’ means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;

It's a long list of conditions that all have to be true for the article to come into play. For the vast majority of small projects using stewards to just host their secrets, a donation account and similar, the criteria won't be met.

EU CRA (Cyber Resilience Act)

Posted Jan 3, 2026 10:17 UTC (Sat) by Wol (subscriber, #4433) [Link] (2 responses)

> (14)

> ‘open-source software steward’ means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;

Which pretty much describes a business that supports open source as its business ... like Red Hat, SUSE or Ubuntu

And your reference basically says they have to have a security policy, which they have to provide to the regulator on request.

To my mind, it's not at all clear what the liabilities of a steward are, beyond providing the said security policy.

> (24) 3. The obligations laid down in Article 14(1) shall apply to open-source software stewards to the extent that they are involved in the development of the products with digital elements. The obligations laid down in Article 14(3) and (8) shall apply to open-source software stewards to the extent that severe incidents having an impact on the security of products with digital elements affect network and information systems provided by the open-source software stewards for the development of such products.

So what happens if the Open Source Steward provides support services but not development resources for Open Source Projects? Take Apache for example, it doesn't look as if they're affected by this ... from what little I know, Apache projects all have their own teams, and Apache just provides an umbrella - which this clause appears NOT to catch.

I'll need to read it again, but I don't see what difference a project joining a foundation would make to the project. It might make a difference to the foundation ...

> There is no such thing as a CRA mark. Sorry.

My bad - but it must have something. There must be some sort of B2B agreement in place which I've taken to calling a CRA mark. The CRA will not look kindly on a business - selling software as part of their product - that does not have a formal agreement in place for its maintenance.

I'll read the CRA again ...

Cheers,
Wol

EU CRA (Cyber Resilience Act)

Posted Jan 3, 2026 12:16 UTC (Sat) by hailfinger (subscriber, #76962) [Link] (1 responses)

The CE mark is probably what you were looking for. With the CRA a CE mark is also required for "products with digital elements", i.e. (in very simplified terms) anything which can run code or can interact with code or is code.

EU CRA (Cyber Resilience Act)

Posted Jan 3, 2026 13:10 UTC (Sat) by Wol (subscriber, #4433) [Link]

That's where I took it from. In effect what I call the CRA mark, is a CE mark applied to software, no?

Cheers,
Wol

EU CRA (Cyber Resilience Act)

Posted Jan 3, 2026 22:46 UTC (Sat) by andrewaylett (guest, #181673) [Link] (1 responses)

Is it not more that the maintainers' employers may have responsibilities under the CRA, and the intent is that reporting to the security team does not by itself trigger any obligations or deadlines for the employers?

EU CRA (Cyber Resilience Act)

Posted Jan 4, 2026 10:27 UTC (Sun) by Wol (subscriber, #4433) [Link]

How?

Either the security problem exists within an employer's product "placed on the market" in which case an employee reporting a problem DOES trigger obligations - the employee knows therefore - as far as the law is concerned - the manufacturer/importer/whoever also knows, or

The employer is not connected with the product at risk, and unless they are the steward for the software in question (not the case if the employee is either (a) working in his own time, or (b) working using time donated by the employer for projects of the employee's choice) the employer has no obligations at all. If they are the steward, and their employees work on the project, then they have to follow their declared guidelines.

Since this particular discussion started, it seems to me that the "steward" wording is aimed clearly at people like Google, Red Hat, Oracle, et al - the commercial distros and support-sellers.

Let's take Google, they provide a lot of services, under service contracts, to other companies. My company uses a lot of them ... One of those services, for example, is Gsheets. As far as our use of it is concerned, it's covered by the CRA because we have a support contract. But the whole point of the steward wording is to say that if I as a private individual (as opposed to a company employee) make use of Gsheets for my own personal use, any bugs I find are reported to Google in their role of steward. AND NO LEGAL LIABILITY RESULTS. Google, however, are now aware of the bug, and are expected to follow their declared procedures. Failure to do that *probably* *will* trigger liability, because combine a known bug, declared procedures, *and* *support* *contracts*, the regulator will say "you should have fixed it under the support contracts". Coupled with the requirement under the CRA to report any bugs and fixes upstream, that means I as a private individual get to see the bug fixed, otherwise Google forfeit their legal protection as steward.

Cheers,
Wol

EU CRA (Cyber Resilience Act)

Posted Jan 6, 2026 15:02 UTC (Tue) by coriordan (guest, #7544) [Link]

> I know that various foundations have employed FUD tactics to get
> small FOSS projects to join them due to the perceived CRA threats.

No they haven't.

EU CRA (Cyber Resilience Act)

Posted Jan 6, 2026 15:57 UTC (Tue) by pizza (subscriber, #46) [Link] (8 responses)

> I know that various foundations have employed FUD tactics to get small FOSS projects to join them due to the perceived CRA threats.

Please keep in mind that nearly all of the "HOLY CRAP THIS IS BAD" reactions [1] were to the initial CRA drafts, which were every bit as bad as those early reactions claimed. The folks drafting the CRA listened to the feedback and did a very good job [2] addressing the concerns of F/OSS authors and maintainers, resulting in the final form of the CRA being vastly superior to what was first proposed.

Folks that only saw the final as-ratified version of the CRA will of course wonder what the big deal was, but as the saying goes, this is how sausage gets made. The final form looks pretty and clean but what goes into it is anything but.

[1] Quite a few of which were from EU-based entities
[2] I say that as a particularly loud critic of the initial draft

EU CRA (Cyber Resilience Act)

Posted Jan 6, 2026 18:30 UTC (Tue) by pizza (subscriber, #46) [Link] (7 responses)

> The folks drafting the CRA listened to the feedback and did a very good job [2] addressing the concerns of F/OSS authors and maintainers,

I should add that the legislative _intent_ of the CRA was not really known until later drafts came out that positively incorporated this feedback. Up until that point, we had no way of knowing that the aformentioned problems were not an *intentional* feature (or an unfortunately necessary side effect) of the legislation.

EU CRA (Cyber Resilience Act)

Posted Jan 7, 2026 17:25 UTC (Wed) by kleptog (subscriber, #1183) [Link]

> I should add that the legislative _intent_ of the CRA was not really known until later drafts came out that positively incorporated this feedback.

The legislative intent of legislation is determined by the Parliament/Council on the basis of the amendments that are approved. There is no gatekeeping, the Commission cannot control which way the legislation evolves.

If anything, the process demonstrated (to me anyway) that the Open source/Free software movement has a wide base of support and the process works as designed. Even the Council amendments were largely pro-open source.

We (collectively) have more influence than we realise IMHO.

EU CRA (Cyber Resilience Act)

Posted Jan 14, 2026 0:43 UTC (Wed) by SLi (subscriber, #53131) [Link] (5 responses)

> I should add that the legislative _intent_ of the CRA was not really known until later drafts came out that positively incorporated this feedback.

I've come to believe that legislative intent is a myth and legal fiction that tries come up with the least damaging theory for why the law ended up the way it did.

Basically, any time you have three or more people voting for something, this is in play. We have the intents of the three people, and the output of the process, which at best reflects a found acceptable compromise that allowed two of the three people to say "I prefer that to no law; it does look a bit schizophrenic and I don't know what it means, but seems low-risk".

By no means applies only to law.

EU CRA (Cyber Resilience Act)

Posted Jan 15, 2026 9:16 UTC (Thu) by taladar (subscriber, #68407) [Link] (4 responses)

If we gave up that fiction we would have to acknowledge that many laws are approved or rejected on reasons that are either not sane (e.g. biases) or self-serving (benefits your particular voting district or campaign donor or increases your personal career chances as a politician). And at that point we probably would have to question whether it is sensible at all to just vote on 1000 page laws at all by people who have first seen those laws the day before.

EU CRA (Cyber Resilience Act)

Posted Jan 15, 2026 10:04 UTC (Thu) by kleptog (subscriber, #1183) [Link] (3 responses)

> And at that point we probably would have to question whether it is sensible at all to just vote on 1000 page laws at all by people who have first seen those laws the day before.

But why do lawmakers accept that bills are that large? AIUI it's mostly a US phenomenon. In Australia for example it is required by the constitution that budget/tax/tariff bills must only deal with that single thing and cannot be combined with any other bills. ISTM they learned from the American experience. And elsewhere it's at least a cultural expectation that you don't combine bills covering unrelated topics.

All it would take is for a group of lawmakers to refuse to vote for such combination bills and the problem would go away. That this doesn't happen just shows there are deeper problems.

EU CRA (Cyber Resilience Act)

Posted Jan 15, 2026 12:08 UTC (Thu) by Wol (subscriber, #4433) [Link] (2 responses)

And this is why gutting the House of Lords is such a disaster. You had plenty of people who would go in to the House to debate bills, and they would take the effort to read them, and because they had ended up in the Lords by accident they would probably have had a lot of relevant experience.

The Commons precisely hated the Lords because so much legislation got voted down with "this isn't going to work", while the Commoners, with an eye on getting re-elected, just wanted it passed whether it made sense or not.

Cheers,
Wol

EU CRA (Cyber Resilience Act)

Posted Jan 15, 2026 15:32 UTC (Thu) by taladar (subscriber, #68407) [Link] (1 responses)

Maybe we need the equivalent of a linter for legislation, some purely rule-based rejection mechanism that is non-political precisely because it just applies to purely factual objections and those objects have to be validated for every bill?

EU CRA (Cyber Resilience Act)

Posted Jan 15, 2026 15:45 UTC (Thu) by daroc (editor, #160859) [Link]

There are a handful of interesting projects along those lines, actually. The most complete and useful is probably Catala: https://github.com/CatalaLang/catala