
@bert_hubert Tree falling in the woods type question, but is a vulnerability which is not exploitable actually a vulnerability?

@edavies The point of regulations is not that they can charitably be interpreted as being good enough. They must be very clear so even an uncharitable reading comes out ok.

@bert_hubert Fair point. I guess even the history of having removed the word “exploitable” would work against somebody arguing that a non-exploitable vulnerability (if that's meaningful) is not a vulnerability. Or the opposite…

@edavies I updated the post a bit with some discussion on how one might interpret 'vulnerability'.

@bert_hubert And known by whom? Random employee who stumbled upon a problem while debugging a different problem and forgot to report it? Or like, the release manager/team?

@bert_hubert My big problem is, who defines "known"?

With or without "exploitable", the main issue seems to be ignored, whereby the EU will have to spin up a European version of what China and the US attempt to do with their vulnerability tracking efforts, despite them failing horribly for open source software.

I think the phrase I'm looking for is, "Ik zie beren op de weg", right?

@gregkh Soon you'll be able to pass for a native ;-) Updated the post with some words on 'known'. Not yet sure if I can/should write on the vulnerability tracking.

@bert_hubert Hi Bert, many thanks for writing your thoughts about this so swiftly and extensively. Where did you find the latest draft of the CRA that you are referring to in this second document? Is this a first Council compromise proposal, as reported by EURACTIV: euractiv.com/section/cybersecu or did you find something else?

EURACTIV: "EU Council extends product lifetime, clarifies scope in cybersecurity law", by Luca Bertuzzi

@mattis A 10th of March Council version is circulating widely, and that is what I am referring to. Will clarify that in the post.