[OSGeo-Discuss] EU Cyber Resilience Act - potential impacts on open geospatial software?

Jody Garnett jody.garnett at gmail.com
Sun Jul 23 11:07:51 PDT 2023


I have some sympathy for regulators on this one. Software ate the world,
and open source ate the software. Now the consequences are that there are
disruptions to society when there is a problem with our open source
software.

There is a good Apache Article (
https://news.apache.org/foundation/entry/save-open-source-the-impending-tragedy-of-the-cyber-resilience-act)
for those who wish to read rather than watch the eclipse video.

One critical ask the article makes is about open-source being
treated as a "commons". Many folks, including the regulators apparently,
are not sure how to participate in a commons and respect both the grass and
others enjoying it.

To that point I am not sure where the impression that companies are
willing to "pay whatever it takes" comes from. The actual lived experience
of security vulnerability reporting ... comes across as very entitled at
best, and harassment/demanding at worst.

Do not be distracted by "software provider" - we are a community with the
mandate to empower everyone with free and open source geospatial software.
The apache article makes it very clear that society expects us as "software
providers" to do much better (these regulations are intentionally aimed at
open source). What is quiet is that we as "software providers" expect
society to do better also (if stability, safety and security matter then it
is a place the wider society can invest time).

The other interesting aspect is the economics of this proposed regulation.
The regulators are hoping the European small and medium sized businesses
will only have to pay to certify the code they are responsible for; and
rely on others upstream to certify the rest.

But with free and open source the license is use at your own risk - and the
source code is provided so that you can mitigate your own risk.  The social
contract invites these businesses onto the grass. It is a shared pasture,
and if your country wants to mandate organic seed start planting.

I fear this will place a very large strain on our European friends. Not
only the small and medium business; but anyone participating.

It is worth noting that OSGeo as an organization is not against having
standards and regulations.
- OSGeo very much thrives with open-standards (indeed history shows GRASS
community bootstrapped some of this with the formation of OGC.)
- OSGeo directly has "regulations" with an incubation checklist capturing
what we viewed as valuable 15 years ago. While it is time to update that
list, the important thing is we have a list. We made that checklist to
ensure our software was trustworthy for our community; in part to combat
the open source FUD at the time (so that open source could reach a wider
audience).

I started saying that software ate the world, and open source ate the
software. But in our specific industry that is not true. OSGeo has not
followed through on the disruptive part of the formula (due to a lack of
marketing/advocacy I expect). The effect is that GIS / Mapping software
has not transitioned from an advantage, to a commodity, from a commodity
to a foss4g commons we can all benefit from. It would be good to have a
larger foss4g community to draw on when adapting to these changing
expectations.

The value of having a software foundation as a neutral ground remains. We
do have a commons under the OSGeo umbrella, and it is a sensible response
for European small and medium business to pool resources to address any
regulation requirements. We will learn how realistic this is, and if OSGeo
has a role to play in the coming years. OSGeo may need to figure out how
much liability it is prepared to take on; or if it is smarter to have
distinct foundations like qgis.org and gvSIG Association.

Random thoughts:

- Large business may choose to meet these requirements on their own (which
makes RHEL actions recently more understandable).

- Apache article also hints that open source just may not operate in Europe
(as happened with US encryption regulations). I do not think that is a long
term solution, as I expect we will get more regulation over time in other
locations.

- The economics of this are where I would like to know more. I hope we get
a Paul Ramsey keynote on this topic as his thoughtfulness and clarity have
served our community well.

I am going to stop writing, this is probably a topic for geobeers.
--
Jody

On Fri, Jul 21, 2023 at 5:36 PM Seth G via Discuss <discuss at lists.osgeo.org>
wrote:

> Hi all,
>
> My initial thoughts were that it is ridiculous to expect open source
> projects that require no payment for use to place responsibility on the
> project developers and maintainers to be responsible for security issues.
>
> However the current reality is that based on recent examples OSGeo
> projects that become aware of a critical vulnerability result in it being
> fixed by maintainers within hours/days. These fixes are nearly always
> unpaid work carried out during weekends and evenings due to the
> conscientiousness of those involved in the projects.
>
> From [1]: "The rules could cut the cost of cyber incidents to companies by
> as much as 290 billion euros ($289.8 billion) annually versus compliance
> costs of about 29 billion euros"
>
> If OSGeo can find a way to capture some of this value by ensuring
> compliance and gathering funds from large organisations that use OSGeo
> projects, then this could be seen as an opportunity rather than an
> impending disaster.
>
> From the Log4js experience it seems companies are prepared to spend
> whatever it takes to resolve security issues, whilst avoiding any general
> maintenance and software update costs.
>
> Seth
>
> [1]
> https://www.reuters.com/technology/draft-eu-rules-target-smart-devices-with-cybersecurity-risks-2022-09-08/
>
> --
> web:https://geographika.net & https://mapserverstudio.net
> twitter: @geographika
>
> On Fri, Jul 21, 2023, at 11:20 PM, Adam Steer via Discuss wrote:
>
> Hi OSGeo
>
> The European Union's proposed Cyber Resilience Act has just come to the
> attention of many non-EU folks as a potential dampener on open source
> geospatial software development and usage. A summary from GitHub is here
> (thanks Marco Bernasocchi for pointing it out):
>
>
> https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/
>
>  It's being discussed in the OSGeo board, and some responses from other
> open source organisations have already been made, for example:
> https://newsroom.eclipse.org/news/announcements/open-letter-european-commission-cyber-resilience-act
>
> It would be great to hear your thoughts on the impact of the proposed
> legislation on open source geospatial software development across the
> globe  - so we can form an appropriate community response as soon as
> possible. What are your thoughts?
>
> Yes, we're late in getting our attention on to this. Hopefully not too
> late.
>
> Thanks,
>
> Adam
>
> --
> Dr. Adam Steer
> OSGeo director
>
>
>
> _______________________________________________
> Discuss mailing list
> Discuss at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/discuss
>
--
Jody Garnett