3 comments

[ 2.9 ms ] story [ 19.9 ms ] thread
As context, the ASF summarized current legislative efforts in

https://news.apache.org/foundation/entry/save-open-source-th...

- EU Cyber-Resilience Act (CRA)

- EU product liability

- US executive orders, legislation...

The CRA committee's March draft showing changes is

https://www.europarl.europa.eu/doceo/document/ITRE-PR-745538...

Most concerning would be language enabling authorities to inspect secure enclaves, which I believe China and Russia will likely adopt. I couldn't find that.

Some other notable provisions:

The new draft says "only free and open-source software supplied in the course of a commercial activity should be covered by this Regulation" and puts the onus entirely on the manufacturer adopting it (i.e., off the developer or the sponsoring agency like ASF or eclipse.org): [10] "...manufacturers that incorporate such software in their products with digital elements should take all the necessary steps..."

[12a] It excludes national security and military electronics.

[14b] It excludes "leasing companies" from being considered as distributors.

[18a] It requires governments to prioritize vendors in compliance and to drive vendors to fix holes urgently.

[32a] Security updates must be automatic, but users can disable them. Once unsupported, users must be notified, and [32b] the source code should be given to companies seeking to offer ongoing support.

[34] Mandatory notification of vulnerabilities does not apply when "discovered by ethical security hackers operating with no malicious intent and with the manufacturer’s consent"

[61] In market enforcement sweeps for entire product categories, "Specific attention should be given to products with digital elements placed on the market by manufacturers that might present a security risk for the Union, including in light of the geopolitical context"