On 12-03-2024 09:45, Jan Penfrat (EDRi) wrote:
Hi all,
Sorry this list has fallen silent a bit. The final CRA is going to be
approved in Plenary soon and I was wondering if we all agree with what
most of the FOSS community has said about the result: that it is OK.
I understand it's not great and in particular wrt security updates we
would have wanted more, but is it correct to tell people who ask that
we're generally rather supportive of the CRA as it has been agreed, or
at least that we don't have any major issues with it?
I think it is better to have it go through than to have it shot down in
plenary. The document has massively improved in the trialogue, which
probably is a first in Brussels history.
That said, I fully expect the CRA not to last any longer than its
predecessor, the Cyber Security Act, did. If only because there are too
many loose strands out there. For example, the Linux kernel maintainers
have decided to consider every kernel bug a potential vulnerability.
Which from a security perspective is correct. This also means that every
kernel patch is considered a security patch. Per article 10(6b) CRA this
will create an obligation for downstream distributors to provide for
patches in products incorporating Linux kernels (basically every car,
set top box, etc).
In practice this will turn out to be unmanageable; not every bug and
patch is equal.
Either way, I expect the CRA to keep me employed for the foreseeable
future, which is not a good sign...
Regards,
Walter