Seven open source foundations are coming together to create common specifications and standards for Europe’s Cyber Resilience Act (CRA), regulation adopted by the European Parliament last month.
The Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation revealed their intentions to pool their collective resources and connect the dots between existing security best practices in open source software development — and ensure that the much-maligned software supply chain is up to the task when the new legislation comes into force in three years.
Componentry
It’s estimated that between 70% and 90% of software today is made up of open source components, many of which are developed for free by programmers in their own time and on their own dime.
The Cyber Resilience Act was first unveiled in draft form nearly two years ago, with a view toward codifying best cybersecurity practices for both hardware and software products sold across the European Union. It’s designed to force all manufacturers of any internet-connected product to stay up-to-date with all the latest patches and security updates, with penalties in place for shortcomings.
These noncompliance penalties include fines of up to €15 million, or 2.5% of global turnover.
The legislation in its initial guise prompted fierce criticism from numerous third-party bodies, including more than a dozen open source industry bodies that last year wrote an open letter saying that the Act could have a “chilling effect” on software development. The crux of the complaints centered on how “upstream” open source developers might be held liable for security defects in downstream products, thus deterring volunteer project maintainers from working on critical components for fear of legal retribution (this is similar to concerns that abounded around the EU AI Act, which was greenlighted last month).
The wording within the CRA regulation did offer some protections for the open source realm, insofar as developers not concerned with commercializing their work were technically exempt. However, the language was open to interpretation in terms of what exactly fell under the “commercial activity” banner — would sponsorships, grants, and other forms of financial assistance count, for example?
Some changes to the text were eventually made, and the revised legislation substantively addressed the concerns through clarifying open source project exclusions, and carves out a specific role for what it calls “open source stewards,” which includes not-for profit foundations.
“In general, we are pleased with the outcome… the process worked, and the open source community was listened to,” Eclipse Foundation executive director Mike Milinkovich told TechCrunch. “One of the most interesting aspects of the final regulation is that it recognizes ‘open source software stewards’ as a form of economic actor which are part of the overall software supply chain. This is the first piece of legislation globally that recognizes the role played by foundations and other forms of community stewards.”
Although the new regulation has already been rubber stamped, it won’t come into force until 2027, giving all parties time to meet the requirements and iron out some of the finer details of what’s expected of them. And this is what the seven open source foundations are coming together for now.
“There is an enormous amount of work that will need to be done over the next three years in order to implement the CRA,” Milinkovich said. “Keep in mind that the CRA is the first law anywhere in the world regulating the software industry as a whole. The implications of this go far beyond the open source community and will impact startups and small enterprises as well as the global industry players.”
Documentation
The manner in which many open source projects evolve has meant that they often have patchy documentation (if any at all), which makes it difficult to support audits and makes it difficult for downstream manufacturers and developers to develop their own CRA processes.
Many of the better-resourced open source initiatives already have decent best practice standards in place, relating to things like coordinated vulnerability disclosures and peer review, but each entity might use different methodologies and terminologies. By coming together as one, this should go some way toward treating open source software development as a single “thing” bound by the same standards and processes.
Throw into the mix other proposed regulation, including the Securing Open Source Software Act in the U.S., and it’s clear that the various foundations and “open source stewards” will come under greater scrutiny for their role in the software supply chain.
“While open source communities and foundations generally adhere to and have historically established industry best practices around security, their approaches often lack alignment and comprehensive documentation,” the Eclipse Foundation wrote in a blog post today. “The open source community and the broader software industry now share a common challenge: legislation has introduced an urgent need for cybersecurity process standards.”
The new collaboration, while consisting of seven foundations initially, will be spearheaded in Brussels by the Eclipse Foundation, which is home to hundreds of individual open source projects spanning developer tools, frameworks, specifications, and more. Members of the foundation include Huawei, IBM, Microsoft, Red Hat and Oracle.
Comment