The European Parliament passed the Cyber Resilience Act (CRA) last month, and seven open-source foundations are working together to create shared specifications and standards for it.
Several prominent foundations, including the Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation, have announced their plans to collaborate and strengthen security measures in open source software development. Their aim is to address concerns surrounding the software supply chain and ensure its readiness for upcoming legislation in the next three years.
Estimates suggest that open-source components make up between 70% and 90% of software. Dedicated programmers often create these components by voluntarily contributing their time and resources.
The draft of the Cyber Resilience Act was introduced almost two years ago, aiming to establish standardized cybersecurity practices for hardware and software products sold throughout the European Union. It requires all manufacturers of internet-connected products to keep those products current with the latest patches and security updates, and it imposes penalties for any shortcomings.
These penalties for noncompliance can be quite severe, with potential fines reaching up to €15 million, or 2.5% of global turnover.
The legislation in its initial form received strong criticism from various third-party organizations, including over a dozen open-source industry bodies. They expressed their concerns about the Act’s potential negative impact on software development in a letter last year. There were significant concerns about the potential liability of open-source developers for security defects in downstream products. This fear of legal consequences deterred volunteer project maintainers from working on critical components, similar to the concerns surrounding the recently approved EU AI Act.
Within the CRA regulation, certain provisions provided protections for the open source community by exempting developers who had no interest in commercializing their work. Nevertheless, there was room for interpretation regarding which activities would count as “commercial”: would sponsorships, grants, and other types of financial assistance be included, for instance?
The text underwent several revisions to address the concerns. The revised legislation clarified the exclusions for open source projects and introduced a designated role for “open source stewards,” including not-for-profit foundations.
“Overall, we are satisfied with the result,” Mike Milinkovich, the executive director of the Eclipse Foundation, said in an interview with Eltrys, affirming that the process worked and that the open source community’s input was taken into account. Notably, the final regulation acknowledges “open source software stewards” as economic actors within the software supply chain. The legislation is groundbreaking in recognizing the crucial role that foundations and other community stewards play on a global scale.
The new regulation has now been approved, with implementation scheduled for 2027. This timeline gives all parties involved time to prepare and to address any specific requirements or concerns, and that preparation is the current objective of the seven open-source foundations.
Milinkovich stated, “We need to accomplish a significant amount of work in the next three years to successfully implement the CRA.” It is worth noting that the CRA is the first legislation anywhere in the world to regulate the software industry as such. Its implications extend well beyond the open source community: it will affect startups, small enterprises, and even the major players in the global industry.
Because of the way numerous open-source projects progress, their documentation is often incomplete or nonexistent. This makes audits difficult and prevents downstream manufacturers and developers from establishing their own CRA processes.
Some of the better-funded open source initiatives have established effective best practice standards, covering areas such as coordinated vulnerability disclosure and peer review. However, each organization may employ different methodologies and terminologies. By collaborating, the foundations hope to approach open source software development as a unified entity guided by common standards and processes.
With the addition of other proposed regulations, such as the Securing Open Source Software Act in the U.S., it is evident that the different foundations and “open source stewards” will face increased scrutiny for their involvement in the software supply chain.
In a recent blog post, the Eclipse Foundation highlighted the need for better alignment and more comprehensive documentation of the approaches taken by open source communities and foundations, even though those approaches already follow industry best practices around security. The open source community and the software industry as a whole are facing a pressing issue: the introduction of legislation has created a sense of urgency about the need for cybersecurity process standards.
The Eclipse Foundation will lead the new collaboration from its central hub in Brussels. The foundation is known for its vast collection of open-source projects, including developer tools, frameworks, and specifications, and its members include companies such as Huawei, IBM, Microsoft, Red Hat, and Oracle.