
Risks of misinformation

Posted Sep 25, 2023 6:29 UTC (Mon) by mrybczyn (subscriber, #81776)
In reply to: Risks of misinformation by jschrod
Parent article: The European Cyber Resilience Act

The author of the article here:

I'm also concerned by misinformation and lack of information on this subject. The article is based on my reading of the proposal and amendments, using only public sources (this is the general LWN policy). If you find any errors or omissions, please let me know. This is a complex matter, so they are possible.

For now, however, I can see nobody pointing out any factual errors in this discussion.

I think the CRA is too important to wait until all is set in stone. This is the reason for this writing. This is also why there are so many conditionals - the impact depends on standards yet to be written.

Like probably everyone in the discussion, I have stakes in the outcome. I'm running a consulting business concentrated on embedded open-source security. My detailed bios are easy to find online.

And finally, if you want to discuss the subject more, there are various conferences with CFPs coming up. Submitting a panel is a possibility that could be really interesting.



Risks of misinformation

Posted Sep 25, 2023 11:09 UTC (Mon) by kleptog (subscriber, #1183)

I'd like to thank you for writing this article. I don't usually associate LWN with these kinds of topics, but for this I think it might be exactly the right audience to reach. I didn't see any factual inaccuracies; you do make the correct point that the original draft was unclear in a number of areas. The amended versions are much better, but there is also a process of awareness needed for people to understand what is actually intended and how the whole process is intended to work.

I think the EP committees and Council working parties are doing their level best to make this work and nobody is trying to kill open-source software. In fact, I feel both the Council and the Parliament went out of their way to clarify the impact on open-source projects and reduce work for small businesses. It doesn't help that much of the text is working out who is responsible for what, and what the powers and responsibilities of the Commission are, which means that it's somewhat vague on some details, because the point is they are worked out later. The EU doesn't generally write standards (it doesn't have the manpower), it adopts them from elsewhere, which is why I think it's helpful for people to get ahead in thinking about how they'd like this to work and formalise it. Otherwise I fear we'll end up with Microsoft deploying a proprietary AI model on GitHub to determine the "security health" of projects, with no support if it produces strange results. We can do better.

Thanks again. I learned a lot from this article and ensuing discussion, and I hope others did too.


Copyright © 2025, Eklektix, Inc.