Newsdesk


THIS ISSUE: EU threat to open source | Plasma features face chop | Gnome opens window plans | Debian embraces RISC-V

SECURITY

EU states have agreed to draft legislation, despite opposition from the Linux Foundation and others. Is this the end of open source in Europe?

The Cyber Resilience Act was proposed in September 2022 and mostly seems to target interconnected equipment such as IoT devices. In theory, it ensures minimum standards for connected devices as well as requiring mandatory security updates. As well-meaning as the legislation is, the impact on open source development could be devastating. In April, more than a dozen open source industry bodies, including the Linux Foundation Europe, wrote an open letter to EU legislators asking them to reconsider the current wording (https://newsroom.eclipse.org/news/announcements/open-letter-europeancommission-cyber-resilience-act).

In theory, the Act exempts “free and open source software developed or supplied outside the course of a commercial activity”.

In practice, many open source projects would be considered commercial if any contributors were paid for their work. This would encompass most major versions of Linux, as well as popular open source apps such as LibreOffice.

Some aspects of the Act would also be almost impossible to guarantee. In January, GitHub pointed out that Annex I, for instance, would require software to be delivered “without any known exploitable vulnerabilities”. The company notes that vulnerabilities exist on a “continuum of risk” and that new ones are being discovered all the time.

The open letter points this out, as well as making a tongue-in-cheek reference to the fact that most open source projects don’t have the “benefit of an established relationship with the co-legislators”.

Joe Brockmeier, head of community at open source development company Percona, points out more chilling effects of the legislation for the community: “The CRA wants to force projects to report vulnerabilities within ‘hours’ of reporting to an EU institution, which flies in the face of industry practices and will have severe unintended consequences. Open source projects are frequently combined in ways that are unpredictable and may cause vulnerabilities that were unforeseeable to the original authors.”

Brockmeier cites the zero-day vulnerability Log4Shell as a good example of this. He also points out that onerous requirements like these could force open source software development out of Europe entirely.

Amanda Brock, CEO of OpenUK, a not-for-profit that supports open source, opined: “The EU’s persistent focus on purely giving carve-outs to SMEs and failing to do the same for foundations shows a complete lack of understanding of how open source software works. This is extremely short-sighted and feeds into a cycle of perpetuating the lack of growth of European tech compani