[go: up one dir, main page]
|
|
Log in / Subscribe / Register

The European Cyber Resilience Act

The European Cyber Resilience Act

Posted Sep 21, 2023 11:47 UTC (Thu) by kleptog (subscriber, #1183)
In reply to: The European Cyber Resilience Act by wtarreau
Parent article: The European Cyber Resilience Act

Come on, paper forms have been practically dead for a while now. I've signed two physical forms in the last decade, everything is online these days.

And if your product has an actively exploited vulnerability that's causing actual damage, a simple email to a ENISA telling them about it and how to mitigate it is the absolute least you can do. You don't have to notify them for evey bug, that would be silly (and they'll probably tell you off if you do).

If the bug reporter includes a working exploit, it's worth notifying about ASAP. Otherwise, you can probably just fix it and move on.

to post comments

The European Cyber Resilience Act

Posted Sep 21, 2023 12:53 UTC (Thu) by farnz (subscriber, #17727) [Link] (3 responses)

Every interaction I've had with the IRS in the USA has involved paper forms, which can either be sent by "certified international mail" (whatever local service turns into certified USPS mail in the USA - in my case, "International Tracked & Signed" from Royal Mail is the relevant service) or faxed. They will not accept e-mailed copies.

But my understanding of EU law is that EU governments can't do this - if they want paper copies of a form, they must be willing to print e-mailed versions out.

The European Cyber Resilience Act

Posted Sep 25, 2023 16:20 UTC (Mon) by Wol (subscriber, #4433) [Link] (2 responses)

The problem in Europe, is that all too often the government will no longer accept paper forms.

I (as of this year) now have to fill in a tax return. Most European citizens don't - PAYE has removed that burden. I signed up for paper forms (web forms far too often are the work of the devil aka junior idiots who can't think straight and design things that are a nightmare / impossible to complete properly).

So, when my first return was due, I got an email telling me "You need to fill in the form online, we've scrapped paper". ARGGHHHH. I DON'T WANT ONLINE!!!

Cheers,
Wol

The European Cyber Resilience Act

Posted Feb 13, 2024 17:40 UTC (Tue) by nix (subscriber, #2304) [Link] (1 responses)

I'm very late, but you should note (if you're still reading this) that HMRC's online tax reporting systems are *lovely*. They do nearly all the work for you, every box is linked to help telling you in pretty clear terms what the heck it's for (and if you still don't understand the terminology you can pop open another tab and google for it), you can usually skip nearly all the boxes and it's usually obvious which, most of them are auto-skipped for you based on the general properties of where you get income from and never appear at all, and if you make mistakes there is a series of summaries you are forced to see which make it obvious you screwed up. And you can go back and change it repeatedly until the filing deadline.

IMHO in all ways the online reporting system is far preferable to the physical forms iff you can use it at all (not everyone can, e.g. people with large foreign shareholdings can't, but they probably have people to do their taxes for them anyway).

(And, of course, the UK's tax filing physical forms are massively better than the horrifying nightmare the US forces everyone to use.)

The European Cyber Resilience Act

Posted Feb 13, 2024 19:47 UTC (Tue) by Wol (subscriber, #4433) [Link]

The problem is HMRC now demands everyone file on line.

I recently had to sign up to filing taxes. I said I wanted paper, and even before I got my first set of forms, I got a message saying I had to file online :-(

And my experience was they were demanding all sorts of information (that I filled in with 0s), but the banks etc are supposed to give them that information. It's a complete pain ...

Cheers,
Wol

The European Cyber Resilience Act

Posted Sep 22, 2023 4:15 UTC (Fri) by wtarreau (subscriber, #51152) [Link] (3 responses)

This remains what I call paper forms. Even if they're online, it doesn't mean that suddenly it's quick to fill them. And actually I'd rather write a bot to inform them of every backported patch so that I don't have to do the extra work of figuring which ones might be relevant to them according to their own preference.

The European Cyber Resilience Act

Posted Sep 22, 2023 9:43 UTC (Fri) by farnz (subscriber, #17727) [Link] (2 responses)

Writing a bot to inform them of each backported patch is entirely in-scope and acceptable - one e-mail per patch, and let the authorities handle it.

The only reason you might consider being a little less eager to send such mails is that by doing so, you've ensured that commercial downstreams are legally liable if they haven't applied that patch and their install of your software is compromised. On the other hand, this might be a desirable effect - it forces them to keep close to upstream, for fear of being found liable for something.

The European Cyber Resilience Act

Posted Sep 25, 2023 2:36 UTC (Mon) by wtarreau (subscriber, #51152) [Link] (1 responses)

Actually that might be a good solution to ensure that distros finally apply *all* fixes to software instead of cherry-picking random ones that they consider important because the stupidly irrelevant CVE word is associated with them.

The European Cyber Resilience Act

Posted Sep 25, 2023 9:40 UTC (Mon) by farnz (subscriber, #17727) [Link]

Yes, and this is intentional on the part of the CRA; one of the concerns in making you legally liable is that you need some way to say "if you don't apply the fixes I have said are critical, then I'm not liable when your house of cards falls apart". And that's what the notification mechanism is; the idea is that if your users don't like you notifying them of a need to patch every day or so, they'll find a commercial arrangement with you that makes you less eager to notify the authorities of "required" patches.

If they don't shower you with enough money to make you behave the way they want (and take on the liability that comes with that), then as far as the EU's concerned, that's their problem to deal with, either by switching to a different source of software, or by getting used to taking all your patches, not just the ones with a CVE tag, or just accepting that they are responsible for checking all of your bugfixes for security relevance, and paying the price if they erroneously deem a bugfix "not security relevant".

One of the reasons we're seeing FUD around the CRA is that if you do decide that you're going to notify every commit as a potentially security-relevant fix (which you're entitled to do under the proposals so far), the free ride comes to an end for your downstreams; they have to either take all of your commits within a short time of you making them (which results in them having to change maintenance schedules etc to support such frequent updates), or they have to deal with liability for bugs you've fixed since they took a copy in the software you give them, or they have to persuade you to stop doing that (which will almost certainly involve giving you money).


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds