
Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 16, 2022 12:11 UTC (Wed) by farnz (subscriber, #17727)
In reply to: Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs) by pabs
Parent article: Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

The notice of conformity applies to the device as sold, and obliges the supplier to meet the obligations set out in the notice of conformity. It does not extend beyond that.

If you're selling a device without software, you'd be crazy to have your notice of conformity cover any arbitrary software that's installed; instead, your notice would cover just the hardware, and you're only on the hook if the user can show that the hardware does not comply with the notice of conformity.



Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 17, 2022 4:25 UTC (Thu) by pabs (subscriber, #43278)

Excellent, so this law incentivizes selling devices without an OS and giving consumers choice over which OS they install. Sounds exactly like what the Free Software movement wants, although I expect many consumers will really dislike having to choose and install an OS.

Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)

Posted Nov 17, 2022 11:36 UTC (Thu) by farnz (subscriber, #17727)

Yes, just as it incentivizes selling engines, wheels, fuel tanks, chassis, steering etc. separately over selling cars, and giving consumers a choice of how they put their car together.

In practice, the consumer pressure to sell a complete car, with more obligations on the seller than car components have in aggregate (since you're also responsible now for the way the parts are put together, and for interaction between parts) results in companies not going down that route. I suspect that the same will be true of computers, phones etc. - selling a complete device, and taking responsibility for the whole thing, is easier than selling hardware without an OS (but with lesser guarantees) and a separate OS that makes guarantees on the assumption of hardware functioning in certain ways, thus not being responsible if the OS requirements to be secure aren't met by the guarantees the hardware offers.

