OpenWrt and the EU CRA - SFC becoming an OpenSource steward?
Hauke Mehrtens
hauke at hauke-m.de
Fri Nov 29 12:33:54 PST 2024
On 11/29/24 17:03, Götz Görisch wrote:
> Dear OpenWrt devs and manufacturers,
>
> as the EU Cyber Resilience Act is now signed and will enter into force
> on 2024-12-10, how will this affect OpenWrt development?
>
> Will the SFC take the responsibility of an OpenSource Steward for
> OpenWrt and the other projects it is hosting?
>
> Will the SFC join the Open Regulation Compliance working group
> (https://orcwg.org/)?
>
> And lastly how will this influence the development and processes of OpenWrt?
>
> This mail is meant to start an open discussion on this topic.
>
> Best regards,
> Goetz
Hi,
Thank you for bringing this topic up.
We haven't talked much about the CRA in the OpenWrt project. It just
came up once related to the OpenWrt One.
If it enters into force on 2024-12-10, I assume it will be in full force
36 months later, on 2027-12-10. Do all products which are sold after
2027-12-10 have to be compliant with the CRA?
I think the OpenWrt project is not directly affected by the CRA. The
OpenWrt project is not a commercial entity; we do not sell licenses for
money, nor does the OpenWrt project provide commercial services.
I do not think the OpenWrt project is an Open source software steward.
If you are using OpenWrt in a commercial product like building a router
with OpenWrt running on it and want to sell it in the EU you are
affected by the CRA and have to take care of OpenWrt compliance. This is
probably a bigger effort. This should also affect you when using some
vendor SDK based on OpenWrt.
I think there is a business opportunity. Someone could provide a
commercial certified OpenWrt for a license fee which is compliant with the
CRA to reduce the effort for the vendors.
As far as I understood, vendors using OpenWrt in their product have to
inform OpenWrt about any vulnerability which affects an OpenWrt
component when they are informed about it, and share their
patch with us. I do not know how this works when the vendor gets such
information under a non-disclosure agreement (NDA). The Wi-Fi Alliance,
for example, often shares issues under NDA with its members, and OpenWrt
is not a Wi-Fi Alliance member.
I think the Open Source lobby organization in the EU did a good job in
reducing the bad effects on Open Source.
I used this blog post for the latest information:
https://blog.nlnetlabs.nl/what-i-learned-in-brussels-the-cyber-resilience-act/
I haven't read the full CRA.
I am not a lawyer. Maybe some other members of the OpenWrt project
disagree with some of the points I made. We haven't formed a common
opinion on this topic.
Hauke