Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

It is just a proposal, I doubt it will go anywhere as is, but worth for people to take action.

To me, if it does pass as is, I can see development moving out of the EU, leaving the EU stuck with proprietary environments. Maybe UK will be positioned well for this ?

The problem is: we all agree that it would be really nice if all the software systems we used were secure, but we'd prefer if the costs for making that happen weren't borne by open-source software developers. But the question is: who will do it instead? The tooth fairy? The invisible hand of the market?

It does propose an exemption for open-source software, but doesn't answer the question of who will do the work instead. We can make regulations that say something should happen, but it's all pointless unless someone actually does the work. We don't want to swamp start-ups in compliance work, but giving them a free-pass to produce shitty products isn't really a good alternative either.

One approach would be to turn such "critical software" into a public good. The regular auditing of such product would be something undertaken or funded by a central authority. Or perhaps companies that do audits of open source software they use could actually publish the results. But that doesn't really help, because audits for complex software don't tend to find all the bugs. In general you're better off ensuring a good update mechanism than proving your software is bug-free.

Overall, I'm glad people are thinking about these issues, but I don't think it's going to be solved by regulation at this point. But you know, hammers and nails and all that.

Direct link to proposal: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

I'm also concerned about the continued possibility of replacing proprietary firmware found on many devices with free variants, for example by installing OpenWRT on routers and LineageOS on Android devices. Vendors and auditors may consider replacing firmware on their devices as problematic (what if a hacker replaced the software with one containing a backdoor!) and block it.

It strikes me that EO 14028 (a US Executive Order Improving the Nation's Cybersecurity, about 18 months ago) is a similar context. An EO is as its name might imply if you understand the crazy US government structure, something from the Executive, thus the US President, which feeds into US Federal agencies, such as NIST and the NSA in this case.

The medium term impact of EO 14028 was stuff like P2687R0 which is the first step of a proposal for C++ 26 describing this as an "Emergency" because of course the agencies said if you want secure software you should stop writing C and C++ (this draft proposal was written by Bjarne Stroustrup whose name might ring a bell)

I see P2687 and similar efforts as mostly an attempt to say "We're doing something" in the hope that politicians will quickly forget about this, the proposed work can then be abandoned, or at least limited to documentation which is then abandoned, and life goes on. It is certainly the case that there's lots of C and C++ Free Software. On the other hand though, there's also a LOT of Free Software written in languages which these reports say you should consider instead, such as Java and Python and most relevantly in this context (and to LWN) Rust.

So this has that crisis property where aspects of danger and opportunity combine. To the extent that Free Software prefers C to something safer like Java, there are risks that world governments will decide they value safety more heavily than before and choose non-free alternatives which don't have use-after-free bugs. On the other hand, to the extent Free Software communities embrace safety features more readily than big slow proprietary behemoths there's a chance worthy Free Software solutions dominate inferior but widespread and commercially successful alternatives that can't make themselves safer enough, quickly enough.

It is unclear to me, and perhaps somebody with the right perspective can explain, why both the US and EU decided they want their computers to be secure specifically in the last 2-3 years but not say, in the 1990s or 2000s.

There's an online session on 22 November by the European Commission about the Cyber Resilience Act:

https://digital-strategy.ec.europa.eu/en/events/cyber-resilience-act-new-eu-cybersecurity-rules-ensure-safer-hardware-and-software

Where I work, buildroot is used to build a base image, on which we add our own software / Web UI.
We don't have the resources to assess the security property of this 'base image bundle'. Is the buildroot project able to provide some kind of security assessment ?
I guess the same questions goes for openEmbedded based images, or distro based embedded systems.
Beyond looking at the software project, and saying "looks like they do stable release, should be ok for us" there is not much more i can do given my limited skills :)

Like many EU regulations this is designed to help big corporations over small businesses. It really has nothing to do with software quality.

Nobody will actually ship any bug free software - and I say this as someone who has shipped a few small scale commercial products in which no bugs were ever reported.

Small businesses will be overwhelmed by the paperwork or swatted like flies whenever they look set to compete on some behemoth's turf.

Big businesses will have somebody fill out some forms and when the inevitable bugs surface they can afford the lawyers to avoid any serious consequences.

Find out who is in support of the regulation and choose your side accordingly. As a general rule, if Google, Meta, and Microsoft are in favor of a rule, I will be against it, regardless of what people tell me the regulation does. I need more details that a press release to pick a side on this one.

Maybe I've missed it but I didn't find a definition of "essential requirements".

So it makes me wonder if the proposed regulation (will) take into account the threat models and use cases?

In many cases security is very subjective or dependent on the context.

For instance Damn Vulnerable Linux ( https://en.wikipedia.org/wiki/Damn_Vulnerable_Linux ) has been made vulnerable on purpose but it's not a threat for users unless it's misused.

Another example is with booting: Having a bootrom exploit is often a good thing for free software as we can then have free software bootloaders on devices[1], etc. Restricted boot is also not desirable from a user freedom point of view.

If I understood right it may apply on these cases because the software "is designed to run with elevated privilege or manage privileges;", and the commercial activities isn't clearly defined. The question here is what is these "essential requirements"?

I also wonder if they (will) have exceptions for the second hand market because there are often known security vulnerabilities in older devices. For instance for smartphones there are many security flaws in the modem of older devices like remotely exploitable bugs (like a bug in some ASN-1 related software[2]) and you could also see the support of older protocols as broken because their encryption is too weak from today's point of view. And here that assumes that there is some community distribution that is up to date when the devices are sold. If there isn't (which is probably the case most of the time) then the devices are vulnerable.

And here too proper funding can be part of the solution. For instance the EU has funds to improve privacy and work on free software projects with that through organizations like NLnet (https://nlnet.nl/)[3]. So here funding people to upstream support for devices in Linux and various other projects could help.

References:
---------------
[1]https://switch.homebrew.guide/hacking/fuseegelee/sdsetup
[2]https://neo900.org/news/about-the-asn1-vulnerability
[3]I've no idea if that's related to NLnet labs or not.

Denis.