The European Cyber Resilience Act

Posted Sep 22, 2023 9:43 UTC (Fri) by farnz (subscriber, #17727)
In reply to: The European Cyber Resilience Act by wtarreau
Parent article: The European Cyber Resilience Act

Writing a bot to inform them of each backported patch is entirely in-scope and acceptable - one e-mail per patch, and let the authorities handle it.

The only reason you might consider being a little less eager to send such mails is that by doing so, you've ensured that commercial downstreams are legally liable if they haven't applied that patch and their install of your software is compromised. On the other hand, this might be a desirable effect - it forces them to keep close to upstream, for fear of being found liable for something.

to post comments

The European Cyber Resilience Act

Posted Sep 25, 2023 2:36 UTC (Mon) by wtarreau (subscriber, #51152) [Link] (1 responses)

Actually that might be a good solution to ensure that distros finally apply *all* fixes to software instead of cherry-picking random ones that they consider important because the stupidly irrelevant CVE word is associated with them.

The European Cyber Resilience Act

Posted Sep 25, 2023 9:40 UTC (Mon) by farnz (subscriber, #17727) [Link]

Yes, and this is intentional on the part of the CRA; one of the concerns in making you legally liable is that you need some way to say "if you don't apply the fixes I have said are critical, then I'm not liable when your house of cards falls apart". And that's what the notification mechanism is; the idea is that if your users don't like you notifying them of a need to patch every day or so, they'll find a commercial arrangement with you that makes you less eager to notify the authorities of "required" patches.

If they don't shower you with enough money to make you behave the way they want (and take on the liability that comes with that), then as far as the EU's concerned, that's their problem to deal with, either by switching to a different source of software, or by getting used to taking all your patches, not just the ones with a CVE tag, or just accepting that they are responsible for checking all of your bugfixes for security relevance, and paying the price if they erroneously deem a bugfix "not security relevant".

One of the reasons we're seeing FUD around the CRA is that if you do decide that you're going to notify every commit as a potentially security-relevant fix (which you're entitled to do under the proposals so far), the free ride comes to an end for your downstreams; they have to either take all of your commits within a short time of you making them (which results in them having to change maintenance schedules etc to support such frequent updates), or they have to deal with liability for bugs you've fixed since they took a copy in the software you give them, or they have to persuade you to stop doing that (which will almost certainly involve giving you money).