
When the news of the EU's Cyber Resilience Act (CRA) first emerged, open source software developers and companies were worried sick. As the Python Software Foundation (PSF) executive director Deb Nicholson said at the time, "Under the current language, the PSF could potentially be financially liable for any product that includes Python code, while never having received any monetary gain from any of these products." Ouch!
Well, according to Greg Kroah-Hartman, a top Linux kernel maintainer and member of the CRA working group of experts, "for open source contributors and maintainers, ... [the] CRA is a good thing. I think it's gonna help us." Speaking in Paris at the Linux Kernel Recipes conference, Kroah-Hartman started by saying, "You never expect to be dealing with lawyers and things like that when you start out programming. But here I am. This is all my personal opinion."
Kroah-Hartman explained that the CRA introduces a legal requirement for producers of products with digital elements (PDE), a broad category that includes nearly all software-driven devices and programs, to document, secure, and maintain their software supply chain. This means companies must now generate a Software Bill of Materials (SBOM), track vulnerabilities, respond to newly discovered issues, and be transparent about their security practices.
Open-source contributors and maintainers face little direct legal impact from the CRA as currently written. Organizations that produce products with digital elements must comply with new CRA requirements. Producers of such products must document, secure, and maintain their software supply chains and generate Software Bills of Materials (SBOMs). Companies must track vulnerabilities, respond to newly discovered issues, and be transparent about security practices. Initial concerns included potential financial liability for foundations when code appears in third-party products. Subsequent CRA revisions provide clearer boundaries that reduce legal exposure for individual contributors while increasing organizational security obligations.
Read at Theregister