
The European Cyber Resilience Act

Posted Sep 20, 2023 21:39 UTC (Wed) by kleptog (subscriber, #1183)
In reply to: The European Cyber Resilience Act by ringerc
Parent article: The European Cyber Resilience Act

> PostgreSQL for example is a genuinely independent open source project. EnterpriseDB currently employs a significant proportion of the most active devs and committers and core team (steering group).

Not a bad example actually. The obvious answer is that EnterpriseDB is responsible for what it sells. If there's a security issue that needs to be patched, EnterpriseDB can apply it to the version they ship. That they may not get the fix into the mainline PostgreSQL release is neither here nor there.

What responsibility does the PostgreSQL project have? Strictly speaking, none. But the people distributing PostgreSQL for money have an interest in working together with the project to make this work. In a sense this happens already, so I expect this law to formalise that process a bit more (if necessary).

> It's pretty clear that much of the ambiguity in the proposal is there to prevent companies from evading the law using faux-open-source "projects", open-core models etc.

One of the differences between US and EU regulation is that the US tends to formulate lots of precise rules, whereas EU regulation tends to be higher level, leaving room for regulators to apply the intent of the regulation to specific examples. For example, the Italian regulators banned subprime mortgages early despite there being no explicit rule against them, on the basis that they looked like a bad idea. If people are expecting the CRA to provide detailed rules about who is or is not targeted, they're going to be disappointed. That's not the way we roll.

If you're worried this might lead to selective enforcement, the flip side of this is that if a regulator targets a single open-source project, the fact they're not also going after every project with the same issues is actually a defence. So all you need to do is do a better job than the average commercial product (which isn't hard) and you've got nothing to worry about.

I think the discussions about this all being a huge amount of work for open-source projects are exaggerated. Nothing in the Act suggests things companies shouldn't be doing already. If you're deploying a product in 2023 without even doing the minimal cybersecurity checks, you ought to be shot. For a lot of open-source software there are standard GitHub CI/CD pipelines and bots which check for security issues. Tools like Coverity check lots of open source projects for free. I honestly think the average popular open-source project is in a much better state than most proprietary software and can trivially prove it too.


The European Cyber Resilience Act

Posted Sep 21, 2023 2:37 UTC (Thu) by wtarreau (subscriber, #51152)

> If there's a security issue that needs to be patched, EnterpriseDB can apply it to the version they ship.

Sure, but there's a huge difference between "having to apply a patch" and "spending one month filling in a stupid paper form describing the possible impacts of the issue and its remediation". A bug needs to be fixed, period. No need to add bureaucracy that makes development halt after the first bug and impossible to restart.

They could put the effort on the bug reporter, for example: make it possible for a bug reporter whose bug report has been ignored to fill in that form so that the EU can ask the company if it really poses a security threat and why it's not fixed, and if the company doesn't respond in a few weeks/months, then deny it the right to sell the product in the EU until it responds. It would be more effective and limit the amount of bureaucracy inflicted on those who are already busy trying to fix the problem.

The European Cyber Resilience Act

Posted Sep 21, 2023 11:47 UTC (Thu) by kleptog (subscriber, #1183)

Come on, paper forms have been practically dead for a while now. I've signed two physical forms in the last decade, everything is online these days.

And if your product has an actively exploited vulnerability that's causing actual damage, a simple email to ENISA telling them about it and how to mitigate it is the absolute least you can do. You don't have to notify them for every bug, that would be silly (and they'll probably tell you off if you do).

If the bug reporter includes a working exploit, it's worth notifying about ASAP. Otherwise, you can probably just fix it and move on.

The European Cyber Resilience Act

Posted Sep 21, 2023 12:53 UTC (Thu) by farnz (subscriber, #17727)

Every interaction I've had with the IRS in the USA has involved paper forms, which can either be sent by "certified international mail" (whatever local service turns into certified USPS mail in the USA - in my case, "International Tracked & Signed" from Royal Mail is the relevant service) or faxed. They will not accept e-mailed copies.

But my understanding of EU law is that EU governments can't do this - if they want paper copies of a form, they must be willing to print e-mailed versions out.

The European Cyber Resilience Act

Posted Sep 25, 2023 16:20 UTC (Mon) by Wol (subscriber, #4433)

The problem in Europe is that all too often the government will no longer accept paper forms.

I (as of this year) now have to fill in a tax return. Most European citizens don't - PAYE has removed that burden. I signed up for paper forms (web forms far too often are the work of the devil aka junior idiots who can't think straight and design things that are a nightmare / impossible to complete properly).

So, when my first return was due, I got an email telling me "You need to fill in the form online, we've scrapped paper". ARGGHHHH. I DON'T WANT ONLINE!!!

Cheers,
Wol

The European Cyber Resilience Act

Posted Feb 13, 2024 17:40 UTC (Tue) by nix (subscriber, #2304)

I'm very late, but you should note (if you're still reading this) that HMRC's online tax reporting systems are *lovely*. They do nearly all the work for you, every box is linked to help telling you in pretty clear terms what the heck it's for (and if you still don't understand the terminology you can pop open another tab and google for it), you can usually skip nearly all the boxes and it's usually obvious which, most of them are auto-skipped for you based on the general properties of where you get income from and never appear at all, and if you make mistakes there is a series of summaries you are forced to see which make it obvious you screwed up. And you can go back and change it repeatedly until the filing deadline.

IMHO in all ways the online reporting system is far preferable to the physical forms iff you can use it at all (not everyone can, e.g. people with large foreign shareholdings can't, but they probably have people to do their taxes for them anyway).

(And, of course, the UK's tax filing physical forms are massively better than the horrifying nightmare the US forces everyone to use.)

The European Cyber Resilience Act

Posted Feb 13, 2024 19:47 UTC (Tue) by Wol (subscriber, #4433)

The problem is HMRC now demands everyone file online.

I recently had to sign up to filing taxes. I said I wanted paper, and even before I got my first set of forms, I got a message saying I had to file online :-(

And my experience was they were demanding all sorts of information (that I filled in with 0s), but the banks etc are supposed to give them that information. It's a complete pain ...

Cheers,
Wol

The European Cyber Resilience Act

Posted Sep 22, 2023 4:15 UTC (Fri) by wtarreau (subscriber, #51152)

This remains what I call paper forms. Even if they're online, it doesn't mean that suddenly it's quick to fill them. And actually I'd rather write a bot to inform them of every backported patch so that I don't have to do the extra work of figuring which ones might be relevant to them according to their own preference.

The European Cyber Resilience Act

Posted Sep 22, 2023 9:43 UTC (Fri) by farnz (subscriber, #17727)

Writing a bot to inform them of each backported patch is entirely in-scope and acceptable - one e-mail per patch, and let the authorities handle it.

The only reason you might consider being a little less eager to send such mails is that by doing so, you've ensured that commercial downstreams are legally liable if they haven't applied that patch and their install of your software is compromised. On the other hand, this might be a desirable effect - it forces them to keep close to upstream, for fear of being found liable for something.

The European Cyber Resilience Act

Posted Sep 25, 2023 2:36 UTC (Mon) by wtarreau (subscriber, #51152)

Actually that might be a good solution to ensure that distros finally apply *all* fixes to software instead of cherry-picking random ones that they consider important because the stupidly irrelevant CVE word is associated with them.

The European Cyber Resilience Act

Posted Sep 25, 2023 9:40 UTC (Mon) by farnz (subscriber, #17727)

Yes, and this is intentional on the part of the CRA; one of the concerns in making you legally liable is that you need some way to say "if you don't apply the fixes I have said are critical, then I'm not liable when your house of cards falls apart". And that's what the notification mechanism is; the idea is that if your users don't like you notifying them of a need to patch every day or so, they'll find a commercial arrangement with you that makes you less eager to notify the authorities of "required" patches.

If they don't shower you with enough money to make you behave the way they want (and take on the liability that comes with that), then as far as the EU's concerned, that's their problem to deal with, either by switching to a different source of software, or by getting used to taking all your patches, not just the ones with a CVE tag, or just accepting that they are responsible for checking all of your bugfixes for security relevance, and paying the price if they erroneously deem a bugfix "not security relevant".

One of the reasons we're seeing FUD around the CRA is that if you do decide that you're going to notify every commit as a potentially security-relevant fix (which you're entitled to do under the proposals so far), the free ride comes to an end for your downstreams; they have to either take all of your commits within a short time of you making them (which results in them having to change maintenance schedules etc to support such frequent updates), or they have to deal with liability for bugs you've fixed since they took a copy in the software you give them, or they have to persuade you to stop doing that (which will almost certainly involve giving you money).


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds