EU's Proposed CE Mark for Software Could Have Dire Impact on Open Source

The EU's proposed Cyber Resilience Act (CRA), which aims to "bolster cybersecurity rules to ensure more secure hardware and software products," could have severe unintended consequences for open source software, according to leaders in the open source community. From a report: The proposed Act can be described as CE marking for software products and has four specific objectives. One is to require manufacturers to improve the security of products with digital elements "throughout the whole life cycle." Second is to offer a "coherent cybersecurity framework" by which to measure compliance. Third is to improve the transparency of digital security in products, and fourth is to enable customers to "use products with digital elements securely."

The draft legislation includes an impact assessment that says "for software developers and hardware manufacturers, it will increase the direct compliance costs for new cybersecurity requirements, conformity assessment, documentation and reporting obligations." This extra cost is part of a total cost of compliance, including the burden on businesses and public authorities, estimated at EUR 29 billion ($31.54 billion), and consequent higher prices for consumers. However, the legislators foresee a cost reduction from security incidents estimated at EUR 180 to 290 billion annually. The question is though: how can free software developers afford the cost of compliance, when lack of funding is already a critical issue for many projects? Mike Milinkovich, director of the Eclipse Foundation, said it is "deeply concerned that the CRA could fundamentally alter the social contract which underpins the entire open source ecosystem: open source software provided for free, for any purpose, which can be modified and further distributed for free, but without warranty or liability to the authors, contributors, or open source distributors. Legally altering this arrangement through legislation can reasonably be expected to cause unintended consequences to the innovation economy in Europe."

Life without OSS

[drinkypoo]

How does the EU propose to function without the software that the internet runs on? How does the EU propose to function without timely security updates?

Re:Life without OSS

[timeOday]

My guess is some company (RHEL?) would supplying the services and accountability/liability, for a price of course.

The summary calls this an "unintended consequence," but it is intended, or at least inevitable, that everything gets a whole lot more restrictive if you truly want to eliminate unverified code [xkcd.com] all the way through your stack. Developers may end up with a restricted distribution with a small number of packages available for use as the cost of verifying each one is high.

Everybody on the internet (slashdot) is always clamoring for heads to roll when bugs cause problems and nobody is accountable, but be careful what you wish for. If you've ever worked in a high-consequence software environment, it is not fun, and not productive. It is necessary sometimes. But carelessly applying all that process to everything would be a huge downer.

Re:

[Gravis Zero]

Honestly, I think it would be fantastic to have a solid well-reviewed software base. One of my biggest complaints about people who write OSS is that most seem to have zero problem with including a massive number of dependencies, obscure or otherwise.

I would also love it if glibc would stop expanding because it keeps giving itself new CVEs.

Re:Life without OSS

[laughingskeptic]

A lot of core, vetted open source software is available via the Air Force's Ironbank repo that is part of PlatformOne. https://p1.dso.mil/products/ir... [dso.mil] Their focus is containers for K8S, but source is available for everything in their pipeline.

Re:Life without OSS

[Darinbob]

You password must contain at least 2 upper case letters, 2 lower case letters, 3 numerals, 2 punctuation marks, and be 16 characters long. To further improve security your password must also be changed every 2 weeks, and you must memorize it because if we see any post-it note that looks like a password you will lose access to IT services (because sadly, we at IT can't fire you. yet.)

Re: Life without OSS

[saloomy]

The jokes on them.

Third is to improve the transparency of digital security in products

This means we can review all the source code. Right?

Re:Life without OSS

[gweihir]

It will not do any of those things. What happened is that some commercial OSS and closed-source providers got a story out that is grossly misstating the facts, because they see their profits threatened which they make by screwing over their customers. You can still use "absolutely no warranty" FOSS even in heavily regulated environments. You just need to declare it and do proper risk management. And that is a good thing.

Incidentally, I happen to know from some large banks that FOSS is in heavy use and not just RHEL or SEL. What I had to do to get a specific piece of FOSS software into production in one of them was to declare what it is, where it comes from, how the sources will be archived and why I need it and what safeguards are in place to make sure it works as intended (i.e. does it go through regular testing?). All in all not hard to do as there already was an established procedure and FOSS decision board.

Re:

[aaarrrgggh]

I get that the main packages (and dependencies) are archived in that kind of scenario, but how deep does dependency analysis go? Do they track that 5 internal projects all end up relying on some random library and the impact of a bug at that level?

Re:Life without OSS

[gweihir]

This is an excellent question. Especially in the context of web-frameworks where indirect dependencies are a massive problem.

In this specific bank, there was an absolute prohibition against pulling in anything from outside. You had to get everything into the internal repositories and that meant getting it approved. That takes care of deep-dependencies. Yes, it also meant some frameworks were simply not available, but banks are places where you work with the computers and presentation is secondary.

For my case, there were no external dependencies. It was a FOSS implementation of a not-quite so common numeric algorithm. My fallback would have been to charge them a week to implement it myself. This way, I spent maybe 2 hours of work to get it approved and waited a few weeks.

Re:

[Anonymous Brave Guy]

Something that gets the world of web development away from the current insane dependency hierarchies would not necessarily be a bad thing. They absolutely are a huge liability and a massive pile of security and legal problems waiting to happen. That absolutely does create a risk for anyone depending on them. And much of it absolutely isn't necessary and really is just down to the laziness or incompetence of the developers.

The magic words in these discussions are always "reasonable" and "proportionate". That

Re: Life without OSS

[Malc]

A FOSS chart drawing tool is a little different to say zlib or OpenSSL. The latter two might indeed warrant certification given how theyâ(TM)re embedded everywhere. Image the liability if you depended on OpenSSL and it had another heart bleed.

Re:

[presidenteloco]

The opposite end of the spectrum from "insane" large dependency hierarchies is a whole bunch of "unnecessarily expensively rewritten here and obviously generally bug-prone since low-use" code..

The best compromise is tools that 1) give easy visibility into the structure of the dependency hierarchy and into all the code in the entire dependency hierarchy, and
2) Maintain version management of dependencies explicitly, tightly, and easily inspectably.

Re:

[Anonymous Brave Guy]

No, there are other possibilities.

One, which has worked well for a very long time in many languages, is having a good standard library available out of the box. JavaScript doesn't and that has probably cost the web development world many billions of dollars.

Another is to have a culture around your language where third party libraries tend to be larger but self-contained. Then you probably only need a small number of dependencies covering major areas and the community and/or commercial suppliers can focus on

Re:

[Darinbob]

A snag here is that commercial software is usually just as bad. Someone claims you can get support, but the company goes bankrupt a year after you become dependent on it. If they're not out of business, you still don't get "support", instead you get access to newer versions, for a price, but if you're the only customer with a particular bug then chances are you'll never get it fixed and will have to do it yourself. You get source code much of the time with third party libraries, but then you get the heada

Re:

[AmiMoJo]

Indeed, if you look at the current CE mark it only covers products sold in the EU. It is self certification, you don't have to pay anyone to do it if you have basic competency.

Since OSS is not normally sold, it doesn't need a CE mark. If someone wants to sell it, they can add the CE mark on their distribution of it if they have bothered to do the basic cybersecurity checks.

Re:

[Anonymous Coward]

Indeed, if you look at the current CE mark it only covers products sold in the EU. It is self certification, you don't have to pay anyone to do it if you have basic competency.

Since OSS is not normally sold, it doesn't need a CE mark. If someone wants to sell it, they can add the CE mark on their distribution of it if they have bothered to do the basic cybersecurity checks.

You are forgetting the next step, which will be that all EU organizations will only be able to run CE marked software, or their operations will not be insurable (or only at rates that are exorbitant). Individuals working on free software are not going to self-certify as the liabilities to themselves could be exorbitant.

Re:

[guruevi]

You can just get your CE sticker in China, let the EU sue China for product liabilities.

Re:

[madsh]

First one to actually understand what CE-like means.

Re:

[ereshkigal20]

I have written a fair bit of software as a hobby over years. Thinking of writing a linux version of some authorization control code I did for VMS years ago. The idea would be to allow access decisions based on more classes of info a computer might have (notably: what program is trying to open a file? where is it running? is it running on behalf of someone local?). I also want to be able to have the system respond to access denied conditions not only by returning an error, but optionally by opening another f

Re:

[Blackjetta]

timely security updates? What's that? Even the major companies have issues with the word "timely.

Re:Life without OSS

[thegarbz]

How does the EU propose to function without the software that the internet runs on? How does the EU propose to function without timely security updates?

The EU proposes to function the way it always has by publishing a piece of legislation you just commented on without reading. I invite you to absorb clause 10:
(10) In order not to hamper innovation or research, free and open-source software
developed or supplied outside the course of a commercial activity should not be
covered by this Regulation. This is in particular the case for software, including its
source code and modified versions, that is openly shared and freely accessible, usable,
modifiable and redistributable. In the context of software, a commercial activity might
be characterized not only by charging a price for a product, but also by charging a
price for technical support services, by providing a software platform through which
the manufacturer monetises other services, or by the use of personal data for reasons
other than exclusively for improving the security, compatibility or interoperability of
the software.

So, a big nothingburger. Poor ol' Redhat will need to meet the requirements when they sell their product or services, but your free functioning open source dependent internet will keep on internetting along just fine.

Re:

[catprog]

But will web hosting companies who use open source have to get the mark?

In the context of software, a commercial activity might be characterized by providing a software platform through which the manufacturer monetises other services

Re:

[mjwx]

How does the EU propose to function without the software that the internet runs on? How does the EU propose to function without timely security updates?

I suspect this is just another "I hate the EU" rant in disguise.

Here's the actual EU Cyber Resilience Act:
https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act [europa.eu]

By a quick read, it's more a set of guidelines than a binding law. It doesn't mention anything about OSS, it seems more aimed at companies who knowingly keep flaws in their products, especially security products.

This is a bombastic overstatement

[gweihir]

First, note that exceptions for FOSS are already in place. Then note that OSS which is not FOSS is, of course, fully subject to these provisions and that is as it should be. Hence the title of this story is grossly misleading. Yes, there may still be a need for some adjustment to the FOSS provisions, but there will be.

The whole thing is a very good idea. The abysmally bad state of software security as currently exists cannot go on and I think the cost / benefit analysis is rather conservative. Of course, crapware makers like Microsoft do not like this at all, and I expect they will be heavily trying to influence this behind the curtains.

Also note that all the requirements are a good idea for FOSS as well. The actual measures to be implemented will only be costly for those making significant profits of FOSS. No one person team will have to implement a full-blown ISMS or anything like it. At worst they will need to be open about what they do and not do about security and what their actual respective qualifications are. I cannot see anything bad with that.

Re:

[gweihir]

Thanks.

The abysmally bad state of software security...

[bagofbeans]

Unless there is a penalty for failing a public long list of basic software security implementation flaws, nothing will change apart from raising the barrier for entry.

Re:

[gweihir]

Bullshit. Have a look at the actual regulation before shooting your mouth off.

Re:

[bagofbeans]

Charming you are. I did.

In order to ensure effective enforcement of the obligations laid down in this Regulation, each market surveillance authority should have the power to impose or request the imposition of administrative fines.

should have and administrative

Re:

[gweihir]

My "bullshit" referred to "nothing will change" and "raising the barrier to entry". Have a look at the actual measures you need to go through if you are doing commercial software. You need to have reasonable processes. If you have them, things become _cheaper_ and not only in the long run and this effect is stronger in smaller organizations because that does not mean tons of bureaucracy either (in small organizations). This can all be implemented very lean and mean if you are a small and efficient team. My

Re:

[bagofbeans]

Administrative penalties are cost of doing business fines.

Unless there are punitive fines mandated, there's no teeth to the regulation and it is pure posture.

Re:

[gweihir]

Well. That may be how it works in the US. In the EU, these escalate until you fix things. The maximum is usually a prohibition on continuing the business behavior that uses non-conforming behavior, and that may be enforced by a variety of means, typically including preventative incarceration if nothing else helps. Still only administrative, but if you sit behind bars that becomes rather cold comfort.

Re:

[BoB235423424]

When you're adding more work to be done, you're not making things cheaper. That will require more people be hired. It will likely require hiring lawyers to review. It adds costs which will be prohibitive to small startups consisting of 1-5 people with a great idea. There's a reason why the EU does not foster innovation -- heavy handed government regulations. The rise of such in the US due to Progressives gaining stature politically is also going hand in hand with a decline of innovation leadership.

Re:

[gweihir]

When you're adding more work to be done, you're not making things cheaper.

Untrue. When the additional work increases overall manufacturing quality and reliability, things can get a lot cheaper.

Re:

[real_nickname]

Medical softwares already need a CE Mark. The technical requirements are very low(at least for the kind of software you don't put in your body), in practice you write a ton of BS docs and pay a regulation company to get the mark and some regular BS audits. I can't imagine a small FOSS dev doing all these things.

Re:This is a bombastic overstatement

[BoB235423424]

Large software companies will love regulations like this. They can pass the costs on to their customers while at the same time, it creates a huge cost of entry price for small, innovative companies. All heavy government regulation usually accomplishes is decreasing innovation by costing out entry in to markets by newcomers.

Re:

[ljw1004]

@gweihir, thanks for all your responses to this thread. There was a disconnect between what I understood from reading the draft legislation, and from what the summary and article claimed. I was struck that the two links by OS advocates mentioned in the article were quite specific that (1) they thought the draft legislation could be made assuredly-OSS-friendly with only minor modifications, (2) overall they thought it good and important legislation, e.g.

I agree with the commission that products and services which are sold and use open source software should be subject to the regulation. They either implement processes to test and validate the used libraries, or support open source developers to gain certification themselves. That way the regulation may give rise to voluntary certification of the most used, and highest quality open source software. A good thing.

Re:

[gweihir]

You are welcome. And it is nice that some people still know how to look at the references when they find out that may be needed to get the whole story.

Re:

[istartedi]

"This is a bombastic overstatement" seems to be SOP for headline writers these days. Click-bait has infected sites that were not formerly regarded as such. It's a sad state of affairs.

Re:

[gweihir]

Indeed, it is.

It's not unintended

[ejaytee]

Initiatives such as these are often sponsored by industry groups masquerading as consumer activists. ISO, SOC1/SO2/SOX have ostensibly noble goals, but in practice apply a layer of costs and process where they did not previously exist. The result is twofold - it costs more to deliver a capability, and one must have greater resources available to offer such a capability. Both benefit larger providers, such as big corporations.

Nobody is against security, product safety, clean air and water, and so forth. (Well, that's not true - but ALMOST nobody). Unfortunately, special interests have become very skilled at co-opting these themes to capture greater revenue and profit while raising the barrier to competitor entry.

Re:

[gweihir]

That is not what is happening here.

Re:

[thegarbz]

Initiatives such as these are often sponsored by industry groups masquerading as consumer activists.

Just who are you talking about?
Are you talking about a government pushing a standard? Or are you talking about someone masquerading as an advocate for open source despite the latter being specifically omitted by the former?

How to fund

[david.emery]

I do not view this idea as 'catastrophic' for OSS. Rather, it challenges OSS communities, producers and users, to look at funding mechanisms. In particular, government has a role to play here.

From my experience with POSIX (which after all was built on the -Unix- open source foundation, once you signed the free license from ATT), governments can play substantial roles in enabling this. A government requirement for certification can be accompanied by funding to accomplish same. Government could set up gra

Re:

[Areyoukiddingme]

...governments can play substantial roles in enabling this. A government requirement for certification can be accompanied by funding to accomplish same. Government could set up grant mechanisms or even 'conformance factories' to pay for or execute the necessary actions.

Rather than whining about this, the OSS community needs to view this as a real opportunity to add substantial value to OSS efforts.

True, but it's not government that should be paying for it. If OSS software is being used profitably by businesses subject to these regulations, those businesses should be paying the OSS developers to do the paperwork. They have the need, they have the money, and they are helping not just themselves but everyone else using the software.

If the OSS software is extremely important to them and to a lot of other businesses, like the Linux kernel, then an organization like the Linux Foundation is good for spre

Re:

[david.emery]

Governments are significant consumers of software, and of OSS. At one point maybe 20-25 years ago, there was an effort to ban "untrustworthy and commie-focused" :-) OSS. The call went out to the defense community, "Please report on your use of OSS, not just in delivered products but also development tools, etc." The result showed a substantial negative impact from that ill-considered policy, and it was quickly dropped.

Who knew...

[AmazingRuss]

... hobbyists aren't interested in dicking around with security.

Re:Who knew...

[Opportunist]

You'll find that hobbyists are more often interested in perfecting their pet project than some salaried engineer under time pressure with a markedroid yelling "It compiles, ship it!" so he can make it to market before the Christmas sales are over.

Re:

[jimbobxxx]

"It compiles, ship it!"

Perfectionist.

Re:

[account_deleted]

Comment removed based on user account deletion

Shoe Meet Other Foot

[NoMoreACs]

Let's see how all the Apple-Hating Slashdotters, incessantly cheering-on the EU in their efforts to "protect" consumers by legislating Charger Connectors, App Stores, Service Procedures, etc. feel about this one!

Re:

[BoB235423424]

The charging standard was a huge mistake too. It's now much harder to push forward better charging methods. Vendors are now constrained to the USB C standard. It doesn't do much for e-waste either. Cables wear out within a couple years of plugging/unplugging. The standard does not change that. The standard also did nothing for the confusion of different USB specs which makes two cables that look identical support different power capacities. Or two chargers have completely different power outputs.

Re:

[NoMoreACs]

The charging standard was a huge mistake too. It's now much harder to push forward better charging methods. Vendors are now constrained to the USB C standard. It doesn't do much for e-waste either. Cables wear out within a couple years of plugging/unplugging. The standard does not change that. The standard also did nothing for the confusion of different USB specs which makes two cables that look identical support different power capacities. Or two chargers have completely different power outputs.

I agree completely!

The EU Cabal just thinks it knows better than its Citizenry, and won't stop until they have their stupid noses in every single aspect of life.

And the biggest problem for the rest of the world is that our Gummints aren't any smarter; so when they see some new asinine "EU Directive", they pile right on!

Re:

[NoMoreACs]

cost of compliance and potential impact to existing products/software are not even remotely similar. I'm perfectly happy to root for a common charging standard to avoid e-waste while fearing that this new regulation will be extremely difficult and expensive to conform to. There is no hypocrisy there.

So, what about the ewaste from literally millions of obsolete Lightning Chargers?

Apple already stopped gratuitously contributing to that pile, by not automatically including a new charger with each new iphone; encouraging the user to just use their old Lightning charger.

Sounds to me like Apple already solved that problem all on their own!

Re:

[gweihir]

It is a good thing. Of course, I have just recently looked at the actual measures for an audit-customer and hence have a bit of a clue what is going on.

Re:

[thegarbz]

Let's see how all the Apple-Hating Slashdotters, incessantly cheering-on the EU in their efforts to "protect" consumers by legislating Charger Connectors, App Stores, Service Procedures, etc. feel about this one!

I feel good, because despite your ignorance the EU do actually know what they are doing and specifically excluded FOSS from the regulation. Go read it, clause 10 covers open source software's exclusion.

You got duped by "leaders of open source" who are spreading dishonest FUD. The only open source affected here are those companies who make money consulting on code, and those who make a shitton of money selling FOSS code. My heart bleeds for RedHat*.

* It doesn't really, fuck the way they've treated the OSS co

Re:

[catprog]

In the context of software, a commercial activity might be characterized by providing a software platform through which the manufacturer monetises other services

I.e if a web hosting companies offers a LAMP stack does that mean it needs the mark?

CE Mark

[suss]

If this is anything like the current CE Mark for products, it will be meaningless. Anyone can buy a sheet of these little stickers and put them on anything they want, saying they abide by the rules, and unless someone gets killed using it, nobody will bat an eye or even randomly check any of these products.

Re:

[Opportunist]

And considering that it's software and these stickers are probably just jpgs, it should be easier than ever.

Re:

[greytree]

Hmm.
Maybe I can make some money selling links to those jpegs.
Throw in a few jpegs of monkeys maybe.

Nah, shurely noone would be stupid enftough to pay money for links?

Re:

[pjt33]

Anyone who uses a JPG for the CE mark needs a good explanation for why they're not using a vector graphics format. The one I use is a ligature in a custom TTF.

Re:

[drinkypoo]

Rules don't make people do things, but they do potentially make it cheaper when they don't do them and it goes to court.

Re:

[gweihir]

It is not. That "EC"-mark remark is either clueless or intentionally misleading.

Re:

[suss]

You are either completely unfamiliar on the subject matter, or are trolling. Not sure why you got upvoted.

Re:

[gweihir]

I got upvoted because I am right. Maybe look at what the "EC" mark does and what this proposed regulation would do and compare?

Re:

[suss]

No, you are wrong. You can't even spell it right. It's a CE mark, not an EC mark.

I can't be bothered to find an English article about the investigative report that the Dutch TV Programme Radar did concerning the CE mark. They managed to get tangerine orange netting approved as a pelvic floor mesh, and nobody even questioned it... It was a bit of a scandal.

Re:

[gweihir]

Actually I am right. Yes it is a CE mark. The purpose of a CE mark is however very different from the purpose of the rules the story here is about. But, as you said, you cannot be bothered to find out what you are talking about but insist you are right.

So to re-iterate: I got upvoted because I have a clue and you don't.

Re:

[thegarbz]

If this is anything like the current CE Mark for products, it will be meaningless. Anyone can buy a sheet of these little stickers and put them on anything they want

There's nothing useless about a CE mark. It directs clear liability. While it's irrelevant for when you import some cheap shit from China, the reality is that mark places direct liability for the product covering the mark on the manufacturer with any addressable base in Europe that they've met the requirements for trading in Europe.

If you are based in Europe either directly or have any business operations located in Europe and are caught using the mark inappropriately you can face a royal legal assfucking.

FUD

[critical-collapse]

This "report" is fearmongering clickbait. This law is for "products", i.e. it applies to businesses that make money on selling software or something that contains software. Not to hobbyists developing opensource in their free time.

Re:

[gweihir]

Yep, pretty much. And I expect the only impact on non-profits will be that they have to be open about their processes or lack thereof.

Re: FUD

[TJHook3r]

Let's hope one of those open source libraries doesn't find itself in a commercial product then

Re:

[catprog]

Does it apply to web hosting companies as well?

EU is worthless

[gavron]

For decades now the EU has attempted to pretend they're like a country.
They want to compete with the US and the FSU. Sadly, they just suck.

FOSS will survive just fine. The EU will see Brexit times ten as other countries
will be tired of the CJEU and the other small-side-of-the-pond isms.

Go ahead, EU, do your worst. You've been soiling your sheets for decades,
and you've accomplished nothing much. How's that GDPR working for you?

Fuck the EU.

E

Re:

[greytree]

You're drunk Nigel, go home.

Re:

[KlomDark]

FSU, what's that? I even googled, and saw only stuff about universities.

Re:

[gavron]

You even googled? Good job you!

Former Soviet Union.

You'll learn about it when you enter high school in two years.

Re: EU is worthless

[KlomDark]

What was that insult for? I've been out of high school since the 80s, back then it was USSR. Just because you kiddies have to make up abbreviations for everything doesn't mean everyone will know wtf you're talking about.

Even FUSSR would have left me wondering. Just say Former if you mean former.

Re:

[gavron]

My apologies. The Soviet Union which you call the USSR broke up in 1991 to become the Former Soviet Union (FSU). There is no "FUSSR" since nobody but the US called it USSR.

FSU countries include the more than 15 outlined here: https://en.wikipedia.org/wiki/... [wikipedia.org]
(You'll note that doesn't say USSR either.)

Congrats on getting out of high school in the 80's. Adam Sandler sends his regards.

Re: EU is worthless

[KlomDark]

YouRVerySmart? What's your angle here? Deep seated insecurities?

Get down with your bad self

Re: EU is worthless

[reanjr]

Funny. Wikipedia doesn't call it that either.

https://en.m.wikipedia.org/wik... [wikipedia.org]

wrong question

[znrt]

The question is though: how can free software developers afford the cost of compliance, when lack of funding is already a critical issue for many projects?

it simply doesn't have to. free sw is provided "as is" and can proceed just fine. it's the software companies profiteering from free software who would have to comply, and that would be a good thing, specially if they did contribute any relevant finding back (but don't count on it).

Re:

[gweihir]

Indeed. That said, FOSS devs can offer compliance, for example by doing a code-identical commercial version that is certified in some adequate way. Or by specific commercial releases that are certified. Or somebody else can do it. Also, there is a lot of financial EU support for FOSS projects and they could specifically also finance compliance aspects.

This gives FOSS developers _more_ of a leg to stand on, not less.

Re:

[PPH]

a code-identical commercial version that is certified in some adequate way

But given the viral properties of some OS licenses, who is going to pour millions of dollars into certifying their code base only to have some other companies help themselves to it for free?

Re:

[gweihir]

That is not how certification works. Even if somebody copies the repo bit-by-bit, the copy is not certified if they try to re-sell it under their own brand. Also. "millions of dollars"? This is not an EAL4 certification.

Yeah right,

[Vlijmen Fileer]

"Unintended".

Hot Air and Blather Signifying Nothing

[Retired ICS]

I read the proposed Act and the Annexes. It is basically a lot of hot air and blathering that signifies nothing and will have zero impact on anything at all, other than expand the various Government Bureaucracies, and no other effect.

It is a completely useless endeavour designed to bolster Government size and intrusiveness, yet does not address anything meaningful (for example, failure to disclose "spying" is not a "punishable by death" offence -- in fact, there is nothing whatsoever done to require disclo

Gross misinterpretation...as usual

[nashv]

What this Act is supposed to do, is provide *customers* who actually pay for stuff to have an expectation that the manufacturer is obligated to improve the security of the the software they produce.

Since no one pays for Open Source/Free software, this does not apply. I know that the FOSS tries to pretend sometimes that they are a 'market'. They are not. FOSS is free stuff, that enables a services market around it.

Think of it like this : Sunlight is not a market. No one pays for it. It is free. But it enabl

CE? I have no clue what they're talking about...

[OneOfMany07]

Why does me no good if I have no clue what you're talking about.

Re:

[PPH]

It's that logo that all Chinese manufacturers put on their products.

This law is anti-free speech.

[pimpsoftcom]

This law is anti-free speech and simply seeks to take away rights from people writing open source software, Under the false statement of securing the supply chain that already uses these as critical parts of its operations.

It intentionally wants to increase the cost and burden of startups in order to make them intentionally more non competitive with entrenched providers.

This law is being promoted by people who are simply not wanting others to compete with them, and it will kill the UK's ability to maintain

More perverse than it seems

[bettodavis]

Because nobody is gonna pay for these certifications without passing the cost back to you. If you want an euro-certified linux/device/thingie, you will have to pay the certification tithe demanded by the bureaucrats.

Even if you mock the euro-crats for their lack of foresight, and say "let them try to run the Internet without OSS. Because I'm not paying!", what this will make in practice is to force by law the use of commercial software only, regardless of the original license said software.

This basicall

Re:

[VAElynx]

It indeed does sound like this. And of course, because all the people who'd normally oppose this are inundated by other issues...

Only goes to show EU is a lapdog of financial interests.

"innovation economy in Europe"?

[reanjr]

"Innovation economy in Europe"?

The last time Europe was innovative was the mid-20th century.

No unintended consequences

[gillbates]

"can reasonably be expected to cause unintended consequences to the innovation economy in Europe."

That's exactly the intended consequence of this legislation. The purported purpose is to improve security, but the intended consequence is to prevent competition from FOSS software.

Either way, no big deal.

[Qbertino]

Either this is a law built by people who don't know what they're doing, the law is bollocks and the EU IT industry will come to a grinding halt. They'll backpedal in a year or two and meanwhile experts will continue to do what they've always done when led by the clueless: Guerilla Guidance & Damage Control from below.

Or the law and the regulations make sense, are feasible and we'll see a slew of toolkits and best practices pop up in FOSS in the weeks after and I wont have to smack every second guy codin

Back to mainframes

[TJHook3r]

The rot set in when personal computers went mainstream and suddenly everyone could write code - you don't see hobbyists being allowed to build bridges over freeways do you? We need to restrict coding, even possession of computers, to licensed personnel only!

paper security

[bitterblackale]

So, tell me you've never been involved in software development without saying "Never been involved in software development." This won't go beyond current SOC2 compliance. How do I know? SOC2 is already slightly beyond the limits of what's possible, the difference is made up on paper. This will just be another unenforceable paper hoop that software firms have to jump through so they can display a shiny badge on their app page.