SFP#39: Policy and EU: CRA and what’s next?

This is a transcript created with the Free Software tool Whisper. For more information and feedback reach out to podcast@fsfe.org

WEBVTT 00:00.000 --> 00:01.040 Then let's get started. 00:14.480 --> 00:17.440 Hello and welcome to the Software Freedom Podcast. 00:17.440 --> 00:21.600 This podcast is presented to you by the Free Software Foundation Europe. 00:22.240 --> 00:26.640 We are a charity that empowers users to take control of technology. 00:27.280 --> 00:30.480 I'm Bonnie Mehring and I'm here with my colleague Alex. 00:30.480 --> 00:32.320 Hi Alex, nice to have you here. 00:32.320 --> 00:34.240 Hi Bonnie, nice to be here again. 00:34.240 --> 00:35.120 Hello, hello. 00:35.120 --> 00:42.240 So Alex, this week we will be talking about the CRA and I give up on the word cry if you notice. 00:46.240 --> 00:48.960 And especially focus on the questionnaire there. 00:48.960 --> 00:49.840 Yes. 00:49.920 --> 00:53.760 So can you give us a recap of what the CRA is? 00:53.760 --> 00:56.800 What are the roles in the CRA? 00:56.800 --> 00:58.080 Very, very quickly. 00:58.080 --> 01:02.080 Just to give everybody a quick overview of what we are talking about. 01:02.880 --> 01:03.920 Yes, sure. 01:03.920 --> 01:07.280 I mean, we already had a podcast episode on the Cyber Resilient Act. 01:07.280 --> 01:09.840 You can find it in the show notes as well. 01:09.840 --> 01:14.240 And there we also explained a bit about the Cyber Resilient Act. 01:14.240 --> 01:19.680 However, in short, the Cyber Resilient Act is product regulation and the aim 01:19.680 --> 01:22.560 is to make products more secure. 01:23.120 --> 01:29.200 And we talk about products with digital elements and this could be basically everything. 01:29.200 --> 01:31.200 It could be IoT device. 01:31.200 --> 01:38.320 It could be a piece of code and everything like operating system or operating system on your mobile. 01:38.960 --> 01:43.360 So whatever has a digital elements could be considered as a product. 01:44.000 --> 01:47.280 There are some exemptions for cars, for example, 01:47.280 --> 01:49.040 since they are regulated in other spaces. 
01:49.040 --> 01:56.480 However, ultimately, it's about getting a CE label on those digital products. 01:56.480 --> 02:01.440 So it's also not only a product regulation but also a market entry regulation. 02:01.440 --> 02:05.280 So we only talk about products that are about to enter the market. 02:05.920 --> 02:10.240 Those are going to be pre-checked if there are, and so-called, yeah, 02:10.240 --> 02:14.320 let's say, verb flows in order to make the product more secure. 02:14.480 --> 02:17.280 One can say it's security by design. 02:17.280 --> 02:21.120 And once all of these workflows, applications are fulfilled, 02:21.120 --> 02:25.840 you get the CE label and can place the product on the European market. 02:26.480 --> 02:28.160 So that's what we are talking about. 02:28.720 --> 02:33.520 And yeah, since this obviously is regulating software, 02:34.160 --> 02:40.480 we advocated during the legislative process that there should be exemptions but also in detailed 02:40.480 --> 02:42.560 regulations for free software. 02:42.560 --> 02:47.920 Since you free software ecosystem is looking slightly different than normal software 02:47.920 --> 02:50.800 or not normal software, so it's a proprietary software. 02:50.800 --> 02:54.960 And by thus, we also need dedicated rules. 02:54.960 --> 03:00.960 So just imagine we are having those of projects that are not really placed on a market. 03:00.960 --> 03:02.160 They might be on GitHub. 03:02.160 --> 03:04.160 They might be on some websites. 03:04.160 --> 03:07.200 You can just download the code, install it, run it. 03:08.160 --> 03:11.840 You'll have all the freedoms of free software to use, study, share, and improve. 03:11.840 --> 03:15.440 Right? And so this is ultimately not really a product. 03:15.440 --> 03:19.200 Maybe you have sometimes charities around those projects. 03:19.200 --> 03:23.120 But sometimes these projects then ultimately also end up in a product. 
03:23.120 --> 03:30.960 And that's why the legislative came up with the idea to also not only regulate the workflows 03:30.960 --> 03:34.400 differently, but also to come up with new roads. 03:34.480 --> 03:39.120 So they introduced the Stuart role and the manufacturer role. 03:39.600 --> 03:44.640 The manufacturer is pretty obviously that's basically the manufacturer that brings a product 03:44.640 --> 03:52.400 on the market. And the Stuart is then basically what could be a project that is then ultimately 03:52.400 --> 03:56.640 ending up in such a product by not being a product by its own. 03:57.360 --> 04:00.880 So and this also brings a couple of questions with it. 04:01.600 --> 04:04.240 For example, what is placing on the market? 04:05.280 --> 04:10.080 To which extent can you still have money in your project, 04:10.080 --> 04:12.480 while you are still not being a manufacturer? 04:12.480 --> 04:19.920 So again, let's imagine you are a charity or you are getting a few donations for your 04:19.920 --> 04:23.040 project. You have let's buy me a coffee button, whatever. 04:23.600 --> 04:27.360 So you don't really make a surplus with your project. 04:27.440 --> 04:31.760 But you just like keep it running or like have it as a hobby as a project, 04:31.760 --> 04:38.560 whatever the structure might be. And here those questions arise and then also some questions arise 04:38.560 --> 04:43.680 on like how the Stuart and the manufacturers shot in the activities each other. 04:43.680 --> 04:48.320 So let's imagine there's a security issue. A patch needs to be placed. 04:48.320 --> 04:51.680 So and how is this patch then finding its way into supply chain? 04:51.680 --> 04:55.840 Is it the Stuart and it's come up with the patch? Is it the manufacturer? 04:55.840 --> 04:59.520 The rules are clear. All applications are with the manufacturer. 
04:59.520 --> 05:03.760 However, in order to make sure that the patch is then automatically ending in the project, 05:03.760 --> 05:11.280 you need to have somewhat a relationship with the project or so called Stuart then in this case. 05:11.920 --> 05:17.280 And this is basically what we tried to address with a survey. We came up with a question there. 05:18.000 --> 05:22.480 We is the German Bundesamt für Sicherheit in the Information Station. 05:22.640 --> 05:26.800 So the Asian Federal Agency for IT Security in Germany, 05:27.680 --> 05:32.560 we partnered on a project in order to bring more clarity towards those questions. 05:33.120 --> 05:39.280 And also to identify more questions, basically. So we were also trying to ask so the Stuart 05:39.280 --> 05:44.240 in particular, but also let's take a market on how they read and understand the CIA 05:44.240 --> 05:49.120 or where they have issues to not understand it. So where we need a bit more of like clarity. 05:50.080 --> 05:53.520 And this could be basically ending up in so called guidance. 05:53.520 --> 05:57.920 So this will be a document where the CIA is a bit more explained in detail. 05:57.920 --> 06:02.560 So what is placing on the market, right? So and how all these workflows need to look like, 06:02.560 --> 06:07.600 ultimately there's also standardization for these processes. They might be at the station. 06:08.400 --> 06:12.960 So on and so forth. And this is what we ask, basically, our community, 06:12.960 --> 06:18.960 what we ask other communities out there that tinker around with software and might be a 06:18.960 --> 06:24.080 affected by the cyber resilience act. And yeah, now we want to talk a bit about this questionnaire. 06:24.080 --> 06:28.480 In the last edition, we already talked a bit about the questionnaire itself and first result. 06:28.480 --> 06:32.720 And now we have some final results. And this is what we want to chat about today. 06:33.760 --> 06:41.680 Perfect. 
Thank you very much. I heard that you got like an amazing number of answers for the 06:41.680 --> 06:48.720 questionnaire. This is true. I mean, the questionnaire was basically available out there for two 06:48.720 --> 06:54.800 months July, August, mid July. We had the, or no, it was end of July, beginning of August. 06:54.800 --> 06:59.200 We also had the podcast episode on this where we also promoted the questionnaire. Again, 06:59.200 --> 07:04.240 we also had to talk at the German free software conference, the Frostconn, where we also presented 07:04.240 --> 07:10.240 the questionnaire and asked people to take part. Ultimately, we got 345 answers, which is 07:10.240 --> 07:15.520 really impressive. Since we also only asked for feedback from people that are more or less 07:15.520 --> 07:20.320 familiar with the cyber resilience act. So we didn't ask fully into the blue. We only asked people 07:20.320 --> 07:26.400 or, but we were addressing people and asking in particular for feedback from people that are 07:26.400 --> 07:31.440 familiar with the cyber resilience act that know about the legal rules, because this would then 07:31.440 --> 07:37.040 help us to identify basically the gaps where we need more clarity. So it doesn't make too much sense 07:37.040 --> 07:42.960 to ask, sort of, a random people on what do you know about the CIA and then they tell you 07:43.040 --> 07:47.840 nothing. So this is not really helpful. And for this, it was really impressive to get this 07:47.840 --> 07:52.480 amount of questions, although we had, and this is in particular important for this questionnaire, 07:53.040 --> 07:59.200 a lot of free fields. So where people could, yeah, basically try to explain in their own words 07:59.200 --> 08:04.720 what they are fearing, what they are seeing, what they are missing. And this in particular, I helped 08:04.720 --> 08:12.000 for us to better understand the ecosystem, to better understand fears and needs. 
And we had some 08:12.000 --> 08:18.400 gut feelings beforehand. Most of them have been also addressed by any response in the questionnaire, 08:18.400 --> 08:24.240 but they have been also some answers that we let's say didn't expect it to have it at least in 08:24.240 --> 08:29.680 that clarity. So this questionnaire definitely helped to get a better understanding of the knowledge 08:29.680 --> 08:37.600 around the cyber resilience act, but also around like ideas on how the market might react on 08:37.600 --> 08:44.960 cyber resilience act, as well as ultimately, yeah, the still open questions that many of the 08:44.960 --> 08:50.960 participants of this survey still have. And that we are, yeah, it's obviously that they need to be 08:50.960 --> 08:58.000 addressed. And this will mostly happen in guidance. And this is also something which we are going 08:58.000 --> 09:03.600 to look on in the next weeks and months. And based on this survey. 09:04.160 --> 09:10.960 Okay, before we dive into the questions and the answers we got there, just very quickly, 09:10.960 --> 09:17.920 very surprised by the amount of answers we got that were obviously there's some needs to be 09:17.920 --> 09:24.000 some knowledge about the CRA and there's some expert knowledge then there as well. Very surprised 09:24.000 --> 09:31.040 by the quality and the quantity or what, how, what was your feeling there? Yeah, both both, 09:31.600 --> 09:39.680 so it's like, as we asked for quality, basically, I didn't expect it to get that many high quality 09:39.680 --> 09:47.040 answers. And that's basically what we can see as at 345 answers, we had ultimately six questionnaires 09:47.920 --> 09:54.160 in German, as well as in English, basically three questionnaires then that have been translated, 09:54.160 --> 10:00.480 one for the manufacturers, one for the stewards, and one for the project to get a better understanding, 10:00.480 --> 10:06.560 first of all, where market participants see themselves. 
So if they are more or less like, 10:07.040 --> 10:14.960 yeah, understanding in which role they will end up with and or which role they might think of 10:14.960 --> 10:20.160 that they might end up with. And then as said, in particular, the three fields helped a lot 10:20.160 --> 10:27.280 for us to better understand the arguments, but also the reasoning of thinking of people 10:27.280 --> 10:32.400 why they do believe that they have a certain role or why do they believe they don't have 10:34.880 --> 10:42.000 Okay, then let's dive into this or I will take a first project. What was your key findings 10:42.000 --> 10:46.080 for the projects and what was so amazing there and what really stuck out to you? 10:47.280 --> 10:52.480 I mean, for the project and this is pretty much I think we can combine it with the stewards 10:52.480 --> 11:00.640 already together is that most of them still don't fully understand if they are in scope or not 11:00.640 --> 11:07.760 and if they are in scope which role precisely they will have and then what they have to do 11:07.760 --> 11:16.000 as in Italy. So we can see that many many answers we're going into the direction that like if 11:16.000 --> 11:22.160 we are covered somehow by the cyber resilience act. So if we for example, in this steward role, 11:22.800 --> 11:28.000 then projects want to be the stewards for their own project. So that's something which is very 11:28.000 --> 11:34.160 important to learn. So they do not want to have external stakeholders players around that do 11:34.160 --> 11:41.360 fulfill the steward roles for them. So if they are covered by the CIA in which role and in which 11:42.000 --> 11:47.840 doesn't matter too much then they all said more or less that they want to be the stewards for their 11:47.840 --> 11:55.920 own project. However, they all still struggle in order to better understand to which extent they 11:55.920 --> 12:03.360 are covered and also what the applications they have to fulfill. 
So this means many do not fully 12:03.360 --> 12:10.400 see the threshold of like how much money could be in a project in order to not be a manufacturer 12:10.400 --> 12:16.960 or in order to be for example fully out of the cyber resilience act. And this is also something 12:16.960 --> 12:22.880 we addressed in our sort of statements towards the commission but also to market surveillance 12:22.880 --> 12:28.800 authorities that we need more clarity here. The idea could be for example and this is also 12:28.800 --> 12:32.720 something which we have seen in the tax and European Parliament during the legislative process. 12:33.360 --> 12:41.120 So that amount of money that keeps the service running yeah that should be basically the 12:41.120 --> 12:46.720 threshold in order to say look you are not doing this for a commercial interest so to say you are 12:46.720 --> 12:53.360 just doing this you have to keep the service running and as soon as you or as long as you are 12:53.920 --> 13:00.560 not paying basically doing this to earn money with this but just to keep the service running 13:00.640 --> 13:06.000 then you should be out or you can decide on to be in the Stuart world. The question is like for 13:06.000 --> 13:11.920 example what do we do with charities. 
One solution could be you say like whatever the charity 13:11.920 --> 13:17.280 earns this this project it doesn't matter they can just like move the money then into other 13:17.920 --> 13:23.680 charitable work what they are doing since like for example we have to 13:24.320 --> 13:30.000 yeah charity status in Germany which doesn't allow you basically to earn money right so you have 13:30.000 --> 13:36.720 to basically invest it then in other courses you might have but then the question is again so 13:36.720 --> 13:42.800 is this fair or can we can we be a bit more precise here also what do we do with other countries 13:42.800 --> 13:49.600 that don't have such charity laws what do we do with countries that are not even European right so 13:49.680 --> 13:54.960 how do we evaluate this and for this I think it would be very good to have some very clear rules 13:54.960 --> 14:01.120 for example I'd say it's more or less clear to say like as much money as you need in order to keep 14:01.120 --> 14:06.560 the service running is fine but as soon as you are starting yeah to commercialize it in a way 14:06.560 --> 14:14.480 right so that you have surplus then it's clearly not a Stuart project anymore but you might 14:14.480 --> 14:20.000 be a manufacturer however what we see from the responses is that there needs to be clarity 14:20.000 --> 14:27.520 so people are fearing that it's basically zero euros that you that you can have in your 14:28.240 --> 14:34.400 in your pocket then when you have a project and this will definitely not be the case however 14:34.400 --> 14:39.520 the question is how much money can you have in your case so right and here we clearly see that 14:39.520 --> 14:44.480 we need answers and I do believe the commission is already aware of this however we will also then 14:45.200 --> 14:50.480 provide the commission with our feedback on this so that we need here definitely more clarity in 14:50.480 --> 14:56.720 order like how does the money game works 
out so that you can have for example support contracts 14:56.720 --> 15:04.880 in order to help manufacturers to be CIA compliant without the fear of becoming a manufacturer 15:04.960 --> 15:12.560 by yourself also I do believe that many still do not fully understand the idea of a product 15:12.560 --> 15:21.040 regulation so ultimately that the idea is to regulate F product that means you have F rich 15:21.840 --> 15:29.840 which is then getting FCE label the same manufacturer can come up with another fridge which is 15:30.320 --> 15:39.040 another product so this means if you have a project and yeah your your your code base is part 15:39.040 --> 15:46.320 of a product you're only the Stuart for this one product so you're not a Stuart for your project 15:46.320 --> 15:53.120 nor for a manufacturer at its whole right so you're only the Stuart for one product that means 15:53.120 --> 15:59.520 you can be I don't know 20 times the Stuart for 20 projects towards one manufacturer 16:00.560 --> 16:06.480 but you are never basically the Stuart for your project so to say right so you're always the Stuart 16:06.480 --> 16:13.760 for a product so let's assume you have a code that ends up in a fridge and then you are the 16:13.760 --> 16:20.000 Stuart for this code in this fridge right and this is also something I do believe we have 16:20.240 --> 16:26.960 no clarity I hope that these kinds of podcasts we are doing here is helping in this direction but 16:26.960 --> 16:32.240 also I said we were giving talks on this so this is also what we are trying to explain why so it's 16:32.240 --> 16:39.040 a product regulation and every product every single product and it's going to be regulated so 16:39.040 --> 16:45.760 and it's not about your project but ultimately always the singing of a product regulation so that's 16:45.840 --> 16:52.160 also something and what we have seen in the answers and where we need maybe that's more of a 16:52.160 --> 16:58.000 communication thingy but 
where we need more clarity but also guidance again could help here and 16:58.000 --> 17:03.840 ultimately what we have also seen and this is also true for the manufacturers as that they basically 17:03.840 --> 17:10.480 are asking for tools so we see that project Stuart's and manufacturers alike I want to have 17:11.200 --> 17:18.080 easy check boxes so to say and best in an automated process and for this they want tools right so 17:18.080 --> 17:25.680 and this is also something I think which is a key of feedback for the the whole implementation 17:25.680 --> 17:32.160 process that we also should think about that we are talking towards a technical community 17:32.160 --> 17:39.280 right so and they want all the tech solutions to fix the problem and to come up with workflows 17:39.280 --> 17:43.360 right so and this is also something which we should keep in mind so that we don't come up with 17:43.360 --> 17:53.040 paperwork too much but that we also think of tools this is a short break for our own cause thank 17:53.040 --> 17:58.240 you for listening to the software freedom podcast working for software freedom and producing 17:58.240 --> 18:06.000 podcasts costs money please consider supporting us with a donation on the fsfe.org slash donate 18:06.080 --> 18:14.800 and then the show notes okay I've had this very fascinating especially since there's this 18:15.600 --> 18:22.160 dismissing clarity but you also mentioned there's a fear of becoming manufacturers I think this 18:22.160 --> 18:28.240 is also related a bit to the clarity part right because there is uncertainty about what does 18:28.240 --> 18:35.360 all would mean exactly so people fear a lot so that as soon as there is somehow money involved 18:35.440 --> 18:39.760 then they they end up as a manufacturer so assuming you have a project and then the 18:39.760 --> 18:44.160 manufacturer drops by telling you all you have to fulfill these and these and these applications 18:45.280 --> 18:50.080 the project 
is saying nah no we don't want we don't have the resources to do so then the 18:50.080 --> 18:55.680 manufacturer say oh I understand I'm going to support you and for this I'm going to pay you money 18:55.680 --> 18:59.920 and then projects are fearing that as soon as they take this money they will end up in the 18:59.920 --> 19:06.640 manufacturer vote this is in particular not true however it's also addressing another problem 19:06.640 --> 19:12.000 that we see and that's the the lack of resources right so and that's also an answer we often got 19:13.040 --> 19:19.520 is that yeah project stewards fear that they will have more applications or even if it's not 19:19.520 --> 19:24.640 applications there's more work to do since they have to interact with the manufacturer right they 19:24.640 --> 19:31.760 need to prepare or provide resources basically a possibility for contact and maybe some more 19:32.400 --> 19:36.800 and for this they need resources and the question is there do these resources are going to be 19:36.800 --> 19:43.680 pulled from and the most obvious answer to this is the manufacturer should pay but the question is 19:43.680 --> 19:51.520 then if this is always working out in that way what we do hope for and what do we do if it's not 19:51.520 --> 19:57.280 going to work out and this is then basically a question so since again we also see that many 19:57.280 --> 20:02.720 projects are willing to contribute to IT security they are willing to help in the cyber resilience 20:02.720 --> 20:08.960 act but at the same time they are lacking resources we we know the funding issue of free software is 20:10.000 --> 20:15.040 it's a huge topic we also address this in another podcast episode but we also see it again here 20:15.040 --> 20:20.400 in the cyber resilience act all of these problems that we have on the one hand I'm strong manufacturers 20:20.400 --> 20:26.480 that maybe sometimes just pick the code don't contribute back in any way and on the other 
hand we 20:26.480 --> 20:35.360 have burned out maintainers in projects that yeah working like hell and don't get any resources 20:35.360 --> 20:40.160 focused and this is also something which we have seen a widely addressed in new responses to our 20:40.160 --> 20:46.720 questionnaire that there is a lack of resources a lack of funding and this is also something which 20:46.720 --> 20:53.360 we definitely need to address in order to make sure that not only free software projects survive 20:53.360 --> 20:59.920 but that they also get a reasonable funding and reasonable resources and here again this is 20:59.920 --> 21:05.920 something which nobody of you should fear if you are a project and again you get the resources in 21:05.920 --> 21:12.960 order to keep the service running this is definitely not the threshold of becoming a manufacturer 21:12.960 --> 21:18.240 however there will be more clarity on where the thresholds are but this is I'd say more or less 21:18.240 --> 21:24.080 for sure that this will definitely be a threshold so as soon as you get as much money in order to 21:24.080 --> 21:30.640 fulfill this road right which is given to you by the by the legislator and in order to keep your 21:30.640 --> 21:36.640 service running then you definitely won't end up in the manufacturer role however as said we need 21:36.720 --> 21:44.080 clarity here in order to say look it's bitten here you can be sure yeah and you have already 21:44.080 --> 21:51.200 mentioned that the manufacturers are also somehow involved in this whole CR-8 debate and we had 21:51.200 --> 22:01.680 actually see we had a questionnaire for them as well I'm doing a very very slow circle here two 22:01.760 --> 22:07.920 arts of manufacturers if you notice so are they what are the key findings there are they still 22:07.920 --> 22:14.960 considering to keep using free software or are they now more in fear of using free software and do 22:14.960 --> 22:20.240 they want to switch to some 
proprietary software but proprietary software will also be regulated by 22:20.240 --> 22:27.920 the CR-8 so what is their key findings yeah so maybe before we start with this since you address 22:27.920 --> 22:33.440 the role right so I think this is also very important to know for everyone all the applications 22:33.440 --> 22:39.920 in the cyber resilience and are with the manufacturer so and that's very important to learn and 22:39.920 --> 22:46.880 very important to know so also as a student if you should fail they're not even fines for you 22:46.880 --> 22:52.480 right so marked surveillance authority then will drop by and might guide you and help you out of 22:53.040 --> 22:59.200 this but they can't find you on the other hand manufacturers have all the applications so they 22:59.200 --> 23:04.560 must not need to make sure that their code is fine that it fulfills all the applications in the 23:04.560 --> 23:11.120 cyber resilience act and they could also be fine if it's going into a wrong direction and this 23:11.120 --> 23:17.280 is important to learn so since this means the manufacturer needs to have a relationship to 23:17.280 --> 23:24.960 the Stuart in order to say I am sure that I can fulfill the applications in the cyber resilience 23:24.960 --> 23:30.160 act meaning that for example you have the security incident and then you are able to bring the 23:30.160 --> 23:37.360 patch to the project right so and you it's it's basically impossible to do this if you don't 23:37.360 --> 23:42.400 have a relationship with the project or if you can't assure right so that the patch is handled 23:43.120 --> 23:49.440 and that it is then ultimately ending up in your product so and if you can't guarantee this 23:49.440 --> 23:56.640 then you might be fined by market's reigness authority and this then also means for manufacturers 23:56.640 --> 24:04.000 as you said there are a couple of ways in order to handle this situation so first and this would be 24:04.000 --> 
24:09.360 I guess pretty much the best case and this is also what we are looking for the manufacturer is 24:09.360 --> 24:18.720 identifying the Stuart is providing the Stuart with resources in order to help the Stuart that 24:18.720 --> 24:25.200 the Stuart can help the manufacturer to fulfill the applications and then also there are workflows 24:25.200 --> 24:30.640 established that there is basically that the applications can be fulfilled there are a couple 24:30.640 --> 24:36.960 of them like notification patches handling blah blah blah let's don't go into the details but however 24:37.920 --> 24:43.440 it's all this the manufacturer so then assuming the manufacturer is not 24:43.440 --> 24:50.000 willing or capable to set up a relationship with Stuart so let's say you as a project you'll feel 24:50.000 --> 24:55.360 you don't want to work together with this specific company on this specific product for I don't 24:55.360 --> 25:02.160 know ethical reasons for example then what has the manufacturer for options right so and then he can 25:02.160 --> 25:09.200 say look I'm going to fork the project because then yeah you have basically the possibility to 25:09.200 --> 25:15.120 to to work on the code and fulfill the applications so you can basically also explain towards the 25:15.120 --> 25:22.640 market's reigness authority right so this is this I have power over the code so to say or and this 25:22.640 --> 25:30.480 is also what you already mentioned as an example you can scout for a proprietary alternative which 25:30.480 --> 25:37.040 already is a product in itself and has a CE label already and by thus you can yeah shift 25:37.040 --> 25:43.280 basically the applications towards the other supplier and you have a business to business relationship 25:43.280 --> 25:49.360 and ultimately so these are the options you will have as a manufacturer or you let the product 25:49.360 --> 25:54.880 by so that's all you just like remove this bit of the code and don't have 
this functionality for 25:55.680 --> 26:01.280 so these are the options as a as a manufacturer right so you have a good relationship to the 26:01.280 --> 26:08.960 Stuart best one I'd say you fork it second best one worst one is proprietary replacement or yeah 26:08.960 --> 26:16.240 you don't have the product only you pin bark at it anymore so and then and this is in particular 26:16.240 --> 26:23.600 interesting since we see this in the answers so most of the manufacturers do want to have a 26:23.600 --> 26:31.040 relationship with the Stuart and that's also I think a reasonable approach since imagine you 26:31.040 --> 26:35.920 are flocking at the project so this means you need to have the knowledge about the code you need 26:35.920 --> 26:41.200 to have the knowledge about the project and it's basically experienced people from this community 26:41.200 --> 26:46.800 in the best case that can work on this code right so I think it's not that easy to just say like 26:46.880 --> 26:55.120 so I'm just going to take I don't know Debian and now I fork it and then all is good right so I mean 26:55.120 --> 27:01.840 you also need to handle it and patches right so you need to improve the code you want innovation 27:01.840 --> 27:09.760 yari yari so it's it's not so easy to just simply fork it and then continue and take it from there 27:09.840 --> 27:17.120 so for this it's it's a pretty good idea to to to be connected to the project and basically work 27:17.120 --> 27:23.040 together with them so and this is also what most manufacturers are willing to do nearly none of them 27:24.320 --> 27:31.920 thinking about replacing this this proprietary alternatives so basically there are two ways for them 27:31.920 --> 27:38.480 the first one is and that's what they what they are trying to do is to go to the Stuart or to 27:38.480 --> 27:43.360 the project and by thus the potential Stuart trying to set up a relationship and also they are 27:43.360 --> 27:51.200 willing and to 
provide resources this is also interesting if you think about the fund debate but 27:51.200 --> 27:58.480 however and this is also learning if I can just site record here we also learned that projects that 27:58.480 --> 28:05.360 already do have a good relationship with manufacturers and do get resources it's still not 28:05.360 --> 28:10.320 sufficient so we should also be aware that if manufacturers say they are willing to support a 28:10.320 --> 28:15.520 project that doesn't mean that it's then fully financed it's just that they are willing to give 28:15.520 --> 28:21.360 something we don't know how much and we also don't know if the project will survive from 28:21.360 --> 28:28.720 curing market activities we see that it's rather not okay however manufacturers are up to do 28:29.680 --> 28:35.440 they are willing to work together with the Stuart that would be their first choice second choice 28:35.440 --> 28:42.240 is to fork the project and that's also I think very important to learn so we see on the one hand 28:43.120 --> 28:49.040 projects that want to be the Stuart for their own project and on the other side we see manufacturers 28:49.040 --> 28:58.000 that do not want to have a fork or that do not want to replace it but keep the project and also 28:58.080 --> 29:04.000 collaborate with the potential Stuart so we see that basically the two important entities 29:04.000 --> 29:10.720 roles in the cyber resilience act do want to collaborate so and now the question is how do we kick 29:10.720 --> 29:16.320 off this collaboration how do we make sure it doesn't harm the ecosystem and how do we make sure 29:16.880 --> 29:27.360 that those who benefit on the market also pay those who contribute so those are some of the outcomes 29:27.360 --> 29:33.840 and you already gave some yeah fewer hat of what is a hat what is lying ahead of us 29:35.440 --> 29:40.960 is there anything else you would outline now for the last question as the time is already running 29:40.960 
--> 29:46.320 so fast again, Alex? Yeah, so what is important, so I mean, first of all, what we are going to do is 29:46.320 --> 29:53.440 to take the results and put it in a report and present it towards the Commission, and try to make 29:53.520 --> 29:59.600 sure that all of these questions are going to be addressed in guidance or in the delegated 29:59.600 --> 30:05.360 implementing acts, standardization, attestation, so in all of the implementing activities. Without 30:05.360 --> 30:10.480 going too much into details, there are a couple of them, so that all of these questions are going to 30:10.480 --> 30:15.440 be addressed. Also, we have seen in the questionnaire that there are some other questions that we might 30:15.520 --> 30:24.240 need to work on: SBOM, supply chain, license issues. So also in particular attestation might be a very 30:25.120 --> 30:30.320 interesting part to work on. This is also something which I do believe is something we will pick up 30:31.120 --> 30:38.560 very soon. And so there are, there are some more questions next to the ones we just addressed here 30:38.560 --> 30:44.000 that need to be clarified. Maybe we come up with another survey, something like this. Let's see how 30:44.000 --> 30:50.320 we, and yeah, how we, how we channel through this. However, we will make sure in the implementation to 30:50.320 --> 30:56.960 again safeguard in particular project maintainers and, I think, individual developers. That is 30:56.960 --> 31:02.720 something which we achieved, but that we bring also clarity towards the projects, and that everyone 31:02.720 --> 31:11.360 knows clearly what is going to happen, and yeah, if it's a good idea to become a steward or not, and if so, 31:12.320 --> 31:17.680 what do you need to do and what does it mean for you, and so on and so forth. Also we try to reflect 31:17.680 --> 31:24.240 the different players in the ecosystem, why it's not like that there is a one-fits-all solution. So 31:24.240 --> 31:30.400 we will try to work with examples and
guidance and to, to, yeah, make this easily understandable, 31:30.960 --> 31:37.600 yeah, for you out there to channel through this. So this will be our activity. However, it's, 31:37.680 --> 31:45.600 even if the questionnaire is closed, we are still searching for input. So if you feel that your project, or 31:45.600 --> 31:50.480 even if you are, I don't know, a micro enterprise, a small, medium enterprise or a medium enterprise, 31:50.480 --> 31:57.440 depending on what you do, but also here we do not want to harm micro enterprises, right? So all these 31:57.440 --> 32:03.280 one-woman armies that are out there sitting on their tiny project which then ends up in, I don't 32:03.440 --> 32:09.360 know, hundreds of products, why, this is also something we do care of. If you see any problems there, if 32:09.360 --> 32:15.600 you have any questions, feel free to reach out to us, even as the questionnaire is closed. If you have feedback 32:15.600 --> 32:22.480 on this, or if you have a specific problem which might be a gray area, try to address this, 32:23.120 --> 32:30.240 because now it's still the time to make those fixes, and the more we see, the more we can 32:30.240 --> 32:37.200 bring in the process in order to make sure we can safeguard a specific project in specific gray 32:37.200 --> 32:42.560 areas. This is also something which we learned during the questionnaires, or I think we have seen 32:42.560 --> 32:48.880 already a lot, but yeah, during, during the time we also had several meetings with projects, with 32:48.880 --> 32:56.240 foundations, so on and so forth, where there have been also some new niches that were unexplored for us. 32:56.240 --> 33:03.440 So we can't see everything. Please come to us, tell us about your specific issue you might, you might 33:03.440 --> 33:12.160 have, and we will try to clarify and address this. So this is also very much helping, and yeah, so 33:12.160 --> 33:19.120 this is also always a good idea. So if you have anything that is like, needs to be addressed, 33:19.120 --> 33:24.000 tell
us about it, because then we still have the chance to address this towards market surveillance 33:24.000 --> 33:31.040 authorities and the European Commission and make sure in the implementation process to bring in 33:31.040 --> 33:34.800 more clarity. And this is also basically what we are now trying to do with this questionnaire, 33:34.800 --> 33:42.080 right? So like making this a bit more elaborated for the implementation process, so that it can be 33:42.080 --> 33:48.480 addressed in the related documents. All right, thank you so much, Alex. So you will pull up there? 33:48.560 --> 33:56.560 Yes, yes, and we do, and by that we will do so. I guess that won't be the final episode on the 33:56.560 --> 34:03.680 Cyber Resilience Act, but rather, yeah, as you can see, more or less a series. So maybe we will talk about 34:03.680 --> 34:12.480 the Cyber Resilience Act, yeah, soon-ish again. And yeah, we will definitely keep you updated 34:12.560 --> 34:22.400 about the progress, hopefully with good news then. Yes, I do hope so as well, but I am already very 34:22.400 --> 34:28.480 impressed by the number of answers we got and the quality, as you have mentioned. So yeah, I find 34:28.480 --> 34:34.480 this is really fascinating and really, really nice that there are so many people who care about 34:34.640 --> 34:43.920 free software and who want to keep free software safeguarded. Yeah, and with this I'm saying goodbye. 34:43.920 --> 34:49.200 Thank you so much, Alex, for being here. Thank you so much for talking with us about the CRA. 34:49.200 --> 34:54.240 Yeah, always a pleasure, and yeah, also for me, thank you for everyone who not only listens but also 34:54.240 --> 35:01.280 then took part in the survey or shared this survey. So it's obvious that you helped, you listeners, and so 35:01.840 --> 35:11.280 thanks for this, and yeah, also thanks for listening to all of our episodes. Yes, thank you very 35:11.280 --> 35:17.520 much. All right, this was the Software Freedom Podcast. If you liked this episode, please
35:17.520 --> 35:23.120 recommend it to your friends and rate it. Stay tuned for more inspiring conversations that 35:23.120 --> 35:29.920 explore the importance of software freedom and its impact on our digital lives. This podcast is 35:29.920 --> 35:37.520 presented to you by the Free Software Foundation Europe, and we are a charity, so we need your help. Please 35:37.520 --> 35:45.360 consider supporting us with a donation. If you like our work, you can do so under fsfe.org/donate, 35:45.360 --> 35:53.120 and if this is financially not possible for you, you can share the podcast on social media, 35:53.120 --> 36:03.840 rate it, or contribute to our work as a volunteer. Thank you so much, bye bye. 36:03.840 --> 36:22.240 Yeah, I'm Albert. I've been volunteering for the Free Software Foundation Europe for like 13 years 36:22.240 --> 36:29.280 now, something like that. I do that because I think it's, it's important to have also the political 36:29.360 --> 36:35.760 point, because, I mean, yes, lots of people in my environment see the technical advantages of having 36:35.760 --> 36:43.040 free licenses and being able to reuse stuff, but somebody also has to think about the, the, the political 36:43.040 --> 36:50.800 implications of that, and I do try to help out with Free Software Foundation Europe to actually be able 36:50.800 --> 36:54.480 to do anything in that area.