We need to start talking about the Cyber Resilience Act, because according to all major open source organizations the CRA is a threat to free software itself, and it has been approved by the European committee that was working on it. So this is going to be a complex story of laws and bureaucracy, and even though it might seem like Europe accidentally hurt open source whilst doing an otherwise great bill, this is very much intentional. So let's get started.

Everything revolves around cybersecurity. So yes, as a user it's terrible when a vulnerability is found in a product we are using, as it might put our sensitive data at risk. But did you know that the EU Parliament estimated that better cybersecurity would make European companies save between 180 billion and 290 billion euros a year? So not only is security essential for us customers, but even from an economic point of view there's a very strong incentive for the EU to require a higher level of cybersecurity. But how? Well, the proposal is roughly what you would expect. They made a list of software products that are potentially more at risk than others, such as network managers, server operating systems, password managers and so on, and they outlined a list of security requirements for these products. These requirements cover everything that should be done before publishing the product, such as a full security audit, but also what to do whenever a critical vulnerability is discovered, such as telling ENISA. Who's ENISA? It's the European Union Agency for Cybersecurity, the part of the EU that deals with cybersecurity. So roughly speaking, this is the spirit of the CRA: if you have a potentially vulnerable product you have to self-certify that it is secure enough, and if there is a vulnerability, please tell us as soon as possible.
All of this sounds amazingly reasonable as an idea, and in fact pretty much all big open source organizations that speak against the CRA start off by saying: we do like the act, we think it's a good idea, but... So what's the but? What's the big deal?

So first of all, people are not happy that they have to communicate to ENISA all the vulnerabilities as soon as they are exploited. In fact, the act requires doing it within hours. The established policies for unpatched vulnerabilities are to only tell the people that can actually contribute to fixing the security vulnerability. Quoting: a wide disclosure of unpatched vulnerabilities does not make the open source ecosystem more resilient, it makes it more perilous. Personally I have no idea how valid this criticism is. However, there's a secondary, obvious problem. So I've talked about self-certification to attest the security of a product before releasing. The obvious question is: how much work is that? Well, the EU estimates that the work needed will result in 25% more in cost overhead, which is a significant amount. Thus an obvious question is raised: who in volunteer-based open source communities is going to volunteer to do this work?

So let's take... this is the part of the video where I realized I should have checked the pronunciations before recording. Apache? Apish? How do you pronounce Apache? Somebody? How to pronounce Apache? Apache? Apache? Let's take Apache as an example. They are clearly the kind of software that these requirements are thought for. If Apache was developed by a big commercial company, well, no big deal, they will have to pay the extra 25% to hire a team dedicated to this. But Apache is not that. In fact, it's volunteer-based. They say: hey, some of these CRA obligations are virtually impossible to meet. For example, there is an obligation to deliver a product only if it has no known exploitable vulnerabilities.
This is an almost impossible bar to set, especially as the open source authors neither know nor have control over how their code is integrated downstream. Or take the Eclipse Foundation. They say right away: hey, we are in a better situation compared to others. We have the staff, we have infrastructure, we have a security team with security policies. And yet the CRA requires that if there's a vulnerability, the organization has to immediately address it through automatic updates, and it has to notify users of those updates. Eclipse can't do that, because for privacy reasons their projects do not call home or require user registration, and there's no mechanism to notify all users of the update. This would require completely rethinking the entire Eclipse infrastructure.

Even worse, the CRA puts strict requirements on what they call incomplete software, that is, beta or nightly releases. Either you certify every beta release, every single one, with all of those security requirements, which is crazy (usually you do a lot of beta releases to quickly iterate before the stable one), or you only make the incomplete release available for a short period of time, clearly stating that it does not comply with the CRA and is only available for testing. Here's the issue: even if you write on the release page "hey, this is only for testing", that doesn't matter, because the license of the beta software is "do whatever you want with it". This is open source; we cannot publish something just for testing.

The thing is, this is worse than you think. It doesn't affect, you know, just a couple of big open source projects, it affects a lot of them, and the list of products in the CRA is quite long. Think of KDE, which mostly makes a desktop and applications. KDE would be affected, firstly because of KDE Neon, which is technically an operating system, but even KDE's network manager, the tool that sets up your Wi-Fi in Plasma, falls within the category of network management tools. GNOME would be affected as well.
A lot of open source projects would be affected, and I'll be honest, KDE does not have the money to hire somebody just to do CRA compliance, and I really don't think that we can get enough skilled people to volunteer to certify every release of every piece of software affected by the CRA. This is why immediately everybody started asking: hey Europe, did you know that 90% of the software out there is open source? I mean, open source is really a big deal, and we can't really comply with the CRA as it is now. Would you please say that all of these requirements only apply to commercial entities? If you're a big company making money with your product, you can afford to make security audits and everything. If you're maybe even just a single developer doing free software, not quite so. Remember that the first lines of all open source licenses always say: this software is granted as is and the author takes no responsibility for it. Take it, use it, fork it, do not blame me.

Now, luckily, Europe did listen to all of this, but to explain that I have to make a quick timeline of the CRA. The act was proposed last September. It was discussed in a commission of the European Parliament called ITRE, and they drafted up a proposal to give to the entire Parliament. The commission voted on this draft in July and it was approved, so the next step is for it to be approved by the entire Parliament. At the same time, the European Council is developing its own version of the act, and when the Parliament votes positively for the act, Europe will take the original proposal, the draft accepted by the Parliament and the one drafted by the Council, and they will actually merge the three into a single act. This is expected to happen early next year, like nine months from now, and when that happens we will have two years to comply with it.
That means that the act really is close to being approved and it might not change much before it is. However, it's still roughly three years away before it starts being effective, so it's a ticking time bomb, isn't it? So what did we manage to get out of the negotiations within the ITRE? There is an exemption for open source software for non-commercial use. The only issue is: it's a mess. It's just a mess.

So firstly, if you take a recurring donation from a company, that is considered commercial. This immediately rules out a lot of the open source world. Take again KDE as an example. Yes, KDE is a non-profit, we don't make money. However, we do have patrons, which you can check at kde.org. The patrons of KDE do actually donate money to KDE every something, and hey, would you look at all of these beautiful commercial companies. Now I'm not saying that KDE would be considered commercial because of the donations. I am not a lawyer. But I am saying that the best interpretation I can give of the act is: yeah. And this worries me. But forget KDE. Do you know just how many small GitHub open source projects maintained by just one person receive recurring donations from companies using that software? It's a lot. Just this little sentence in the bill, "recurring donations from companies make you commercial" (it's not exactly like that, I'm paraphrasing), creates a lot of issues for both small one-person open source projects and the bigger ones.

And it's not just that. In order to be a non-profit, the CRA requires that the project is completely decentralized and that there is not a single company that can decide what gets integrated into the project and what doesn't. This means, as it was interpreted by most organizations, that if you give git access to anybody involved in a commercial project, boom, you have to follow the CRA, you're commercial. Any corporate developer makes you a commercial project.
Even worse, and here I really hope that I and all the articles I've read are just missing the point, because this is terrifying. The exact wording here is weird. So it is: "Similarly, where the main contributors to free and open source projects are developers employed by commercial entities and when such developers or the employer can exercise control as to which modifications are accepted in the codebase, the project should generally be considered to be of commercial nature." Do you see the big, big, big loophole? It says if the main developers are employed and the main developers can exercise control on the project, the project is commercial. It never actually states that the company behind those employees has to be relevant. Taking this literally, if I was employed in, I don't know, a pizza place, doing free software in my spare time, that would still make my project commercial, because I am employed. So what the f***.

So it would be really, really easy now to just say: well, oops, the ITRE just did a pretty bad job with making definitions. We just have to tell them how to fix this couple of sentences and it's basically okay, isn't it? This is on purpose. This is not some random mistake. They meant to do this, and for a quite simple reason. They noticed that a typical European small and medium enterprise, acronym SME, uses roughly 95% open source code and then just adds their own 5% on top, and they say: well, if we ask SMEs to certify that 5% that they make, they can do that. It's not a lot. But if we ask them to certify the whole thing, they don't have the resources to do that, and somebody has to certify the open source part of it, because, well, you know, it's 95% of the whole thing. Because of that, they want most open source organizations to provide these security certifications, because they don't think SMEs would be able to handle it.
To quote the Apache Software Foundation: "for this reason the policymakers have made it crystal clear to the ASF that they intend to have the CRA apply to open source foundations." The current exemptions for open source are either for pure hobbyist code that is not used in real life, or for things such as mirrors and package repositories like npm. All of this is on purpose.

So eventually, all of this is mostly a clash of ideologies. The free software ideology is: we are volunteers, we provide you with software that's freely available to everyone. You can do whatever you want with it, but you take responsibility for it. Instead, Europe wants to save billions of euros in cybersecurity, and to do that they need all open source software to be certified. And right now they believe that the only way to achieve that is to throw away the "don't blame the author" and actually put the cybersecurity blame on open source foundations. This is scary. It feels like it could be really dangerous. Luckily, it might actually work out in the end. Maybe in practice only a few projects will be considered commercial and the requirements won't be that strict. A lot of people were terrified of the GDPR laws, but they didn't end up being that bad. However, to the best of my knowledge, after hours of research, this does not look good.

By the way, hours of research, and writing the script, and then recording it, and then hours of editing now. Equipment. Everything. All of this takes time and money, which is why this channel is supported by the recurring donations from, not companies, but people like you. So if you want to support the channel and give some money to make sure that all of this keeps on going... I do have other sources of income, but this one helps me actually keep everything up. So if you would like to help out, I do have a Patreon, I do have a PayPal, I do have a Liberapay, I do have a Ko-fi, you can just help in any way that you like. And I think that was everything.
Thanks everybody for watching.