Hi all,

I just browsed the ISOC article linked below and it sounds wrong to me. While it is correct to note that "certification will not eradicate bugs even when a manufacturer is fully compliant", trying to exempt FOSS is not the right approach.

What software would you use, a fully certified, professional OS, or a run-at-your-risk product by hobbyists who are exempted from security regulations by a compassionate exception to the Cyber Resilience Act?

If the point is certification costs, I'd recommend that certification agencies be required to work for a percentage of the cover price of the product they're certifying, which is 0 for most FOSS packages. No exceptions.

Best
Ale

On Tue 25/Oct/2022 10:53:39 +0200 Johan Helsingius wrote:
Hi Maarten,
Thank you for the heads-up - it is definitely a proposal that needs to be followed.
Julf
On 24-10-2022 14:58, Maarten Aertsen wrote:
Dear cooperation working group,
I'd like to call your attention to my talk on the draft agenda of the open source wg this Wednesday, because I believe it may be of interest to members of this group:
On 10/10/2022 18:47, Marcos Sanz wrote:
Agenda RIPE 85 Open Source WG Session
Wednesday, October 26, 10:30 - 11:30 (CEST)
[..]
B. "Cyber Resilience Act effects on OSS", Maarten Aertsen, NLnet Labs
NLnet Labs is closely following a legislative proposal by the European Commission affecting almost all hardware and software on the European market. The Cyber Resilience Act intends to ensure cybersecurity of products with digital elements by laying down requirements and obligations for economic operators.
In this short talk you'll learn what to expect in the Cyber Resilience Act and why this proposal may matter to you as a developer or user of open source software. If so, let's make sure that policy makers take into account its effects on open source development by professional organisations and volunteers alike.
Do get in touch with Maarten when you have similar concerns, want to team up or can help us to provide technical expertise in the right places.
If you would like to read a little more on the topic, Olaf Kolkman has just published a blog post on the same topic at the Internet Society blog [1].
I'm new to this community: don't be shy and talk to me :-)
kind regards, Maarten
[1] https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilien...