In honour of Maintainer Month, Open Regulatory Compliance (ORC) will host a panel with GitHub on 27 May focused on one of the most pressing topics facing open source maintainers today. Maarten Aertsen is among the expert speakers featured in the discussion, “The Cyber Resilience Act and Open Source: What Maintainers Really Need to Know.”
Maarten is an engineer interested in the legal, social and economic factors underlying the Internet's core technologies. He works as senior internet technologist at NLnet Labs, a small, independent public benefit organisation contributing to the robustness, security and reliability of the Internet and the privacy of its users. Its open source software and work on open standards for the Domain Name System and (safe) inter-domain routing are in use globally. Maarten serves on the ICANN Security and Stability Advisory Committee (SSAC), which engages in ongoing threat assessment and risk analysis of the Internet's naming and address allocation services.
We asked Maarten a couple of questions so that attendees could learn a bit more about his work and his thoughts on the Cyber Resilience Act in advance of the session next week.
Can you tell us a bit about your background including your work with the Cyber Resilience Act (CRA)?
By sheer coincidence, I was one of the first people to look at the CRA's implications for Free and Open Source Software (FOSS) and raise awareness to bring others in to engage with policy makers, back in Fall 2022. A tweet about my analysis got me in touch with the European Commission, and thus started what at times felt like a roller-coaster of discovering how policy-making in Brussels works. From then until the end of negotiations on December 15, 2023, raising awareness and channelling feedback soon became a significant time investment. There's a lightning talk at FOSDEM on my journey, for those who are interested, but the bottom line is that I am quite familiar with how the CRA came about.
How would you describe the CRA to someone who doesn’t understand it? Why should we care?
The CRA is the European Union introducing rules for digital products on its market. The law aims to raise the floor on security practices amongst developers generally, but puts obligations only where software is monetised. The CRA has a nuanced approach with respect to FOSS.
You should care about the rules the CRA introduces if you are making money on software in the EU. Or, if you are interested in understanding the first attempt to regulate the market for software.
Contributing to FOSS is not impacted. Individuals maintaining open source projects that are not monetising are not impacted either. Obligations for organisations maintaining open source projects are hard to summarise in a single sentence but are nuanced.
From your perspective, what are the biggest opportunities—or challenges—the CRA presents for the tech ecosystem?
Manufacturers, those that make money on software products on the EU market, will have obligations going forward. I believe most of the opportunities and challenges of the CRA for open source projects will flow from how manufacturers choose to act upon these obligations, in particular, in their interactions with upstream maintainers of dependencies they bundle into their products.
One of these obligations is to share security patches they apply to dependencies with the upstream maintainer. One change maintainers may therefore see is more contributions from manufacturers. Notably, there is no obligation on a maintainer to engage. But I am personally hopeful that this obligation on manufacturers will move some of them from passive consumer to active contributor or supporter, with a positive effect on sustainability or security. We'll know in a few years.
What are some common misconceptions about the CRA that you think need clearing up?
If you heard that the CRA will have a large impact on FOSS, your knowledge may be outdated. As a result of FOSS advocacy, the CRA changed substantially between the first proposal and the published law. And so many of the early concerns, including some of mine, are no longer an issue.
The CRA, as published, has a nuanced approach to FOSS. But for those that make money off software on the EU market, there are obligations. The law will be a game-changer for the software industry.
I hope the panel will help people forget outdated concerns, identify what the CRA means to them, and what steps they can take to learn more.
Add it to your calendar to join.
Participate with the ORC
- Follow us on social: BlueSky, LinkedIn, and YouTube
- Learn
- Contribute
- Join the Working Group