Open-source software: A first attempt at organization after CRA

The open-source software (OSS) industry is developing the core software for the global infrastructure, to the point that even some proprietary software giants adopt Linux servers for their cloud services. Still, it has never been able to get organized by creating representative bodies capable of giving an organic response to issues such as those raised at the European level by the Cyber Resilience Act.

I have been advocating for years the need to transform a movement based on the enthusiasm of individuals into something structured, which represents its market value (according to some estimates, over 100 billion euros in Europe alone).

Of course, the challenge is to carry out the transformation without distorting the movement, because the goal is not to reproduce the world of proprietary software and its structural dependence on the lobby system, but to bring the same kind of innovative approach from software to organizations.

The EU Cyber Resilience Act as impetus for change

The Cyber Resilience Act was a shock that awakened many people from their comfort zone: How dare the “technical” representatives of the European Union question the security of open-source software? The answer is very simple: because we never told them, and they assumed it was because no one was concerned about security.

This is a short-sighted view but is representative of the lack of awareness of open-source software even among insiders, which unfortunately is a direct consequence of both very little attention to communication and the lack of a shared strategy on common issues, such as security.

The Heartbleed and Log4Shell incidents have created the perception that no one is looking after the security of open-source software. As if the global infrastructure, which rests on the shoulders of many servers and network equipment based on Linux, works by pure chance or by a lucky coincidence.

At the end, the Cyber Resilience Act was approved by the EU legislators with several changes that made it acceptable. The most important is the creation of the “open source steward”.

The open source steward is any legal person (other than a manufacturer) whose purpose is to:

• Provide support on a sustained basis for the development of products with digital elements qualifying as free and open-source software (FOSS), intended for commercial activities
• Ensure the viability of those products

Consequently, the provision of free and open-source software products with digital elements that are not monetized by their manufacturers is not considered a commercial activity and is not subject to the same rules set by the Cyber Resilience Act for commercial software.

The CRA requires software with automatic updates to roll out security updates automatically by default, while allowing users to opt out (when feasible, security updates should be separated from feature updates). 

Companies must conduct a cyber risk assessment before a product is released and throughout 10 years or its expected lifecycle, and must notify the EU cybersecurity agency ENISA of any incidents within 24 hours of becoming aware of them, as well as take measures to resolve them. In addition to that, software products must carry the CE marking to show that they meet a minimum level of cybersecurity checks.

Open-source stewards will have to care about the security of their products but will not be asked to follow these rules.

In exchange, they will have to improve the communication and sharing of best security practices, which are already in place, although they have not always been shared. So, the first action was to create a project to standardize them, for the entire open-source software industry.

The OSS industry must become a real industry

One of the most active and structured organizations during the process of revising the first version of the Cyber Security Act was Eclipse Foundation. Therefore, it was logical that a joint project for standardizing best security practices would find its “home” within it and be open to all open-source organizations and projects.

The project is called the Open Regulatory Compliance Working Group. (For technical aspects, there is a GitLab repo.)

The project will enter the operational phase in early 2025, ready for the Cyber Resilience Act, which will come into effect in 2026 at EU level, and in 2027 at the level of individual states, with the hope that they will transpose the law properly on a country-by-country basis.

The project has many members – large companies such as Mercedes and Nokia, Eclipse Foundation projects, and some open-source foundations, including The Document Foundation – and will welcome additional ones.

I am confident about the success of the initiative. I think it is important to point out how the circumstances – the fear that we are close to the disappearance of the open-source software industry – have woken people and made it clear how the divisions of the past were meaningless, especially in the face of the compactness of the proprietary software industry.

It is probably the right time for the open-source software industry to become a real industry, with shared best practices (instead of the traditional “my bit is better than yours”), shared communication (instead of the traditional lack of communication), and the ability to bring forward issues in the common interest of open-source software.

We have started on the right path, but there is still a long, long way to go.