oss-sec mailing list archives

Re: European Union Cyber Resilience Act (CRA)


From: Solar Designer <solar () openwall com>
Date: Sun, 8 Oct 2023 23:47:34 +0200

On Sun, Oct 08, 2023 at 01:56:15PM -0700, Jean Luc Picard wrote:
> These people are not developers, live & govern a part of earth ripe with
> anti-communist/socialist sentiment.

Let's avoid non-essential references to political sentiments here.

> If you were to explain to them that
> their cellphones' security is protected by things like 'community' &
> 'sharing', they'd likely blow a gasket.

Oh, they're well aware of that.  From the Apache Foundation blog post:

https://news.apache.org/foundation/entry/save-open-source-the-impending-tragedy-of-the-cyber-resilience-act

"The current definitions are such that the CRA applies to the ASF, all
of its (volunteer) developers, and all our output. And, as the ASF
understands from its meeting with policy makers, this was intentional."

"As the regulation of open source is intentional, and there is also a
lot of common sense, good (open source) practices, in the CRA: the
expectation is that we are past the point where asking for a blanket
exception is productive."

> It appears it's too late to bring
> in the real industry experts into the committee meetings but not too late
> to make a meaningful difference.  That said, the community at large needs
> to prepare for a lull in rights & freedoms.  Perhaps if it got to a point
> to where, like the cookie law, some vital repositories start geoip blocking
> in protest, things might move along.  One thing for sure, things are about
> to get weird.

I advise against premature protests by people who haven't even bothered
to read the available material on the topic.

Alexander

