Seems like the most lucrative part of this proposal is to become the auditor. /s
Long ago I remember talking with a colleague working for a big-brand anti-burglary alarm manufacturer. They had to obtain CE certification for their equipment releases, and once they put a hair across the box seal and taped it. The hair came back uncut...
It seems to be time for this. There's a war on. We're now seeing regular attempts to sneak backdoors into open source code.[1][2] And those are the ones that have been found. There was a Linux kernel bug where someone put a test for root in as "if (uid = 0)" instead of "if (uid == 0)", so that when a rarely used system call was made, the process became root.[3]
The EU is most concerned about "Class II software". The stuff that runs industry.
> There was a Linux kernel bug where someone put a test for root in as "if (uid = 0)" instead of "if (uid == 0)", so that when a rarely used system call was made, the process became root.[3]
No there was not!
Someone in 2003 submitted a patch. To the wrong repo. The patch was looked at anyway and rejected for this reason. It was never merged. No machine ever had this bug.
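The "if (uid = 0)" pattern discussed in the two comments above, as an added example that is not from the thread and not the 2003 patch itself (which, as noted, was never merged): a constructed check with the assignment bug beside its corrected form, and the compiler warning that flags it. The names `struct task`, `TRIGGER_OPTIONS` and the helper functions are assumptions made for this demonstration.

```c
#include <stdio.h>

#define ROOT_UID 0u
/* Constructed stand-in for a "rarely used" flag combination that reaches the check. */
#define TRIGGER_OPTIONS 0x3

/* Minimal stand-in for a process's credentials (constructed, not a kernel type). */
struct task {
    unsigned int uid;
};

/*
 * Backdoored version of the check quoted in the thread. The single '='
 * ASSIGNS 0 to uid; the assignment expression then evaluates to that 0, so
 * the "reject" branch is never taken and nothing visible happens. The side
 * effect is that the caller now has uid 0. gcc and clang both flag this line
 * under -Wall (-Wparentheses, "suggest parentheses around assignment used as
 * truth value"), which is the cheapest detection for this mistake or trick.
 */
int check_options_backdoored(struct task *t, int options)
{
    if (options == TRIGGER_OPTIONS)
        if (t->uid = ROOT_UID)   /* BUG: assignment where a comparison was meant */
            return -1;           /* never reached: the expression is always 0 */
    return 0;
}

/* Intended version: '==' compares and never writes to uid. */
int check_options_fixed(struct task *t, int options)
{
    if (options == TRIGGER_OPTIONS)
        if (t->uid == ROOT_UID)  /* constructed policy: root may not pass these options */
            return -1;
    return 0;
}

/* Run a check on a fresh task and return the uid afterwards (observes the side effect). */
unsigned int uid_after_check(int (*check)(struct task *, int),
                             unsigned int start_uid, int options)
{
    struct task t = { .uid = start_uid };
    (void)check(&t, options);
    return t.uid;
}

/* Run a check on a fresh task and return the check's verdict (0 = allowed, -1 = rejected). */
int check_result(int (*check)(struct task *, int),
                 unsigned int start_uid, int options)
{
    struct task t = { .uid = start_uid };
    return check(&t, options);
}

int main(void)
{
    printf("backdoored check, uid 1000 + trigger -> uid %u afterwards\n",
           uid_after_check(check_options_backdoored, 1000u, TRIGGER_OPTIONS));
    printf("fixed check,      uid 1000 + trigger -> uid %u afterwards\n",
           uid_after_check(check_options_fixed, 1000u, TRIGGER_OPTIONS));
    return 0;
}
```

Compile with `-Wall` to see the warning on the backdoored line; the fixed function compiles silently.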
Once again, we have dictates and rules-based security policy, and no solutions provided.
If the EU is so concerned about cyber security they should:
1) provide A LOT of funding and support for Linux / BSD and other operating systems and flavors for testing, hardening, and rapid patch rollout
2) provide infrastructure to support such activities
3) use open source software actively in government with a focus on providing feedback and patches from government IT back to the mainline projects
A founding tenet of security is that open systems and techniques are the ones that will be most battle tested and therefore resilient.
Alas open source has terrible lobbying, so the closed source vendors can lobby politicians and policy to go the opposite way: prescribe closed source solutions and additional onus on open source.
If first world economies were serious about cyberdefense and hardening, there would be 10 billion dollars annually invested into the foundations of open source software: Linux/BSD, databases, webservers, browsers, programming languages, etc. The militaries alone should be dedicating this level of funding to defend our infrastructure, economies, and whatever technological edge we have over China.
And the EU in particular should like Linux: it originated there, and has strong roots throughout the EU, and most importantly isn't controlled by a major US corporation (unlike Apple/Microsoft) and therefore indirectly controlled by the US government.
> the legislation and its (unintended) negative effects on developers of open-source software.
The negative effects seem pretty intended to me. The legislators are aware of open source software and have an exception for non-commercial activities, but intentionally penalize OSS related to commercial activities, by leaving them out of that exception.
And, at this point, I don't believe that these legislators are so stupid that they can't see the consequences of their proposals. They probably just don't care about the negative consequences, or the "negative consequences" (negative for us) are actually what they're striving for.
I wonder where the boundaries would be in case such legislation was pushed through. If my software is Python-based, then would Python itself have to be audited too? If I run my software in Podman containers, then should Podman be audited too? What about the operating system I execute my software on? Let's say a thousand companies use dependency X - would that dependency have to be audited 1000 times independently? That would be a huge waste in my opinion.
Usually only the original producer of each component has to do the certification and apply the CE stamp. Any conglomerate doesn't need to reevaluate all the components themselves, only their interactions in the conglomerate.
So for your Python software you are fine either just providing the software alone, without an interpreter, having the customer get a Python-standard-compliant (if there were such a thing...) interpreter for themselves. Or you could provide a CE-certified Python interpreter that you got somewhere else along with your software, provided you do not change the interpreter you got and the interaction between your software and the interpreter is standard, run-of-the-mill, unsurprising normal use as intended and certified.
The HN crowd is completely missing the intent. Nobody wants to chase open source developers. The problem is that right now a person can go buy a smartphone or WiFi router which uses obsolete software components already and will never receive any updates. Hopefully it gets fixed through this legislation.
Not sure if it's literally regulatory capture, but it certainly has the same effects, as you've mentioned. Except I think it's actually the established, non-tech EU companies that benefit more than big US tech but I could see them benefiting too.
edit: apparently there is a similar bill in the US. So that does sound like regulatory capture.
The level of vitriol from the commenters here is honestly frightening.
If the Commission was proposing a law mandating that cars have seat-belts, people would be jumping in to shout "Europe is destroying free enterprise, they're trying to destroy small car-makers!"
Seriously, when you look at the list of concerned software, you have password managers, operating systems, certificate infrastructure, remote access software, industrial IoT, etc. For any software in these categories, it's not completely insane to think that "This software is provided as-is with no warranty whatsoever, good luck!" doesn't quite cut it.
And yes, open-source is concerned as well, when it's part of a commercial activity. Again, if you're being paid to provide software, it seems fair to say you're leaving the "lobbyist" category and entering the "paid professional" category and you have to worry about security requirements. Especially given that, outside of the critical projects mentioned above, you're allowed to display the CE mark if you self-audit.
Are there deeper discussions to be had here, concerns to be addressed, etc? Absolutely. I think a critical point is how "commercial activity" is defined. A threshold of gross revenue could be an interesting solution.
Are these deeper discussions happening in this thread? No. It's all "Europe hates innovation" and "I hate the EC and cookie banners so much!" Most commenters seem to automatically assume that any level of regulation is automatically going to drown small businesses and favor FAANG-scale corporations, which is more extreme than even the article calling out the regulation.
I think the fundamental problem here is that it's all about avoiding mistakes, not about doing good things. This attitude in general is a pox on humanity. Once you start to see the pattern it's everywhere. Schools, science funding, hospitals, building codes, policing, banking, aerospace, and on and on.
No one cares if you improve anything. They just care if you make a mistake. This attitude is a disaster.
As a European I do believe that the European Commission really hates innovation and they believe everything should be regulated as if only the politicians know what's best for everyone. Like they're trying to regulate what kind of chargers we can use, the maximum speed cars can reach, what you can say on the internet and so on. All in the name of safety, terrorism and all other buzzwords politicians throw around to make it sound important. If we'd had the EC 30-40 years ago, most probably we would all still be using dial-up for internet or maybe DSL at best and still have BBSs.
And PoignardAzure, yes, I do believe seatbelts and motorcycle helmets should be optional. If you die because you're too cool for them, you die - simple as that.
I'm an American that sells software to clients in the EU that this legislation considers a Class I critical product (https://vuplex.com). If this law is passed, what would be the consequence of not hiring an auditor to comply with it? Depending on the cost of an auditor, compliance may cost more than the revenue generated from the EU. If that's the case, it may no longer be economical for me to sell to clients in the EU.
Usually CE regulations do not care if you hired an auditor or not. They only care about the regulations being obeyed. My understanding is that warning the users of the level of security they can expect, and handling security flaws reasonably is probably going to be enough.
Certainly; that's the idea. Regulation is usually designed to favor large incumbents with some fig leaf of justification, in this case hand waving about security.
The CRA is intended to protect the EU from pooling all its critical eggs in too few baskets, especially if those baskets are not EU based companies. I'm not sure what vuplex does, but I'll use AWS or Azure as an example. This is where a lot of our critical software, like stuff that operates our public sector, banking and what not is put, because that's basically where everything is put these days. With the CRA, the EU is going to identify a range of businesses of a certain size, I work for one such business since green energy production is critical, and potentially demand that half of us leave Azure within 3-6 months because the EU can't function if Azure somehow becomes hostile to us. As with the GDPR, this actually has very little to do with software or development itself. It mostly has to do with bureaucracy, so we're not expected to build things that can take us out of Azure and put us into X, not technically, but we are required to plan for the eventuality and to get those plans audited. As I see it, it will be on your customers to handle these audits, not you, and it's not a contingency that is likely to ever actually happen, unless America goes full Right Wing populist, which frankly seems less likely than the EU doing it judging by this year's elections.
Anyway, where this will become sort of an issue in regards to open source software and actual development, as the article points out, is when too many companies rely on the same business critical piece of software. I'm not sure I agree that this will be such a big issue, however, as most organisations that I know of tend to in-source the most vital open source projects exactly because it's too dangerous to rely on some random person.
We've done this ourselves. We needed an OData package for TypeScript projects, and while there were a few options out there, none of them were great. Some of them would've been "good enough", sort of, but they were either maintained by one or two people or not at all. So instead of using these, we wrote our own. Which is frankly how I suspect a lot of Open Source projects happen, because while you can use GORM as your Go ORM and where we could have used one of these packages and even made it better, it was simply easier to make our own.
The CRA doesn't really change this, however, at least not if you're already taking security seriously.
I personally think the only area that will actually be interesting to follow the CRA on is what the EU intended to do with all the public sector smartphone Apps. Here in Denmark we can have things like our driver's licence in apps, but these apps are only available through either Google or Apple, and those aren't European companies. :p For everything else, I think this will mostly be bureaucracy, bureaucracy, bureaucracy, which is sort of fine, because as the GDPR has shown us, not every organisation can be trusted to do security that impacts the EU.
I am not an author of a popular OSS project so my view is probably distorted, but as an OSS developer would you give a dime about legislation like this?
Edit: It got me thinking: how would the legislator ensure the legislation is implemented? Would they start requiring escrow so they can check by themselves if software is developed to the correct security standard?
As long as you're not financially profiting from the project, the legislation does not affect you. The moment you do financially profit from it (for example, if you have a business around it, or the software is developed by a business), then things get a little more complicated - if you have no clients in the EU and don't market or sell to the EU, you can mostly just ignore this. If you do, then you probably have to care about this.
Supposedly, if this legislation passes then the EU will be within its rights to ask GitHub or any such platform to remove completely or to block OS projects that do not meet the EU's new security criteria.
Take what I’m saying with a huge grain of salt, cause I’m also not a OSS contributor nor do I work with tech-related legislation.
I'd guess large producers of commercial software. BigCo doesn't have any problem having an entire compliance & audit b.s. department. However, all the smaller companies, independent developers and OSS software will be regulated out of the market.
It's interesting that the EC is not looking at addressing the obvious loophole big corporations are using - that is, they are saving on R&D and tax by using open source software without paying the developers for their time.
If these big corporations were paying up the fair share of profit generated by the open source software they use, I am sure the developers behind it would have funds essential to ensure the security of the software they make.
That being said, even if the above were not feasible (shame!), then it should be up to the corporation using the software to ensure it is secure (and possibly to contribute any fixes back to the software).
This kind of reminds me of when encryption became a munition in some countries—development moved to countries where encryption wasn’t outlawed. Something tells me a bit of a brain drain will happen if this comes to fruition as groups will go out of their way to develop software outside of the EU. Either that or the EU will be full of undesirable software that has been audited, but is still vulnerable.
I think this is long overdue and virtually all posts in this thread seem to be generic, entirely contentless 'EU bureaucracy' rants. From the article:
> (i) it is designed to run with elevated privilege or manage privileges;
> (ii) it has direct or privileged access to networking or computing resources;
> (iii) it is designed to control access to data or operational technology;
> (iv) it performs a function critical to trust, in particular security functions such as network control, endpoint security, and network protection.
> (b) the intended use in sensitive environments, including in industrial settings[...]
There's a clear distinction here between what the EU labels 'critical products' and non-critical software. Seeing the increasingly insecure global situation, the importance of software in infrastructure and the potential threats I think it's wild that something like this hasn't passed a decade ago. Digital infrastructure needs to be as secure as physical infrastructure.
I wonder what would happen if some Heartbleed-esque bug that went undiscovered for years took out a huge chunk of a nation's electricity grid in a military conflict. What the EU needs in addition is of course also more funding for software security, but they're already doing a halfway decent job. If you didn't know, if you fix open source bugs in the EU you can get paid for doing just that: https://ec.europa.eu/info/news/european-commissions-open-sou...
The OSS community thought that Microsoft would destroy OSS, but the real danger is throwing some legislators in the game. I always thought that the way that we would destroy OSS was making it political, but making it bureaucratic is an easier and cheaper way to destroy OSS.
Red Hat has been providing indemnification for patents for RHEL. This seems like another regulatory bag they will have to carry. Everybody will just use Red Hat, because it is already certified so they can just pass the certification along.
"outside the course of a commercial activity should not be covered by this Regulation" Is this kind of wording normal in EU laws? Why use "should" in the law, since we are in the middle of defining what is going to happen shouldn't it be "is"?
rad_gruchalski | 3 years ago
This reminds me of the Gaia-X / IDSA certification and approval framework blanketing the whole software industry in the EU. I am not sure yet what to think about it.
On one side, it looks a bit like proprietary software vendors trying to cut out SMEs who can match the quality with the same open-source software the big players use, but have no funds to go through the certification. The really funny part of this legislation is: the big players who can afford certification will be able to use ANY open-source component for free but the people who built it will have a tough time to go to the market because they will require the funds they don't necessarily have. Crazy situation.
On the other hand, if this is applied to everyone, well, it will get rolled into the cost of providing a service. You want to buy this from me? Sure, I'll charge you for compliance report.
The really funny part of the "Call for evidence for an impact assessment - Ares(2022)1955751" document (section C.) from https://ec.europa.eu/info/law/better-regulation/have-your-sa... reads:
> The initiative is expected to have positive economic impacts.
That section completely fails to mention that increased compliance costs will inevitably lead to increased software and services pricing, and thus to decreased competitiveness of European SMEs on the international market.
Hot take: I can see two options to cripple this: 1) Drown the legislator in compliance requests for minor code. 2) Dual-licensing: AGPLv3 + commercial license.
stefanfisk | 3 years ago
gwnywg | 3 years ago
creshal | 3 years ago
Emphasis on "proposed", the current edited title sounds like it's already in effect.
UltraViolence | 3 years ago
So yes, this is something to be concerned about.
NoboruWataya | 3 years ago
pvg | 3 years ago
https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
Animats | 3 years ago
[1] https://acronisscs.com/blog-open-source-backdoors-in-the-wil...
[2] https://www.zdnet.com/article/open-source-software-how-many-...
[3] https://www.infoq.com/news/2013/10/Linux-Backdoor/
light_hue_1 | 3 years ago
djbebs | 3 years ago
Make no mistake this will just be used to implement those backdoors.
AtlasBarfed | 3 years ago
diego_sandoval | 3 years ago
ramtatatam | 3 years ago
throwaway294566 | 3 years ago
pmontra | 3 years ago
1) commendable, but
2) the EU shooting in its foot, because
3) large rich American closed source companies will be very happy to comply
4) where will they find all the auditors to check the zillion of small open source projects inside node_modules for a commercial project? And who's going to pay them? Again, closed source companies are very happy.
execveat | 3 years ago
nonethewiser | 3 years ago
seydor | 3 years ago
PoignardAzur | 3 years ago
boxed | 3 years ago
ExoticPearTree | 3 years ago
And PoignardAzure, yes, I do believe seatbelts and motorcycle helmets should be optional. If you die because you're too cool for them, you die - simple as that.
binarynate | 3 years ago
nonethewiser | 3 years ago
For more context, a "critical" product cannot be self-assessed. He would have to hire the auditor.
Iv | 3 years ago
baggy_trough | 3 years ago
Archelaos | 3 years ago
EnKopVand | 3 years ago
gwnywg | 3 years ago
ISL | 3 years ago
Xylakant | 3 years ago
paganel | 3 years ago
readsadhours | 3 years ago
throwaway294566 | 3 years ago
binkHN | 3 years ago
varispeed | 3 years ago
UncleEntity | 3 years ago
continuational | 3 years ago
binkHN | 3 years ago
Barrin92 | 3 years ago
nonethewiser | 3 years ago
pelasaco | 3 years ago
hulitu | 3 years ago
kazinator | 3 years ago
seydor | 3 years ago
bjornsing | 3 years ago
stonemetal12 | 3 years ago