wp-plugin-hostgator domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home4/scienrds/scienceandnerds/wp-includes/functions.php on line 6114ol-scrapes domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home4/scienrds/scienceandnerds/wp-includes/functions.php on line 6114Source:https:\/\/techcrunch.com\/2023\/04\/18\/in-letter-to-european-commission-open-source-bodies-say-cyber-resilience-act-could-have-chilling-effect-on-software-development\/<\/a><\/br> More than a dozen open source industry bodies have published an open letter<\/a>\u00a0asking the European Commission (EC) to reconsider aspects of its proposed Cyber Resilience Act<\/a> (CRA), saying it will have a \u201cchilling effect\u201d on open source software development if implemented in its current form.<\/p>\n Thirteen organizations, including the\u00a0Eclipse Foundation, Linux Foundation Europe, and the Open Source Initiative (OSI), also note that the Cyber Resilience Act as its written \u201cposes an unnecessary economic and technological risk to the EU.\u201d<\/p>\n The purpose of the letter, it seems, is for the open source community to garner a bigger say in the evolution of the CRA as it progresses through the European Parliament.<\/p>\n The letter reads:<\/p>\n We write to express our concern that the greater open source community has been underrepresented during the development of the Cyber Resilience Act to date, and wish to ensure this is remedied throughout the co-legislative process by lending our support. Open source software represents more than 70% of the software present in products with digital elements in Europe. Yet, our community does not have the benefit of an established relationship with the co-legislators. <\/em><\/p>\n The software and other technical artefacts produced by us are unprecedented in their contribution to the technology industry along with our digital sovereignty and associated economic benefits on many levels. With the CRA, more than 70% of the software in Europe is about to be regulated without an in-depth consultation.<\/em><\/p>\n<\/blockquote>\n First unveiled in draft from back in September<\/a>, the Cyber Resilience Act strives to codify into law best cybersecurity practices for connected products sold in the European Union. The legislation is designed to strong-arm internet-connected hardware and software makers, for example those who manufacture internet-enabled toys or \u201csmart\u201d refrigerators, into ensuring their products are robust and kept up-to-date with the latest security updates.<\/p>\n Penalties for non-compliance may include fines of up to \u20ac15M, or 2.5% of global turnover.<\/p>\n While the Cyber Resilience Act is still in its early-stages, with nothing set to pass into actual law in the immediate future, the legislation has already set some alarm bells ringing<\/a> in the open source world. It\u2019s estimated<\/a> that open source components constitute between 70-90% of most modern software products, from web browsers to servers, yet many open source projects are developed by individuals or small teams in their spare time. Thus, the CRA\u2019s intentions of extending the CE marking<\/a> self-certification system to software, whereby all software developers will have to testify that their software is ship-shape, could stifle open source development for fear of contravening the new legislation.<\/p>\n The draft legislation<\/a> as it stands does in fact go some way toward addressing some of these concerns. It says (emphasis ours):<\/p>\n In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be <\/strong><\/em>covered by this Regulation<\/strong>. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.<\/em><\/p>\n<\/blockquote>\n However, the language as it stands has prompted concerns from the open source world. While the text does seem to exempt non-commercial open source software from its scope, trying to define what is meant by \u201cnon-commercial\u201d is not a straight forward endeavor. As GitHub policy director Mike Linksvayer noted<\/a> in a blog post last month, developers often \u201ccreate and maintain open source in a variety of paid and unpaid contexts,\u201d which may include corporate, government, non-profit, academic, and more.<\/p>\n \u201cNon-profit organizations offer paid consulting services as technical support for their open source software,\u201d Linksvayer wrote. \u201cAnd increasingly, developers receive sponsorships, grants, and other forms of financial support for their efforts. These nuances require a different exemption for open source.\u201d<\/p>\n So really, it all comes down to language \u2014 clarifying that open source software developers won\u2019t be held responsible for any security slipups of a downstream product that uses a particular component.<\/p>\n \u201cThe Cyber Resilience Act can be improved by focusing on finished products,\u201d Linksvayer added. \u201cIf open source software is not offered as a paid or monetized product, it should be exempt.\u201d<\/p>\n A growing number of proposed regulations in Europe is raising concerns across the technological landscape, with open source software a recurring theme. Indeed, the issues around the CRA are somewhat reminiscent of those facing the EU\u2019s upcoming AI Act<\/a>, which seeks to govern AI applications based on their perceived risks. GitHub CEO Thomas Dohmke recently opined<\/a> that open source software developers should be exempt from the scope of that legislation when it comes into effect, as it could create burdensome legal liability for general purpose AI systems (GPAI) and give greater power to well-financed big tech companies.<\/p>\n As for the Cyber Resilience Act, the message from the open source software community is pretty clear \u2014 they feel that their voices are not being heard, and if changes are not made to the proposed legislation then it could have a major long-tail impact.<\/p>\n \u201cOur voices and expertise should be heard and have an opportunity to inform public authorities\u2019 decisions,\u201d the letter reads. \u201cIf the CRA is, in fact, implemented as written, it will have a chilling effect on open source software development as a global endeavour, with the net effect of undermining the EU\u2019s own expressed goals for innovation, digital sovereignty, and future prosperity.\u201d<\/p>\n The full list of signatories includes: The Eclipse Foundation; Linux Foundation Europe; Open Source Initiative (OSI); OpenForum Europe (OFE); Associa\u00e7\u0101o de Empresas de Software Open Source Portuguesas (ESOP); CNLL; The Document Foundation (TDF); European Open Source Software Business Associations (APELL); COSS \u2013 Finnish Centre for Open Systems and Solutions; Open Source Business Alliance (OSBA); Open Systems and Solutions (COSS); OW2, and Software Heritage Foundation.<\/p>\n<\/p><\/div>\n <\/br><\/br><\/br><\/p>\n
\nIn letter to EU, open source bodies say Cyber Resilience Act could have \u2018chilling effect\u2019 on software development<\/br>
\n2023-04-18 22:19:45<\/br><\/p>\n\n
Early stages<\/h2>\n
\n
\u201cChilling effect\u201d<\/h2>\n