[ overboard / sfw / alt / cytube] [ leftypol / b / WRK / hobby / tech / edu / ga / ent / 777 / posad / i / a / R9K / dead ] [ meta ]

/tech/ - Technology

"Technology reveals the active relation of man to nature"

File: 1703746170106.png ( 17.69 KB , 600x320 , deb cra.png )

 No.12821

Debian statement:
https://www.debian.org/vote/2023/vote_002#statistics

some interesting comments on LWN and hackernews
https://news.ycombinator.com/item?id=38787005
https://lwn.net/Articles/956187/

My takeaway from this is that people are unsure whether this is an honest attempt at legislating for more computer security, or whether it's monopolists trying to kill off smaller competitors or FOSS projects with impossible regulatory burdens. Debian's take seems to be that if they can make provisions for FOSS and smaller companies it might be good; they seem to think that the CRA makes sense for closed source software, but less so for open source.

<Manufacturers will need to perform risk assessments and produce technical documentation and, for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours. The CRA will be followed up by the Product Liability Directive which will introduce compulsory liability for software.

The irony is that FOSS software probably gets audited more than any other software, but it's by other programmers who will not bother to declare an official audit. They will just use the issue tab on GitHub, complain about bugs/vulnerabilities in the project forum/messaging, mailing lists or on IRC. GPL and other free-software licenses generally have disclaimers that they do not offer any warranties. The CRA legislation would introduce compulsory liability. So that would be trying to make a law that overrules the GPL and other such licenses. I think the reason why FOSS software had those liability exemption clauses added in the first place might have been because there was a lot of "liability lawsuit trolling" in the past. If I understood this correctly, there might be a risk that if you make a GitHub repository and post some code to it, somebody might try to sue you for liability as part of a shady lawyer scam or something. It was generally the case that in order to get a warranty you had to buy a software support contract with a company, and the liability was handled via that contract; that way only actual customers could sue, instead of literally everybody.

I remain skeptical about the prospects of legislating more computer security into existence, because for most software types, security can't be quantified or measured like one can with the structural integrity of a building or the seaworthiness of a ship (security vs environment). Whether software is secure or not tends to be relative and depends on the abilities of the attackers. I still think that the path to significantly more computer security lies in making software development tools that do not let you write insecure code in the first place. Like the Rust programming language, which has eliminated a whole class of memory-leak security flaws, because a clever compiler does that part of memory management. Basically IT security know-how in a can. Expertise not simply exercised to check code once, but instead condensed into a tool that shepherds all programmers into "secure code lanes" all the time.

I thought that open and closed source software could live and let live, coexist side by side, and that it wasn't going to be like in the 90s when MS tried to kill Linux. In case this is some kind of attack against FOSS by proprietary monopolists, what's to be done?

 No.12822

Might help if you explained what the hell "CRA" is first, OP.

 No.12823

>Like the RUST programming language that has eliminated a hole class of memory-leak security flaws
I play Veloren regularly and it has literally had a memory leak for well over a year (if not years). Rust hype is fucking stupid.

 No.12824

>>12822
CRA stands for "cyber resiliency act".
It's EU legislation that's supposed to improve IT security.
But might end up screwing over Open source and small tech

 No.12825

>>12823
>I play Veloren
I approve of your taste in video games
>and it has literally had a memory leak for well over a year
chances are this is caused by a graphics api.
>Rust hype is fucking stupid.
It got approved by the Linux kernel dev team tho.

 No.12826

>>12823
OP is dumb but so are you. Rust eliminates memory safety issues, but memory leaks are not categorized as such because it is impossible for a compiler or even a runtime to determine if memory allocations are leaks or intentional.

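Added example, not posted by anyone in this thread: the distinction >>12826 draws (and that the OP's "whole class of memory-leak flaws" sentence blurs) in runnable code. Everything below is safe Rust using only the standard library; the compiler rejects use-after-free and double-free, but an `Rc` reference cycle leaks with no warning, and `Box::leak` is a deliberately provided safe API. The `Node` type and the destructor counter are constructed for this demo.

```rust
// Added example (not from the thread): "memory safe" does not mean "leak free".
// Safe Rust, no unsafe blocks, compiles cleanly. The borrow checker rules out
// use-after-free and double-free; it cannot rule out a reference cycle leak,
// because an allocation that is still reachable looks exactly like one the
// program still wants.
use std::cell::{Cell, RefCell};
use std::rc::{Rc, Weak};

// Counts how many Node destructors actually ran (constructed for this demo).
thread_local! {
    static DROPPED: Cell<usize> = Cell::new(0);
}

struct Node {
    // Strong link: keeps the target alive. Two of these pointing at each
    // other form a cycle that reference counting can never collect.
    next: RefCell<Option<Rc<Node>>>,
    // Weak link: does not keep the target alive, so it cannot hold a cycle open.
    back: RefCell<Option<Weak<Node>>>,
}

impl Drop for Node {
    fn drop(&mut self) {
        DROPPED.with(|d| d.set(d.get() + 1));
    }
}

fn new_node() -> Rc<Node> {
    Rc::new(Node { next: RefCell::new(None), back: RefCell::new(None) })
}

fn dropped_so_far() -> usize {
    DROPPED.with(|d| d.get())
}

/// Builds a -> b and b -> a with strong pointers, drops both local handles
/// and returns how many destructors ran. Both nodes are leaked: returns 0.
pub fn leak_with_strong_cycle() -> usize {
    let before = dropped_so_far();
    let a = new_node();
    let b = new_node();
    *a.next.borrow_mut() = Some(Rc::clone(&b));
    *b.next.borrow_mut() = Some(Rc::clone(&a));
    // Each node is now held by a local handle and by the other node.
    assert_eq!(Rc::strong_count(&a), 2);
    drop(a);
    drop(b);
    // The locals are gone, but a.next and b.next still hold each other,
    // so neither count ever reaches zero and neither Drop runs.
    dropped_so_far() - before
}

/// Same shape, but the back edge is a Weak pointer, so dropping the local
/// handles frees both nodes. Returns how many destructors ran: 2.
pub fn no_leak_with_weak_back_edge() -> usize {
    let before = dropped_so_far();
    let a = new_node();
    let b = new_node();
    *a.next.borrow_mut() = Some(Rc::clone(&b));
    *b.back.borrow_mut() = Some(Rc::downgrade(&a));
    // A Weak pointer does not contribute to the strong count.
    assert_eq!(Rc::strong_count(&a), 1);
    drop(a); // a is freed; b.back now points at nothing, and upgrade() returns None
    drop(b);
    dropped_so_far() - before
}

/// Leaking on purpose is also a safe operation: the standard library exposes it,
/// because a leak can never cause a dangling pointer, only lost memory.
pub fn leak_on_purpose() -> &'static str {
    let s = String::from("kept for the process lifetime");
    // Box::leak hands back a 'static reference and never frees the allocation.
    Box::leak(s.into_boxed_str())
}

fn main() {
    println!("strong cycle: {} destructors ran (expected 0)", leak_with_strong_cycle());
    println!("weak back edge: {} destructors ran (expected 2)", no_leak_with_weak_back_edge());
    println!("Box::leak: {:?}", leak_on_purpose());
}
```

Run it with `rustc` or `cargo run` and it prints 0, 2 and the leaked string with no compiler diagnostic at all, which is the point: the class of bug Rust removes is memory corruption (the exploitable kind), not unbounded memory growth, which remains a plain logic bug the language does not try to catch.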