[OSGeo-Discuss] OSGeo Cyber Resilience Act statement

Jody Garnett jody.garnett at gmail.com
Fri Nov 3 14:56:10 PDT 2023


My understanding is that the time to influence has largely passed (but at
least some good feedback is now going to be included).

We will be in a better position to plan after November 8th, and then again
when the law goes into effect.

Some personal notes and observations:

* The public feedback understandably focuses on liability for individuals
and organizations that contribute to free and open source. It is my hope
that projects can be sheltered by OSGeo, with the foundation allowing risk
to be shared, rather than simply excluding contributors from Europe (or
having contributors from Europe exclude themselves).

* I am curious if this will be like GDPR and have a worldwide impact on
service providers, software and websites (just because they can be accessed
from Europe and are thus "published" into the European market and subject
to regulation).

* To be successful in helping projects face CRA requirements, OSGeo will
have to revise our project incubation requirements. It is rare for OSGeo to
play such an active role. The last time this was done was to implement
code-of-conduct policies (which was also a response to liability risk).

* I expect OSGeo to benefit from better funding/participation to help projects
meet CRA requirements. As a community, for whatever reason, we struggle to
talk plainly about money.

* It is awkward that service providers / organizations / companies do not
have great representation in our community. Collaborating on topics like
the CRA may be an opportunity for OSGeo to strengthen these relationships
(and to strengthen relationships between service providers).

* It is interesting that the CRA is strongly aligned with one of OSGeo's
cherished beliefs: that project governance is best shared. The revised
text appears to acknowledge projects with decentralized decision-making,
while projects managed by a single developer or company require full
compliance. Having shared governance is also a requirement for OSGeo
projects (part of our history of being averse to vendor lock-in).

* Many FOSS4G projects are managed by a single individual or organization.
Seeking out partnerships to avoid being governed by a single entity, or
joining the OSGeo foundation as a project to take advantage of reduced
requirements, may be a sensible response.

* OSGeo community projects are endorsed by OSGeo, but do not have a formal
leadership relationship with OSGeo. We may need to revisit this program in
2024 strictly from a liability perspective.

* I feel that this regulation is what success looks like for free and
open-source. Regulation in Europe is not isolated, as there is also
regulation taking shape in the US and other markets.

* It looks like some of the more annoying regulations may be required only
for vulnerabilities that are actively under attack. Security experts are
already speaking up on why ideas like informing the government within 24
hours are a terrible idea.

We will learn more next week,
Jody


On Fri, Nov 3, 2023 at 12:35 AM Luís Moreira de Sousa <
luis.de.sousa at protonmail.ch> wrote:

> Hi there,
>
> thank you to the board for going through with this initiative. While it
> may seem there is little time left to influence the process, it is still
> very important to let your MEPs know of your concerns. We all benefit if
> the open source community at large makes it clear it is sentient of
> legislative initiatives and willing to engage.
>
> Regards.
>
>
> --
> Luís
>
>
> Sent with Proton Mail <https://proton.me/> secure email.
>
> ------- Original Message -------
> On Thursday, November 2nd, 2023 at 8:17 PM, Jody Garnett via Discuss <
> discuss at lists.osgeo.org> wrote:
>
> Dear All,
>
> A short statement from OSGeo is now available to share:
> https://www.osgeo.org/foundation-news/eu-cyber-resilience-act/
>
> Thanks to OSGeo board and Simone Giannecchini for working on this
> statement.
> --
> Jody Garnett
>
>
>