Re: [open-regulatory-compliance] CRA discussion topics and activities

Someone asked offlist what part of the CRA triggered the GPL-like requirement for upstreaming vulnerabilities, so I thought I'd share my answer here for everyone's benefit. It's in Article 12, section 6: 

Manufacturers shall, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability in accordance with the vulnerability handling requirements set out in Annex I, Part II. Where manufacturers have developed a software or hardware modification to address the vulnerability in that component, they shall share the relevant code or documentation with the person or entity manufacturing or maintaining the component, where appropriate in a machine-readable format.

Hope that's useful to others.

And just so y'all feel more comfortable asking questions on the list, just know that I didn't know the answer off the top of my head and had to look it up. There's a lot to absorb here, and it's entirely OK not to know the answers and/or make mistakes.

We're all in this together!

--tobie

On Fri, Jun 14, 2024 at 11:47 AM Tobie Langel <tobie@xxxxxxxxxxxxxx> wrote:
Yes, the GPL-like requirements for upstreaming vulnerability fixes are a fascinating feature of the CRA.

I'd imagine they'd be part of the discussion on vulnerability handling (in the second list). WDYT?

--tobie


On Fri, Jun 14, 2024 at 11:44 AM Tobias Frech via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Hi!
While getting up to date with my knowledge about the CRA I was surprised to learn integrators will need to fix security issues and/or to provide fixes back to the OSS projects. I think this will lead to a set of new requirements for OSS projects to publish ways of contact and probably standard rates for support work.
Where would you put such thoughts?

Best
Tobias (iJUG e.V.)


On 14 June 2024 at 10:59:39 CEST, Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Hi all,

I'm preparing a form to gather your input on CRA-related discussion topics and activities you'd like to get involved with.

Here's a list of general topics taken from Gaël's presentation yesterday:

- CRA reading group
- Building support documentation (glossary, collecting references, etc.)
- How to ensure effective participation in the EU standardization process
- How to provide input to the EU Commission in general (and about product categorisation in particular)
- CRA impact on Open Source Stewards / foundations
- CRA impact on open source consumers (SMEs / enterprise / OSPOs)
- CRA impact on single-vendor open source

And here's a list of the more technical topics he shared:

- Standards for identifiers (CPEs), version numbers, end-of-life status & dates, referencing (transitive) dependencies, etc.
- Standards for releases, recall, EOL
- Secure by design
- Open source supply chain security
- Vulnerability handling
- Software lifecycle; including post EOL vulnerabilities

Any pressing topics I'm missing?

Thanks for your input,

--tobie

---
Tobie Langel
Tech Lead ORC WG, Eclipse Foundation
Principal, UnlockOpen
--
Frech IT GmbH / Am Brünnele 7 / 71642 Ludwigsburg
phone : +49-(0)7141-9113037 / HR B 744851 / AG Stuttgart
Managing Director: Tobias Frech
mobile: +49-(0)172-7112352 / email: tobias@xxxxxxxxxx