SOSSA and CRA Spell Trouble for Open Source Software
Even though I’m no longer writing full time, I do have a “bucket list” of publications I’d still like to write for, and Dark Reading has been one of those publications for many years. Happily for me, I get to cross that one off (though I’d do it again!) with this article, “SOSSA and CRA Spell Trouble for Open Source Software.”
Short version: Some ill-considered legislation coming in the wake of Log4Shell, the US Securing Open Source Software Act (SOSSA) and the EU’s Cyber Resilience Act (CRA), poses a threat to open source software, the CRA in particular. From the article:
What’s at Stake With the EU’s CRA
A number of organizations and smart people have already written about the impacts of the CRA in its current form. In short, it wants to impose compliance requirements on hardware and software that include performing updates, following development practices, assessing risks, and so on.
Like SOSSA, the CRA puts the burden on the producers and manufacturers of software to secure it. And while it tries to exempt open source software “supplied outside the course of commercial activity,” where exactly that line is drawn remains unclear. For example, does a not-for-profit entity that offers some form of support become obligated to comply with these rules?