12 Mar
2024
12 Mar
'24
9:45 a.m.
Hi all,
Sorry this list has fallen silent a bit. The final CRA is going to be
approved in Plenary soon and I as wondering if we all agree with what
most of the FOSS community has said about the result: that it is OK.
I understand it's not great and in particular wrt security updates we
would have wanted more, but is it correct to tell people who ask that
we're generally rather supportive of the CRA as it has been agreed, or
at least that we don't have any major issues with it?
Thanks for any issues you'd like to flag!
Jan
--
JAN PENFRAT (he/him)
Senior Policy Advisor
Mobile/Signal: +32 470 839 044
Matrix: @jan:penfrat.net
EUROPEAN DIGITAL RIGHTS
www.edri.org <https://www.edri.org>| Mastodon
<https://eupolicy.social/@ilumium>| PGP
<https://edri.org/files/pgp-keys/janpenfrat.asc>
/Working days are Monday-Thursday/
<https://edri.org/take-action/stay-up-to-date-with-edris-newsletters/>
12 Mar
12 Mar
11:08 a.m.
Hi Jan,
On 12/03/2024 9:45 am, Jan Penfrat (EDRi) wrote:
Hi all,
Sorry this list has fallen silent a bit. The final CRA is going to be
approved in Plenary soon and I as wondering if we all agree with what
most of the FOSS community has said about the result: that it is OK.
I understand it's not great and in particular wrt security updates we
would have wanted more, but is it correct to tell people who ask that
we're generally rather supportive of the CRA as it has been agreed, or
at least that we don't have any major issues with it?
Thanks for any issues you'd like to flag!
yes, in general we are fine even so we have to monitor guidelines and
delegated acts. So major improvement towards COM proposal and a
compromise that safeguards non profit work and individual developers.
There might be some hick up if you transform your non profit into a
start up but this is on the other end covered by fines that should
consider your size.
Best
Alex
12:41 p.m.
On 12-03-2024 09:45, Jan Penfrat (EDRi) wrote:
Hi all,
Sorry this list has fallen silent a bit. The final CRA is going to be
approved in Plenary soon and I as wondering if we all agree with what
most of the FOSS community has said about the result: that it is OK.
I understand it's not great and in particular wrt security updates we
would have wanted more, but is it correct to tell people who ask that
we're generally rather supportive of the CRA as it has been agreed, or
at least that we don't have any major issues with it?
I think it is better to have it go through than to have it shot down in
plenary. The document has massively improved in the trialogue, which
probably is a first in Brussels history.
That said, I fully expect the CRA not to last any longer than its
predecessor, the Cyber Security Act, did. If only because there are too
many loose strands out there. For example, the Linux kernel maintainers
have decided to consider every kernel bug a potential vulnerability.
Which from a security perspective is correct. This also means that every
kernel patch is considered a security patch. Per article 10(6b) CRA this
will create an obligation for downstream distributors to provide for
patches in products incorporating Linux kernels (basically every car,
set top box, etc).
In practice this will turn out to be unmanageable, not every bug and
patch are equal.
Either way, I expect the CRA to keep me employed for the foreseeable
future, which is not a good sign...
Regards,
Walter
1:49 p.m.
Thank you all for the quick feedback, this is very helpful!
So in summary I take away and might communicate to MEPs/groups who ask that
* (a) the CRA has improved as compared to the EC proposal, e.g. it
does not pose a threat to FOSS any more;
* (b) there are still very disappointing bits like Article 11 and the
software lifecycle that require improvement next time around;
* (c) but in summary we are not fundamentally opposed to the CRA
becoming law.
Hope this catches it well!
Jan
On 12/03/2024 12:41, Walter van Holst wrote:
On 12-03-2024 09:45, Jan Penfrat (EDRi) wrote:
--
JAN PENFRAT (he/him)
Senior Policy Advisor
Mobile/Signal: +32 470 839 044
Matrix: @jan:penfrat.net
EUROPEAN DIGITAL RIGHTS
www.edri.org <https://www.edri.org>| Mastodon
<https://eupolicy.social/@ilumium>| PGP
<https://edri.org/files/pgp-keys/janpenfrat.asc>
/Working days are Monday-Thursday/
<https://edri.org/take-action/stay-up-to-date-with-edris-newsletters/>
Hi all,
Sorry this list has fallen silent a bit. The final CRA is going to be
approved in Plenary soon and I as wondering if we all agree with what
most of the FOSS community has said about the result: that it is OK.
I understand it's not great and in particular wrt security updates we
would have wanted more, but is it correct to tell people who ask that
we're generally rather supportive of the CRA as it has been agreed,
or at least that we don't have any major issues with it?
I think it is better to have it go through than to have it shot down
in plenary. The document has massively improved in the trialogue,
which probably is a first in Brussels history.
That said, I fully expect the CRA not to last any longer than its
predecessor, the Cyber Security Act, did. If only because there are
too many loose strands out there. For example, the Linux kernel
maintainers have decided to consider every kernel bug a potential
vulnerability. Which from a security perspective is correct. This also
means that every kernel patch is considered a security patch. Per
article 10(6b) CRA this will create an obligation for downstream
distributors to provide for patches in products incorporating Linux
kernels (basically every car, set top box, etc).
In practice this will turn out to be unmanageable, not every bug and
patch are equal.
Either way, I expect the CRA to keep me employed for the foreseeable
future, which is not a good sign...
Regards,
Walter
_______________________________________________
Edri-cra-discussion mailing list -- edri-cra-discussion(a)mailman.edri.org
To unsubscribe send an email to
edri-cra-discussion-leave(a)mailman.edri.org 
2:17 p.m.
*Aaaand today the EU’s Cyber Resilience Act (CRA) was adopted with 517
in favor, 12 against and 78 absentations.*
On 12/03/2024 13:49, Jan Penfrat (EDRi) wrote:
Thank you all for the quick feedback, this is very helpful!
So in summary I take away and might communicate to MEPs/groups who ask
that
* (a) the CRA has improved as compared to the EC proposal, e.g. it
does not pose a threat to FOSS any more;
* (b) there are still very disappointing bits like Article 11 and
the software lifecycle that require improvement next time around;
* (c) but in summary we are not fundamentally opposed to the CRA
becoming law.
Hope this catches it well!
Jan
On 12/03/2024 12:41, Walter van Holst wrote:
--
JAN PENFRAT (he/him)
Senior Policy Advisor
Mobile/Signal: +32 470 839 044
Matrix: @jan:penfrat.net
EUROPEAN DIGITAL RIGHTS
www.edri.org <https://www.edri.org>| Mastodon
<https://eupolicy.social/@ilumium>| PGP
<https://edri.org/files/pgp-keys/janpenfrat.asc>
/Working days are Monday-Thursday/
<https://edri.org/take-action/stay-up-to-date-with-edris-newsletters/>
On 12-03-2024 09:45, Jan Penfrat (EDRi) wrote:
--
JAN PENFRAT (he/him)
Senior Policy Advisor
Mobile/Signal: +32 470 839 044
Matrix: @jan:penfrat.net
EUROPEAN DIGITAL RIGHTS
www.edri.org <https://www.edri.org>| Mastodon
<https://eupolicy.social/@ilumium>| PGP
<https://edri.org/files/pgp-keys/janpenfrat.asc>
/Working days are Monday-Thursday/
<https://edri.org/take-action/stay-up-to-date-with-edris-newsletters/> Hi all,
Sorry this list has fallen silent a bit. The final CRA is going to
be approved in Plenary soon and I as wondering if we all agree with
what most of the FOSS community has said about the result: that it
is OK.
I understand it's not great and in particular wrt security updates
we would have wanted more, but is it correct to tell people who ask
that we're generally rather supportive of the CRA as it has been
agreed, or at least that we don't have any major issues with it?
I think it is better to have it go through than to have it shot down
in plenary. The document has massively improved in the trialogue,
which probably is a first in Brussels history.
That said, I fully expect the CRA not to last any longer than its
predecessor, the Cyber Security Act, did. If only because there are
too many loose strands out there. For example, the Linux kernel
maintainers have decided to consider every kernel bug a potential
vulnerability. Which from a security perspective is correct. This
also means that every kernel patch is considered a security patch.
Per article 10(6b) CRA this will create an obligation for downstream
distributors to provide for patches in products incorporating Linux
kernels (basically every car, set top box, etc).
In practice this will turn out to be unmanageable, not every bug and
patch are equal.
Either way, I expect the CRA to keep me employed for the foreseeable
future, which is not a good sign...
Regards,
Walter
_______________________________________________
Edri-cra-discussion mailing list -- edri-cra-discussion(a)mailman.edri.org
To unsubscribe send an email to
edri-cra-discussion-leave(a)mailman.edri.org 
330
days inactive
330
days old
edri-cra-discussion@mailman.edri.org
4 comments
3 participants
participants (3)
-
Alexander Sander -
Jan Penfrat (EDRi) -
Walter van Holst