<!DOCTYPE html><html><head><title></title><style type="text/css">p.MsoNormal,p.MsoNoSpacing{margin:0}</style></head><body><div>Hi all,<br></div><div><br></div><div>My initial thoughts were that it is ridiculous to expect open source projects that require no payment for use to place responsibility on the project developers and maintainers to be responsible for security issues.<br></div><div><br></div><div>However, the current reality is that based on recent examples OSGeo projects that become aware of a critical vulnerability result in it being fixed by maintainers within hours/days. These fixes are nearly always unpaid work carried out during weekends and evenings due to the conscientiousness of those involved in the projects. <br></div><div><br></div><div>From [1]: "The rules could cut the cost of cyber incidents to companies by as much as 290 billion euros ($289.8 billion) annually versus compliance costs of about 29 billion euros"<br></div><div><br></div><div>If OSGeo can find a way to capture some of this value by ensuring compliancy and gathering funds from large organisations that use OSGeo projects, then this could be seen as an opportunity rather than an impending disaster. <br></div><div><br></div><div>From the Log4js experience it seems companies are prepared to spend whatever it takes to resolve security issues, whilst avoiding any general maintenance and software update costs. 
<br></div><div><br></div><div>Seth<br></div><div><br></div><div>[1] <a href="https://www.reuters.com/technology/draft-eu-rules-target-smart-devices-with-cybersecurity-risks-2022-09-08/">https://www.reuters.com/technology/draft-eu-rules-target-smart-devices-with-cybersecurity-risks-2022-09-08/</a><br></div><div><br></div><div id="sig62266145"><div class="signature">--<br></div><div class="signature">web:<a href="https://geographika.net">https://geographika.net</a> & <a href="https://mapserverstudio.net">https://mapserverstudio.net</a><br></div><div class="signature">twitter: @geographika<br></div></div><div><br></div><div>On Fri, Jul 21, 2023, at 11:20 PM, Adam Steer via Discuss wrote:<br></div><blockquote type="cite" id="qt" style=""><div dir="auto"><div>Hi OSGeo<br></div><div dir="auto"><br></div><div dir="auto">The European Union's proposed Cyber Resilience Act has just come to the attention of many non-EU folks as a potential dampener on open source geospatial software development and usage. 
A summary from GitHub is here (thanks Marco Bernasocchi for pointing it out):<br></div><div dir="auto"><br></div><div dir="auto"><a href="https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/" target="_blank" rel="noreferrer">https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/</a><br></div><div dir="auto"><br></div><div dir="auto"> It's being discussed in the OSGeo board, and some responses from other open source organisations have already been made, for example: <a href="https://newsroom.eclipse.org/news/announcements/open-letter-european-commission-cyber-resilience-act" rel="noreferrer noreferrer" target="_blank">https://newsroom.eclipse.org/news/announcements/open-letter-european-commission-cyber-resilience-act</a><br></div><div dir="auto"><br></div><div dir="auto">It would be great to hear your thoughts on the impact of the proposed legislation on open source geospatial software development across the globe - so we can form an appropriate community response as soon as possible. What are your thoughts?<br></div><div dir="auto"><br></div><div dir="auto">Yes, we're late in getting our attention on to this. Hopefully not too late. <br></div><div dir="auto"><br></div><div dir="auto">Thanks,<br></div><div dir="auto"><br></div><div dir="auto">Adam<br></div><div dir="auto"><br></div><div dir="auto">--<br></div><div dir="auto">Dr. Adam Steer<br></div><div dir="auto">OSGeo director<br></div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><br></div></div><div>_______________________________________________<br></div><div>Discuss mailing list<br></div><div><a href="mailto:Discuss@lists.osgeo.org">Discuss@lists.osgeo.org</a><br></div><div><a href="https://lists.osgeo.org/mailman/listinfo/discuss">https://lists.osgeo.org/mailman/listinfo/discuss</a><br></div><div><br></div></blockquote><div><br></div></body></html>