Open Source Development Threatened in Europe
It’s a topic we hear little about. Still, the warnings of a debilitating blow to open source are entirely accurate, with the heaviest blow falling on companies that employ developers for open source work and on the foundations that manage open source projects.
The matter at hand: Europe’s Cyber Resilience Act, designed to prevent security intrusions but with enough restrictions on open source to provide technologists with much to consider.
European developers would stop contributing upstream to open source software projects if the CRA passes, said Greg Kroah-Hartman, a fellow at the Linux Foundation and the maintainer of the stable branch of Linux. It may also make the use of Linux in Europe untenable.
Linux contributors are paid to work on open source, Kroah-Hartman noted in a September panel discussion at the Open Source Summit in Bilbao, Spain. Any company with influence or standing in Europe would stop contributing, or Linux could no longer be used there.
“If you can’t use this stuff in your products, you just won’t use it,” Kroah-Hartman said. “So no open source will be available, even for them to use. So then you lose all the contributors from the European Union as well because we have a huge contingency of contributors. I mean, it would just stop development.”
It’s the eleventh hour for the open source community, the technology industry, and arguably the larger economy as the CRA comes down to the final months before going into law. The CRA, first proposed in 2020, aims to strengthen cybersecurity throughout Europe. A vote could come later this year, making it law. If the law passes with the current language, open-source developers could face liability for sharing code.
The CRA gets broad overall support, save for how it puts the onus on upstream contributions. Its value includes long overdue requirements such as secure configurations by default, said Laura Seay, manager of product security supply chain operations at Red Hat.
“And also, I like that the CRA has been a catalyst for opening these discussions, open source discussions between foundations, commercial software producers, as well as bringing the public sector together to the table to talk about bringing regulations and the regulatory bar to the standards that meet everybody’s needs, both on the producer side and the consumer side,” said Seay.
But where do you put the liability, asked Justin Colannino, assistant general counsel for open source, standards and Open ML at Microsoft. Liability, he said, should rest with the product providers. His second point concerned platforms like PyPI: should the organizations managing the projects be the ones verifying security, or should it be the people who take that software and build it into the products they are developing?
“And again, I think it needs to be on the assembly and deployment of the software rather than on the development,” Colannino said.
Gabriele Columbro, the General Manager of the Linux Foundation Europe and the Executive Director of the Fintech Open Source Foundation, discussed the potential impact of the CRA.
It’s not just Europe that may be affected. Columbro emphasized that the CRA could impact the entire global open source ecosystem and the ability of European developers and small to medium-sized businesses to participate effectively.
The CRA affects all digital products in the European market, introducing mandatory cybersecurity requirements for hardware and software products throughout their lifecycle, said Mirko Boehm, senior director of community development at Linux Foundation Europe. The panelists joining Boehm pointed out that it’s a horizontal regulation, meaning it doesn’t matter whether your business is inside or outside the EU. If you offer products or make digital products available in the EU, you are responsible for the reporting and compliance obligations. On the panel were Kroah-Hartman; Cheuk Ting Ho, director, Python Software Foundation; Colannino; Seay; and Philip Robb, president, Ericsson Software Technology.
So what does this include? It means fixing discovered vulnerabilities, providing software updates, and auditing and certifying the products. The whole lifecycle of the product is affected: if revisions are made, reporting becomes a requirement.
What the language also states:
As it stands now, the CRA burdens open source developers by making them liable for the open source code they share. Technologies considered “critical” face the most significant scrutiny; these include operating systems, container runtimes, networking interfaces, password managers, microcontrollers, etc. The language may change, but it will go into the CRA unless last-minute changes are made.
The CRA calls for standards that have yet to be developed. High-risk critical products, such as an OS, would require mandatory third-party assessments. Developers must perform a cybersecurity risk assessment to ensure the product ships without known vulnerabilities. A developer must fix vulnerabilities without delay, perform regular tests and security reviews, disclose exploited vulnerabilities, and provide vulnerability patches to users. Active exploitation would have to be reported to the European Union within 24 hours of discovery.
Individual developers, the hobbyists, so to speak, wouldn’t be exempt. But if that individual developer gets paid regularly, then it could be considered that they also hold responsibility for the commercial product.
The proposed language needs to reflect the bidirectional nature of software development. There are two underlying misconceptions, said Boehm. First, that upstream developers know the code best and are therefore best suited to fix vulnerabilities. Second, who is the upstream developer? The CRA draws no distinction between open source development and bringing products to market. Developers contribute upstream, but they also build products for consumers — that’s the other direction. These two processes follow different rules, and the CRA treats them the same.
Thanks, Mirko. I expect then much liability could fall on the foundations in case the language gets adopted. The companies, too, that employ developers. The release may go through the foundation but the contributions come from individuals who largely work for organizations.
— Alexander (@alexwilliams) October 3, 2023
Kroah-Hartman did say that the CRA has the potential to ensure that devices remain secure and safe over time. The CRA is a step forward if it requires devices to be updated at the product level.
Ericsson derives revenue from products built on open source, said Philip Robb, president of Ericsson Software Technology.
“Ericsson is ready to take that responsibility with our products and do that,” Robb said.