On 09.12.23 at 04:07, Paul Wise wrote:
>
> Does anyone have any more info about the changes?

Yes, I've seen the leaked document. I (and not only I) think NL-labs' outlook is too optimistic. It's also necessary to understand that these kinds of statements (the "update, december 2023") are also part of the political game of give and take.

The leaked rumor says there have been some improvements, mainly to address concerns from big platforms and foundations. Only point 3 from vote A has been addressed. Small projects (point 4) and commercial endeavours (point 1), like for example Freexian, are still out in the rain. The reporting obligations for exploited vulnerabilities (point 2) were doubled and so even became worse. PLD hasn't even been touched yet. And all this is still only a proposal which needs to be voted on by parliament (planned for March 2024). After the parliamentary decision the executive authorities will have to decide on the provisions for implementation and enforcement. Upcoming new standards will play a big role. Lobbying will have to go on and support from Debian will still be needed.

There is also no way and no necessity to adapt the GA text based on unofficial rumors since ...

> ... the answer from the EU legislative body will not be to read and
> consider each bullet point we make --- ... the European legislative
> bodies will just see "oh, a biggish project opposes CRA".

(Gunnar Wolf on 25.11.23 at 16:59)

And that's all that's necessary.

On 09.12.23 at 04:07, Paul Wise wrote:
> Hi all,
>
> On IRC it was mentioned that there are updates to the CRA that may
> address the concerns of the FLOSS community.
>
> These blogs have updates at the top:
>
> https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/
>
> 🥳 update, december 2023: The concerns expressed in this blog have been heard and are being addressed in the final text. If you read on, do so because you are interested in historical context, not because you seek an understanding of how the CRA will apply in practice.
>
> https://berthub.eu/articles/posts/eu-cra-best-open-source-security/
>
> UPDATE: On December 1st the EU agreed on a version of the Cyber Resilience Act that appears to have substantially addressed the concerns in the post below. Further analysis awaits, but do know that the text that follows is now mostly of historical interest!
>
> Does anyone have any more info about the changes?