|
|
Log in / Subscribe / Register

EU CRA (Cyber Resilience Act)

EU CRA (Cyber Resilience Act)

Posted Jan 3, 2026 9:31 UTC (Sat) by kleptog (subscriber, #1183)
In reply to: EU CRA (Cyber Resilience Act) by hailfinger
Parent article: Kroah-Hartman: Linux kernel security work

I really hope we can avoid a massive discussion CRA here again. This horse has been quite beaten to death. Especially since the whole discussion tends to get mired in the fundamentally different way Europe and the US regulate markets. Europe tends to write out a description of how they want the market to work and then rely on the market participants to keep each other honest. The US tends to be more prescriptive and sets the government up as judge, jury and executioner, and the market participants spend their time trying to figure out how to avoid scrutiny.

Case in point: open source stewards. Who decides who is one? No-one. Don't give yourself that label and you're all set. That text is largely aspirational, it describes how the EP expects open source to work within the CRA framework. Its value is largely in making clear to the CxOs that all those people doing unpaid open-source work are not responsible for their bonuses. For extra clarity, Article 64.10b says stewards can't be fined, even if you could figure out who they are.

European law is largely written by people with no legal training, which means you get a lot of text of dubious legal value. A significant chunk of the Parliament and Council are very careful to make sure the EU (and governments in general) don't actually gain any powers that aren't strictly required. Concentrated executive power (we know from experience) is very risky. Read any contracts before you sign them, that's the most important lesson.

But I can say from personal experience that CRA also has for me also made it way easier to get time for security and software maintenance. Suddenly SBOMs are on the agenda, after years of being summarily dismissed.

to post comments

EU CRA (Cyber Resilience Act)

Posted Jan 5, 2026 15:12 UTC (Mon) by poruid (subscriber, #15924) [Link] (3 responses)

Excuse me, but stating that EU law is written by legal nitwits is baseless.

Besides that, the CRA as far as FOSS is concerned, has been modelled to ensure that downstream free riders MUST upstream fixes that the CRA obliges them to provide. That is good, very good.

EU CRA (Cyber Resilience Act)

Posted Jan 5, 2026 16:09 UTC (Mon) by Wol (subscriber, #4433) [Link] (2 responses)

And while it's a hobby horse of mine, assuming that a lawyer understands the law - even in his own specialty! - is a dangerous thing to do. As a doctor mate of mine once said - "50% of people are below average intelligence, so what does that say about doctors?". The same could be said about lawyers - and once you assume that all your hot-shots are in high powered jobs, what does that say about your average high street doctor or lawyer!!!

Mix a high intelligence, and a good grasp of the detail, and you don't need to be a professional to outperform your typical high-street practitioner.

Mind you, you also need my attitude to electrics - as an okay amateur sparky, my FIRST response to any job is "if I don't understand it, get a professional involved". You can then assess the professional's competence ...

Cheers,
Wol

EU CRA (Cyber Resilience Act)

Posted Jan 5, 2026 16:39 UTC (Mon) by mathstuf (subscriber, #69389) [Link] (1 responses)

> As a doctor mate of mine once said - "50% of people are below average intelligence, so what does that say about doctors?".

My gripe with this is that they're actually talking about the median. It also assumes doctors are uniformly sampled across the "intelligence spectrum" (as measured by, presumably, IQ) and all the faults with that.

I don't think anyone would say "50% of people at IAS in the 1930's and 1940's were below average intelligence" without also having a footnote of "but all are sampled from the top 1% of the world population". And the internal rankings would certainly differ from those on the outside (cf. Einstein and him ranking Gödel as above himself, IIRC).

EU CRA (Cyber Resilience Act)

Posted Jan 5, 2026 17:37 UTC (Mon) by Wol (subscriber, #4433) [Link]

I don't know that intelligence *should* be a factor in sampling people to become doctors (other than filtering out the subnormal). Certainly in my case intelligence seems to have been a DEselection criteria. I got grades A, B, B, your typical offer iirc was about C, D, D, and your successful candidate typically achieved B, C, C. Certainly I think only ONE of my successful fellow candidates from school got a higher grade.

Absent reliable information one way or the other, I'm happy to assume reasonably random selection (although of course I've missed the fact that school leavers rig the criteria somewhat. That said, so do English Public Schools in the opposite direction, where a lot of people who get good grades come over as "rich and stupid".

However you play it though, my experience of legal work leaves me inclined to put the two letters "in" in front of your average lawyer's competence.

Cheers,
Wol


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds