Greg Kroah-Hartman explains the Cyber Resilience Act for open source developers

https://news.ycombinator.com/rss
Summary

Opinion: There has been considerable worry about the impact of the European Union's Cyber Resilience Act on open source programmers. Linux stable kernel maintainer Greg Kroah-Hartman says, however, that there won't be much of an impact at all.

"The Linux Foundation has to abide by these rules. Mozilla has to abide by these rules. Me and Linus, as individuals working for them, don't have to abide by the rules..."

When the news of the EU's Cyber Resilience Act (CRA) first emerged, open source software developers and companies were worried sick. As the Python Software Foundation (PSF) executive director Deb Nicholson said at the time, "Under the current language, the PSF could potentially be financially liable for any product that includes Python code, while never having received any monetary gain from any of these products." Ouch!

Since then, however, the EU has made the CRA more open source friendly. How friendly? Well, according to Greg Kroah-Hartman, a top Linux kernel maintainer and member of the CRA working group of experts, "for open source contributors and maintainers, … [the] CRA is a good thing. I think it's gonna help us."

Speaking in Paris at the Linux Kernel Recipes conference, Kroah-Hartman started by saying, "You never expect to be dealing with lawyers and things like that when you start out programming. But here I am. This is all my personal opinion." But, he believes, the CRA has become "something that's actually palatable and can be used" for open source's benefit.

Kroah-Hartman explained that the CRA introduces a legal requirement for producers of products with digital elements (PDE), a broad category that includes nearly all software-driven devices and programs, to document, secure, and maintain their software supply chain. This means companies must now generate a Software Bill of Materials (SBOM), track vulnerabilities, respond to newly discovered issues, and be transparent about their security practices.
For open source developers, this mean...

First seen: 2025-10-02 11:48

Last seen: 2025-10-02 12:48