
EU's Proposed CE Mark for Software Could Have Dire Impact on Open Source (devclass.com)

The EU's proposed Cyber Resilience Act (CRA), which aims to "bolster cybersecurity rules to ensure more secure hardware and software products," could have severe unintended consequences for open source software, according to leaders in the open source community. From a report: The proposed Act can be described as CE marking for software products and has four specific objectives. One is to require manufacturers to improve the security of products with digital elements "throughout the whole life cycle." Second is to offer a "coherent cybersecurity framework" by which to measure compliance. Third is to improve the transparency of digital security in products, and fourth is to enable customers to "use products with digital elements securely."

The draft legislation includes an impact assessment that says "for software developers and hardware manufacturers, it will increase the direct compliance costs for new cybersecurity requirements, conformity assessment, documentation and reporting obligations." This extra cost is part of a total cost of compliance, including the burden on businesses and public authorities, estimated at EUR 29 billion ($31.54 billion), and consequent higher prices for consumers. However, the legislators foresee a cost reduction from security incidents estimated at EUR 180 to 290 billion annually. The question is though: how can free software developers afford the cost of compliance, when lack of funding is already a critical issue for many projects? Mike Milinkovich, director of the Eclipse Foundation, said it is "deeply concerned that the CRA could fundamentally alter the social contract which underpins the entire open source ecosystem: open source software provided for free, for any purpose, which can be modified and further distributed for free, but without warranty or liability to the authors, contributors, or open source distributors. Legally altering this arrangement through legislation can reasonably be expected to cause unintended consequences to the innovation economy in Europe."

  • Life without OSS (Score:5, Insightful)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday January 26, 2023 @10:29AM (#63242139) Homepage Journal

    How does the EU propose to function without the software that the internet runs on? How does the EU propose to function without timely security updates?

    • by timeOday ( 582209 ) on Thursday January 26, 2023 @10:42AM (#63242181)
      My guess is some company (RHEL?) would supply the services and accountability/liability, for a price of course.

      The summary calls this an "unintended consequence," but it is intended, or at least inevitable, that everything gets a whole lot more restrictive if you truly want to eliminate unverified code [xkcd.com] all the way through your stack. Developers may end up with a restricted distribution with a small number of packages available for use as the cost of verifying each one is high.

      Everybody on the internet (slashdot) is always clamoring for heads to roll when bugs cause problems and nobody is accountable, but be careful what you wish for. If you've ever worked in a high-consequence software environment, it is not fun, and not productive. It is necessary sometimes. But carelessly applying all that process to everything would be a huge downer.

      • Honestly, I think it would be fantastic to have a solid well-reviewed software base. One of my biggest complaints about people who write OSS is that most seem to have zero problem with including a massive number of dependencies, obscure or otherwise.

        I would also love it if glibc would stop expanding because it keeps giving itself new CVEs.

      • Re:Life without OSS (Score:4, Informative)

        by laughingskeptic ( 1004414 ) on Thursday January 26, 2023 @08:33PM (#63243709)
        A lot of core, vetted open source software is available via the Air Force's Ironbank repo that is part of PlatformOne. https://p1.dso.mil/products/ir... [dso.mil] Their focus is containers for K8S, but source is available for everything in their pipeline.
    • Re:Life without OSS (Score:5, Interesting)

      by gweihir ( 88907 ) on Thursday January 26, 2023 @10:53AM (#63242203)

      It will not do any of those things. What happened is that some commercial OSS and closed-source providers got a story out that is grossly misstating the facts, because they see their profits threatened which they make by screwing over their customers. You can still use "absolutely no warranty" FOSS even in heavily regulated environments. You just need to declare it and do proper risk management. And that is a good thing.

      Incidentally, I happen to know from some large banks that FOSS is in heavy use and not just RHEL or SEL. What I had to do to get a specific piece of FOSS software into production in one of them was to declare what it is, where it comes from, how the sources will be archived and why I need it and what safeguards are in place to make sure it works as intended (i.e. does it go through regular testing?). All in all not hard to do as there already was an established procedure and FOSS decision board.

      • I get that the main packages (and dependencies) are archived in that kind of scenario, but how deep does dependency analysis go? Do they track that 5 internal projects all end up relying on some random library and the impact of a bug at that level?

        • Re:Life without OSS (Score:5, Informative)

          by gweihir ( 88907 ) on Thursday January 26, 2023 @12:09PM (#63242443)

          This is an excellent question. Especially in the context of web-frameworks where indirect dependencies are a massive problem.

          In this specific bank, there was an absolute prohibition against pulling in anything from outside. You had to get everything into the internal repositories and that meant getting it approved. That takes care of deep-dependencies. Yes, it also meant some frameworks were simply not available, but banks are places where you work with the computers and presentation is secondary.

          For my case, there were no external dependencies. It was a FOSS implementation of a not-quite so common numeric algorithm. My fallback would have been to charge them a week to implement it myself. This way, I spent maybe 2 hours of work to get it approved and waited a few weeks.

        • Something that gets the world of web development away from the current insane dependency hierarchies would not necessarily be a bad thing. They absolutely are a huge liability and a massive pile of security and legal problems waiting to happen. That absolutely does create a risk for anyone depending on them. And much of it absolutely isn't necessary and really is just down to the laziness or incompetence of the developers.

          The magic words in these discussions are always "reasonable" and "proportionate". That

          • A FOSS chart drawing tool is a little different to say zlib or OpenSSL. The latter two might indeed warrant certification given how they're embedded everywhere. Imagine the liability if you depended on OpenSSL and it had another Heartbleed.

          • The opposite end of the spectrum from "insane" large dependency hierarchies is a whole bunch of "unnecessarily expensively rewritten here and obviously generally bug-prone since low-use" code..

            The best compromise is tools that 1) give easy visibility into the structure of the dependency hierarchy and into all the code in the entire dependency hierarchy, and
            2) Maintain version management of dependencies explicitly, tightly, and easily inspectably.
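The two questions raised above (how deep dependency analysis goes, and what a tool that makes the whole hierarchy and its pinned versions inspectable looks like) can be answered mechanically once every package's direct dependencies are pinned. The following is an added example, not code from this thread or from any project mentioned in it; the manifests, the project names ("billing", "reporting", "payroll") and the library names are constructed sample data, and the {package: {dependency: version}} layout is a hypothetical simplification of a real lock-file format. It computes the transitive closure for each internal project, the reverse index (which projects end up relying on a given library), and the places where the tree pins two different versions of the same library.

```python
"""Transitive dependency analysis over constructed lock-file manifests.

Assumptions (not from the page): the manifests, project and package names
below are constructed sample data; the mapping format is a hypothetical
simplification of a real lock file (direct, pinned dependencies only).
"""
from collections import defaultdict

# Constructed sample: each internal project and third-party library lists
# its direct, pinned dependencies. Packages absent from the map are leaves.
LOCKFILES = {
    "billing":   {"webfw": "2.1.0", "pdfgen": "1.4.2"},
    "reporting": {"webfw": "2.1.0", "charts": "0.9.1"},
    "payroll":   {"pdfgen": "1.3.0"},
    "webfw":     {"httpcore": "5.0.1", "tinyutil": "0.2.0"},
    "pdfgen":    {"tinyutil": "0.2.0"},
    "charts":    {"tinyutil": "0.1.9"},
    "httpcore":  {},
    "tinyutil":  {},
}
INTERNAL_PROJECTS = ("billing", "reporting", "payroll")


def transitive_deps(root, lockfiles=LOCKFILES):
    """Return {package: depth} for every package reachable from root.

    depth 1 = direct dependency, 2 = dependency of a dependency, and so on.
    Breadth-first, so the recorded depth is the shortest path; packages with
    no manifest are treated as leaves and cycles are tolerated.
    """
    depths = {}
    frontier = [(root, 0)]
    while frontier:
        pkg, depth = frontier.pop(0)
        for dep in lockfiles.get(pkg, {}):
            if dep not in depths:  # first visit wins (shortest path)
                depths[dep] = depth + 1
                frontier.append((dep, depth + 1))
    return depths


def dependents_of(lib, projects=INTERNAL_PROJECTS, lockfiles=LOCKFILES):
    """Which internal projects transitively rely on lib (the reverse index)?"""
    return {p for p in projects if lib in transitive_deps(p, lockfiles)}


def version_conflicts(lockfiles=LOCKFILES):
    """Libraries pinned at more than one version somewhere in the tree."""
    pinned = defaultdict(set)
    for deps in lockfiles.values():
        for dep, version in deps.items():
            pinned[dep].add(version)
    return {dep: vs for dep, vs in pinned.items() if len(vs) > 1}


def render_tree(root, lockfiles=LOCKFILES):
    """Return an indented text rendering of root's full dependency tree."""
    lines = []

    def walk(pkg, version, depth, path):
        label = f"{pkg}=={version}" if version else pkg
        if pkg in path:  # guard against cyclic manifests
            lines.append("  " * depth + label + " (cycle)")
            return
        lines.append("  " * depth + label)
        for dep, ver in lockfiles.get(pkg, {}).items():
            walk(dep, ver, depth + 1, path | {pkg})

    walk(root, None, 0, frozenset())
    return "\n".join(lines)


if __name__ == "__main__":
    for project in INTERNAL_PROJECTS:
        print(render_tree(project))
        print()
    print("projects relying on tinyutil:", sorted(dependents_of("tinyutil")))
    print("version conflicts:", version_conflicts())
```

With the constructed data, all three projects turn out to depend on tinyutil even though none lists it directly, and tinyutil and pdfgen are each pinned at two different versions, which is exactly the kind of fact an approval board or an SBOM review needs in front of it before a bug at that level is assessed.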
            • No, there are other possibilities.

              One, which has worked well for a very long time in many languages, is having a good standard library available out of the box. JavaScript doesn't and that has probably cost the web development world many billions of dollars.

              Another is to have a culture around your language where third party libraries tend to be larger but self-contained. Then you probably only need a small number of dependencies covering major areas and the community and/or commercial suppliers can focus on

        • A snag here is that commercial software is usually just as bad. Someone claims you can get support, but the company goes bankrupt a year after you become dependent on it. If they're not out of business, you still don't get "support", instead you get access to newer versions, for a price, but if you're the only customer with a particular bug then chances are you'll never get it fixed and will have to do it yourself. You get source code much of the time with third party libraries, but then you get the heada

      • by AmiMoJo ( 196126 )

        Indeed, if you look at the current CE mark it only covers products sold in the EU. It is self certification, you don't have to pay anyone to do it if you have basic competency.

        Since OSS is not normally sold, it doesn't need a CE mark. If someone wants to sell it, they can add the CE mark on their distribution of it if they have bothered to do the basic cybersecurity checks.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Indeed, if you look at the current CE mark it only covers products sold in the EU. It is self certification, you don't have to pay anyone to do it if you have basic competency.

          Since OSS is not normally sold, it doesn't need a CE mark. If someone wants to sell it, they can add the CE mark on their distribution of it if they have bothered to do the basic cybersecurity checks.

          You are forgetting the next step, which will be that all EU organizations will only be able to run CE marked software, or their operations will not be insurable (or only at rates that are exorbitant). Individuals working on free software are not going to self-certify as the liabilities to themselves could be exorbitant.

        • by madsh ( 266758 )
          First one to actually understand what CE-like means.
      • I have written a fair bit of software as a hobby over years. Thinking of writing a linux version of some authorization control code I did for VMS years ago. The idea would be to allow access decisions based on more classes of info a computer might have (notably: what program is trying to open a file? where is it running? is it running on behalf of someone local?). I also want to be able to have the system respond to access denied conditions not only by returning an error, but optionally by opening another f
    • timely security updates? What's that? Even the major companies have issues with the word "timely."
    • Re:Life without OSS (Score:5, Informative)

      by thegarbz ( 1787294 ) on Thursday January 26, 2023 @05:51PM (#63243439)

      How does the EU propose to function without the software that the internet runs on? How does the EU propose to function without timely security updates?

      The EU proposes to function the way it always has by publishing a piece of legislation you just commented on without reading. I invite you to absorb clause 10:
      (10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

      So, a big nothingburger. Poor ol' Redhat will need to meet the requirements when they sell their product or services, but your free functioning open source dependent internet will keep on internetting along just fine.

      • by catprog ( 849688 )

        But will web hosting companies who use open source have to get the mark?

        In the context of software, a commercial activity might be characterized by providing a software platform through which the manufacturer monetises other services

    • by mjwx ( 966435 )

      How does the EU propose to function without the software that the internet runs on? How does the EU propose to function without timely security updates?

      I suspect this is just another "I hate the EU" rant in disguise.

      Here's the actual EU Cyber Resilience Act:
      https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act [europa.eu]

      By a quick read, it's more a set of guidelines than a binding law. It doesn't mention anything about OSS, it seems more aimed at companies who knowingly keep flaws in their products, especially security products.

  • by gweihir ( 88907 ) on Thursday January 26, 2023 @10:33AM (#63242145)

    First, note that exceptions for FOSS are already in place. Then note that OSS which is not FOSS is, of course, fully subject to these provisions and that is as it should be. Hence the title of this story is grossly misleading. Yes, there may still be a need for some adjustment to the FOSS provisions, but there will be.

    The whole thing is a very good idea. The abysmally bad state of software security as currently exists cannot go on and I think the cost / benefit analysis is rather conservative. Of course, crapware makers like Microsoft do not like this at all, and I expect they will be heavily trying to influence this behind the curtains.

    Also note that all the requirements are a good idea for FOSS as well. The actual measures to be implemented will only be costly for those making significant profits of FOSS. No one person team will have to implement a full-blown ISMS or anything like it. At worst they will need to be open about what they do and not do about security and what their actual respective qualifications are. I cannot see anything bad with that.

    • Unless there is a penalty for failing a public long list of basic software security implementation flaws, nothing will change apart from raising the barrier for entry.

      • by gweihir ( 88907 )

        Bullshit. Have a look at the actual regulation before shooting your mouth off.

        • Charming you are. I did.

          In order to ensure effective enforcement of the obligations laid down in this Regulation, each market surveillance authority should have the power to impose or request the imposition of administrative fines.

          should have and administrative

          • by gweihir ( 88907 )

            My "bullshit" referred to "nothing will change" and "raising the barrier to entry". Have a look at the actual measures you need to go through if you are doing commercial software. You need to have reasonable processes. If you have them, things become _cheaper_ and not only in the long run and this effect is stronger in smaller organizations because that does not mean tons of bureaucracy either (in small organizations). This can all be implemented very lean and mean if you are a small and efficient team. My

            • Administrative penalties are cost of doing business fines.

              Unless there are punitive fines mandated, there's no teeth to the regulation and it is pure posture.

              • by gweihir ( 88907 )

                Well. That may be how it works in the US. In the EU, these escalate until you fix things. The maximum is usually a prohibition on continuing the business behavior that uses non-conforming behavior, and that may be enforced by a variety of means, typically including preventative incarceration if nothing else helps. Still only administrative, but if you sit behind bars that becomes rather cold comfort.

            • When you're adding more work to be done, you're not making things cheaper. That will require more people be hired. It will likely require hiring lawyers to review. It adds costs which will be prohibitive to small startups consisting of 1-5 people with a great idea. There's a reason why the EU does not foster innovation -- heavy handed government regulations. The rise of such in the US due to Progressives gaining stature politically is also going hand in hand with a decline of innovation leadership.

              • by gweihir ( 88907 )

                When you're adding more work to be done, you're not making things cheaper.

                Untrue. When the additional work increases overall manufacturing quality and reliability, things can get a lot cheaper.

      • Medical software already needs a CE Mark. The technical requirements are very low (at least for the kind of software you don't put in your body); in practice you write a ton of BS docs and pay a regulation company to get the mark and some regular BS audits. I can't imagine a small FOSS dev doing all these things.
    • by BoB235423424 ( 6928344 ) on Thursday January 26, 2023 @03:27PM (#63243049)

      Large software companies will love regulations like this. They can pass the costs on to their customers while at the same time, it creates a huge cost of entry price for small, innovative companies. All heavy government regulation usually accomplishes is decreasing innovation by costing out entry in to markets by newcomers.

    • by ljw1004 ( 764174 )

      @gweihir, thanks for all your responses to this thread. There was a disconnect between what I understood from reading the draft legislation, and from what the summary and article claimed. I was struck that the two links by OS advocates mentioned in the article were quite specific that (1) they thought the draft legislation could be made assuredly-OSS-friendly with only minor modifications, (2) overall they thought it good and important legislation, e.g.

      I agree with the commission that products and services which are sold and use open source software should be subject to the regulation. They either implement processes to test and validate the used libraries, or support open source developers to gain certification themselves. That way the regulation may give rise to voluntary certification of the most used, and highest quality open source software. A good thing.

      • by gweihir ( 88907 )

        You are welcome. And it is nice that some people still know how to look at the references when they find out that may be needed to get the whole story.

    • "This is a bombastic overstatement" seems to be SOP for headline writers these days. Click-bait has infected sites that were not formerly regarded as such. It's a sad state of affairs.

  • by ejaytee ( 186527 ) on Thursday January 26, 2023 @10:35AM (#63242147)

    Initiatives such as these are often sponsored by industry groups masquerading as consumer activists. ISO, SOC1/SOC2/SOX have ostensibly noble goals, but in practice apply a layer of costs and process where they did not previously exist. The result is twofold - it costs more to deliver a capability, and one must have greater resources available to offer such a capability. Both benefit larger providers, such as big corporations.

    Nobody is against security, product safety, clean air and water, and so forth. (Well, that's not true - but ALMOST nobody). Unfortunately, special interests have become very skilled at co-opting these themes to capture greater revenue and profit while raising the barrier to competitor entry.

    • by gweihir ( 88907 )

      That is not what is happening here.

    • Initiatives such as these are often sponsored by industry groups masquerading as consumer activists.

      Just who are you talking about?
      Are you talking about a government pushing a standard? Or are you talking about someone masquerading as an advocate for open source despite the latter being specifically omitted by the former?

  • I do not view this idea as 'catastrophic' for OSS. Rather, it challenges OSS communities, producers and users, to look at funding mechanisms. In particular, government has a role to play here.

    From my experience with POSIX (which after all was built on the -Unix- open source foundation, once you signed the free license from ATT), governments can play substantial roles in enabling this. A government requirement for certification can be accompanied by funding to accomplish same. Government could set up gra

    • ...governments can play substantial roles in enabling this. A government requirement for certification can be accompanied by funding to accomplish same. Government could set up grant mechanisms or even 'conformance factories' to pay for or execute the necessary actions.

      Rather than whining about this, the OSS community needs to view this as a real opportunity to add substantial value to OSS efforts.

      True, but it's not government that should be paying for it. If OSS software is being used profitably by businesses subject to these regulations, those businesses should be paying the OSS developers to do the paperwork. They have the need, they have the money, and they are helping not just themselves but everyone else using the software.

      If the OSS software is extremely important to them and to a lot of other businesses, like the Linux kernel, then an organization like the Linux Foundation is good for spre

      • Governments are significant consumers of software, and of OSS. At one point maybe 20-25 years ago, there was an effort to ban "untrustworthy and commie-focused" :-) OSS. The call went out to the defense community, "Please report on your use of OSS, not just in delivered products but also development tools, etc." The result showed a substantial negative impact from that ill-considered policy, and it was quickly dropped.

  • ... hobbyists aren't interested in dicking around with security.
  • Let's see how all the Apple-Hating Slashdotters, incessantly cheering-on the EU in their efforts to "protect" consumers by legislating Charger Connectors, App Stores, Service Procedures, etc. feel about this one!

    • by gweihir ( 88907 )

      It is a good thing. Of course, I have just recently looked at the actual measures for an audit-customer and hence have a bit of a clue what is going on.

    • Let's see how all the Apple-Hating Slashdotters, incessantly cheering-on the EU in their efforts to "protect" consumers by legislating Charger Connectors, App Stores, Service Procedures, etc. feel about this one!

      I feel good, because despite your ignorance the EU do actually know what they are doing and specifically excluded FOSS from the regulation. Go read it, clause 10 covers open source software's exclusion.

      You got duped by "leaders of open source" who are spreading dishonest FUD. The only open source affected here are those companies who make money consulting on code, and those who make a shitton of money selling FOSS code. My heart bleeds for RedHat*.

      * It doesn't really, fuck the way they've treated the OSS co

      • by catprog ( 849688 )

        In the context of software, a commercial activity might be characterized by providing a software platform through which the manufacturer monetises other services

        I.e if a web hosting companies offers a LAMP stack does that mean it needs the mark?

  • If this is anything like the current CE Mark for products, it will be meaningless. Anyone can buy a sheet of these little stickers and put them on anything they want, saying they abide by the rules, and unless someone gets killed using it, nobody will bat an eye or even randomly check any of these products.

    • And considering that it's software and these stickers are probably just jpgs, it should be easier than ever.

      • Hmm.
        Maybe I can make some money selling links to those jpegs.
        Throw in a few jpegs of monkeys maybe.

        Nah, surely no one would be stupid enough to pay money for links?
      • by pjt33 ( 739471 )

        Anyone who uses a JPG for the CE mark needs a good explanation for why they're not using a vector graphics format. The one I use is a ligature in a custom TTF.

    • Rules don't make people do things, but they do potentially make it cheaper when they don't do them and it goes to court.

    • Re: (Score:2, Insightful)

      by gweihir ( 88907 )

      It is not. That "EC"-mark remark is either clueless or intentionally misleading.

      • by suss ( 158993 )

        You are either completely unfamiliar on the subject matter, or are trolling. Not sure why you got upvoted.

        • by gweihir ( 88907 )

          I got upvoted because I am right. Maybe look at what the "EC" mark does and what this proposed regulation would do and compare?

          • by suss ( 158993 )

            No, you are wrong. You can't even spell it right. It's a CE mark, not an EC mark.

            I can't be bothered to find an English article about the investigative report that the Dutch TV Programme Radar did concerning the CE mark. They managed to get tangerine orange netting approved as a pelvic floor mesh, and nobody even questioned it... It was a bit of a scandal.

            • by gweihir ( 88907 )

              Actually I am right. Yes it is a CE mark. The purpose of a CE mark is however very different from the purpose of the rules the story here is about. But, as you said, you cannot be bothered to find out what you are talking about but insist you are right.

              So to re-iterate: I got upvoted because I have a clue and you don't.

    • If this is anything like the current CE Mark for products, it will be meaningless. Anyone can buy a sheet of these little stickers and put them on anything they want

      There's nothing useless about a CE mark. It directs clear liability. While it's irrelevant for when you import some cheap shit from China, the reality is that mark places direct liability for the product covering the mark on the manufacturer with any addressable base in Europe that they've met the requirements for trading in Europe.

      If you are based in Europe either directly or have any business operations located in Europe and are caught using the mark inappropriately you can face a royal legal assfucking.

  • This "report" is fearmongering clickbait. This law is for "products", i.e. it applies to businesses that make money on selling software or something that contains software. Not to hobbyists developing opensource in their free time.

  • For decades now the EU has attempted to pretend they're like a country.
    They want to compete with the US and the FSU. Sadly, they just suck.

    FOSS will survive just fine. The EU will see Brexit times ten as other countries
    will be tired of the CJEU and the other small-side-of-the-pond isms.

    Go ahead, EU, do your worst. You've been soiling your sheets for decades,
    and you've accomplished nothing much. How's that GDPR working for you?

    Fuck the EU.

    E

  • by znrt ( 2424692 ) on Thursday January 26, 2023 @11:35AM (#63242337)

    The question is though: how can free software developers afford the cost of compliance, when lack of funding is already a critical issue for many projects?

    it simply doesn't have to. free sw is provided "as is" and can proceed just fine. it's the software companies profiteering from free software who would have to comply, and that would be a good thing, especially if they did contribute any relevant finding back (but don't count on it).

    • by gweihir ( 88907 )

      Indeed. That said, FOSS devs can offer compliance, for example by doing a code-identical commercial version that is certified in some adequate way. Or by specific commercial releases that are certified. Or somebody else can do it. Also, there is a lot of financial EU support for FOSS projects and they could specifically also finance compliance aspects.

      This gives FOSS developers _more_ of a leg to stand on, not less.

      • by PPH ( 736903 )

        a code-identical commercial version that is certified in some adequate way

        But given the viral properties of some OS licenses, who is going to pour millions of dollars into certifying their code base only to have some other companies help themselves to it for free?

        • by gweihir ( 88907 )

          That is not how certification works. Even if somebody copies the repo bit-by-bit, the copy is not certified if they try to re-sell it under their own brand. Also, "millions of dollars"? This is not an EAL4 certification.

  • "Unintended".

  • I read the proposed Act and the Annexes. It is basically a lot of hot air and blathering that signifies nothing and will have zero impact on anything at all, other than expand the various Government Bureaucracies, and no other effect.

    It is a completely useless endeavour designed to bolster Government size and intrusiveness, yet does not address anything meaningful (for example, failure to disclose "spying" is not a "punishable by death" offence -- in fact, there is nothing whatsoever done to require disclo

  • What this Act is supposed to do, is provide *customers* who actually pay for stuff to have an expectation that the manufacturer is obligated to improve the security of the software they produce.

    Since no one pays for Open Source/Free software, this does not apply. I know that the FOSS tries to pretend sometimes that they are a 'market'. They are not. FOSS is free stuff, that enables a services market around it.

    Think of it like this : Sunlight is not a market. No one pays for it. It is free. But it enabl

  • Why does me no good if I have no clue what you're talking about.

  • This law is anti-free speech and simply seeks to take away rights from people writing open source software, under the false statement of securing the supply chain that already uses these as critical parts of its operations.

    It intentionally wants to increase the cost and burden of startups in order to make them intentionally more non competitive with entrenched providers.

    This law is being promoted by people who are simply not wanting others to compete with them, and it will kill the UK's ability to maintain

  • Because nobody is gonna pay for these certifications without passing the cost back to you. If you want an euro-certified linux/device/thingie, you will have to pay the certification tithe demanded by the bureaucrats.

    Even if you mock the euro-crats for their lack of foresight, and say "let them try to run the Internet without OSS. Because I'm not paying!", what this will make in practice is to force by law the use of commercial software only, regardless of the original license said software.

    This basicall
    • It indeed does sound like this. And of course, because all the people who'd normally oppose this are inundated by other issues...

      Only goes to show EU is a lapdog of financial interests.
  • "Innovation economy in Europe"?

    The last time Europe was innovative was the mid-20th century.

  • "can reasonably be expected to cause unintended consequences to the innovation economy in Europe."

    That's exactly the intended consequence of this legislation. The purported purpose is to improve security, but the intended consequence is to prevent competition from FOSS software.

  • Either this is a law built by people who don't know what they're doing, the law is bollocks and the EU IT industry will come to a grinding halt. They'll backpedal in a year or two and meanwhile experts will continue to do what they've always done when led by the clueless: Guerilla Guidance & Damage Control from below.

    Or the law and the regulations make sense, are feasible and we'll see a slew of toolkits and best practices pop up in FOSS in the weeks after and I wont have to smack every second guy codin

  • The rot set in when personal computers went mainstream and suddenly everyone could write code - you don't see hobbyists being allowed to build bridges over freeways do you? We need to restrict coding, even possession of computers, to licensed personnel only!
  • So, tell me you've never been involved in software development without saying "Never been involved in software development." This won't go beyond current SOC2 compliance. How do I know? SOC2 is already slightly beyond the limits of what's possible, the difference is made up on paper. This will just be another unenforceable paper hoop that software firms have to jump through so they can display a shiny badge on their app page.
