Hi folks, I was lucky enough to attend the ASF Board face2face strategy meeting that was held immediately before the Community over Code EU. I don't speak for the board and don't want to steal their thunder but I did want to give our community a heads-up of changes coming our way. I'm sure there will be more discussions from the ASF on these topics in the coming weeks and months.
Two of the big priorities for the board are to help projects meet Cyber Resilience Act (CRA) requirements and reduce the burden on projects for things like board reporting. There will be good and bad aspects of the CRA, but my feeling for us is that once some ASF tooling (still under discussion) is in place, we'll be able to produce higher quality releases with lower burdens on the project.

For those that haven't brushed up on the CRA recently, a quick summary follows. A few weeks ago, the European Commission added digital software products as products covered under the Product Liability Directive. The CRA will fully roll out over the next 3 years with increasing requirements coming into play over time. This means that there will be an increased burden on projects within the open source ecosystem/supply chain. Similar initiatives are following in other regions over the coming years. The EU has just been the first to get the legislation enacted.

Some of the requirements will likely be:

* CVE processes
* Risk-based triage
* Responsible disclosure
* SBOM publication
* Reproducible builds
* Explicit reporting/alerts to the regulators
* Release artifacts not built on an individual release manager's laptop

For us, we are already in a reasonable position, but if the ASF wasn't planning to do more, there would certainly be further burdens. The CRA talks about "manufacturers" who have many requirements and "open source stewards" who have fewer. The ASF is an open source steward. Their current thinking (at the board level) is that they would like to make meeting the (open source steward level of) CRA requirements as easy as possible for their projects. That is good news for us. Some of the things we do in our release builds might move into common tooling, so we won't have to maintain that part.

Now, before everyone gets too pessimistic that the CRA might destroy our industry, I want to point out that I have given a super condensed version of the situation.
There is provision for hobby open source, research projects, and micro-businesses, where the CRA requirements may not apply. There are grey areas like testing tools and static analysis tools (think codenarc) which never end up in a digital product. There's fuzziness around software-as-a-service scenarios. There is also a risk-based assessment of products that may or may not harm a human being. So, I am not trying to give a definitive picture, just a heads-up.

My guess on how this might impact us is:

* We will likely need to make further build improvements around quality. Eventually some of this will be taken over by foundation-level tooling.
* We will need to get more rigorous around EOL statements for old versions. In at least one place, for instance, we have some warm fuzzy words: "not actively supported ... but if the community provides a patch, we may apply it". Under the CRA that won't be good enough. It is either "fit for commercial purposes" with reasonable CVE delays, or it must be EOL.
* While some projects within our ecosystem may not be affected, there are likely to be some which prefer the comfort of being part of a well-established software steward. If that happens, we might need to help them enter the ASF (or elsewhere) or consider adding them as Groovy subprojects.

I don't see any immediate action points, just wanted to give you all a heads-up. If others are more intimately involved with the CRA, please feel free to add any clarification, in particular if you think I haven't quite got the details correct. Some of this is still quite new to me and I have taken liberties in summarizing to keep this email from doubling in size.

Cheers, Paul.