Re: [open-regulatory-compliance] Manufacturer's responsibility

On Mon, 5 Aug 2024, Joe Murray via open-regulatory-compliance wrote:

> Olle wrote:
>
> > Even if the manufacturer can point to an attestation by an open source
> > steward - won’t the manufacturer be fully responsible for the product they
> > are placing on the market. I don’t think
> > there’s any provision in the CRA to forward the blame upstream in the
> > software supply chain,
> > regardless if it’s commercial or open source component used.
> >
>
> In terms of liability for an incident, if the manufacturer can show they
> took reasonable steps to ensure the security of their product then they are
> not liable under a negligence standard of liability in common law
> jurisdictions, but they can still be liable under a strict liability
> standard. I am guessing that what the new European regime is creating is a
> way to allow manufacturers to show they took reasonable care in creating
> their digital product so that they are not liable for negligence, and that
> there is not a strict liability policy in place.
>
> What obligation do OSS Stewards have to fund the fixes for reported
> vulnerabilities?

My reading is that it's NOT the OSS Stewards that are offering an
Attestation, but rather some other EU organ (source: Recital 21 and/or
118, and Article 25).

Here's what I wrote in the Matrix channel on this:

=======8<-------------

[…] To me, the question is about due diligence, and for those who need to
exercise it (usually Manufacturers). The scenario that I'm thinking of
usually, is when a Manufacturer looks at their application's or device's
dependency graph, and see that it contains maybe thousands of
dependencies.

Anyone who has done a "due diligence" work knows that this amount of
diligence is quite unreasonable to ask from most businesses with limited
resources – and that's where the OSS Stewards can step in and help.

My understanding is that this is meant to happen with four steps:

* Manufacturers have a need to exercise due diligence, but need help

* OSS Stewards commit (for pay) to help with this, in cooperation with
both Manufacturers and the OSS component projects

* Component OSS projects commit to assist by stating that their components
are "Intended for commercial use"

* Some EU attestation authority signs off on this work with an official
attestation, so that both Manufacturers, Stewards and Projects don't have
to waste time doing redundant work

And to me, the thing that makes this work, is that the Stewards can fund
their work by for example selling access to attested component releases,
and if a Manufacturer uses these (and pays for the privilege), they can
assume that they have performed their due diligence regarding these
components.

[…]

As I read it, the prime motivator in play in this particular economic
system, is the Manufacturer's willingness to pay for avoiding liability.

If this motivation is an actual thing (e.g. the incentives are in place,
the guarantees are public and well-known), then this motivation can be
used in a bunch of ways, depending on the Manufacturer's situation and
needs:

* They can re-implement dependencies

* They may fork dependencies

* They can keep a library of "internal" patches that address any issues
they encounter

* They can "outsource" the management of performing due diligence to any
upstream OSS Stewards (and have this work attested by an official body)

* They can involve themselves in the OSS projects directly

… or any combination of these, depending on circumstance or needs.

… and this goes for any or all projects/components in their dependency
graph. 🙂

---->8==========

So in short – I think we have an opportunity to create an
ecosystem-friendly economy here, that _both_ is beneficial for the
Manufacturers and the Open Source communities they depend on. :-D


- Salve J. Nilsen (CPAN Security Group)

-- 
#!/usr/bin/env perl
sub AUTOLOAD{$AUTOLOAD=~/.*::(\d+)/;seek(DATA,$1,0);print# Salve Joshua Nilsen
getc DATA}$"="'};&{'";@_=unpack("C*",unpack("u*",':50,$'.#    <sjn@xxxxxx>
'3!=0"59,6!`%%P\0!1)46%!F.Q`%01,`'."\n"));eval "&{'@_'}";  __END__ is near! :)
