New EU proposal: "Cyber Resilience Act"

https://devclass.com/2023/01/24/eus-proposed-ce-mark-for-software-could-have-dire-impact-on-open-source/

The article confirms to me that European laws are written by Google/MS as far as software is concerned, and by US investment funds and pension funds when it comes to energy, etc.

Russia is no longer a safe harbour. If things continue like this, China, Taiwan, Singapore and Korea could become interesting locations for software development.

Gianguido

The text of the CRA - Cyber Resilience Act is available at https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act (automatic translations provided by the EU are available).

diego

The topic of security is interesting and more relevant than ever, nowadays.

In principle, free software and open source should be safer and more secure
than the other alternatives, because they are transparent and everyone is
able to look at their code. But this is not enough because the compilation
and distribution have to be done in a secure way as well.

And then there is the problem of trust. If I produce a vaccine and say "use
it at your own risk, I am not responsible if you harm yourself", would you
use it? There should be some trusted body who can test it independently,
and make sure that it is useful and does no harm, and certify it. Otherwise
people (who generally are not medical experts) have no way of trusting it.

I believe that a similar system should be used for software too, especially
for those that are widely used.
But I am not sure how such a system should work. And certainly I don't have
enough competence and expertise to comprehend, judge, and evaluate the
"Cyber Resilience Act", that is being discussed.

Regards,
Dashamir


I cannot read the whole text (it is too boring for me), but I found this
part by chance:


This was noted recently, but how do you interpret the wording?

I interpret this that any commercial activity that is even just using
OSS (developed in part or completely outside of the activity) would be
subject to the regulation.

In that case, the commercial activity will have to certify the software
by its own means, unless you go by a redistributor like RedHat that
certifies (aka: sells the certification) on your behalf.

I hope I'm understanding this wrong, but this reminds me of the ISO
certifications, which are effectively worthless (doing anything
except "bolstering security"), but at the same time just raise the
barrier to competition by outpricing small players.