"This blog concludes a 17-month journey to understand the #EU's attempt to regulate software with the #CRA. I engaged in this policy process in an effort to minimise damage to the practice of free and #opensource software development.
"#FOSS policy engagement: a #CyberResilienceAct retrospective" features my struggle to understand how Brussels works, roughly on a chronological timeline."
#cyberresilienceact Regulation does not cover non-commercial projects. Regarding conformity assessment: for #foss, self-assessment is possible except for critical products (hardware only); open-source software is excluded. #fosdem2024
#cyberresilienceact is nearly finished. Many more open-source elements in the final version. Closed several holes in the law. CE mark will also cover security mechanisms in the near future. #fosdem #fosdem2024
Come experiment with us at #FOSDEM: we’re bringing policy makers and developers together in an EU policy devroom to discuss impending legislation with relevance to #foss. There are four two-hour blocks you can attend, on Sunday Feb 4th.
Great article at #Heise: "#Linux: Kernel developers push through free graphics drivers
Even the heavyweights of the graphics chip industry have caved in and now offer open-source #Kernel drivers. That gives users room to manoeuvre."
@fj I love Debian to bits. But its statement on the #CyberResilienceAct is based on old text. I suppose that's inherent in commenting on a draft that is evolving behind closed doors. But now the actual text is public, a number of worries in the Debian statement are no longer an accurate reflection of reality.
This doesn't mean we won't have a major step in security requirements coming from users and devs, raising their expectations.
In #QGIS project, we already see a lot more messages to forward vulnerabilities.
I am still unsure if open source with open core model will be concerned though.
The #EU has been making a lot of bad decisions recently (#eIDAS, #ChatControl, #CyberResilienceAct and others...), in particular when it comes to the open source community.
I've been working in the institutions for two years and am considering launching a wiki to explain how to better influence EU decision making, would this interest anyone?
EDIT: I somehow managed to make the poll 5 minutes, sorry!
According to @euractiv_global a final #CyberResilienceAct text will be ready already next week. There is good news and bad news. Legislators seem to recognise the nature of #OpenSource as a novel industrial process. However, projects under the umbrella of supporting organisations (e.g. foundations) are still required to comply with parts of the #CRA. It remains to be seen whether the dangerous upstream certification requirement stays.
Arrived on my doorstep today! I blame the #CyberResilienceAct for my curiosity in more things #EU and @StevePeers for sharing on Mastodon that he worked on this update.
@StevePeers And while we are on the subject of EU law, if anyone knows an expert on the #NewLegislativeFramework familiar with the jurisprudence on what constitutes “making available on the market in the course of a commercial activity”, several other #opensource people and I would like to better understand the (legal?) underpinnings of the writing in the Blue Guide on the matter. You would help us make sense of the #CyberResilienceAct. Sharing encouraged.
1/6 A short thread on the current status of the #EU #CyberResilienceAct. This is a digest of information conveyed through social media, the Linux Foundation and the Free Software Foundation Europe.
More appeals for a better position for open-source software in the Cyber Resilience Act, this time from the Dutch "Vrijschrift" (member of EDRi). They call for including the exemption (with changes from Council) in the provisions of the Act, instead of the Recitals.
This does indeed occur in other EU legislation, for instance in the Digital Content & Services Directive, where open-source software is exempted in Article 3(5)(f).
"Cybersecurity experts have urged EU policymakers to reconsider a crucial part of the Cyber Resilience Act (CRA), the vulnerability disclosure requirements, in an open letter published on Tuesday (3 October)."
Heard quite a few similar concerns at the ONE Conference...