
Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 15, 2022 16:12 UTC (Tue) by mgb (guest, #3226)
Parent article: Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Like many EU regulations this is designed to help big corporations over small businesses. It really has nothing to do with software quality.

Nobody will actually ship any bug free software - and I say this as someone who has shipped a few small scale commercial products in which no bugs were ever reported.

Small businesses will be overwhelmed by the paperwork or swatted like flies whenever they look set to compete on some behemoth's turf.

Big businesses will have somebody fill out some forms and when the inevitable bugs surface they can afford the lawyers to avoid any serious consequences.


Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 15, 2022 18:41 UTC (Tue) by mfuzzey (subscriber, #57966) [Link]

I'm not sure the legislation was *designed* to favour large corporations.

But I do agree it may have that effect.

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 16, 2022 15:26 UTC (Wed) by nilsmeyer (guest, #122604) [Link] (1 responses)

This also seems to create more jobs for bureaucrats. I remember quite a few audits where all that happens is that people just look at all the "paperwork" (now digital) and nobody looks at the code. Then in the end the liability is so diluted that no one can be held responsible, especially not any government agency that on principle doesn't suffer consequences from mistakes.

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 17, 2022 7:59 UTC (Thu) by eduperez (guest, #11232) [Link]

I think this law tries to combat the no-consequences issue: now the company selling the device / service will be responsible for their safety.

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 17, 2022 13:18 UTC (Thu) by zoobab (guest, #9945) [Link]

"Like many EU regulations this is designed to help big corporations over small businesses."

Same story for software patents.

The patent industry is about to launch the Unified Patent Court, where the judges are pro-software patents.

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 19, 2022 16:24 UTC (Sat) by kleptog (subscriber, #1183) [Link] (1 responses)

To be honest, I don't see how small businesses would be unduly affected. It's not like anyone is promising code is bug-free. You just need to show you're making a best-effort to not ship *known* bugs. So:

* All code that is merged has been reviewed by another developer
* For any line of code you can work out who wrote it and when. And who reviewed it.
* Bugs that are reported are tracked and fixes can be linked to them
* For all code you import from elsewhere you have an identifiable source
* For each of those sources you track any notices of security related issues
* You don't ship known obsolete software
* If you see one of the components you use has a published security issue, you fix it or determine it's not relevant.
* For your released product you provide a way to deliver timely updates to your customers
* (Bonus points) You've done an architectural review to identify the risky parts of your product and spent some extra effort securing those.

Frankly, in this day and age I would consider the above to be the *absolute minimum* for a business selling a software product. This isn't paperwork, it's a basic checklist for "what makes a good software development environment". With Linux distributions, things like "npm audit" and "pip-audit" there is no excuse for not knowing if you're shipping anything with known issues. Someone like the Linux Foundation could turn this into a template conformity notice which you could cut and paste and adjust to suit.

The above would almost get you through an ISO27001 audit if you do some extra work.

Here open source has a significant advantage, because all these steps are public and to an extent automated. If you're using some proprietary library you have to cross your fingers that they're telling you about any issues they have.

By the way, I disagree EU regulations are mostly for big businesses. If you look at Brexit, it's the small businesses being driven to the wall, not the big ones.
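The "track security notices for each imported source, then fix or determine it's not relevant" items from the checklist above, as an added example that is not code from the LWN thread or from any project named in it. The advisory list, package names, advisory ids, pin file and exemption record are all constructed placeholders.

```python
# Minimal "known-issue gate" over pinned dependencies: every pin is matched
# against an advisory list, and a hit passes only when the pin is outside the
# affected range or carries a written "not relevant" justification.
import re

# Constructed advisories: (package, first affected, first fixed, placeholder id).
ADVISORIES = [
    ("examplelib", "1.0.0", "1.4.2", "ADV-PLACEHOLDER-1"),
    ("otherpkg", "2.0.0", "2.3.0", "ADV-PLACEHOLDER-2"),
    ("thirdpkg", "0.9.0", "0.9.5", "ADV-PLACEHOLDER-3"),
]

def parse_version(text):
    # '1.4.2' -> (1, 4, 2); suffixes such as 'rc1' are ignored.
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def parse_pins(requirements):
    # Accept only exact 'name==version' pins; skip comments, blanks and ranges.
    pins = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9][\w.]*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def audit(requirements, exemptions):
    # Returns (blocking, accepted); exemptions maps advisory id -> justification.
    pins = parse_pins(requirements)
    blocking, accepted = [], []
    for pkg, first_bad, first_fixed, adv in ADVISORIES:
        ver = pins.get(pkg)
        if ver is None:
            continue
        if parse_version(first_bad) <= parse_version(ver) < parse_version(first_fixed):
            (accepted if exemptions.get(adv) else blocking).append((pkg, ver, adv))
    return blocking, accepted

# Constructed sample pin file and exemption record.
SAMPLE_REQUIREMENTS = """
examplelib==1.4.1   # inside the affected range, no justification: blocks
otherpkg==2.3.0     # first fixed version: not affected
thirdpkg==0.9.2     # affected, but documented as not relevant below
"""
SAMPLE_EXEMPTIONS = {"ADV-PLACEHOLDER-3": "vulnerable code path is not compiled in"}

if __name__ == "__main__":
    bad, ok = audit(SAMPLE_REQUIREMENTS, SAMPLE_EXEMPTIONS)
    for pkg, ver, adv in bad:
        print(f"BLOCK {pkg}=={ver}: {adv} (fix it or record why it's not relevant)")
    raise SystemExit(1 if bad else 0)
```

A real pipeline would replace the constructed ADVISORIES with output from a tool such as pip-audit and keep the exemption record under review, so that every accepted hit has a named owner and a reason.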

EU regulations versus business size

Posted Nov 20, 2022 11:12 UTC (Sun) by farnz (subscriber, #17727) [Link]

One thing people don't take into account when looking at regulations is that they result in it being simpler to sell to people with lots of choices. If you want to sell to Intel, or Sony, or Apple, or any other large buyer, they will impose "standard terms" on you that you must meet in order to sell to them. In the absence of regulation, those standard terms, while having the same objective, will each impose a different compliance burden on the seller to meet the buyer's conditions.

Regulations change that - everyone has to meet the regulations, and so big buyers replace pages and pages of requirements that you must meet with "you will comply with this regulation, and you will provide this indemnity against any costs we incur as a result of your non-compliance". As a small business, you're now able to compete much more easily - the job you do to comply with the regulations so that you can sell to Intel means that if the Intel deal falls through, you can reuse most of that work as part of trying to sell to Sony, or Apple, or another large buyer.

You see similar in hardware - if I have to write a driver for a chip for every OS out there (FreeBSD, OpenBSD, NetBSD, Linux, Android, macOS, iOS, Windows, QNX, VxWorks, Nucleus, and all the others) in order to sell it, it's hard to compete with established players who've already done all that work. If I just have to supply a source-form driver for Android and can rely on my customers porting to whatever OS they care about, it's a lot easier.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds