Re: OpenWrt One vs. EU Cyber Resilience Act
I did look into the EU CRA from the commercial entity point-of-view. SBOM documentation and continued product monitoring for vulnerabilities and hazards to people are central + effective incident response (including; how to pull a product of the market if needed). In regard to OpenWrt One; it would perhaps be enough if it was/is classified as a not-for-profit device ...? On 19/01/2024 21.18, Hauke Mehrtens wrote: The EU is working on a EU Cyber Resilience Act to improve the software security of (consumer) software and (consumer) hardware which contains software. This should be similar to the CE sign, but for software. https://en.wikipedia.org/wiki/Cyber_Resilience_Act After the successful lobbying of multiple open source organizations non commercial open source software developer would be exempt from this regulation. As far as I understood the OpenWrt project would not be affected by this regulation, but if a vendor uses OpenWrt on a router, this vendor has to make sure that his product including OpenWrt is compliant when selling onto the EU market. With the OpenWrt One we or Banana Pi could also get required to take care of this regulation. Did someone look into the requirements needed to make OpenWrt compliant to the EU Cyber Resilience Act for a commercial entity? Did someone look into this regulation with the OpenWrt One project in mind? I support the general idea of the EU to improve the security of software. I think the current draft is much better regarding open source than the first versions. Hauke ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel -- - Gregers Baur-Petersen Anthropologist Information security consultant ___ __ | |.-.-.-.| | | |..| |_ | - || _ | -__| || | | || _|| _| |___|| __|_|__|__||||__| || |__| W I R E L E S S F R E E D O M - OpenWrt 19.07.2, r10947-65030d81f3 - ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: OpenWrt One vs. EU Cyber Resilience Act
On Fri, Jan 19, 2024 at 09:18:02PM +0100, Hauke Mehrtens wrote: > The EU is working on a EU Cyber Resilience Act to improve the software > security of (consumer) software and (consumer) hardware which contains > software. This should be similar to the CE sign, but for software. > https://en.wikipedia.org/wiki/Cyber_Resilience_Act > > After the successful lobbying of multiple open source organizations non > commercial open source software developer would be exempt from this > regulation. As far as I understood the OpenWrt project would not be affected > by this regulation, but if a vendor uses OpenWrt on a router, this vendor > has to make sure that his product including OpenWrt is compliant when > selling onto the EU market. With the OpenWrt One we or Banana Pi could also > get required to take care of this regulation. > > Did someone look into the requirements needed to make OpenWrt compliant to > the EU Cyber Resilience Act for a commercial entity? > > Did someone look into this regulation with the OpenWrt One project in mind? Yes, per your email, we at SFC looked into this today. SFC believes that the compliance with this regulation will be the manufacturer's responsibility. Denver Gingerich Director of Compliance Software Freedom Conservancy ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: OpenWrt One vs. EU Cyber Resilience Act
The EU is working on a EU Cyber Resilience Act to improve the software security of (consumer) software and (consumer) hardware which contains software. This should be similar to the CE sign, but for software. https://en.wikipedia.org/wiki/Cyber_Resilience_Act After the successful lobbying of multiple open source organizations non commercial open source software developer would be exempt from this regulation. As far as I understood the OpenWrt project would not be affected by this regulation, but if a vendor uses OpenWrt on a router, this vendor has to make sure that his product including OpenWrt is compliant when selling onto the EU market. With the OpenWrt One we or Banana Pi could also get required to take care of this regulation. Did someone look into the requirements needed to make OpenWrt compliant to the EU Cyber Resilience Act for a commercial entity? Did someone look into this regulation with the OpenWrt One project in mind? I support the general idea of the EU to improve the security of software. I think the current draft is much better regarding open source than the first versions. Hauke ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel