So the bill itself has critical security flaws that need to be reported within a timeframe measured in hours. Better hope the entities behind it get it patched, because it's absolutely proprietary.

In the absolutely proprietary cyberpunk dystopia of the future, I will be the shady guy in a trenchcoat, fedora, and penguin mask handing out bootable arch usbs in dark alleyways.

I like a lot of EU acts, but they _really_ do not understand technology. I will never forget when Ylva Johansson compared encryption to a travelbag in an airport, and chat control a "sniffing dog" that can detect CP in said "travelbag" during a debate with a security expert.

Even if this is not enforced on open source projects in practice. It will still dissuade a lot of people from getting involved in open source. And worst of all I can imagine companies forbidding their staff from contributing to open source projects.

Seriously, I cannot imagine a single company - let alone an OSS project - to comply. 25% additional costs is a lot. What will happen then, will the EU reform to an agricultural state, because we cannot use any software at all?

Written by people who don’t know what goes into tech. Beaurocracy at its finest, closest to idiocy

I've worked in industries impacted by new EU regulations. The short version of my complaint is that most of the regulations are almost impossible to meet unless you are a large corporation with a ton of money to meet ridiculous requirements in a short time to meet unrealistic deadlines, and if you don't meet the deadline you need to shut business down or be met with fines so large it will bankrupt you. The conclusion I have come to is that the people making the regulations have no idea what they are doing, or this is intentional.

NO ONE can keep up with this crazy bill. Their goal is noble but it's unattainable. What and how they want to do, it's simply crazy. Every commercial company will have either to lie about the CRA compliance of their software or try to drastically change their development process and commercial cycle releases which most probably send them bankrupt before even achieve the cra goal. For open source entities? Who will even accept this enormous responsibility and liability under law that may result in prison time and fines, imposed by this bill? I bet there is no software project out there, open source or not, that was ever bug free and 100% secure. The bill is just insane, created by people that have no clue how modern software is developed or they simply don't care to draft something that can be achieved.

The requirement to notify is the scariest to me because it would require that all software collect data, regardless of if they were before or actually need it. And guess who loves to get data from private companies? The government.

Free software shouldn't bee seen as a product. First of all it is a collective and shared knowledge. No government should impose rules to sharing knowledge.

They want opensource software to be certified AND they want open source developers pay for it. How disgusting.

so they're effectively creating a centralised database of 0day vulnerabilities in business and finance critical softwares? I'm sure that will go well and not be the target of every blackhat on the internet.

This act WON'T save them this money though. You'll annihilate open source, and then Microsoft, Apple, Oracle, Red Hat, etc will own the whole thing. That eCommerce website you paid a freelancer $2000 for? That will be $25,000 now thank you very much. The freelancer still only keeps a small fraction mind you, they just have to pay exorbitant fees to corporates for basic functionality. It would be the 1990s all over again.

If there is a vulnerability, tell us immediately so we can weaponize it against our enemies; you.

Gods, to me this doesn't sound reasonable or awful, it sounds like panicked middle and upper managers covering their collective arses in an area they know next to nothing about. So, ok, it's awful 😞

If the use of this software is so critical to European SMEs (providing 95% of the code base) then why doesn't the CRA establish a certification authority that is industry funded and pays for all this work instead of simply demanding that the work be carried out? If you're profiting from it (indirectly because the SMEs pay taxes) then you have a responsibility to put your money where your mouth is.

They assume there can't ever be bugs in software. Are they fricking dumb. You can't guarantee that there will not be bugs or vulnerability in software. Do they make these laws with input and insight from real experts in the field (programmers and other IT professionals) or is it just a bunch of guys in suits sitting in fancy offices coming up with all these garbage unrealistic goals. I would like to hear Linus' opinion on such ignorant laws.

Reading the act, operating systems are considered critical and thus need independent review by the CAB. Makes you wonder what they'll think of as an OS. Is it the kernel or the desktop environment. Also for some reason hard drives are an example of noncritical. They also say importers can't bring noncomplying software into the single market. Like, how would that even work with SaaSS? Is that importing? If not then this act is going to result in a lot of EU data being held outside of the EU. Honestly the more I read this thing the worse I think it is. I want to make free software. But I also don't want a fine measured in the millions. I'll probably ignore the risk. But I imagine a lot of people won't.

This is what you get if you have people, that know nothing about a subject, make legislation around that subject.... I think Open Source should be exempt because the code is open, you can check and change it yourself... So the responsibility lies with the user... As it should be.. This should only be a thing for non open source, where you cannot see what's in the package for yourself... I think it might be time for a petition before the vote the law in effect...

If foundations can't keep up and this ends up "pulling off" from Europe in "support & compliance" frame... Well, their plan, and a big portion of tech, is screwed.

Europe is imposing its sanctions on itself for the sake of security. As a US dev, I expect you’re going to see organizations blacklist the EU from using its code.

I wonder if even one tech person was in the room when they drafted this silly bill. It's impossible to report a security issue within hours, you're still mitigating the breach.

I would recommend just not having the optimism you had at the end. The consequences can be massive from something like this, we should be as pessimistic as possible. If something *can* happen under the law and it’s bad, we should assume that it *will* happen. Some miser somewhere will find and pull that trigger when it suits them. Also, they’re rationale is “oh small companies can’t absorb the cost of vetting the other 95% of the codebase” - so instead you put the cost onto the open source developers whom may not even be paid for their open source contributions? To put it simply, that’s hypocritical and stupid. It’s on the same level of hypocrisy and stupidity as a US law, I expect better from the EU. They should instead instate an audit funding pool rule for downstream commercial entities. If you have 10 entities that add 5% on top of some open source project, those 10 entities are responsible for together funding a security audit for the remaining 95%, 9.5% each. Also reporting security vulnerabilities to people not involved in a fix is pretty stupid. That totally violates the principle of least privilege, and it provides a perfect place for bad actors to worm their way in to catch wind of security vulnerabilities for *all* open source projects that report to that organization which compromises security for *all* of them, rather than having to worm their way into each individual project (which I would imagine numbers in the thousands, minimum).

Sounds to me like a classic case of regulatory capture. The big boys get the government to write regulations that the smaller players cannot afford to comply with in order to keep them out of the market.

I think the key question is what happens if you certify that your software has no vulnerabilities and then it inevitably does, because the answer to that will determine everything. If there is a punishment, it encourages being dishonest about newly discovered vulnerabilities. If there is no punishment, then there is no reason to exercise rigor when doing the security audit.

That's not *saving* billions, it's only shifting the burden for the spending.

I'm definitely torn over this issue. The insecurity of software and systems is a *huge* problem socially and economically. And it's only getting worse as every aspect of our lives go online. Most people have no idea about security, so it need to be provided for them for - especially when they are required to use online services by government and businesses. At the same time implementing these sorts of rules will drive small developers out of business. I am planning two commercial projects that involve software and complying with this would be impossible for me. So that means software, and hardware that runs software can only be developed by large organisations. That's some serious dystopia right there.

I guess we better hope Google are still scared enough of being labeled anticompetitive that they're willing to bankroll an audit to certify Firefox, otherwise RIP free and open Internet. OTOH, forcing publication of exploits in "Operating Systems" (embedded OSes are OSes too) and "boot managers" (bootloaders?) way before any device vendor could realistically deploy a patch could start a whole new era of device jailbreaking, so I guess there's that. :/ Has the EP voted on this yet?

11:46 Yes, it can mean that. If the developers are employed (employed anywhere by anyone to do anything, even if all different from each other and unrelated) and the developers make decisions on the project, it becomes commercial. Completely insane!

These processes are designed to increase barriers of entry. Large organization with lots of money are already engaged in processes to mitigate 0day vulnerabilities. What this does is place legal liabilities on people for innovating. I see some companies pulling in tremendous profits by eliminating competition.

They do not realise how much of the world is based on open source too. And there’s absolutely no way to know ALL the insecurities in software or hardware until they’re discovered.

1 How does certification guarantee the software is secure? 2 If a problem is found in certified software does that not leave them open to lawsuits? 3 What about the principle that states you cannot create bug free software, especially in large projects? 4 How does this change the design and layouts of chips and their performance? 5 One more point many of the definitions we use in computing are not fixed. The law will have a huge problem with that. Example what is the difference between information and data? 6 If all the software and hardware fall under one security umbrella that is unanimous we then fall into the Apple inc. problem. 7 The largest producers of security vulnerabilities and hackers is the governments and if the bill cant fix that it is useless.

Old timers in linux remember as a regular feature in man pages and other software documentation a list of known bugs, the better to enable the end user to work around these bugs. This would include configuration settings to avoid vulnerabilities.

Thank you very much for explaining this. My current understanding of this (which comes only from your presentation) leads me to believe this will not have any effect on the software publishers. I guess almost nobody will bother with this certification and publishers will simply add to their license that this software is not suitable for use in Europe. Individuals will most likely still be able to use any open source software they want (through vpn if it comes to that). It is the enterprises, government institutions, and, more importantly academic institutions that will loose access to any concerned open source software they were using and end up having to pay huge amounts of money for the commercial alternatives. So this is an economic catastrophy for an enconomy that is struggling to retain some competitivity and it feels very much like intentional internal sabotage but it is of no concern to the software world.

Apache should amend the License and add "This software is illegal to use within the EU". Nginx should also add the same thing. Them sit back and watch the fallout!

For a law that can affect so many people and so much of the internet it doesn't feel like they really researched its impact or even considered hearing from the industry at all on this matter.

The sad thing is open source, thanks to its nature has developed awesome software, the most downloaded and used in the world, like Blender, Krita, Git, LibreOffice, etc, and the OS running critical servers for the Internet.

All I hear is "so lets raise the barrier of entry because we worked for decades to stop effective end to end security in every product so we can spy on people, so now lets make a bill so convoluted and arbitrary only some corporation will be able to comply". Oh and "reporting to us within hours lets us exploit those bugs before they are fixed so we can get our stuff installed".

That would be awesome. If you want to tarpit an open source project as a company just donate 1€ monthly and they have to comply to the CRA ^^

In the future all open-source projects will be by anonymous.

The EU is where good ideas go to die because of bad implementations. The level of incompetence is so very frustrating.

Brexit is beginning to make a bit more sense now XD

When my current school project comes due, I have to provide the source via Github. And I work for a corporate entity. Does this mean that if I keep my (project) web page online after the course ends, I have to ensure that it can't be accessed in Europe?

This is just plainly ridiculous, i'd say politicians should also be held to this same level of standard.

Why don't they just put the liability on companies selling a software or service? That way, the actual companies put money and dev time into certifying upstream code.

One thing here is that having all software automatically notify users of updates would tangle badly with the GDPR. Not to mention the fact that you can't just go updating things randomly. It can break stuff even worse and create more vulnerabilities through various integrations. Updates have to be tested, and users may want to allocate specific time slots for updates to avoid outages. They could have simply asked any sysadmin in Brussels...

I miss the days when governments didn't take the internet seriously

Add a line to all of the standard open source licenses: “Due to legal changes that are not feasible to comply with completely this product is banned in the EU and no users within the legal jurisdiction of the EU are authorized to use it”. Just blacklist the entire EU from all open source software. Watch them panic as the web servers shut down. Finger pointing and then the bad law is quickly repealed.

I would like to see it in form that any commercial product that uses open-source project is responsible to help getting CRA certification for that project.

What will EU do if open-source projects are suddenly registered as legal entities from outside of the EU, or anonymously hosted on Tor, with the addition of maintainers being paid in Monero (whose transactions cannot be traced from person to person, even if it was aqquired at an exchange in the first place)? What if open-source projects chose a dual-licensing model, that forbids commercial use unless these users pay regular fees into a funds dedicated to certification? What I want to say with this, is that there are still options to circumvent this BS. However, I don't think that CRA would pass legal review, and even if it did, it's open wide to being challenged at court due to conflicting a plethora of preexisting laws. Funnily enough, it's an EU law that new legislation must not conflict existing legislation - the whole thing would be overruled/suspended, until EU politicians came up with a compatible version - this is also happened with the EU directive on telecommunications data retention, which is now thankfully in a state of eternal limbo due to essentially being unimplementable.

Regarding the GDPR reference - this is much much much more onerous than the GDPR: the GDPR is (mostly) about things you shouldn't do - don't store such and such information; let users know when you're about to store that information. It was also about operators that interact with users. The CRA is not really about users - it says "users" a few times, but in its extensive (40 items) list of definitions, there's no definition of "user". The CRA is all about "manufacturer" where its basically - if you create software or make something that has something to do with software - you are a manufacturer, and then there's tons of red-tape you have to do, from documentation to having "systematic" processes in place to notifying government agencies to being available for questions by government agencies. You aren't even allowed to stop being a manufacturer without notifying an agency using an arduous process. Under GDPR you can always just delete the database and close the servers, and you are off the hook.

Thanks for sharing this important news! What a shame. Looks like we're not taking the risk of putting our custom proprietary software out there in public after all, at least not before this mess of a directive is unambiguously sorted out. 🤔

At 12:00, when you are talking about the commercial companies--what everyone seems to have missed is the evil companies do. Say I have an interest in stopping Apache. Well, I hire one of the main fork devs, and I now have control over the code base by telling that dev what to do. It allows commercial entities to insert themselves into the open-source world in a way we can never allow--by buying their way into controlling and ultimately destroying any open source project they wish. Without limit. Brilliant.

The endgame here is to make necessary parts of the tech stack beholden to government for its existence and thus compliant to requests for backdoors/user data/etc. The government power of licensure is, and always will be, a net detriment to the public.

This is an excellent, important and well explained video. So if the open source software foundations simply published explanations for potential users within the EU that use of their software may be 'illegal' for commercial purposes within the EU what would the users of the 95% OSS do (especially if the foundations were outside the EU)? Would they suddenly need to find paid for versions of Apache etc.? The EU creating laws for companies operating within the EU is fine but with something as universal as software, in todays highly interconnected world, it's harder to see how such laws could be enforceable. All OSS foundations need to apply for charitable status to avoid appearing as commercial (or perhaps a religion...if Scientology can do it...). Also the initial drafting of laws is usually appalling anyway and takes years or decades to knock into shape through spending huge amounts to test things in court. We can hope that common sense causes changes to the initial act but I don't suppose any of us are holding our breath.

Where a liberty oriented community collides with a bureaucratic socialist oriented community.

I think that a part of the issue (related to a lot of open source networking packages) could be resolved if companies like ASUS, MSI MikroTik, Netgear, Synology, Ubiquiti (these are just some of the examples, which I came to think of) etc. would step up and support these projects (if they don't already do so). A lot of these companies make SOHO routers and sell them to end users. Most of the software being used on these devices is open source, but some of these companies do not contribute a lot (if at all) to the software itself.

This will end badly, for EU. What will they do when OSS foundations start banning their software be used in EU ? Writing everything which runs internet from scratch ?

War is Peace, Slavery is Freedom, Ignorance is Wisdom, Poverty is Wealth, Hunger is Satisfying, Bugs are delicious, And so on....

Europe should just certify it itself. Or if this gets trough, i would want to "patch" and "disassemble" whoever put this in it.

This is one of those ideas that seems good until you realize the people writing how to implement it have no idea how "stuff works". Having spent more time than I care to think about explaining to decision makers with no tech expertise the how and why of things it only makes me wonder how much worse that must be when dealing with bureaucrats and politicians. I really hope they realize how damaging this would be and rewrite it.

Will games go under this act? If yes, it will destroy 90% of indie game dev studios... Edit: unless it will be possible to say: "steam is certified, our game is not online except for interaction with steam, and as such, we consider the game safe" and that would comply?

7:44 Note that this "provided as is" statement is ubiquious with most if not all commercial software as well.

I'm pretty sure that employment line was saying if the employer has control over the project, not just control over the employee, so no a pizza job wouldn't have any impact whatsoever and a game dev working on a linux distribution where the gaming company they work for is not legally able to tell their employee "hey we need you to change xyz in that linux distro for us". Granted, there maybe some semantic gibberish someone might be able to pull in a court of law but that would be scum of the worst order and result in mass rebellion at the sheer stupidity... kinda like say D&D 3.5's drowning rules not including a means of stopping the process and also resetting negative HP to 0, neither of which no sane DM should allow.

All software source files and EULA's will contain the following line: "This software may NOT be used in the European Union" Solves the problem for the developer, and would be a death stab to the EU if implemented in large software projects. (Imagine the Linux kernel no longer being allowed inside Europe... 🙃 *Poof* to all datacenters, routers, entire internet and all android phones.)

The scary thing is that, with the nature of the internet, this will affect anyone who makes software anywhere. I have a music looping software I’m developing and have available through my Patreon, but since people in the EU could get it, does that mean I have to do all this bull crap too?

I worried about whether the CRA would affect the open-source foundations. This act doesn't target independent developers as they may not function as economic operators, but what about charities, they usually receive donations for their open-source projects and most of their projects may have one primary commercial entity behind them...

EU does something stupid. I'm shocked.

The CRA cannot be enforced either way, nor can its goals be achieved with reasonable amounts of human and monetary resources.

Film trailer voice:" In a world run by MBAs, where a certificate means more than a brain, no-one can stop the infinite stupidity of bureaucrats... " That's it, there is no second act.

Sorry i don't know where to directly leave some information on kde. I noticed that the splash screen section of the system setting has the button (get new splash .....) on the top and all other items have the button on the bottom. Where could i go to submit these type of things? cheers

I'll admit a small, dark part of me wants this to go through, and then have it blow up in their faces in spectacular fashion. Will they actually learn if that happens? Probably not. But I'd still bring the popcorn.

A product is the item offered for sale. A product can be a service or an item. It can be physical or in virtual or cyber form. Every product is made at a cost and each is sold at a price. The price that can be charged depends on the market, the quality, the marketing and the segment that is targeted. Open Source software that is not being sold is not a product even if there are donations. "Security requirements relating to the properties of *products* with digital elements" does not apply.

Inform the voters, and then let the People vote on it. Otherwise I will rescind my protection of politicians in the EU parliament. They are outnumbered. We don't need them.

can't wait to publish a CRA certified Hello World software. that just says Hello World lol

Two options: 1. Don't comply and expose yourself to the wrath of these bureaucrats with infinite money 2. Comply vigorously and flood the system with each and every trivial 'breach' you can possibly imagine. Do the latter across all open source projects and you basically DDOS their process.

Tyrants will be tyrants. Make no mistake: government interference IS the WORST CYBER SECURITY THREAT.

As with everything… along come the clowns to bleed it dry and mess everything up. Yay for politicians, may the all hold their collective breath for 30 minutes 😊

Shifting responsibility, eh? A tale as old as time

If this actually goes through VPN companies are gonna have a blast. Theres no way most companies commercial or not would comply and just decided to not operate in the EU at all.

Great video man. really explains everything that is going on with it. I think the way to solve the issue with smaller companies that use open source software is to have all of them contribute together to improving the security of upstream open source software, I mean there is no way around it, if they ship a product they're at least partially responsible for the security of it. although the cyber Resilience act would be difficult to comply with still. but I do believe this going off this train of thought is a lot more workable while still achieving better security.

The day I can no longer use Linux to compute or web browse if the day I stop using PC's. Between this crap and the Google Web DRM crap its not looking good. They want only MicroSucks and Apple Cult to survive. I refuse both!

I'm not worried about this bill at all. It's pretty clear to anyone who knows the first thing about software development in general that this is simply not viable for a number of reasons. It will be dropped or changed, and if for some freak accident reason it actually goes through the way it is currently, I give it a month or two before they simply have to backpedal on it because of how it completely destroys the software and library ecosystems.

Open source won't die. Although with this act in place it would be much easier NOT to run a business out of EU. Ones they count how much money they loose in taxes, I bet the act will be reverted in a day.

Well, this is quite easy. We'll have to remove all opensource from a lot of production environments and replace them with closed variants. That will bring the internet down along with everything. I think the intention is good but the way to do it is not. There is a good system in use of reporting bugs and security issues in place already. It is also in everyones interest to keep things secure unless the source is hidden and flaws can be kept in a hidden repo somewhere. The recent Tetra hacks is a good example of how closed solutions is less secure than open. Again, prepare versions of open licences that prohibits production use and apply them if EU chooses to implement the rules. Nothing will work after that.

They're getting more anti-social every time they touch anything..

Maybe suggest the following change to the CRA : every company that uses a an open source project must share the cost and responsibility of the certification of the 95% of the software stack, that way making the open source developers free from that certification cost. This of course would require some formal way of knowing which companies uses which open source software, and a certification body, that can do the certification or make sure that the companies involved, indeed has certified the software, and how to split the certification cost, and possibly making a CVS system that can control/show which parts of the software has been certified (This should be able to be done rigorously, so that you don’t have to recertify everything at every revision - but rather if all parts of a project is certified, it should be a routine call to the certify it all).

Couldn't a company just decide to stop marketing to EU countries? If people in the EU want the product they could just import it themselves and/or use a VPN. I really don't like it when EU laws impair my own use of technology. They are the reason why literally every website has a cookie popup that defaults to consent for tracking so you can't even block them. They never think things through.

The whole proposal is ridiculous. They're barking up the wrong tree here. You can certify software till kingdom come, but make one mistake in configuration and your systems are wide open. And what if you simply won't accept updates? What if your production depends on an obsolete version of _______ (insert any software) that is full of vulnerabilities? (A nightmare, sure, but an unfortunate reality for many.) My proposal: take the proposed budget, split it, put some in security research and development with the goal of publishing practical advice and instructions for developers, and some in sponsoring bug bounties or actual security fixes (i.e. development projects).

It's time to form the Unorganized Militia Signal Corps.

I think the decentralized nature of open source ultimately makes these acts not apply to oss. What exactly is stopping these projects from just going "no, lol"?

there are alot of projects that have in their terms of use "Don't use in North Korea". The terms can be updated to add "and EU"

People who make laws so seldom reflict on who the powers stipulated can be turned around to do the opposite of what is desired. Automatic updates are themselves a security problem. It looks like what they are doing here is trying to do here is to make sure that all software has interfaces that allows the good guys to take control or watch what is being done with it. I.e. to integrate all software into existing good guy systems that have convenient UIs.

Did no one tell these idiots that YOU CANNOT LEGISLATE SECURITY?!

Hard enough being a small developer, not going to comply. I also deliver my products as is. I try make it it secure but I don't want to answer to some third party. If customers demanded more security and paid for it, it would happen due to market pressure

the fact that the law is in direct conflict with the GPL is insane. it’s impossible to comply with both. i do think that we need more vetting of open source projects, but this is clearly not the way to do it. the responsibility should if anything fall on the commercial users, preferably in a way that encourages them to pay the open source developers for doing the vetting. that might discourage companies from using small OSS projects, but i’m not even sure that that is entirely a bad thing

What we need is a dark web, open source, github, and a bunch of open source dark web AI. And the hard part ... they gotta be distributed.

So, open source software makers have no power to regulate what goes into their code, (because if they did it wouldn't be "open,") yet they are personally responsible for any malware that slips in?!

Basically, TLDR... the EU is making sure that all companies move their data centers and offices outside the EU. Thankfully, this will speed up the process of the EU as a dying entity. By the end, the entire Euro zone will be a deindustrialized wasteland with no tech companies or farming. The EU just keeps shooting themselves in the legs over and over again, I love it... keep it up.

Just add a clause to the SW license that forbides the usage of Open Source in the EU. Problem solved.