207 comments

[ 4.0 ms ] story [ 266 ms ] thread
Considering the pile of untested and mostly garbage devices and software produced by some companies, this is amazing !

For those who will not bother reading the article :

> I think having a CRA is long overdue, but I hope we can get to something that doesn’t further clamp down on innovation in Europe.

GDPR had the same warning label, and yet, today, it's wholeheartedly accepted as a great improvement over the previous status quo.

By who? The people I know who have had to deal with GDPR still regard it as a disastrous piece of legislation, a textbook example of how not to write civilized law. It's achieved nothing obvious or concrete, and meanwhile many Americans now perceive the EU as using privacy legislation to extort massive fines from them. Fines that are levied regardless of how much effort they put into compliance.
I'm going to stay sceptical of this proposal until some precedence on how it will be used by EU courts exists

With that said, I think this is overall a step in the right direction. Security is in many places still a secondary concern, so regulation is in my opinion needed to improve the status quo

We got vastly better at security over the last three decades. Windows SMB shares completely open to the internet, networked code written in C without sanitisers, widely exploitable bugs in OSes - none of this is a regular occurrence anymore. There is no need to have bureaucrats get involved and line the pockets of "auditors" with ultimately useless checkbox exercises. We've seen all of this before, it never turns out as planned.
At the same time, the amount of software running on devices around the world has also grown and attackers have gotten better tools

30 years ago the electronic warfare was not seen as much of a security risk. Today these kinds of attacks against critical infrastructure are regular occurrences

This has become a very real safety risk for citizens and needs to be addressed

There are already regulations for important infrastructure such as powerplants, or safety criteria machinery such as planes and medical devices. We don’t need this kind of red tape in e-commerce startups.
I honestly think this is good. Almost every other engineering profession needs to adhere to a variety of standards and is subject to certifications and review, except for software engineers. it is kinda weird that a ventilator needs to go through a wide variety of regulatory checks but the software systems that control power in the hospital do not, even if they would allow hackers to shut down electricity to all ventilators.

A lot of the author's criticism is centered on the lack of a designated standards body and software standards. That seems slightly unfair, given the fact that this is still a draft law, so obviously it is still waiting to be implemented and further specified through a standardization process. In general, it should be seen as a positive when a law doesn't set out specific requirements - which might be out of date - a few years later - but rather leaves it up to a body filled with industry representatives and experts to figure out the exact standards.

The problem is certifications, standards, reviews are strong barriers to entry and destroy competition and startup opportunities. EU already lacks big tech compared to US, China and Russia. EU can easily regulate that to write software one needs to have a masters degree in CS.
Or, you know, simply fine companies that have data breaches. They will figure out how to secure their systems on their own if sufficiently motivated. No need for heavy handed bureaucracy and red tape.
My preference here would be for civil actions for damages rather than fines paid to bureaucrats.
I think that would hurt startups much more. It will require that the degrees are accredited, which is a lot of work for both the institution that provides certification and for people applying

Secondly, a large percentage of developers do not have a CS degree. There's also a significant number of educations that are not specified as a CS degree, but still teach people skills with the aim of them entering the workforce to work as developers

It's also unclear how domains where software is developed as a tool, but isn't a primary focus (i.e. bioinformatics)

> EU already lacks big tech compared to US, China and Russia

US has next to zero privacy protections, and unlimited investor money with zero expectations for a company to ever turn profitable. E.g. all of YCombinator's "top companies" lose hundreds of millions and billions dollars a year.

China and Russia have cheap labor and yes, zero privacy.

Edit: the same people who clamor for Russia and China-style big companies will immediately shout for government to step in if any company ever gets to the size and influence of Yandex or AliBaba.

I love privacy, but the majority of people in the world seem not to understand it's importance.

No, there are no "zero expectations for a company to ever turn profitable". If you ever tried to get investor money you'll know how hard is to prove to them you have a good path to profitability. Even if all of YCombinat companies except one lose hundreds of millions, the last one can turn into a Facebook, worth hundreds of billions.

> No, there are no "zero expectations for a company to ever turn profitable". If you ever tried to get investor money you'll know how hard is to prove to them you have a good path to profitability.

And yet, YCombinator's top companies lose billions for years and keep getting the money. What's the "proven path to profitability"? The flimsy belief that "just wait a bit and we'll have a next Facebook?"

Most of the companies that get mentioned as "big innovative companies" in HN threads have been around for 5+ or even 10+ years, lost incalculable amounts of money, never turned a profit, and we're led to believe that there's an expectation to turn a profit in any of these scenarios.

dmitriid, you seem to not understand the simple fact that if one of a hundred startups an investor financed turns into a big success he can make big profits overall, despite 99% of the companies lost him money.
> US has next to zero privacy protections

One in five US citizens is protected by a regulation that looks an awful lot like GDPR. And if history is any guide, it won't be long before that number gets a lot closer to 100%.

You mean California. And California laws do not apply to companies located in, say, Delaware.

EU laws apply to all member states and even entities just dealing with EU members (which is why Privacy Shield is dead again, USA lied).

> You mean California. And Californiaaws do not apply to companies located in, say, Delaware.

They do, in fact, when it does business in California. (Also, California is less than 1/5 of the country, so the reference is not just to California law.)

The problem here is that having remote customers does not count as "doing business in". So it only applies to brick and mortar located in Cali.

Otherwise it's illegal as due to fun laws only FED can regulate interstate commerce.

> The problem here is that having remote customers does not count as "doing business in". So it only applies to brick and mortar located in California

Physical presence is not a requirement for commerce clause nexus (though it definitely satisfies it.) I’m not sure it ever was viewed as a requirement outside of sales taxes, and the precedent establishing it as a requirement for sales taxes was overturned by the Supreme Court in South Dakota v. Wayfair (2018).

> Otherwise it's illegal as due to fun laws only FED can regulate interstate commerce.

The “fun law” is the Constitution's Commerce Clause, and that’s not actually how it works.

it is a nightmare for us big companies to be compliant exactly because we have millions of lines of code that we now are expected to clean up, or remove decades of security debt.

from where I sit being a start-up, or SME that can make quick decisions and consolidate their security debt is a lot easier on them and worse for us big guys.

I don't want to use a phrase as "level the playing field" but the upcoming expectations of RED and CRA means most of us are praying this isn't enforced as quickly as it is written into law.

I'm totally rooting for this because its the only thing that will improve security.

All the extra red tape and auditing doesn't come for free, so startups and SMEs without huge amounts of cash somehow lying around will struggle.

Also, nothing about compliance is actually about "consolidating security debt" or "quick decisions". It's about paying someone to go through checklists and, like a reviewer of a scientific paper, find something, anything, no matter how inane, to criticize, before handing you a certification. Any slightly unconventional new idea to improve security in your product will be suffocated beneath the blanket of compliance.

> I'm totally rooting for this because its the only thing that will improve security.

So does the author. Well, they strongly endorse a sensible version without the vague phrases and open-source-killing blanket statements, and without brain-dead sentences like "your product must be un-DDoS-able". I do wonder, though, why you're rooting for legislation that would kill any open source project that might, conceivably, be used in a commercial setting?

it is in fact only US companies that have been screaming loudest against better security baselines in IoT. every on of the EU member companies is welcoming this (along with RED coming in 2024) ... for US companies it presents an additional cost or even barrier of entry because they don't need to implement the same security controls in products sold back in the US.
> regulate that to write software one needs to have a masters degree in CS

It's already hard enough to hire software engineers, how hard would it be after further restricting to only software engineers with a relevant masters? I know I'd be entirely forced out of the field, and would have to undertake a 4 year course (abroad, because here it would be 6 years) to be eligible for employment again, if that happened in my country.

You wish the masters would teach you anything about these new regulations. Universities lag 10 years or more behind the research edge in teaching, if not more...
Well as someone that has had the "joy" of implementing a lot of the ones that exist in the US: SOC*, HIPAA, HITRUST, PCI-DSS, a handful of DoD ones. I think if they seriously taught them in schools it would cause a lot change of majors when students realize what an absolute clown car of regulation they are getting themselves into. Its also probably the most boring subject availible.
Something to keep in mind is that this is about certification of products, not people. This is not a regulation for the profession of Software Developer, but a regulation for software products. The EU knows very well that it needs more people from all backgrounds writing and understanding software, not less.

As it is, I think this is going to be very similar to what is already required for some specific industries like healthcare or finance. Startups that want to operate in these industries already need to go through some certification processes of their products and services. Most startups will probably fall under the "low risk status" category until they are a big enough. If self-assessment is anything similar to what it is already required for things like PCI DSS or GDPR, then most small companies will be fine until they are big enough to care.

And by the way, there is no easy way for the EU to regulate that to write software you need a specific degree.

Computer science is not the same as software development (or "engineering").
Honestly, you should. Europe isn't America. We have free education here. If you leave academia and enter the workforce willingly at a lower level than society offers you for free, should you really get to do the work you refused to train for?
> I honestly think this is good

There is absolutely nothing good with that.

> but the software systems that control power in the hospital do not, even if they would allow hackers to shut down electricity for all ventilators

This is straight out false.

> Almost every other engineering profession needs to adhere to a variety of standards and is subject to certifications and review, except for software engineers.

This isn't a engineer certification process to begin with. This is just government overreach and regulatory capture which is going to siffle innovation because of all the legal liability created by the EU. This will burden open source projects with bureaucracy and effectively kill open source in Europe. Apple, Microsoft, they have the money to comply to all that garbage, and it will also put a huge legal burden on independent developers. Big consultancies are Big Tech are the only one happy to get rid of all the competition.

Imagine if all EU startups, the little that EU has, were forced to run their whole stack products from corporations that have the means to comply to all these regulations, do you really think that any of these startups would use open source projects like Linux, PHP, Ruby, Python, framework X or Z that didn't pay for a compliance review at first place? Startups are a thing because entrepreneurs don't have to pay big bucks to Microsoft, Accenture, Cap Gemini, ...

This is a bureaucratic Diktat under pretense of "cyber security".

The problem is the runaway complexity of modern computing. If you want review and certification, you have to wade through millions of lines of code, even for projects with a well defined "contact surface", like an OS kernel.

"Traditional" engineering never had to deal with this much complexity. We make do, because our tooling (which itself suffers from said complexity) is somewhat decent at catching many classes of problems before they cause IRL harm: a compiler is somewhat likely to yell at you before you push the broken code to production, CI makes sure you actually ran the tests, etc. Working *on* these tools also requires a broadly similar skillset as working *with* them, whereas e.g. an architect needs an incredibly different skillset from someone building CAD software. So the tools get "better", so the software can continue growing more complex.

So all of this (and much more) effectively lets us get away with much more complexity, and I think it's the crucial bit that people calling for more regulation miss. I am a software development professional, 15 years in the industry. I am scared shitless with how all of my tools, libraries, "supply chain" - are so complex, indecipherable, opaque, impossible to understand. I've been working on this one project for over 4 years now, and I'm yet finding bugs that were introduced 3 years ago. How can *you*, as an independent outside reviewer, help me in any capacity, if it takes several months just to onboard someone, and additional domain expert knowledge (video delivery) to fully understand? If you can do it, well, I'm gonna hire you to work for me instead.

But if you can't understand it - what are you certifying? That it didn't break in your lab? We already run a staging system - thanks for double-checking, I guess?

> Almost every other engineering profession needs to adhere to a variety of standards and is subject to certifications and review, except for software engineers

Every other engineering profession has actual physical phenomenon that governs them, leading to concrete standards that can be applied.

Software doesnt. Debates on whether OOP or functional being 'the thing', client-side vs server-side delivery, typing or not typing, TDD or not and many more are still ongoing without any objective resolution. No side of any specific debate can objectively demonstrate their argument. Its all based on preference and biases. Even the concept of 'good practices' in any given field changes every 2 years.

In this environment, attempting to bring concrete standards in software like other engineering fields would just end up in whichever group getting the upper hand in the regulatory body or political parties enforcing their own paradigm on everyone else, at the cost of innovation and productivity.

...

This is before the fact that German business interests dominate the Euparl at this moment, and this law seems to have been crafted to cater to their interests - crippling and pushing out Open Source and private small software producers by ambiguous, brutal fines that they can never afford but the big business can. The users of these Open Source and private small software producers will have to go and become the users of the software and SaaS of these big corporations when those Open Source and small private software producers are bankrupt or pushed out.

The biggest and most evil attack on Open Source in decades.

And if the compiler of your ${favourite_lang} doesn't conform to these hypothetical arbitrary standards (Or maybe it does but Deloitte doesn't have a sales rep in ${compiler_dev_home_country} allowing them to buy the certification software? What then?
https://eclipse-foundation.blog/2023/02/23/cyber-resilience-...

As many well-known open source foundations have warned, this will bring unintended consequences.

This means Europe will cut itself off from a lot of software as an unintended consequence. The whole point of open source software, a lot of the time, is that contributions are done incrementally by people without the means to certify this software to the level they want.

Given enough time and distribution, open source software often becomes much more resilient than its closed counterparts, not due to any government regulations, but because it is run in so many environments and there are so many critical eyes on the project, able to submit a patch. In fact, most of the infrastructure on the Internet runs on open source software.

That said, the package managers we use do have a problem — they rely on packages maintained by individual developers, and gradually update hundreds of versions, opposed to, say, the way operating systems are released.

Commercial releases like RedHat etc. can be certified! They should go after companies that make actual promises.

Having said that, a robust process in place for peer review in open source projects is good, same as in science or Wikipedia.

For the longest time, software development has grown by leaps and bounds, and software security is hardly the most costly thing to society. Proprietary software behind large Big Tech companies externalizes cost to society. Consider how the world looked for instance before the open Web: we had AOL, MSN, etc. and everyone had to pay to play.

Yes, it’s easy to regulate, but also increases the dependency on giant, centralized corporations and governments.

Many people felt that networked software and technology empowers people and frees people up to organize in ways that don’t rely on institutions. For example:

  E-Mail vs the post office
  The Web vs newspapers, radio
  Ethereum vs banks, corporations
Now you will only be able to run things approved by the government. Because people won’t be able to develop or update anything else.

MY BIGGEST WORRY IS THAT THEY WILL REPURPOSE AND EXPAND THIS LICENSING REGIME TO EXCLUDE SOFTWARE THEY DON’T LIKE, SUCH AS FILE SHARING SOFTWARE OR END-TO-END ENCRYPTED MESSAGING SOFTWARE BECAUSE THEY WILL SAY THE “SECURITY” OF THE STATE WILL BE COMPROMISED.

Once you have an effective licensing regime in place, you tighten the noose. They are doing this with rolling out DIGITAL IDs for everyone too… https://m.youtube.com/watch?v=uwRSzNTp2ko

It’s a process that can take 10 years but you’re like the proverbial frogs in the pot.

I think there's a version of this that could actually be beneficial for open-source software

Many large companies are dependent on open-source libraries. With these regulations they now have (more) incentive to get bugs and vulnerabilities in their dependencies fixed

They can't ship with known vulnerabilities, so if a project is suffering from a vulnerability, they might realise they need to provide a financial incentive to maintainers so issues are fixed quickly

Of course there's also a lot of other ways it could play out, but I don't think it's necessarily a given the result will be negative

But a lot of newer open source software doesn’t have the resources to do this to the level they require. Plus, there will be gatekeepers established by the government (listed in the article) that can allow some software or not. These gatekeepers should exist, but in the form of certification companies, rather than taking on this ridiculous character:

https://www.forbes.com/sites/jennyodegard/2017/09/06/whats-t...

(this is how it looks in my home state of NY — not only is the requirement outdated but each county has a favored newspaper that you must use so it can charge a large amount for a useless service).

As a left-libertarian, I agree with a lot of arguments from right-libertarians and ancaps, one of them being that regulations are welcomed by the big boys because they provide a government-enforced barrier to entry for all the smaller guys.

Think of Facebook’s threat to “buy or copy” competitors, but now it would be “buy or put out of business with government force”. Sounds a lot more menacing when you put it that way, no?

I think the difference in how government enforces regulations is very different between the EU and US

Overall I don't think EU will go after smaller projects, since that would hurt the economy in an undesirable way. I think it's more likely that they'll use this to go after bigger corporations since that's an actual security risks for member states

That's also why there's a statement about proportionality in the proposal. The more critical the software is, the more you'll need to ensure safety

And I predict there will be a lot more pseudonyms like Satoshi cropping up soon.
>Overall I don't think EU will go after smaller projects...

Sure keeping your head down is always a smart choice. But willfully living at the whims of capricious bureaucrats? Given the choice I'd prefer to not have that sword of Damocles in play.

I prefer having strong governmental institutions with elected officials who answers to their voters compared to large corporations who answer to shareholders

Taking GDPR as an example, it shows that enforcement is done in proportion to the size of the corporation. Big corporations get fined, smaller companies receive warnings

And what of the failure mode when these institutions are swayed by malign incentives?

If there are tangible harms, why have judicial institutions not entertained civil suits? If there are tangible harms, yet the institutions have not entertained civil suits, could it be that malign incentives are already in play?

Would you trust voters in your locality to vote on how you create your next software project? Shall we vote on what you eat for lunch?

Ultimately these discussions boil down to our core premises. Doubtful either of us will convince the other to change those.

To me it's not about convincing anyone. I'm sharing my views on the topic because I'm interested in hearing other opinions and broaden my perspective

I can understand why some people are worried when looking at how many governmental institutions have failed in their duty to serve the public. The EU has definitely got its share off bad decisions, but overall I think it has a good track record

Politically I'd probably identify myself as an anarchist, so if I could change the world to look exactly like I thought best, I'd probably get rid of nation states and governments all together

That's however not how the world works and I'd rather work with the tools I have available right now

There's a war going on not far away from where I live and cyber attacks against critical infrastructure are happening almost daily

Even on this site, where I think discussions are generally pretty civilised, I'm starting to see a lot of retoric that's suspiciously similar to the alt-right retoric in many other places on the web

It makes me think that there's a growing number of users here on this site who are only here to further their political agenda of authoritarianism and violence

That scares me much more than having to make sure that the code I write doesn't have security vulnerabilities

I think it's worth considering what actions can be taken to preserve society the best under these circumstances (society is different from government and states in this context)

I just like to have the discussion, but the disclaimer helps to keep it civil.

>Politically I'd probably identify myself as an anarchist, so if I could change the world to look exactly like I thought best, I'd probably get rid of nation states and governments all together

For me it doesn't matter if the final stop is minarchism or ancaptistan. Steps towards either are an improvement. Bureaucrats regulating software development isn't it.

>Alt-right...

Maybe you could be more specific here? There was recently an article and video submitted here which accused Murray Rothbard of being a "right-wing extremist". It was yet another sloppily argued anti-cryptocurrency hit piece. Similarly we can call anarchists of all flavors extremists. The term alt-right or extremist is mostly a scare word from my perspective. It is hard to find meaning behind it.

>It makes me think that there's a growing number of users here on this site who are only here to further their political agenda of authoritarianism and violence

>Authoritarianism...

Isn't an authority dictating which kinds of software you may publish authoritarian by definition?

>That scares me much more than having to make sure that the code I write doesn't have security vulnerabilities

Agreed 100%, authoritarianism and individual autonomy is a bigger concern. Which is why I'm not a fan of these regulations. Furthermore, I suspect most users here already put forth an effort to avoid security issues.

In the US there is a bureau called the EPA. When polluters pollute within the guidelines, they have no liability. Perhaps now that software development is regulated we will see similar protections for incompetence.

None of the people involved with this law are elected. Even once it reaches the so-called Parliament, the people there don't have any real power. At best they can provide opinions and hope the Commission listens. In practice and exactly because they have no power the EUP is full of cheerleaders who never saw a new EU power they didn't like.
I'm in disagreement with this. It's simply factually wrong

You seem to mix the purpose of the Commission with that of the Council of the European Union, which is a body that has the power to make decisions. It consists of elected representatives from member states

The European Parliament, which is again all elected representatives, makes decisions that the Commission must implement, not the other way around

The Commission are the ones who draws up proposals and that they hope the Parliament will pass

Please educate yourself on this, as this kind of misinformation is undermining trust in the democratic process

You're describing the way a normal democratic government works. The EU parliament can't force the commission to do anything other than a mass resignation, which hasn't happened for decades. The "parliament" can't even propose changes to the law, let alone arbitrarily command the Commission like in a virtual government. That means it's not even really a Parliament!
I'm pointing out that your post is factually wrong. Now I'm moving on
You're using a (hopefully not deliberately) very deceptive set of phrasings to make it sounds like the EP or even the Council is in charge. Almost nobody tries to make that argument because it's clearly not the case and that situation is written into the treaties. All this stuff starts and ends with the Commission which is where all the actual decisions get made, the not-really-a-"Parliament" is just along for the ride and asked to rubber-stamp things from time to time. As for the council, it also cannot actually propose changes to EU law. He who makes the law ... makes the law, it's as simple as that.
> I don't think EU will go after smaller projects, since that would hurt the economy in an undesirable way

The EU institutions pretty regularly do things that hurt the economy in order to prioritize their own political or social goals, so that doesn't mean much.

I used the word "undesirable" purposefully. The economy is not the be all end all metric of a successful society; in my opinion at least
It renders your statement meaningless then. "The EU won't hurt the economy unless it thinks there's a reason to do so". So what, that statement boils down to nothing.
Or I simply deemed that you were not worth the effort needed for writing a longer response with an explanation of the cultural and historical context of European political landscape
>Overall I don't think EU will go after smaller projects, since that would hurt the economy in an undesirable way. I think it's more likely that they'll use this to go after bigger corporations since that's an actual security risks for member states

That is a very rose-tinted view of EU regulators. Europeans are people like everywhere else on the planet, we're not somehow immune to regulatory capture (though I feel it might help the institutions that we haven't yet powerful blocs like the GOP that set out to destroy any kind of regulation in order to prove it's infeasible). Heck, German industry giants are practically married to the state here, there's absolutely no fucking way a company like VW or Opel will go under if a rich government like Germany can do anything about it.

More to the point, the author themself is pro-CRA for a range of things that seem to have purely positive effects, as they spell out quite clearly in the article. The points brought up are nevertheless important: we shouldn't be okay with legislator making objectively shitty laws devoid of any technical comprehension or economical realism and hope it'll kinda be fine when the bureaucracy and courts actually implement it. Just having the danger of having to pay 15M€ for my open source project because it might be used commercially is a horrendous imposition.

I agree that the authors points are important - can't see that I've said otherwise anywhere

Looking at the history of GDPR fines, big corporations have been fined large amounts, small companies have gotten warnings

Given that legal precedence I think saying that open-source maintainers risk 15M euro fines is blowing things out of proportion

European law is a lot less precedence driven that common law (though it still is a bit), so why shouldn't we demand clear rules instead of dangerous vagueness?

And for a small open source project, a 500€ fine is enough to make development and publication unattractive, a percentage of a devs yearly income is painful, and tens of thousands of Euros would be dangerous to the long-term financial well-being of the developers. Even if the fines are a lot lower than 15M€, this proposal stays shit as written.

> Many large companies are dependent on open-source libraries. With these regulations they now have (more) incentive to get bugs and vulnerabilities in their dependencies fixed

This is not what is going to happen, what is going to happen is that open source will be deemed a legal liability and every institution will turn to Microsoft proprietary solutions. Nobody is going to put more money into hiring people to fix bugs or vulnerabilities in open source projects.

How much are you willing to bet on that? I'm happy to put down $1000 that this will not happen

Germany has for instance transitioned to using significantly more open-source software in the governmental institutions, as has many other EU member states

They would not support this proposal if it would result in an expensive reversal of these efforts

Governments having standards for themselves and their contractors is just fine: https://www.whitehouse.gov/briefing-room/presidential-action...

Imposing gatekeepers on the rest of the public with penalties even in private use cases is not.

That's your personal opinion and you're of course welcome to that, though I'm curios why you take such an offence to other regions with a different political situation, cultural history, and most importantly security concerns, implementing laws that you're not subjected to.

Could you expand on that?

Simple: this law will affect me as a software developer. Any software “made available” in Europe can be subject to this, just like with GDPR. And most open source software is designed to be “made available” anywhere!

This is the first time the developers of such free software can be hit with massive fines.

And frankly, even if that wasn’t the case, I care about human beings elsewhere.

Why not just set a centralized repository of "industry best practices" and have the law require programmers follow it. If they codify the best practices into law, then they have to change and update the law every time there is an update to the best practices.
A collection of government __enforced__ libraries does not sound good to me, for obvious reasons, unless I misunderstood your idea.
I would trust it more than whatever corporate nonsense private sector would come up with
People out here saying they would hate to let the government dictate what libraries their software uses and then turn around and NPM install 2 gigs of dependencies that they can't even name.
libcompliance v2.0 was released. All corporations are required to upgrade by March 31. All requests to download older versions will be prosecuted.
> have the law require programmers follow it

Because that would create a certified profession like doctors and lawyer have to be and that would be bad for 98% of coders out there who don't know the difference between compiler and interpreter.

Have you considered that we certify doctors and lawyers for good reasons and that maybe we should certify software engineers for the same reasons?

"But muh startups, muh innovations!" If the price we have to pay for some fucking accountability in the field is no more techbro startups the contribute to the ruin of society, good. The certification requirements would be doing their jobs.

Yes, I considered that to be a good thing, but I also considered that we're standing on shoulders of giant tech debt. All banks, hospitals, governments and dishwashers run on software now and this needs to be maintained and kept alive.
More useless bureaucracy that will harm start-ups (and side-projects becoming proto-startups).

I don't understand why people want more bureaucracy, it never works out well. Now the established companies like SAP will just pay expensive lawyers to check boxes for the certification, and European startups will face another massive obstacle (just like the GDPR, Cookie law, etc.)

A better law would be pushing for repairability - ban locked down bootloaders and closed firmware, force published schematics, component lists and replacements, open bootloaders, etc. - this would help solve a lot of electronic waste and also drive a new sector for startups.

I don't understand why people want more bureaucracy, it never works out well.

I don't think I even need to list counter-examples to falsify this statement. Sure, we all remember examples of bureaucracy gone wrong, and get amnesia when we step onto an airplane.

As to the topic at hand, I dunno, a mostly-unregulated industry as it is now has such egregious examples that I'd be willing to see how this goes.

That's nice, but my side-project isn't a passenger airline.

This will just kill innovation and startups in the EU. It's already a nightmare of bureaucracy for taxes and permits, etc.

First we're all akin to lawyers and doctors, now each software developer is effectively working to build an airplane...

Everyone here seems to forget that we regulate these industries so finely because they are in a uniquely dangerous position to harm people, and act as if this is a blanket statement that's true for any kind of software development. This is most definitely not true, and we should think hard and long before regulating a thriving industry out of the world in order to feel superior to all those rubes over there obviously doing it wrong.

Regulation is a necessary evil, not a positive good in itself.

Customers who care about their data care that it's protected regardless of the size of the business. They care about availability regardless of the size of business.

If customers could make more informed decisions about these risks, i.e. if they could get access to company intellectual property and privileged information about operations, maybe we wouldn't need to consider this type of of legislation. But customers continue to be on the end of information asymmetry about company operations, so now customers need other ways to find protection. Maybe it's the case that there are economies of scale to resilience, and we have to accept some level of difficulty to disrupt because of that.

Yes, as a bootstrapped lifestyle startup founder, I have no idea how I would comply with this if I were serving Europe. I can see this limiting European startup founders to the independently wealthy or those who can get VC funding.

Meanwhile, large corporations who can easily afford the lawyers will further entrench their monopolies.

So they decided to clamp down one of the last fields of business where there still is some dynamism left. This will probably turn out to be the same well-intended but ultimately stupid thing they did with the GDPR, giving more power to big corporations and adding yet another bureaucratic hoop to jump through for small companies. Tired of clicking those cookie consent banners yet? The UK was right to exit the EU.
You are mostly right, but the UK was extremely stupid to exit EU. They lost free access to their biggest market. And they made it harder and more expensive for their biggest suppliers to sell to them.
I used to think that too, I don't believe it anymore. It will become increasingly painful to exit the EU, but there are long-term gains to be had.
All EU states, including the UK, agreed with the GDPR, with the exception of Austria who didn't think it went far enough. The democratically elected EU Parliament also agreed to it.
Oh yeah, it caused a million problems for people and businesses, but in the far far future the NHS will get 300 trilion pounds a week...

Used to work in the Department for International Trade - not a single one of their international trade experts tought Brexit is even remotely a good idea, long, medium of short term.

The UK still sells lots of stuff to the EU, and they especially did not lose "free" access because the EU charged on the order of £300 million per WEEK in fees in order to get that "free" access.
The UK did not object to the GDPR. The cookie banners are not a consequence of the GDPR, they are a consequence of companies using personal information without the users knowledge. The banners are not required at all, as long as you don't keep or used personal data other than for limited allowed technical/security reasons and you have a page somewhere on your site explaining that. There's certainly no need to ask permission from users to do things.
In fact, many of the banners are just illegal, much like shrink wrap agreements. You are not allowed to process data without affirmative agreement. There's no implied agreement possible.
The only problem with the GDPR is the (limited) enforcement of it
The UK wants to diverge from the GDPR:

https://www.euractiv.com/section/digital/news/new-uk-governm...

It's one of the things that came up relatively early.

> The banners are not required at all

Yet every site disagrees with you.

> The UK wants to diverge from the GDPR

Having voted just a few years ago to create it.

> Yet every site disagrees with you.

There's no banner on this site. You don't need a banner if you aren't trying to use take peoples private data.

This site is purely American and doesn't have to care what the EU thinks. It's also subsidized by a VC firm and doesn't have to directly make money. Not a good example.
> giving more power to big corporations and adding yet another bureaucratic hoop to jump through for small companies

Exactly. Customers need to be safe, but there also need to be paths for the mom-and-pop shops, the equivalents of your local farmer's market or grocery store.

Indiscriminate regulation can crush smaller players. Think of the indive dev accepting donations or the bootstrapped startup founder. Not everyone can get VC funding and hire a team of lawyers to keep up with it.

We need to protect small businesses AND consumers. Revenue thresholds are a good start.

Rob Graham on the National Cybersecurity Strategy: https://twitter.com/ErrataRob/status/1631368039668252672
How does he simultaneously believe "only the top 1% do Agile well" and "Software development practices have steadily improved year by year without government help."?

A lot of the industry is self-regulating. Self-regulation is more vulnerable to corruption than government regulation. Most startup self-regulation is essentially "does it work? did you get paid/acquired?". If so, you did the software right.

This exact same sentiment came through in the National Cyber Security Strategy the US released. It describes a minimum acceptable level of software development, called safe harbours, based on e.g. the NIST Secure Development Standards.

Whether we like it or not, it seems legislation is forming on how to code and ship software.

https://www.whitehouse.gov/briefing-room/statements-releases...

If I remember correctly, it says that memory unsafety is not tolerated anymore, which is far the most important issue we have.

The ,,rewrite in Rust'' crowd was mocked here, but there are just too many cyber attacks with growing damage and targeting politicians in power that memory unsafe code shouldn't be accepted anymore.

Oh no! People expect us to do our jobs well and have absolute minimum legal standards and expectations of outcome? What a horror! What if we write code full of bugs, fail to write good unit tests, fail to do any manual dev testing, fail to find those bugs in QA (because we fired all of them or don't let them have any power to stop broken stuff from being pushed out), fail to find those bugs in integration testing, fail to have robust systems that can tolerate that kind of bug, and then people actually hold us accountable for that POS?

Gosh, can you imagine if other industries had to deal with such oppressive requirements, like if the local taco truck had to abide by some minimum standards of food safety, or if engineers would be held accountable for a bad bridge, or if accountants were expected to actually do their job correctly?

What a terrible world that would be.

You didn't read the article, right? Go check it out, it brings up some good points. There's definitely stuff in that Act that's more than "absolute minimum legal standards", some even impossible to achieve.
can you paste one that you feel goes beyond minimum or even "impossible"? otherwise this comment is just he said she said.
Yeah, literally the entire 2nd half of the article. Go read it, I'm not your tldr bot.
I'm deeply familiar with the actual draft proposal of the law and no person working in security would consider these outrageous. this shit really is just best practice and good security hygiene.

refusing to quote what you mean is bad faith. and you're not really contributing to the conversation

So you didn't read the article, you have no idea what you're talking about and you call me "being in bad faith". Is this Reddit now?
> The CRA describes ’essential cybersecurity requirements’ which are well intended, and mostly ok, but leave a lot of room for interpretation. These requirements tell us to implement adequate denial of service & exploit mitigation techniques, for example, and no one can be certain what that means

Service exploit mitigation techniques? Really why didn't I just think about not writing bugs, and vulnerable code.

a shame that he is unfamiliar with RED. It's meaning is literally just system hardening as it is also defined in RED (CRA is just an expansion of RED to the rest of the ecosystem), which is in this contexts outgoing firewalls rules on devices, system hardening, anomaly detection, ... It is not a definitiv list of things because this would change based on what makes sense on a system. Instead you need to demonstrate that you've considered a threat model when applying the mitigation. And the mitigation is sufficient for the intended purpose.

One example could be limit what the system can and can't do. And don't allow it to communicate with the whole world when your only required endpoints are api.samsung.com, an ntp server, DNS and MQTT.

A shame that he had to write this hit-piece when he could have asked what notified bodies are testing _today_ to meetx requirements for RED.

Here's one part:

>(f) protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks;

>Did the EU just require me to make software that can withstand (unspecified) denial of service attacks? Something that is mathematically proven impossible?

That does not seem like the intent of the paragraph. My first thought is that it's a poorly worded (though legalese oftentimes needs to be) way of saying that devices should not easily be turned into DDOS nodes. But it might also just say that even if it's under DDOS attack, there should be a way to operate essential functions still, which is very much possible with some compartmentalization.

Would be nice, but I think since (a-e) weren't in that line and that (g) is directly addressing that, that would be incredibly bad wording.

Regardless, I can imagine there are some products with 'essential functions' which require the channel that could be DDOSd, no?

My stance here is that it's very broad, and I think it's easy to create an exploitable system from these directives. But unfortunately the problem is real and the mitigations complex. I was buying into this initially because of that, it seems reasonable without much thought on what the exact solutions look like, which I think makes it more dangerous.

If other engineering fields have seen this process, and the involved regulatory bodies have stayed independent of large corporate interests, I guess we should have a good shot. But with my lack of knowledge on that topic, I hold some trepidation for the future of smaller software shops and individual developers.

> (g) minimise their own negative impact on the availability of services provided by other devices or networks;

Of course, as per usual, this will come with entirely unfair and unproductive enforcement. Multinational corporate violators will be left alone or get sent on their way with a slap on their wrists, and small one-time hobbyist violators will get prosecuted into dissolution.
Source: I made it up

This is not what has happened with previous regulations. In fact, it's mostly weaponized against US companies, but that's mostly because it's fun and deserved.

Source I have experienced this with my own business, and saw it happen to other commercial as well as non-commercial entities with previously implemented acts and directives.

It's not dissimilar to how the tax authorities always seem to pick small timers for a random extensive audit.

there is nothing in history that could be used as a precedent to predict how this will be enforced. big companies will be in the news very hard for violating these laws. no-name small timers might get a slap on the wrist. but pretty sure fines will be proportional. about time companies are held accountable
As previously implied this does not conform to my own observations

The idea is good and I'm all for it, but mostly due to said observations I'm not convinced its practical implementation will be very effective at all

Won't someone think of the poor oppressed small business owners.

It's not like they're the cause of half of regulations or anything due to all the scummy small business owners...

You are missing the point entirely.

Yes think of smaller entities - which are not all commercial, mind you - just don't think of them more often and more thoroughly than the multinational megacorporations that have been racking up endless violations, most of which they are continuously worsening rather than fixing, and are in many cases actively trying to litigate into oblivion.

That is the modus operandi of US regulatory apparatus. Example: Glaxo Smith Klein !knowingly! killed ~150,000 Americans by pushing Avandia for a purpose that it was not approved for. They knew that it would kill a lot of people before they launched it, and they started bribing and coercing medical professionals and institutions, including top names in the US to lie about it. They kept an information siege of lies up until whistleblowers protected by Qui Tam principle blow the cover, protected by the government.

The result?

GSK paid $4 bn in fines. They made $11 bn in profits from that drug. Net $7 bn even with the fine.

...

This is the way regulation works in the US. And this is why the Americans dislike it: Small businesses can never risk that. Big businesses dont need to care about that. Its designed to kill the small for the sake of the big.

The Eu used to be different. But judging from how this law is crafted, it might be changing.

this is "GOOD BUSINESS" and bad (evil) everything else. oh the humanity
Yep. One person among the US authority that led this prosecution explained very well what GSK did was in an Al Jazeera documentary. He said: "This wasn't a mistake. This was a good business plan."
Do you have any examples of something like this happening in Europe.

I understand that Americans tend to think like this. But proportionality works quite well in Europe: Large companies get more scrutiny and higher fines while small companies get a warning.

Yes (see my reply to your sibling comment 1) but these are not large cases and I'd rather not connect this HN account to my real life activities.

All but one of the cases ended in a warning, but it does show the increased scrutiny that smaller entities seem to enjoy.

Edit: just to clarify me or my business were not directly involved with all those cases, but in the one that we were, it was something we had simply overlooked with regards to GDPR and all was good immediately when the auditor determined we had resolved the problem

1 https://news.ycombinator.com/item?id=35012128

Not so since GDPR. GDPR is enforced at every level, including the individual. Whereas 10% of the global revenue of a megacorp only upsets the shareholders a little without ever risking the megacorps power, it can literally bankrupt or starve individuals and small businesses, most of which operate with thin margins.

https://www.enforcementtracker.com/

This trend is similar to how the megacorps block out competition in the US by killing small businesses and making it very difficult to engage in economic or engineering activity through the regulations they sponsor.

This law in particular seems to be the product of the private German interests which at the moment dominate the Euparl. So, yeah, its happening in Europe now too.

Per your link, proportionality seems to be working. Big fines are directed towards big companies (cf. Fines Statistics). For individuals (“private person” or “private individual”), it seems they mostly are fined 3-digits amounts, with some in the 4-digits, and 3 at 10-11k.
> proportionality seems to be working

The fine is arbitrarily decided. There isnt anything solid governing the amount if the fine is not % of revenue. So it totally depends on the whim of the regulator. Which is totally in lieu of the principles of civil law that Europe uses. Its more like the common law practice in which the authority can interpret things and can act arbitrarily without solid, inviolable, democratically-made laws governing its behavior.

This may look like working today. Tomorrow you may find it disproportionately hitting whichever segment or sector that the interests behind the incumbent regulatory appointees target.

> The fine is arbitrarily decided. There isnt anything solid governing the amount if the fine is not % of revenue

This is wrong. See GDPR article 83, and https://edpb.europa.eu/system/files/2022-05/edpb_guidelines_...

> This is done by evaluating the classification of the infringement in the GDPR, evaluating the seriousness of the infringement in light of the circumstances of the case, and evaluating the turnover of the undertaking. The third step is the evaluation of aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly

How is 'evaluation' done and who does the 'evaluating' you think...

There is no solid legal directive defined in GDPR regarding static amounts. They hinge on on the regulators' interpretations.

Thankfully, there is still 38 pages left after that quote. You will have a hard time finding a flowchart in a law though…

Anyway, my point was that the fines dispensed nowadays are sensible. As for the future, DPAs know very well that the instant they go rogue, ie. distribute disproportionate fines or misinterpret the law, their decisions will be reversed by an appeal court. It already happened, in fact.

edit: I just read this on the website of my govt:

> The court that sentences the offender is free to set the amount of the fine, but not to exceed the maximum amount set for that offence.

Turns out judges here have even more leeway than my DPA! The finepocalypse should come any day from now. And don't get me started on courts of assizes.

The static fines' maximums are defined in the 'Legal Maximums' section. The other 38 pages are not needed. Next time, do read the reference you are sharing.

> Anyway, my point was that the fines dispensed nowadays are sensible.

The sensible fines of today do not guarantee the fines of the future. The precedent concept does not apply to civil law. When an authority is given free range interpretation power like this, the next batch of regulators can interpret it in however they want. Which is in itself a violation of civil law principles.

> ie. distribute disproportionate fines or misinterpret the law, their decisions will be reversed by an appeal court

No Open Source contributor will risk getting such a fine, then going through a lengthy court battle to revert it. They will just stop contributing.

Good afternoon.

> in which the authority can interpret things and can act arbitrarily without solid, inviolable, democratically-made laws governing its behavior.

A speeding ticket has a fixed fine, anything more complex than that has some level of arbitrariness.

This is how things work in pretty much every other country of the world.

And of course fines are appealable, etc

i can say with quite some confidence that huge companies in europe do not get the same level of scrutiny from the tax department as some regular joe does.

They will come after the little guy with the full force of the state, with their lackeys wearing a pistol belt, and you had better comply, or else. Meanwhile they dont have resources to perform audits on the big guys

That's not how regulations work. Big corporations are targeted first, because they're big obvious targets and have auditable paper trails. Small-time hobbyists are the ones who fly under the radar.
The distribution of consequences rather than discovery of violations is what I expressed my cynicism about.
(comment deleted)
The negative comments are indeed a bit hypocritical. It's as if the profession that ships faulty products almost by definition throws a fit because a (legal) product might not be perfect on the first attempt.
Why is this downvoted? Did it hurt someone's ego?
A lot of people's paycheck on this forum depends on having zero standards of quality in the entire industry.
It violates HN guidelines [0]:

> Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.

> Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something.

> When disagreeing, please reply to the argument instead of calling names.

It's okay to disagree with someone, but saying their comments are hypocritical and that they're throwing a fit is not okay.

0: https://news.ycombinator.com/newsguidelines.html

That's all fantastic, but this guy actually has a point. Software quality at large is pathetic, anybody who uses technology knows this, and especially those who develop it for a living. The lack of regulation plays a big role in this. The field can barely call itself engineering. Yet the guy's comment also just happens to make the fanboys uncomfortable, so he gets immediately down-voted (didn't even last two minutes). On the other hand, look at that motherfucker up there who dismissed my comment saying that all I do is type too fast. Now that is clearly against the guidelines, yet no down-votes? Fascists, too, are very good at applying double standards.
Unimaginable horror can come from stopping the endless pursuit of profit and the cutting of costs at the expense of quality in engineering. And to hold companies accountable? That is just over the top. Can you imagine if, next, people had... the right to repair? Or the right to look at source code? Terrible consequences.
This article points out that this doesn't just apply to companies. If you maintain an open-source project and accept donations, then you're potentially affected as well.
Adoption of open source, most open source licenses already come with broad waivers so compliance would fall mostly on the adopters.
that's not how the act works, sorry.
(comment deleted)
Article 6, Numeral 2 "In determining the level of cybersecurity risk, one or several of the following criteria shall be taken into account" seems very reasonable in scope and wouldn't include most open source/free software.
This. It's about time software is treated like any other engineering: lives depend on it. Not enough heads are rolling.
All software or just important software?
All software storing user details that would be a problem if they were leaked, I'd assume. That would include basically all software with a login.
Until proven irrelevant I'd say.
Proven irrelevant by actual de facto use or by the license? In other words, would adding "this software is not certified or fit for medical, aviation, nuclear, etc…" suffice to exempt it (assuming it is not then sold to medical or airplane manufacturers)?
The real question is if execs and management are going to allocate the extra time and resources required to make consistently meeting these standards reasonably achievable or if they're just going to squeeze harder and expect more without any adjustments.

I would bet that a lot of devs actually want to write high quality, well-tested code and engage in proper project hygiene but simply aren't given the bandwidth required to do so. In my experience everything is so tilted towards "ship now, fix later (maybe)" that any IC's efforts to do things more correctly is a bit like trying to swim upstream.

Ill place my bet that the squeeze will get harder on developers and there will be new "compliance officers" in the office that dont actually do anything but make silly demands to waste peoples time. So pretty much the same as every other security regulation...
Yeah just like the complete ISO bullshit we have to deal with already.
How many story points is that
Can you imagine if taco trucks gave away food for free, or if engineers built and maintained some of the biggest bridges in the world out of their own pockets and didn’t ask for a dime, or if accountants did their job without charging any fees?
You might have missed the part where this is already scaring Theo de Raadt, to the point of recommending EU users not use openSSH anymore.

How many here are confident of writing software as securely as Theo?

edit: I still think this is going in a good direction, but at this stage this kills a lot of small businesses, startups and open source.

Requiring certification for every release means killing off most software, let alone the fees. Forget multiple supported releases or LTS, everything will be rolling release.

And who gets to say what these good practices are? Until recently everyone thought Clean Code was a wonderful book full of great coding advice, now we see that it's full of really crap examples.

Does all public code on GitHub need to be audited?

I would love legislation that mandated static typing for large/public companies (or any companies that took federal funding, etc). I think dynamic typing is one of the worst software engineering practices in common use today, and I'd like to see it go into the trash heap of history.

It's already happening with the massive adoption of Mypy/Pyre, the JS -> TS switch, etc.; but if we can use the power of government / the force of law to hurry up the extinction of dynamic typing as an industry practice, that would be a huge huge thing.

The next step after it would be requiring the nullability be an explicit part of the type (like in Kotlin, TypeScript, etc), or mandating the use of Optionals everywhere that nullability is needed in languages like Java.

The death of dynamic typing and default-nullability would probably save the industry society billions of dollars in the long run.

> The death of dynamic typing and default-nullability would probably save the industry society billions of dollars in the long run.

I'm not sure a ban on software coded using PHP, plain Javascript, legacy Python, C/C++ or assembler would be cheap for "society"...

Come and take i[null pointer exception]
I don't think it's enough. Java without null would still have Log4Shell. The current model where any piece of code can do anything it likes needs to be abandoned before we can expect any kind of security from our systems.
This is never going to happen. Do you forbid shell scripting? What about turing-complete configuration formats?

How do you define static typing? Is TS `Any` allowed? Is C# `dynamic` allowed? Are you allowed to use reflection?

How are you going to enforce this at scale?

This would make it impossible to use languages such as Clojure, Erlang and Elixir, which have been proven to be helpful to build robust software.

Do you also know that there are disadvantages to type systems? And advantages to dynamically type languages?

It's not all black and white.

> I would love legislation that mandated static typing for large/public companies (or any companies that took federal funding, etc)

You want the government to start dictating what language developers can choose? And before you say "just static typing" the fact of the matter is that there can be different interpretations of "static typing" what if I use a library that forces static typing in a non statically typed language? What about when they extend this to other features of programming languages. I guarentee you that the Sun and MS execs would've been jizzing their paints at the thought of forcing everyone to use OOP Languages, because "They are secure and supported."

Technical excellence should win out in the end not government fiat, that's one of the worst things that could happen.

> You want the government to start dictating what language developers can choose?

Do you want Ada? That's how you get Ada.

For what it's worth, Ada is actually a really well-designed and well-thought-out language (for the 1980s era), from a pure programming language design perspective. Definitely better than the popular languages (C, C++, Pascal, etc) of its era.
> (k) ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users.

jwz was wrong: instead of being able to send mail, all software will now include its own networked update mechanism.

Seriously - this is the package manager's job.

Unfortunately the EU has no understanding of technology, and is just trying to regulate to protect the establishment aristocrats from disruption.

It'd be funny to see C, C++, Java, PHP and friends outlawed. Learning Rust, Ada or FP now seems like a good way to have job security in the EU in a couple years.

But who am I kidding, it'll be mandatory Java, Waterfall, and a metric ton of "Requirements analysis" documents for everybody.

Who's going to pay to ensure Rust's web stack compliance? Do you really think that companies will magically start using Rust instead of C++ just because it's deemed it "safer"? No Microsoft, IBM or whatever will come with its own version of Rust, pay 100 millions for compliance reviews and this is what other companies will be forced to use, not Rust, of course companies will have to pay millions in license cost to use Microsoft's Rust.

How can anybody here not see where this is going and what is going to happen? We'll be back to the 80's/90's IT era where free software was deemed a legal liability. This isn't scare mongering, this is precisely what is going to happen. Who was in their 20's in the 80's here, working in IT? Not a lot of people it seems...

Also, who would update their compiler version every week or at every iteration? They will be stuck using a version from 10 years ago because it’s the one that was certified.

Not even mention all the crates that need to be certified too.

Follow it up with Python, Ruby, and friends being carbon credit taxed out of use by the eco-friendly energy laws.
Why Java in the list of obviously-bad languages? IIRC, Java doesn't do manual memory management nor is it full of old insecure implementations kept merely not to break existing code.
Java still hasn't fixed its null-safety issues, which have been lamented widely for two decades.

And you're right, that' it's this way so as not to break existing code. It's easy to add a feature to a language, but removing a mistake usually can't be done without breaking backward compatibility.

It's a good (and very nuanced) read

But again, it seems people are overreacting (not the author). Yes, I think the warnings are valid, especially for the perception

You might go and check how many companies did get those 10Mi euro "scary" GDPR fines before panicking again. Did any of the 'we value your privacy (not)' popups get big fines?

> Products with digital elements shall be delivered without any known exploitable vulnerabilities;

This sound more like the equivalent of not releasing a Digital Ford Pinto than an Inquisition tribunal on open source developers

> In terms of liabilities, it is not clear where those lie. Are the opportunities for that ’exhausted’ (a legal term) when you hit the vendor who marketed the product? Or could the author of an open source security library be exposed to bugs shipped by a vendor of IP cameras?

> We really should know, but it appears that we don’t.

Yeah this seems to be the main detail

> You might go and check how many companies did get those 10Mi euro "scary" GDPR fines before panicking again

The EU has levied over 2.7 BILLION euros worth of GDPR fines in the past 5 years alone, and possibly much more as not all fines are made public. It is distributed over more than 1,500 separate fines. That is a staggering amount of money that went straight into its own treasury based on the enforcement of a very vague law, for example the top category of fine is "Non-compliance with general data processing principles".

More relevant to the CRA, there have been over 375 million EUR worth of fines for "Insufficient technical and organisational measures to ensure information security".

There's background to all this. The EU is incredibly hungry for money which it can then use to expand its own power. Historically it was restrained by the member states refusal to give it more, as they were wary of exactly that outcome. In recent years the Commission has found ways around the treaties to unlock new revenue sources, specifically:

- Megafines that are impossible to avoid. How much money do you think the big tech firms spent on GDPR compliance? A massive effort. All for nothing because the EU can simply declare your efforts "inadequate" in their subjective estimation and please hand over a few hundred million more.

- Issuing debt. This is a plain-as-day treaty violation but the EU does not have the rule of law, so the institutions and member states just ignore it. Dystopically the EU Council website was even updated after they started doing this to remove the references to Commission debt issuance being illegal.

You do not want to hand these people even more ways to tax the software industry, because they will use it regardless of what the written rules appear to say.

I am sympathetic to companies caught on a technicality, not to most of the non-compliance cases

> How much money do you think the big tech firms spent on GDPR compliance?

A lot. They spent more in pretending they were compliant with it though

Here's a better idea, don't actually capture data you don't need and it will be very cheap

Meanwhile I have little sympathy for those who abuse user data collection

You'll understand how the game is played one day, I just fear it'll be too late for the EU by then. Here's the trick: "need" is utterly subjective, along with "consent". No matter what definition you think is reasonable and obvious, the EU officials have a billion Euro payoff waiting for them if they just interpret these words differently.

There is no amount of money or business changes these firms can ever make that will stop them being fined because using them as piggy banks to evade the treaties is the goal. The EU doesn't give a crap about your privacy and never has, see how keen it is on vaccine passports for just one example of how quickly their rhetoric vanishes the moment it gets in the way of more power.

There needs to be a carve-out for open source software. The difference between open source software and other industries is that OSS is not "the bridge" -- it's the "blueprint for the bridge". Until it's in the process of getting deployed, it shouldn't be subject to fines or audits.
The amount of certifications to go through for a physical products is insane - here's a brief overview of just one of the standards - https://youtu.be/fL-Yz9b1eMk - frankly it's amazing (both good and bad) that to sell software you can put out almost anything and declare no liability. With CE for example you are required to accept liability. We're in the Wild West phase with software industry that sometimes reminds me of the John Brinkley radio station.
I hate that we feel the need to make everything boring and difficult, as though it's some sort of end-game goal to reach in every industry. Why must this be our default outlook on things?
Good to have standards, best practices, warranties, accreditations etc.

But then there's a whole industries of middle-men who don't build and by most accounts don't add any value (other than keeping you out of jail due to the laws they themselves pushed) -- who love the boring and start licking their lips at the possibilities. Combine with revolving door, regulatory capture, lawfare etc to take your competitors out.

So that's what this article is about. We need details to know which side of the line we're walking on. Maybe this was better not as a response to you but I already started typing it lol.

The most concerted and dangerous attack on Open Source since a long while. Even as it is, it will kill a lot of Open Source projects due to the risk of not only ambiguous, but !unbounded! fines. There isnt a cap on the fines like 'X% of your revenue' like in GDPR.

Not that the majority of Open Source projects have any revenue. Only the biggest ones that are like Linux etc, who are sponsored by major corporations that use them can be at ease with this law.

And in that you can understand how evil this law is:

Its carefully crafted to avoid risking the major software that megacorps are using. But it cripples & bankrupts all Open Source and also private small software producers. Whose users will have to turn to big corp apps and SaaS as a result. Whereas the large Open Source projects that are sponsored by corporations as a foundation will become totally beholden to those corporations as if they were external product organizations of those corporations because they cant risk funding themselves in any other way...

It looks like something that is crafted by the German private interests that currently dominate the Euparl.

From the second sentence of the article:

> Non-adherence comes with Significant Fines (15 million euros or 2.5% of annual turnover, whichever is higher)

I don't know where you got the idea that this proposal suggest unbounded fines. Do you have a source for it?

Whichever is higher implies no upper bound no?
No, it implies that there's a minimum upper bound for all companies, but that it scales based on the size of the company at a certain point

It can never be higher than either 15M euro or 2.5% of global annual revenue depending on the size of the company

Are you aware that an Open Source project with scarce revenue or small private software maker will get fined up to 15 million Euros if they found to be non-compliant, based on however the regulator interprets the legal maximum like in GDPR? Uncharacteristically outside the civil law principles that require solid, written guidelines for everything.

Which Open Source software project or small software producer has the funds to fork out from tens of thousands to millions of Euros? That's as unbounded as it gets.

Its a great risk to take. Solely this law going out would kill a lot of Open Source projects or move them out of the Eu. Considering how most projects are just collection of a few people without any organization and the individuals would be legally responsible, it would definitely kill any participation in an Open Source project by a Eu resident.

Given the track record of how the EU has administered fines for GDPR violations there's a legal precedence for large corporations being given large fines and smaller companies being given warnings

Claiming that open-source maintainers will get fined 15M euro is scaremongering and is not supported by legal practice in the EU

> there's a legal precedence

"Precedent" is not a concept that applies to civil law. Its a common law tenet.

> Claiming that open-source maintainers will get fined 15M euro is scaremongering

Read the actual legal document. The static, non % amounts are totally left to the interpretation of the regulator in the 'legal maximums' section of the draft law.

It doesnt need to be full 15 million. No Open Source contributor would risk getting fined a few dozen thousand euros. Even a few thousand is too much for anyone who contributes to Open Source.

Something to keep in mind when comparing CS with traditional engineering: http://thecodelesscode.com/case/154

Excerpt: When they had reached the other side, Kaimu asked the first monk: “What have you learned from the bridge-builder?”

The first monk said: “The determination of a true engineer is an enviable thing. But if we were to work in such an inflexible fashion, the Emperor would surely drown us in our own Waterfalls.”

Kaimu asked the second monk: “What have you learned from the bridge-builder?”

The second monk said: “The frugality of a true engineer is an enviable thing. But if we were to cling so hard to yesterday’s technology, the Web would not exist for another thousand years.”

Kaimu asked the third monk: “What have you learned from the bridge-builder?”

The third monk said: “The predictability of a true engineer’s world is an enviable thing. But ours is a world always in flux, where the laws of physics change weekly. If we did not quickly adapt to the unforeseen, the only forseeable event would be our own destruction.”

The first monk asked: “Master... what has the bridge-builder learned from us?”

Said Kaimu: “Nothing yet. But when I touch a lit candle to the oil I sprinkled from my lantern during our crossing, he will learn the reason to plan for the absurd, the virtue of rebuilding in stone, and the wisdom of not insulting your customers.”

I am a programmer that cares about quality software. I think we should professionalize the industry with certifications. I am also starting a business where I accept some liability for my Open Source software.

So this is a good step.

The only criticism I have is that the carve out for Open Source needs to be well-defined. I agree that FOSS like mine, where it's the basis of my business, should be required to be certified.

That said, I'm not sure I'll be able to afford the required certification. Will Curl or SQLite?

I think SQLite might, since it's already certified for flight. Curl might since it's been used in NASA flight.

But in both cases, the cost of certification, if it happened, was borne by the "customer." In the case of SQLite, it was Airbus. In the case of Curl, it would've been NASA. In both cases, the original authors did enough testing to make it possible, which would be a major cost for them.

I want my software to reach the same quality, but I couldn't, by myself, get it certified. It would take an outside entity that wanted my software certified for their use in Europe.

Edit: I also only have a Bachelor's degree. If I needed a Master's, that would be untenable.

This thread is beginning to read like a transatlantic culture war.

There's also a dichotomy between employees and entrepreneurs. This one is a bit simpler in that it can be evaluated from first principles. There are no private employees without entrepreneurship.

How it will actually go.

Legislator: "I don't understand all this stuff what does pointers and registers mean?"

Helpful Industry Partner (Also rep of massive corp): "Well here this is what we consider "secure development practices". Also did you know Firefox is a tool used by hackers, using Firefox is insecure.

"New Bill Requires Standardization in Web Browsers to Ensure Europe's digital security and to protect the children."

This literally happened in South Korea already.
Do you have a link with more details?
My position is simple...An unelected and non-adjudicated EU commission bureaucrat can't micro-manage my software -- or tell me how to write it -- just like I can't open source all of their calendars and tell them how to manage their -- unlikely -- busy days and off-the-books meetings.
Regulatory capture and let all small companies and self employed people die or go to work for big companies at a fraction of the profit.
I'm glad there's a carve-out for open source and homebrew stuff otherwise this would kill an entire scope of software in the EU.

Obviously some student in his bedroom is not going to be thanklessly maintaining some piece of software people rely on if it comes with a huge administration burden and the possibility of mega fines.

Referring to this kind of thing: https://xkcd.com/2347/

The carve-out of FOSS is rather weak. Anything that involves money can be a commercial activity. And suddenly some haskell core dev is on the hook because there are companies using it in prod. We can hope that it won't end that way, but there's nothing in the text suggesting that this should not happen.
I think the one being on the hook then would be the company using it. Not the dev, right? If the dev is not selling it, it wouldn't be commercial from their end.

But indeed, it's all very very vague.

For the time being, the solution is simple: just market to the US and completely ignore Europe. If you get hit by a GDPR or one of these audits, do not respond until they threat, and if they do simply drop all business there.

What I'm worried about is not that. As a non-European who doesn't live in Europe I'm worried about what it's happening over there. The non-elected EU bureaucrats will soon control and regulate every aspect of your lives, and I can forsee the future: cash will be banned (terrorists use it!), the internet will be severily restricted and monitored (think of the children!), hate speech laws will dictate what you can or what you cannot say (this already happens). Everything else will be done in the name of regulation for regulation's sake, banning sales of new fossil fuel cars due to "climate change" (and they will eventually ban your existing car), and so much more.

I think this is the result of extended peace and prosperity, it leads to people acting weirdly and relying too much on abstractions. Weird results ensue and eventually it all crumbles under its own weight. And yes, the same will happen to the US.