WEBVTT

00:00.000 --> 00:10.100
Not that the talk title on the screen doesn't tell you everything that you need to know,

00:10.100 --> 00:12.540
this talk is about regulation and open source.

00:12.540 --> 00:15.240
What is it and what's to focus on?

00:15.240 --> 00:17.240
Here's Tobie Langel.

00:17.240 --> 00:26.820
Thank you, and now I have to wait for a minute, no, I'm joking, all right, I'm very glad

00:26.820 --> 00:31.520
to be here with you all today, and I'm here to talk about something that has been sort

00:31.520 --> 00:36.600
of talked about quite a bit for quite a number of years in this community, the Cyber Resilience

00:36.600 --> 00:42.760
Act, the CRA, and essentially to say that it is not coming out for you, that's not what

00:42.760 --> 00:49.200
the CRA is about, and sort of like, hopefully answer some of your questions and allow you

00:49.200 --> 01:01.100
to look at this with a little bit more calm, and sort of like trying to find the perspective

01:01.100 --> 01:09.740
in your position in this broader change to how software is going to be built in the future.

01:09.740 --> 01:16.340
So just some small credentials to give a bit of context, I'm actually a jazz drummer

01:16.340 --> 01:20.580
turned open source developer turned consultant in this space.

01:20.580 --> 01:25.420
Yes, it's a long story, I'm not going to talk about it today, but I could over beers

01:25.420 --> 01:26.420
or something.

01:26.420 --> 01:32.060
I run a small consulting firm, which is called UnlockOpen, and the reason I'm putting

01:32.060 --> 01:36.540
those credentials up is I've been very involved with the CRA's rollout.

01:36.540 --> 01:41.300
I help bootstrap the open regulatory compliance working group of the Eclipse Foundation, and

01:41.300 --> 01:48.340
I'm a member through Eclipse of the EU CRA expert group, which is a group that the European

01:48.340 --> 01:53.740
Commission set up that combines representatives from the different countries in the EU,

01:53.740 --> 02:00.060
from industry, and from key open source foundations.

02:00.060 --> 02:06.500
And so as a result, I get to have conversations with the Commission and the market surveillance

02:06.500 --> 02:11.620
authorities, and so I have a better understanding of where this is going than is publicly

02:11.620 --> 02:14.660
available for now.

02:14.660 --> 02:20.660
So we're going to talk about what is actually the CRA, what problem it's really trying

02:20.660 --> 02:27.020
to solve, and whether it's actually coming for you, and look at contributors, maintainers,

02:27.020 --> 02:34.420
and also a bit companies, but more from the perspective of your roles in companies, rather

02:34.420 --> 02:41.980
than companies themselves, and then briefly we'll consider whether there are actually more interesting

02:41.980 --> 02:48.740
things to dig into in this CRA that might possibly help sustain open source a bit better

02:48.740 --> 02:50.740
than it is today.

02:50.740 --> 02:52.300
So what is this CRA?

02:52.300 --> 02:56.220
Well in a nutshell, it is product legislation, right?

02:56.220 --> 03:04.700
It is meant to improve the cybersecurity of physical products and software products that

03:04.700 --> 03:08.180
are sold on the market in the European market.

03:08.180 --> 03:11.020
It is not for services, right?

03:11.020 --> 03:18.140
It is not targeting what people do or how you build software, how you build open source.

03:18.140 --> 03:26.180
It is targeting the result of what ends up in the hands of businesses and citizens in the EU.

03:26.180 --> 03:37.460
And it is really aimed at those who are building, creating those products, and selling them.

03:37.460 --> 03:45.180
It is not aimed at folks who are developing software in those products.

03:45.180 --> 03:49.780
And the problem it's trying to solve, and sort of like where the law originates from,

03:49.780 --> 03:58.380
is fairly simple, is software is now everywhere, from toys to rovers on other planets,

03:58.380 --> 04:08.420
and the increase of cyber attacks in the last few years is costly and impacts businesses

04:08.420 --> 04:12.980
and people quite strongly and increasingly so.

04:12.980 --> 04:18.340
So that's the problem that the commission is trying to, well the Europe is trying to solve

04:18.340 --> 04:24.900
with the Cyber Resilience Act, and technically what it is really targeting is things like this,

04:24.900 --> 04:25.900
right?

04:25.900 --> 04:32.060
The classic, you know, connected toy that was a wide open server to the camera that is inside,

04:32.060 --> 04:38.620
that is listening to kids, the very poorly designed security camera that has a password

04:38.620 --> 04:44.100
1234, and of course the famous one for those that paid attention to what happened in

04:44.100 --> 04:52.420
France at the Louvre, the famous password for the Louvre security system, which was just Louvre.

04:52.420 --> 04:56.300
So that's what is trying to be fixed, right?

04:56.300 --> 05:01.660
It is not like, you know, your specific open source package.

05:01.660 --> 05:10.100
That said, there were very real issues with the earlier versions of the CRA, like it was really bad,

05:11.100 --> 05:16.100
and a lot of people in the community stepped up and did a lot of work to talk to the Commission,

05:16.100 --> 05:22.100
to talk to the people that were writing it, to talk to folks in the parliament to amend that draft legislation,

05:22.100 --> 05:30.100
and frankly, it now is like pretty good, I think it really makes sense, and the more you understand it,

05:30.100 --> 05:35.100
and the more you understand sort of like all of the framework of legislation that it's built upon,

05:35.100 --> 05:38.100
the more it's actually quite reasonable.

05:39.100 --> 05:41.100
So key problems have been fixed.

05:41.100 --> 05:49.100
That said, there's still a lot of questions in the final text, especially for open source contributors,

05:49.100 --> 05:57.100
and us, really, that feel like they're unanswered, and the good news is that's getting fixed,

05:57.100 --> 06:03.100
and it's getting fixed in that CRA expert group, working directly with the Commission.

06:03.100 --> 06:06.100
So that's reassuring.

06:06.100 --> 06:13.100
And the first thing I want you to do, if you haven't looked at the FAQs, is grab this,

06:13.100 --> 06:18.100
because that's what we've been doing to essentially answer those questions.

06:18.100 --> 06:20.100
It's ongoing.

06:20.100 --> 06:27.100
It's expected that the size of it will double in the next, I don't know,

06:27.100 --> 06:30.100
two or three months, two months, let's say.

06:31.100 --> 06:40.100
And so those are a combination of community questions that are built on top of the knowledge

06:40.100 --> 06:46.100
that we're acquiring through this CRA expert group and reading the text and reading other legislation.

06:46.100 --> 06:53.100
And they also contain official frequently asked questions from the Commission itself,

06:53.100 --> 06:56.100
that's baked into the whole system.

06:56.100 --> 07:08.100
And so that provides a lot more answers and sort of like answers that have a bit more weight than when just a community works on it.

07:08.100 --> 07:13.100
So, is this CRA coming for you or your open source community?

07:13.100 --> 07:15.100
Well, no, you're not the target at all, right?

07:15.100 --> 07:23.100
The target is all of those really egregious cases of like bad software or bad products that we were talking about before.

07:23.100 --> 07:28.100
Are contributors subject to the CRA? No, they're not.

07:28.100 --> 07:34.100
Is a company whose employees are contributing to open source subject to the CRA?

07:34.100 --> 07:37.100
No, absolutely not.

07:37.100 --> 07:41.100
Is a maintainer subject to the CRA?

07:41.100 --> 07:45.100
So, the answer to this is essentially no, right?

07:45.100 --> 07:48.100
Unless you're making a lot of money doing so, right?

07:48.100 --> 07:54.100
So, who's here making a lot of money doing open source maintenance?

07:54.100 --> 07:57.100
Are you for real?

07:57.100 --> 08:05.100
Like so, for the video, like one person actually raised their hand, and now I'm completely confused and my whole sort of like talk is going to go sideways.

08:05.100 --> 08:06.100
Thank you.

08:06.100 --> 08:08.100
You and I can talk afterwards.

08:08.100 --> 08:13.100
My consulting fees are like very low.

08:13.100 --> 08:15.100
How much money is a lot of money?

08:16.100 --> 08:19.100
I'm going to address this, but that's a good question.

08:19.100 --> 08:25.100
I have a slide for this, so I'm not going to let that derail me.

08:25.100 --> 08:28.100
But I'll get to it, absolutely, that's a good question.

08:28.100 --> 08:33.100
So, is the maintainer subject to the CRA if they're receiving donations, right?

08:33.100 --> 08:42.100
If you have any kind of donation mechanism, well again, no, and again unless you're making a ton of money out of it, right?

08:42.100 --> 08:52.100
If you're receiving grants to develop the project, to increase its security, whatnot, like not at all, like regardless of how much those grants are paying you.

08:52.100 --> 08:56.100
If you're getting paid to build open source, right?

08:56.100 --> 09:00.100
No.

09:00.100 --> 09:02.100
This is, this gets better, right?

09:02.100 --> 09:10.100
If you're getting paid to help integrate your own open source project in clients' software,

09:10.100 --> 09:13.100
you're still not subject to the CRA.

09:13.100 --> 09:20.100
Again, unless you're making a killing with it, and I'll get to what that means now.

09:20.100 --> 09:23.100
So, what exactly does making a killing mean?

09:23.100 --> 09:30.100
Well, I mean, it means like essentially sustainably, so for a long period of time, not just like one month,

09:30.100 --> 09:36.100
making more money than is necessary to cover all of your professional costs, right?

09:36.100 --> 09:39.100
And your reasonable living expenses.

09:39.100 --> 09:43.100
And sure, that is subject to interpretation, et cetera, obviously.

09:43.100 --> 09:54.100
But I think, you know, I mean, it's a reasonable clarification of the law.

09:54.100 --> 09:56.100
Is it still a person?

09:57.100 --> 09:59.100
Sorry, what?

10:05.100 --> 10:10.100
So, the question is whether that translates to minimum wage.

10:10.100 --> 10:17.100
No, it says reasonable living expenses.

10:17.100 --> 10:25.100
You don't know how much time it took to get that level of clarification.

10:25.100 --> 10:28.100
This is really precise and specific.

10:28.100 --> 10:31.100
Let me tell you.

10:31.100 --> 10:36.100
No, I mean, look, I am not a lawyer, and I'm not your lawyer, right?

10:36.100 --> 10:41.100
And it just heads off.

10:41.100 --> 10:48.100
But I think like if you're making the same kind of money that you would do,

10:48.100 --> 10:53.100
if you were having the same job as a full-time employee somewhere,

10:53.100 --> 10:58.100
plus covering your costs and, you know, all of the self-employment aspects,

10:58.100 --> 11:02.100
I think that fits that description, right?

11:02.100 --> 11:06.100
If you're living in a country where a developer is making, I don't know,

11:06.100 --> 11:11.100
let's say, 60,000 euros a year, and you're making 200.

11:11.100 --> 11:16.100
It's going to be hard to make the case, right?

11:16.100 --> 11:22.100
But also, I mean, if you're making that kind of money, you know, good for you, right?

11:22.100 --> 11:33.100
So now moving to what it actually means for companies.

11:33.100 --> 11:39.100
So if you're providing as a company, integration services for open-source, right?

11:39.100 --> 11:45.100
Let's say you're installing WordPress for your clients or something like this, right?

11:45.100 --> 11:46.100
Then you're out of scope.

11:46.100 --> 11:48.100
You're doing a service, right?

11:48.100 --> 11:51.100
You're not shipping a product in the market.

11:51.100 --> 11:55.100
So you're not impacted, but there is here something to watch out for.

11:55.100 --> 12:04.100
A lot of folks who are in the service business and the integration of open-source components

12:04.100 --> 12:10.100
look at ways to diversify their income by creating adjacent products,

12:10.100 --> 12:12.100
and those are in scope, right?

12:12.100 --> 12:19.100
And it can be very, very small things, but like a WordPress theme is probably in scope of the CRA.

12:19.100 --> 12:25.100
So you have to be careful about those.

12:25.100 --> 12:29.100
If you're releasing software, if any of your employees are releasing open-source software,

12:29.100 --> 12:31.100
does that make them in scope?

12:31.100 --> 12:33.100
Well, it actually depends.

12:33.100 --> 12:37.100
Are you releasing software that's intended for commercial use,

12:37.100 --> 12:41.100
like is your company using that software itself to like sell products?

12:41.100 --> 12:48.100
Well, in that case, right, your company is probably the steward of that software.

12:48.100 --> 12:50.100
Right?

12:50.100 --> 12:55.100
And that is a role that is sort of like in-between, not being in scope,

12:55.100 --> 13:00.100
and being considered as a manufacturer, fully in scope.

13:00.100 --> 13:03.100
It has a very limited set of requirements.

13:03.100 --> 13:09.100
You can look it up, and it's in the FAQs that I gave you the QR code for earlier.

13:09.100 --> 13:13.100
And essentially, that's the case.

13:13.100 --> 13:19.100
What's really interesting is if your company is actually selling open-source software,

13:19.100 --> 13:20.100
right?

13:20.100 --> 13:24.100
It is going to be considered the manufacturer when there is a transaction,

13:24.100 --> 13:27.100
which is making money off of the software.

13:27.100 --> 13:33.100
But the community edition, right, even if it's bit-for-bit equivalent to the enterprise one,

13:33.100 --> 13:37.100
the company will be a steward of that.

13:37.100 --> 13:38.100
Right?

13:38.100 --> 13:42.100
So there's this distinction between, is it open-source?

13:42.100 --> 13:43.100
Right?

13:43.100 --> 13:47.100
Or is there a contract tied to it, and a service agreement,

13:47.100 --> 13:50.100
and your company is making money out of it.

13:55.100 --> 14:00.100
Yeah, and that's the last one, and that's, I think, one of the most interesting aspects of the law.

14:00.100 --> 14:07.100
It's if you use open-source in your products, right, as a company,

14:07.100 --> 14:10.100
and you sell those products on the market,

14:10.100 --> 14:12.100
are you subject to the CRA?

14:12.100 --> 14:15.100
Well, yes, absolutely, because you're selling a product, right?

14:15.100 --> 14:19.100
But what's most important is you're responsible for all of your open-source,

14:19.100 --> 14:23.100
and all of its dependencies and transitive dependencies, right?

14:23.100 --> 14:29.100
So the company, making money out of placing the software in the market,

14:29.100 --> 14:35.100
is the one that is responsible for the security of all of the software that it integrates.

14:35.100 --> 14:42.100
And that's one of the reasons I believe this legislation is a really good one.

14:42.100 --> 14:46.100
Oh, I'm doing very well with time.

14:46.100 --> 14:48.100
And I'm going to be able to take questions.

14:48.100 --> 14:49.100
This is going to be great.

14:49.100 --> 14:54.100
Lastly, and I think this is an interesting point,

14:54.100 --> 14:58.100
and there's a lot of work going on in this space right now.

14:58.100 --> 15:04.100
There's kind of a question as to whether the CRA could help sustain open-source, right?

15:04.100 --> 15:08.100
And that ties to the question we were just talking about before,

15:08.100 --> 15:12.100
which is manufacturers placing products on the market,

15:12.100 --> 15:16.100
they're the ones responsible for the security of all of the open-source they ingest.

15:16.100 --> 15:19.100
So you can imagine that it doesn't really scale,

15:19.100 --> 15:22.100
it's not very effective and efficient if every manufacturer,

15:22.100 --> 15:27.100
sort of like forks stuff and like fixes security bugs in their own things,

15:27.100 --> 15:31.100
and then like sort of like maintains those, like we know how that goes, right?

15:31.100 --> 15:32.100
It's terrible.

15:32.100 --> 15:40.100
So the idea is kind of like wouldn't it be nice if we could shift security upstream to the maintainers,

15:40.100 --> 15:45.100
where it's a lot more efficient, and they know what they're talking about a lot more, right?

15:45.100 --> 15:48.100
And of course there's a tension, because the maintainers can just go,

15:48.100 --> 15:50.100
what, I don't care, this is not my problem, right?

15:50.100 --> 15:58.100
And so the CRA includes this mechanism called security attestations

15:58.100 --> 16:01.100
that are currently being defined, right?

16:01.100 --> 16:05.100
The article that defines them is very, very hand-wavey.

16:05.100 --> 16:09.100
But the commission can write specific legislation just for this,

16:09.100 --> 16:11.100
and it's being discussed.

16:11.100 --> 16:15.100
It's being discussed in the ORC working group in collaboration with the Commission.

16:15.100 --> 16:18.100
So if you're interested, hit that link at the bottom,

16:18.100 --> 16:20.100
and the slides will be available.

16:20.100 --> 16:25.100
And the idea is essentially, can we provide a mechanism by which,

16:25.100 --> 16:33.100
maintainers who would want to, right, could essentially sell attestations,

16:33.100 --> 16:38.100
remain maintainers, right, not become manufacturers,

16:38.100 --> 16:48.100
in order to fund the maintenance and securing of the open source projects that they maintain.

16:48.100 --> 16:51.100
So that's very much an open question at this point.

16:51.100 --> 16:55.100
Can it work, will the manufacturers want to pay for this?

16:55.100 --> 17:00.100
So, you know, it's an interesting topic.

17:00.100 --> 17:03.100
And I think that's it.

17:03.100 --> 17:05.100
I will be able to take questions.

17:05.100 --> 17:10.100
And again, if you want to know more and have more questions,

17:10.100 --> 17:14.100
you can check this, and you can also follow GitHub issues

17:14.100 --> 17:17.100
to ask more questions if you want to.

17:17.100 --> 17:19.100
Thank you very much.

17:20.100 --> 17:25.100
Easy, one, what one?

17:25.100 --> 17:30.100
Hi, Tobie. Thank you for the talk.

17:30.100 --> 17:37.100
On that last screen, one, do you think that we'll have some more clarity on whether or not security

17:37.100 --> 17:42.100
attestations can be a model for funding that manufacturers are willing to pay for?

17:42.100 --> 17:45.100
Like, what do you think the timeline roughly will be?

17:45.100 --> 17:48.100
So that's a great question.

17:48.100 --> 17:53.100
I think more clarity will come quite soon.

17:53.100 --> 18:00.100
I think throughout the year we'll have an increasing sense of what they could look like.

18:00.100 --> 18:09.100
Whether that is an economically viable model is going to take,

18:09.100 --> 18:12.100
like, obviously longer to figure out.

18:12.100 --> 18:18.100
And it also depends on another sort of like hand-wavy thing in the CRA.

18:18.100 --> 18:24.100
And that is exactly how much due diligence manufacturers have to do.

18:24.100 --> 18:31.100
So, how much do they have to understand the code that they're ingesting?

18:31.100 --> 18:36.100
The higher the bar, the more they'll be inclined to pay for it,

18:36.100 --> 18:42.100
the higher the bar, the less they'll be inclined to use open source.

18:42.100 --> 18:45.100
So, it's an interesting tension.

18:45.100 --> 18:50.100
And I can't answer whether we'll be able to, you know, collectively get any of this right or not.

18:50.100 --> 18:53.100
But I think it's worth trying.

18:53.100 --> 18:56.100
Thank you, thank you very much for those slides.

18:56.100 --> 18:58.100
I have one question, though.

18:58.100 --> 19:00.100
Let's say I'm a manufacturer.

19:00.100 --> 19:03.100
I sell hardware, and with that hardware,

19:03.100 --> 19:10.100
I provide open source software from some community, and rebuild that stuff,

19:10.100 --> 19:15.100
and maybe tweak it a little bit, and offer this as a service to our clients.

19:15.100 --> 19:21.100
What is the status of the manufacturer providing this software now?

19:21.100 --> 19:28.100
So, that is a more involved question than I would like to address in this setting.

19:28.100 --> 19:35.100
Because there's many sort of additional questions I would have to ask.

19:35.100 --> 19:36.100
Okay.

19:36.100 --> 19:47.100
Because it depends on whether it's complex, it depends on how data moves from the product to those services.

19:47.100 --> 19:49.100
It really depends.

19:49.100 --> 19:51.100
Okay, let's have a chat later.

19:51.100 --> 19:52.100
Absolutely.

19:52.100 --> 19:55.100
I'm sure others are affected as well.

19:55.100 --> 19:56.100
Thank you very much.

19:57.100 --> 19:58.100
Thank you very much.

19:58.100 --> 19:59.100
We're on time.

19:59.100 --> 20:00.100
So, thank you once again.

20:00.100 --> 20:01.100
So, thank you.

