EU CRA (Cyber Resilience Act)

Posted Jan 6, 2026 15:57 UTC (Tue) by pizza (subscriber, #46)
In reply to: EU CRA (Cyber Resilience Act) by hailfinger
Parent article: Kroah-Hartman: Linux kernel security work

> I know that various foundations have employed FUD tactics to get small FOSS projects to join them due to the perceived CRA threats.

Please keep in mind that nearly all of the "HOLY CRAP THIS IS BAD" reactions [1] were to the initial CRA drafts, which were every bit as bad as those early reactions claimed. The folks drafting the CRA listened to the feedback and did a very good job [2] addressing the concerns of F/OSS authors and maintainers, resulting in the final form of the CRA being vastly superior to what was first proposed.

Folks that only saw the final as-ratified version of the CRA will of course wonder what the big deal was, but as the saying goes, this is how sausage gets made. The final form looks pretty and clean but what goes into it is anything but.

[1] Quite a few of which were from EU-based entities
[2] I say that as a particularly loud critic of the initial draft

to post comments

EU CRA (Cyber Resilience Act)

Posted Jan 6, 2026 18:30 UTC (Tue) by pizza (subscriber, #46) [Link] (7 responses)

> The folks drafting the CRA listened to the feedback and did a very good job [2] addressing the concerns of F/OSS authors and maintainers,

I should add that the legislative _intent_ of the CRA was not really known until later drafts came out that positively incorporated this feedback. Up until that point, we had no way of knowing that the aformentioned problems were not an *intentional* feature (or an unfortunately necessary side effect) of the legislation.

EU CRA (Cyber Resilience Act)

Posted Jan 7, 2026 17:25 UTC (Wed) by kleptog (subscriber, #1183) [Link]

> I should add that the legislative _intent_ of the CRA was not really known until later drafts came out that positively incorporated this feedback.

The legislative intent of legislation is determined by the Parliament/Council on the basis of the amendments that are approved. There is no gatekeeping, the Commission cannot control which way the legislation evolves.

If anything, the process demonstrated (to me anyway) that the Open source/Free software movement has a wide base of support and the process works as designed. Even the Council amendments were largely pro-open source.

We (collectively) have more influence than we realise IMHO.

EU CRA (Cyber Resilience Act)

Posted Jan 14, 2026 0:43 UTC (Wed) by SLi (subscriber, #53131) [Link] (5 responses)

> I should add that the legislative _intent_ of the CRA was not really known until later drafts came out that positively incorporated this feedback.

I've come to believe that legislative intent is a myth and legal fiction that tries come up with the least damaging theory for why the law ended up the way it did.

Basically, any time you have three or more people voting for something, this is in play. We have the intents of the three people, and the output of the process, which at best reflects a found acceptable compromise that allowed two of the three people to say "I prefer that to no law; it does look a bit schizophrenic and I don't know what it means, but seems low-risk".

By no means applies only to law.

EU CRA (Cyber Resilience Act)

Posted Jan 15, 2026 9:16 UTC (Thu) by taladar (subscriber, #68407) [Link] (4 responses)

If we gave up that fiction we would have to acknowledge that many laws are approved or rejected on reasons that are either not sane (e.g. biases) or self-serving (benefits your particular voting district or campaign donor or increases your personal career chances as a politician). And at that point we probably would have to question whether it is sensible at all to just vote on 1000 page laws at all by people who have first seen those laws the day before.

EU CRA (Cyber Resilience Act)

Posted Jan 15, 2026 10:04 UTC (Thu) by kleptog (subscriber, #1183) [Link] (3 responses)

> And at that point we probably would have to question whether it is sensible at all to just vote on 1000 page laws at all by people who have first seen those laws the day before.

But why do lawmakers accept that bills are that large? AIUI it's mostly a US phenomenon. In Australia for example it is required by the constitution that budget/tax/tariff bills must only deal with that single thing and cannot be combined with any other bills. ISTM they learned from the American experience. And elsewhere it's at least a cultural expectation that you don't combine bills covering unrelated topics.

All it would take is for a group of lawmakers to refuse to vote for such combination bills and the problem would go away. That this doesn't happen just shows there are deeper problems.

EU CRA (Cyber Resilience Act)

Posted Jan 15, 2026 12:08 UTC (Thu) by Wol (subscriber, #4433) [Link] (2 responses)

And this is why gutting the House of Lords is such a disaster. You had plenty of people who would go in to the House to debate bills, and they would take the effort to read them, and because they had ended up in the Lords by accident they would probably have had a lot of relevant experience.

The Commons precisely hated the Lords because so much legislation got voted down with "this isn't going to work", while the Commoners, with an eye on getting re-elected, just wanted it passed whether it made sense or not.

Cheers,
Wol

EU CRA (Cyber Resilience Act)

Posted Jan 15, 2026 15:32 UTC (Thu) by taladar (subscriber, #68407) [Link] (1 responses)

Maybe we need the equivalent of a linter for legislation, some purely rule-based rejection mechanism that is non-political precisely because it just applies to purely factual objections and those objects have to be validated for every bill?

EU CRA (Cyber Resilience Act)

Posted Jan 15, 2026 15:45 UTC (Thu) by daroc (editor, #160859) [Link]

There are a handful of interesting projects along those lines, actually. The most complete and useful is probably Catala: https://github.com/CatalaLang/catala