More from ISC and others
Posted Apr 22, 2023 13:46 UTC (Sat) by fanf (guest, #124752)
Parent article: The Python Software Foundation on European cybersecurity
ISC’s earlier blog post on the CRA has many links to comments from others. The main topic is a longer statement with more analysis and nuance than would fit in the more recent letter.
(I work for ISC but I am not involved in the CRA discussions.)
Posted Apr 22, 2023 15:00 UTC (Sat)
by kleptog (subscriber, #1183)
[Link] (2 responses)
That blog post is very nice and makes many good points, including some I hadn't seen before. But near the end it makes some stumbles:
> The regulation will take effect in 24 months.
No it won't; it isn't anywhere near adoption, and it's not even guaranteed to reach the finish line. This appears to misunderstand the legislative process.
> Consult with the open source community in developing a plan to regulate it. Perhaps this should have been my first suggestion?
That's what's been happening the last few months, isn't it? Before this no doubt several people associated with the open source community would have been consulted, but unless you have an actual draft text those conversations tend to be quite abstract and fuzzy. Now there is a draft text, the conversations become much more productive.
This is no different from the process of writing software for a customer. You don't get any useful feedback before the first mock-up/proof of concept.
> Nothing in this regulation will improve the cybersecurity of open source.
That wasn't the goal, I think the authors wanted to exclude open source altogether and make cybersecurity the problem of businesses selling products/services to customers (since that's the area where the EU actually has a mandate). This cuts both ways, since it would free open source developers from regulation, but also mean no effort would be made to improve the security of open-source.
If the feedback over the last few months has demonstrated anything, it's that the boundary between open-source and commercial software is much more complicated and nuanced than the authors of the CRA expected. The solution is probably not to exclude open-source from consideration altogether, but to explicitly describe its role in the whole cybersecurity environment.
Posted Apr 22, 2023 20:32 UTC (Sat)
by kleptog (subscriber, #1183)
[Link] (1 response)
> Consult with the open source community in developing a plan to regulate it. Perhaps this should have been my first suggestion?
There was first a public consultation 16 March 2022 - 25 May 2022 with 108 submissions.
Number of submissions from open-source organisations: zero
But ok, maybe it wasn't clear that open-source projects would be impacted here. Given this input it's clear why open-source projects weren't a major part of the proposal. However, in September the actual proposal was released and the second public consultation ran till 23 January 2023 with 131 submissions.
Number of submissions from open-source(-ish) organisations: OpenForum Europe, OSSF, TDF, OSI.
This kinda shocked me actually. The excellent ISC blog references a number of other excellent comments. How many of those made a submission as part of the public consultation? ZERO. (That I could recognise, I didn't actually open them all).
This indicates to me that as a community we're very good at talking to each other but very bad at dealing with the regulatory environment around us. Where are the submissions from Red Hat and SUSE? Why didn't the ISC paste their blog into a document and submit it? Hell, why didn't someone just copy and paste a whole bunch of the better blogs and submit it on their behalf? The Python Software Foundation writes about it, only 3 months too late.
It's good that some open-source organisations made the effort, but we really need to get better at this. Ignoring the rest of the world and hoping they ignore you isn't going to work forever.
Source: https://ec.europa.eu/info/law/better-regulation/have-your...
Posted Apr 23, 2023 23:26 UTC (Sun)
by comex (subscriber, #71521)
[Link]
Number of submissions businesses primarily earning money from open-source: zero
On the other hand, IBM, Huawei, Broadcom, Microsoft made submissions.
Number of submissions businesses primarily earning money from open-source: zero (didn't recognise any)
There were submissions from the Internet Infrastructure Coalition and RIPE.
And of course: Github, Apple, Blackberry, Huawei, Microsoft, IBM, Google all made submissions.