The future of open source in Europe is in danger

With the new law that will be voted in by the end of the month, the Cyber Resilience Act, security constraints will be placed on the open source world, and therefore also on Linux.
For all those living in Europe, write to your country’s MPs to prevent it from being passed without the appropriate changes.
I took the liberty of writing in this forum because I think this is something really important for Europe.
Thank you all

This is the EU, not the UK; we are no longer in the EU.

I skimmed through the 80-page-long draft. Besides the matter of whether it may or may not apply to open source – which seems to be the sole point quoted above – I could only grasp that it asks software and hardware manufacturers to declare (or simply document?) how their products include security. So this doesn’t feel very harmful to open source…

What did i miss?

It depends which kind of software it is; there are different levels of requirements. But this is not the problem. There is an exception for open-source software, but many developers of open-source software are employed by companies that provide support or extras for this open-source software. With the compliance requirements, these companies might stop doing that.

An article from the view of a company that develops open-source software (Unbound DNS).

But at the moment, it might end like the Radio Equipment Directive. A lot of fuss, but in the end there was no real downside for customers. I can still install OpenWRT, but there are more proprietary firmware parts.


Rather, from the post you linked, the issue I understand is:
Given an open-source project is used in a commercialized critical product, it may itself be subject to the associated security requirements – depending on the interpretation of “commercialized”, e.g. whether it extends to the said project – such as (costly) audits, which aren’t affordable to the (non-profit) project developers. Hence the legal uncertainty.

Yes, but if the project is non-profit it would fall under the exception or could simply not care about it.

But if a company wants to use the code, it must comply with the regulations. Which means a company might not integrate this specific project. (Which might not be bad at all.) Personally I like the idea behind the Cyber Resilience Act.

Unfortunately the lines between an open source project and a company that uses this project are often not that clear. For example, the lead developer of an open source project is also employed by a company that provides support and maybe sells a special enterprise version of this software. The employed developer contributes 100% of their time to the open source project. With the new regulations, the company would need to comply, but can’t afford it. The developer might get fired, or can’t contribute work time to the project. Often these companies are just one-man operations.


I agree, however this is the official Manjaro support forum and that news is not directly related to Manjaro. Notice the Non-technical Questions section is only for Questions about the project and the distribution.

General discussion is welcome in our official Telegram channel and unofficial subreddit.


This is the official Manjaro support forum. The Non-technical Questions section is only for questions about the project and the distribution.

General discussion is welcome in our official Telegram channel and unofficial subreddit.