
SFP#39: Policy and EU: CRA and what’s next?


This is a transcript created with the Free Software tool Whisper. For more information and feedback reach out to podcast@fsfe.org

WEBVTT 00:00.000 --> 00:01.040 Then let's get started. 00:14.480 --> 00:17.440 Hello and welcome to the Software Freedom Podcast. 00:17.440 --> 00:21.600 This podcast is presented to you by the Free Software Foundation Europe. 00:22.240 --> 00:26.640 We are a charity that empowers users to take control of technology. 00:27.280 --> 00:30.480 I'm Bonnie Mehring and I'm here with my colleague Alex. 00:30.480 --> 00:32.320 Hi Alex, nice to have you here. 00:32.320 --> 00:34.240 Hi Bonnie, nice to be here again. 00:34.240 --> 00:35.120 Hello, hello. 00:35.120 --> 00:42.240 So Alex, this week we will be talking about the CRA and I give up on the word cry if you notice. 00:46.240 --> 00:48.960 And especially focus on the questionnaire there. 00:48.960 --> 00:49.840 Yes. 00:49.920 --> 00:53.760 So can you give us a recap of what the CRA is? 00:53.760 --> 00:56.800 What are the roles in the CRA? 00:56.800 --> 00:58.080 Very, very quickly. 00:58.080 --> 01:02.080 Just to give everybody a quick overview of what we are talking about. 01:02.880 --> 01:03.920 Yes, sure. 01:03.920 --> 01:07.280 I mean, we already had a podcast episode on the Cyber Resilient Act. 01:07.280 --> 01:09.840 You can find it in the show notes as well. 01:09.840 --> 01:14.240 And there we also explained a bit about the Cyber Resilient Act. 01:14.240 --> 01:19.680 However, in short, the Cyber Resilient Act is product regulation and the aim 01:19.680 --> 01:22.560 is to make products more secure. 01:23.120 --> 01:29.200 And we talk about products with digital elements and this could be basically everything. 01:29.200 --> 01:31.200 It could be IoT device. 01:31.200 --> 01:38.320 It could be a piece of code and everything like operating system or operating system on your mobile. 01:38.960 --> 01:43.360 So whatever has a digital elements could be considered as a product. 01:44.000 --> 01:47.280 There are some exemptions for cars, for example, 01:47.280 --> 01:49.040 since they are regulated in other spaces. 
01:49.040 --> 01:56.480 However, ultimately, it's about getting a CE label on those digital products. 01:56.480 --> 02:01.440 So it's also not only a product regulation but also a market entry regulation. 02:01.440 --> 02:05.280 So we only talk about products that are about to enter the market. 02:05.920 --> 02:10.240 Those are going to be pre-checked if there are, and so-called, yeah, 02:10.240 --> 02:14.320 let's say, verb flows in order to make the product more secure. 02:14.480 --> 02:17.280 One can say it's security by design. 02:17.280 --> 02:21.120 And once all of these workflows, applications are fulfilled, 02:21.120 --> 02:25.840 you get the CE label and can place the product on the European market. 02:26.480 --> 02:28.160 So that's what we are talking about. 02:28.720 --> 02:33.520 And yeah, since this obviously is regulating software, 02:34.160 --> 02:40.480 we advocated during the legislative process that there should be exemptions but also in detailed 02:40.480 --> 02:42.560 regulations for free software. 02:42.560 --> 02:47.920 Since you free software ecosystem is looking slightly different than normal software 02:47.920 --> 02:50.800 or not normal software, so it's a proprietary software. 02:50.800 --> 02:54.960 And by thus, we also need dedicated rules. 02:54.960 --> 03:00.960 So just imagine we are having those of projects that are not really placed on a market. 03:00.960 --> 03:02.160 They might be on GitHub. 03:02.160 --> 03:04.160 They might be on some websites. 03:04.160 --> 03:07.200 You can just download the code, install it, run it. 03:08.160 --> 03:11.840 You'll have all the freedoms of free software to use, study, share, and improve. 03:11.840 --> 03:15.440 Right? And so this is ultimately not really a product. 03:15.440 --> 03:19.200 Maybe you have sometimes charities around those projects. 03:19.200 --> 03:23.120 But sometimes these projects then ultimately also end up in a product. 
03:23.120 --> 03:30.960 And that's why the legislative came up with the idea to also not only regulate the workflows 03:30.960 --> 03:34.400 differently, but also to come up with new roads. 03:34.480 --> 03:39.120 So they introduced the Stuart role and the manufacturer role. 03:39.600 --> 03:44.640 The manufacturer is pretty obviously that's basically the manufacturer that brings a product 03:44.640 --> 03:52.400 on the market. And the Stuart is then basically what could be a project that is then ultimately 03:52.400 --> 03:56.640 ending up in such a product by not being a product by its own. 03:57.360 --> 04:00.880 So and this also brings a couple of questions with it. 04:01.600 --> 04:04.240 For example, what is placing on the market? 04:05.280 --> 04:10.080 To which extent can you still have money in your project, 04:10.080 --> 04:12.480 while you are still not being a manufacturer? 04:12.480 --> 04:19.920 So again, let's imagine you are a charity or you are getting a few donations for your 04:19.920 --> 04:23.040 project. You have let's buy me a coffee button, whatever. 04:23.600 --> 04:27.360 So you don't really make a surplus with your project. 04:27.440 --> 04:31.760 But you just like keep it running or like have it as a hobby as a project, 04:31.760 --> 04:38.560 whatever the structure might be. And here those questions arise and then also some questions arise 04:38.560 --> 04:43.680 on like how the Stuart and the manufacturers shot in the activities each other. 04:43.680 --> 04:48.320 So let's imagine there's a security issue. A patch needs to be placed. 04:48.320 --> 04:51.680 So and how is this patch then finding its way into supply chain? 04:51.680 --> 04:55.840 Is it the Stuart and it's come up with the patch? Is it the manufacturer? 04:55.840 --> 04:59.520 The rules are clear. All applications are with the manufacturer. 
04:59.520 --> 05:03.760 However, in order to make sure that the patch is then automatically ending in the project, 05:03.760 --> 05:11.280 you need to have somewhat a relationship with the project or so called Stuart then in this case. 05:11.920 --> 05:17.280 And this is basically what we tried to address with a survey. We came up with a question there. 05:18.000 --> 05:22.480 We is the German Bundesamt für Sicherheit in the Information Station. 05:22.640 --> 05:26.800 So the Asian Federal Agency for IT Security in Germany, 05:27.680 --> 05:32.560 we partnered on a project in order to bring more clarity towards those questions. 05:33.120 --> 05:39.280 And also to identify more questions, basically. So we were also trying to ask so the Stuart 05:39.280 --> 05:44.240 in particular, but also let's take a market on how they read and understand the CIA 05:44.240 --> 05:49.120 or where they have issues to not understand it. So where we need a bit more of like clarity. 05:50.080 --> 05:53.520 And this could be basically ending up in so called guidance. 05:53.520 --> 05:57.920 So this will be a document where the CIA is a bit more explained in detail. 05:57.920 --> 06:02.560 So what is placing on the market, right? So and how all these workflows need to look like, 06:02.560 --> 06:07.600 ultimately there's also standardization for these processes. They might be at the station. 06:08.400 --> 06:12.960 So on and so forth. And this is what we ask, basically, our community, 06:12.960 --> 06:18.960 what we ask other communities out there that tinker around with software and might be a 06:18.960 --> 06:24.080 affected by the cyber resilience act. And yeah, now we want to talk a bit about this questionnaire. 06:24.080 --> 06:28.480 In the last edition, we already talked a bit about the questionnaire itself and first result. 06:28.480 --> 06:32.720 And now we have some final results. And this is what we want to chat about today. 06:33.760 --> 06:41.680 Perfect. 
Thank you very much. I heard that you got like an amazing number of answers for the 06:41.680 --> 06:48.720 questionnaire. This is true. I mean, the questionnaire was basically available out there for two 06:48.720 --> 06:54.800 months July, August, mid July. We had the, or no, it was end of July, beginning of August. 06:54.800 --> 06:59.200 We also had the podcast episode on this where we also promoted the questionnaire. Again, 06:59.200 --> 07:04.240 we also had to talk at the German free software conference, the Frostconn, where we also presented 07:04.240 --> 07:10.240 the questionnaire and asked people to take part. Ultimately, we got 345 answers, which is 07:10.240 --> 07:15.520 really impressive. Since we also only asked for feedback from people that are more or less 07:15.520 --> 07:20.320 familiar with the cyber resilience act. So we didn't ask fully into the blue. We only asked people 07:20.320 --> 07:26.400 or, but we were addressing people and asking in particular for feedback from people that are 07:26.400 --> 07:31.440 familiar with the cyber resilience act that know about the legal rules, because this would then 07:31.440 --> 07:37.040 help us to identify basically the gaps where we need more clarity. So it doesn't make too much sense 07:37.040 --> 07:42.960 to ask, sort of, a random people on what do you know about the CIA and then they tell you 07:43.040 --> 07:47.840 nothing. So this is not really helpful. And for this, it was really impressive to get this 07:47.840 --> 07:52.480 amount of questions, although we had, and this is in particular important for this questionnaire, 07:53.040 --> 07:59.200 a lot of free fields. So where people could, yeah, basically try to explain in their own words 07:59.200 --> 08:04.720 what they are fearing, what they are seeing, what they are missing. And this in particular, I helped 08:04.720 --> 08:12.000 for us to better understand the ecosystem, to better understand fears and needs. 
And we had some 08:12.000 --> 08:18.400 gut feelings beforehand. Most of them have been also addressed by any response in the questionnaire, 08:18.400 --> 08:24.240 but they have been also some answers that we let's say didn't expect it to have it at least in 08:24.240 --> 08:29.680 that clarity. So this questionnaire definitely helped to get a better understanding of the knowledge 08:29.680 --> 08:37.600 around the cyber resilience act, but also around like ideas on how the market might react on 08:37.600 --> 08:44.960 cyber resilience act, as well as ultimately, yeah, the still open questions that many of the 08:44.960 --> 08:50.960 participants of this survey still have. And that we are, yeah, it's obviously that they need to be 08:50.960 --> 08:58.000 addressed. And this will mostly happen in guidance. And this is also something which we are going 08:58.000 --> 09:03.600 to look on in the next weeks and months. And based on this survey. 09:04.160 --> 09:10.960 Okay, before we dive into the questions and the answers we got there, just very quickly, 09:10.960 --> 09:17.920 very surprised by the amount of answers we got that were obviously there's some needs to be 09:17.920 --> 09:24.000 some knowledge about the CRA and there's some expert knowledge then there as well. Very surprised 09:24.000 --> 09:31.040 by the quality and the quantity or what, how, what was your feeling there? Yeah, both both, 09:31.600 --> 09:39.680 so it's like, as we asked for quality, basically, I didn't expect it to get that many high quality 09:39.680 --> 09:47.040 answers. And that's basically what we can see as at 345 answers, we had ultimately six questionnaires 09:47.920 --> 09:54.160 in German, as well as in English, basically three questionnaires then that have been translated, 09:54.160 --> 10:00.480 one for the manufacturers, one for the stewards, and one for the project to get a better understanding, 10:00.480 --> 10:06.560 first of all, where market participants see themselves. 
So if they are more or less like, 10:07.040 --> 10:14.960 yeah, understanding in which role they will end up with and or which role they might think of 10:14.960 --> 10:20.160 that they might end up with. And then as said, in particular, the three fields helped a lot 10:20.160 --> 10:27.280 for us to better understand the arguments, but also the reasoning of thinking of people 10:27.280 --> 10:32.400 why they do believe that they have a certain role or why do they believe they don't have 10:34.880 --> 10:42.000 Okay, then let's dive into this or I will take a first project. What was your key findings 10:42.000 --> 10:46.080 for the projects and what was so amazing there and what really stuck out to you? 10:47.280 --> 10:52.480 I mean, for the project and this is pretty much I think we can combine it with the stewards 10:52.480 --> 11:00.640 already together is that most of them still don't fully understand if they are in scope or not 11:00.640 --> 11:07.760 and if they are in scope which role precisely they will have and then what they have to do 11:07.760 --> 11:16.000 as in Italy. So we can see that many many answers we're going into the direction that like if 11:16.000 --> 11:22.160 we are covered somehow by the cyber resilience act. So if we for example, in this steward role, 11:22.800 --> 11:28.000 then projects want to be the stewards for their own project. So that's something which is very 11:28.000 --> 11:34.160 important to learn. So they do not want to have external stakeholders players around that do 11:34.160 --> 11:41.360 fulfill the steward roles for them. So if they are covered by the CIA in which role and in which 11:42.000 --> 11:47.840 doesn't matter too much then they all said more or less that they want to be the stewards for their 11:47.840 --> 11:55.920 own project. However, they all still struggle in order to better understand to which extent they 11:55.920 --> 12:03.360 are covered and also what the applications they have to fulfill. 
So this means many do not fully 12:03.360 --> 12:10.400 see the threshold of like how much money could be in a project in order to not be a manufacturer 12:10.400 --> 12:16.960 or in order to be for example fully out of the cyber resilience act. And this is also something 12:16.960 --> 12:22.880 we addressed in our sort of statements towards the commission but also to market surveillance 12:22.880 --> 12:28.800 authorities that we need more clarity here. The idea could be for example and this is also 12:28.800 --> 12:32.720 something which we have seen in the tax and European Parliament during the legislative process. 12:33.360 --> 12:41.120 So that amount of money that keeps the service running yeah that should be basically the 12:41.120 --> 12:46.720 threshold in order to say look you are not doing this for a commercial interest so to say you are 12:46.720 --> 12:53.360 just doing this you have to keep the service running and as soon as you or as long as you are 12:53.920 --> 13:00.560 not paying basically doing this to earn money with this but just to keep the service running 13:00.640 --> 13:06.000 then you should be out or you can decide on to be in the Stuart world. The question is like for 13:06.000 --> 13:11.920 example what do we do with charities. 
One solution could be you say like whatever the charity 13:11.920 --> 13:17.280 earns this this project it doesn't matter they can just like move the money then into other 13:17.920 --> 13:23.680 charitable work what they are doing since like for example we have to 13:24.320 --> 13:30.000 yeah charity status in Germany which doesn't allow you basically to earn money right so you have 13:30.000 --> 13:36.720 to basically invest it then in other courses you might have but then the question is again so 13:36.720 --> 13:42.800 is this fair or can we can we be a bit more precise here also what do we do with other countries 13:42.800 --> 13:49.600 that don't have such charity laws what do we do with countries that are not even European right so 13:49.680 --> 13:54.960 how do we evaluate this and for this I think it would be very good to have some very clear rules 13:54.960 --> 14:01.120 for example I'd say it's more or less clear to say like as much money as you need in order to keep 14:01.120 --> 14:06.560 the service running is fine but as soon as you are starting yeah to commercialize it in a way 14:06.560 --> 14:14.480 right so that you have surplus then it's clearly not a Stuart project anymore but you might 14:14.480 --> 14:20.000 be a manufacturer however what we see from the responses is that there needs to be clarity 14:20.000 --> 14:27.520 so people are fearing that it's basically zero euros that you that you can have in your 14:28.240 --> 14:34.400 in your pocket then when you have a project and this will definitely not be the case however 14:34.400 --> 14:39.520 the question is how much money can you have in your case so right and here we clearly see that 14:39.520 --> 14:44.480 we need answers and I do believe the commission is already aware of this however we will also then 14:45.200 --> 14:50.480 provide the commission with our feedback on this so that we need here definitely more clarity in 14:50.480 --> 14:56.720 order like how does the money game works 
out so that you can have for example support contracts 14:56.720 --> 15:04.880 in order to help manufacturers to be CIA compliant without the fear of becoming a manufacturer 15:04.960 --> 15:12.560 by yourself also I do believe that many still do not fully understand the idea of a product 15:12.560 --> 15:21.040 regulation so ultimately that the idea is to regulate F product that means you have F rich 15:21.840 --> 15:29.840 which is then getting FCE label the same manufacturer can come up with another fridge which is 15:30.320 --> 15:39.040 another product so this means if you have a project and yeah your your your code base is part 15:39.040 --> 15:46.320 of a product you're only the Stuart for this one product so you're not a Stuart for your project 15:46.320 --> 15:53.120 nor for a manufacturer at its whole right so you're only the Stuart for one product that means 15:53.120 --> 15:59.520 you can be I don't know 20 times the Stuart for 20 projects towards one manufacturer 16:00.560 --> 16:06.480 but you are never basically the Stuart for your project so to say right so you're always the Stuart 16:06.480 --> 16:13.760 for a product so let's assume you have a code that ends up in a fridge and then you are the 16:13.760 --> 16:20.000 Stuart for this code in this fridge right and this is also something I do believe we have 16:20.240 --> 16:26.960 no clarity I hope that these kinds of podcasts we are doing here is helping in this direction but 16:26.960 --> 16:32.240 also I said we were giving talks on this so this is also what we are trying to explain why so it's 16:32.240 --> 16:39.040 a product regulation and every product every single product and it's going to be regulated so 16:39.040 --> 16:45.760 and it's not about your project but ultimately always the singing of a product regulation so that's 16:45.840 --> 16:52.160 also something and what we have seen in the answers and where we need maybe that's more of a 16:52.160 --> 16:58.000 communication thingy but 
where we need more clarity but also guidance again could help here and 16:58.000 --> 17:03.840 ultimately what we have also seen and this is also true for the manufacturers as that they basically 17:03.840 --> 17:10.480 are asking for tools so we see that project Stuart's and manufacturers alike I want to have 17:11.200 --> 17:18.080 easy check boxes so to say and best in an automated process and for this they want tools right so 17:18.080 --> 17:25.680 and this is also something I think which is a key of feedback for the the whole implementation 17:25.680 --> 17:32.160 process that we also should think about that we are talking towards a technical community 17:32.160 --> 17:39.280 right so and they want all the tech solutions to fix the problem and to come up with workflows 17:39.280 --> 17:43.360 right so and this is also something which we should keep in mind so that we don't come up with 17:43.360 --> 17:53.040 paperwork too much but that we also think of tools this is a short break for our own cause thank 17:53.040 --> 17:58.240 you for listening to the software freedom podcast working for software freedom and producing 17:58.240 --> 18:06.000 podcasts costs money please consider supporting us with a donation on the fsfe.org slash donate 18:06.080 --> 18:14.800 and then the show notes okay I've had this very fascinating especially since there's this 18:15.600 --> 18:22.160 dismissing clarity but you also mentioned there's a fear of becoming manufacturers I think this 18:22.160 --> 18:28.240 is also related a bit to the clarity part right because there is uncertainty about what does 18:28.240 --> 18:35.360 all would mean exactly so people fear a lot so that as soon as there is somehow money involved 18:35.440 --> 18:39.760 then they they end up as a manufacturer so assuming you have a project and then the 18:39.760 --> 18:44.160 manufacturer drops by telling you all you have to fulfill these and these and these applications 18:45.280 --> 18:50.080 the project 
is saying nah no we don't want we don't have the resources to do so then the 18:50.080 --> 18:55.680 manufacturer say oh I understand I'm going to support you and for this I'm going to pay you money 18:55.680 --> 18:59.920 and then projects are fearing that as soon as they take this money they will end up in the 18:59.920 --> 19:06.640 manufacturer vote this is in particular not true however it's also addressing another problem 19:06.640 --> 19:12.000 that we see and that's the the lack of resources right so and that's also an answer we often got 19:13.040 --> 19:19.520 is that yeah project stewards fear that they will have more applications or even if it's not 19:19.520 --> 19:24.640 applications there's more work to do since they have to interact with the manufacturer right they 19:24.640 --> 19:31.760 need to prepare or provide resources basically a possibility for contact and maybe some more 19:32.400 --> 19:36.800 and for this they need resources and the question is there do these resources are going to be 19:36.800 --> 19:43.680 pulled from and the most obvious answer to this is the manufacturer should pay but the question is 19:43.680 --> 19:51.520 then if this is always working out in that way what we do hope for and what do we do if it's not 19:51.520 --> 19:57.280 going to work out and this is then basically a question so since again we also see that many 19:57.280 --> 20:02.720 projects are willing to contribute to IT security they are willing to help in the cyber resilience 20:02.720 --> 20:08.960 act but at the same time they are lacking resources we we know the funding issue of free software is 20:10.000 --> 20:15.040 it's a huge topic we also address this in another podcast episode but we also see it again here 20:15.040 --> 20:20.400 in the cyber resilience act all of these problems that we have on the one hand I'm strong manufacturers 20:20.400 --> 20:26.480 that maybe sometimes just pick the code don't contribute back in any way and on the other 
hand we 20:26.480 --> 20:35.360 have burned out maintainers in projects that yeah working like hell and don't get any resources 20:35.360 --> 20:40.160 focused and this is also something which we have seen a widely addressed in new responses to our 20:40.160 --> 20:46.720 questionnaire that there is a lack of resources a lack of funding and this is also something which 20:46.720 --> 20:53.360 we definitely need to address in order to make sure that not only free software projects survive 20:53.360 --> 20:59.920 but that they also get a reasonable funding and reasonable resources and here again this is 20:59.920 --> 21:05.920 something which nobody of you should fear if you are a project and again you get the resources in 21:05.920 --> 21:12.960 order to keep the service running this is definitely not the threshold of becoming a manufacturer 21:12.960 --> 21:18.240 however there will be more clarity on where the thresholds are but this is I'd say more or less 21:18.240 --> 21:24.080 for sure that this will definitely be a threshold so as soon as you get as much money in order to 21:24.080 --> 21:30.640 fulfill this road right which is given to you by the by the legislator and in order to keep your 21:30.640 --> 21:36.640 service running then you definitely won't end up in the manufacturer role however as said we need 21:36.720 --> 21:44.080 clarity here in order to say look it's bitten here you can be sure yeah and you have already 21:44.080 --> 21:51.200 mentioned that the manufacturers are also somehow involved in this whole CR-8 debate and we had 21:51.200 --> 22:01.680 actually see we had a questionnaire for them as well I'm doing a very very slow circle here two 22:01.760 --> 22:07.920 arts of manufacturers if you notice so are they what are the key findings there are they still 22:07.920 --> 22:14.960 considering to keep using free software or are they now more in fear of using free software and do 22:14.960 --> 22:20.240 they want to switch to some 
proprietary software but proprietary software will also be regulated by 22:20.240 --> 22:27.920 the CR-8 so what is their key findings yeah so maybe before we start with this since you address 22:27.920 --> 22:33.440 the role right so I think this is also very important to know for everyone all the applications 22:33.440 --> 22:39.920 in the cyber resilience and are with the manufacturer so and that's very important to learn and 22:39.920 --> 22:46.880 very important to know so also as a student if you should fail they're not even fines for you 22:46.880 --> 22:52.480 right so marked surveillance authority then will drop by and might guide you and help you out of 22:53.040 --> 22:59.200 this but they can't find you on the other hand manufacturers have all the applications so they 22:59.200 --> 23:04.560 must not need to make sure that their code is fine that it fulfills all the applications in the 23:04.560 --> 23:11.120 cyber resilience act and they could also be fine if it's going into a wrong direction and this 23:11.120 --> 23:17.280 is important to learn so since this means the manufacturer needs to have a relationship to 23:17.280 --> 23:24.960 the Stuart in order to say I am sure that I can fulfill the applications in the cyber resilience 23:24.960 --> 23:30.160 act meaning that for example you have the security incident and then you are able to bring the 23:30.160 --> 23:37.360 patch to the project right so and you it's it's basically impossible to do this if you don't 23:37.360 --> 23:42.400 have a relationship with the project or if you can't assure right so that the patch is handled 23:43.120 --> 23:49.440 and that it is then ultimately ending up in your product so and if you can't guarantee this 23:49.440 --> 23:56.640 then you might be fined by market's reigness authority and this then also means for manufacturers 23:56.640 --> 24:04.000 as you said there are a couple of ways in order to handle this situation so first and this would be 24:04.000 --> 
24:09.360 I guess pretty much the best case and this is also what we are looking for the manufacturer is 24:09.360 --> 24:18.720 identifying the Stuart is providing the Stuart with resources in order to help the Stuart that 24:18.720 --> 24:25.200 the Stuart can help the manufacturer to fulfill the applications and then also there are workflows 24:25.200 --> 24:30.640 established that there is basically that the applications can be fulfilled there are a couple 24:30.640 --> 24:36.960 of them like notification patches handling blah blah blah let's don't go into the details but however 24:37.920 --> 24:43.440 it's all this the manufacturer so then assuming the manufacturer is not 24:43.440 --> 24:50.000 willing or capable to set up a relationship with Stuart so let's say you as a project you'll feel 24:50.000 --> 24:55.360 you don't want to work together with this specific company on this specific product for I don't 24:55.360 --> 25:02.160 know ethical reasons for example then what has the manufacturer for options right so and then he can 25:02.160 --> 25:09.200 say look I'm going to fork the project because then yeah you have basically the possibility to 25:09.200 --> 25:15.120 to to work on the code and fulfill the applications so you can basically also explain towards the 25:15.120 --> 25:22.640 market's reigness authority right so this is this I have power over the code so to say or and this 25:22.640 --> 25:30.480 is also what you already mentioned as an example you can scout for a proprietary alternative which 25:30.480 --> 25:37.040 already is a product in itself and has a CE label already and by thus you can yeah shift 25:37.040 --> 25:43.280 basically the applications towards the other supplier and you have a business to business relationship 25:43.280 --> 25:49.360 and ultimately so these are the options you will have as a manufacturer or you let the product 25:49.360 --> 25:54.880 by so that's all you just like remove this bit of the code and don't have 
this functionality for 25:55.680 --> 26:01.280 so these are the options as a as a manufacturer right so you have a good relationship to the 26:01.280 --> 26:08.960 Stuart best one I'd say you fork it second best one worst one is proprietary replacement or yeah 26:08.960 --> 26:16.240 you don't have the product only you pin bark at it anymore so and then and this is in particular 26:16.240 --> 26:23.600 interesting since we see this in the answers so most of the manufacturers do want to have a 26:23.600 --> 26:31.040 relationship with the Stuart and that's also I think a reasonable approach since imagine you 26:31.040 --> 26:35.920 are flocking at the project so this means you need to have the knowledge about the code you need 26:35.920 --> 26:41.200 to have the knowledge about the project and it's basically experienced people from this community 26:41.200 --> 26:46.800 in the best case that can work on this code right so I think it's not that easy to just say like 26:46.880 --> 26:55.120 so I'm just going to take I don't know Debian and now I fork it and then all is good right so I mean 26:55.120 --> 27:01.840 you also need to handle it and patches right so you need to improve the code you want innovation 27:01.840 --> 27:09.760 yari yari so it's it's not so easy to just simply fork it and then continue and take it from there 27:09.840 --> 27:17.120 so for this it's it's a pretty good idea to to to be connected to the project and basically work 27:17.120 --> 27:23.040 together with them so and this is also what most manufacturers are willing to do nearly none of them 27:24.320 --> 27:31.920 thinking about replacing this this proprietary alternatives so basically there are two ways for them 27:31.920 --> 27:38.480 the first one is and that's what they what they are trying to do is to go to the Stuart or to 27:38.480 --> 27:43.360 the project and by thus the potential Stuart trying to set up a relationship and also they are 27:43.360 --> 27:51.200 willing and to 
provide resources this is also interesting if you think about the fund debate but 27:51.200 --> 27:58.480 however and this is also learning if I can just site record here we also learned that projects that 27:58.480 --> 28:05.360 already do have a good relationship with manufacturers and do get resources it's still not 28:05.360 --> 28:10.320 sufficient so we should also be aware that if manufacturers say they are willing to support a 28:10.320 --> 28:15.520 project that doesn't mean that it's then fully financed it's just that they are willing to give 28:15.520 --> 28:21.360 something we don't know how much and we also don't know if the project will survive from 28:21.360 --> 28:28.720 curing market activities we see that it's rather not okay however manufacturers are up to do 28:29.680 --> 28:35.440 they are willing to work together with the Stuart that would be their first choice second choice 28:35.440 --> 28:42.240 is to fork the project and that's also I think very important to learn so we see on the one hand 28:43.120 --> 28:49.040 projects that want to be the Stuart for their own project and on the other side we see manufacturers 28:49.040 --> 28:58.000 that do not want to have a fork or that do not want to replace it but keep the project and also 28:58.080 --> 29:04.000 collaborate with the potential Stuart so we see that basically the two important entities 29:04.000 --> 29:10.720 roles in the cyber resilience act do want to collaborate so and now the question is how do we kick 29:10.720 --> 29:16.320 off this collaboration how do we make sure it doesn't harm the ecosystem and how do we make sure 29:16.880 --> 29:27.360 that those who benefit on the market also pay those who contribute so those are some of the outcomes 29:27.360 --> 29:33.840 and you already gave some yeah fewer hat of what is a hat what is lying ahead of us 29:35.440 --> 29:40.960 is there anything else you would outline now for the last question as the time is already running 29:40.960 
--> 29:46.320 so fast again Alex yeah so what is important so I mean first of all what we are going to do is 29:46.320 --> 29:53.440 to take the results and put it in a report and present it towards the Commission and try to make 29:53.520 --> 29:59.600 sure that all of these questions are going to be addressed in guidance or in the delegated 29:59.600 --> 30:05.360 implementing acts standardization attestation so in all of the implementing activities without 30:05.360 --> 30:10.480 going too much into details there are a couple of them so that all of these questions are going to 30:10.480 --> 30:15.440 be addressed also we have seen in the questionnaire that there are some other questions that we might 30:15.520 --> 30:24.240 need to work on SBOM supply chain license issues so also in particular attestation might be a very 30:25.120 --> 30:30.320 interesting part to work on this is also something which I do believe is something we will pick up 30:31.120 --> 30:38.560 very soon and so there are there are some more questions next to the ones we just addressed here 30:38.560 --> 30:44.000 that need to be clarified maybe we come up with another survey something like this let's see how 30:44.000 --> 30:50.320 we and yeah how we how we channel through this however we will make sure in the implementation to 30:50.320 --> 30:56.960 again safeguard in particular project maintainers and I think individual developers that is 30:56.960 --> 31:02.720 something which we achieve but that we bring also clarity towards the projects and that everyone 31:02.720 --> 31:11.360 knows clearly what is going to happen and yeah if it's a good idea to become a steward or not and if so 31:12.320 --> 31:17.680 what do you need to do and what does it mean for you and so on and so forth also we try to reflect 31:17.680 --> 31:24.240 the different players in the ecosystem while it's not like that there is a one-fits-all solution so 31:24.240 --> 31:30.400 we will try to work with examples and 
guidance and to to yeah make this easily understandable 31:30.960 --> 31:37.600 yeah for you out there to channel through this so this will be our activity however it's 31:37.680 --> 31:45.600 even if the questionnaire is closed we are still searching for input so if you feel that your project or 31:45.600 --> 31:50.480 even if you are I don't know a micro enterprise a small medium enterprise or medium enterprise 31:50.480 --> 31:57.440 depending on what you do but also here we do not want to harm micro enterprises right so all these 31:57.440 --> 32:03.280 one-woman armies that are out there sitting on their tiny project which then ends up in I don't 32:03.440 --> 32:09.360 know hundreds of products while this is also something we do care about if you see any problems there if 32:09.360 --> 32:15.600 you have any questions feel free to reach out to us even as the questionnaire is closed if you have feedback 32:15.600 --> 32:22.480 on this or if you have a specific problem which might be a gray area try to address this 32:23.120 --> 32:30.240 because now it's still the time to make those fixes and the more we see the more we can 32:30.240 --> 32:37.200 bring in the process in order to make sure we can safeguard a specific project in specific gray 32:37.200 --> 32:42.560 areas this is also something which we learned during the questionnaires or I think we have seen 32:42.560 --> 32:48.880 already a lot but yeah during during the time we also had several meetings with projects with 32:48.880 --> 32:56.240 foundations so on and so forth where there have been also some new niches that were unexplored for us 32:56.240 --> 33:03.440 so we can't see everything so come to us tell us about your specific issue you might 33:03.440 --> 33:12.160 have and we will try to clarify and address this so this is also very much helping and yeah so 33:12.160 --> 33:19.120 this is also always a good idea so if you have anything that is like it needs to be addressed 33:19.120 --> 33:24.000 tell 
us about it because then we still have the chance to address this towards market surveillance 33:24.000 --> 33:31.040 authorities and the European Commission and make sure in the implementation process to bring in 33:31.040 --> 33:34.800 more clarity and this is also basically what we are now trying to do with this questionnaire 33:34.800 --> 33:42.080 right so like making this a bit more elaborated for the implementation process so that it can be 33:42.080 --> 33:48.480 addressed in the related documents all right thank you so much Alex so you will pull up there 33:48.560 --> 33:56.560 yes yes and we do and by that we will do so I guess that won't be the final episode on the 33:56.560 --> 34:03.680 Cyber Resilience Act but rather yeah as you can see more or less serious so maybe we will talk about 34:03.680 --> 34:12.480 the Cyber Resilience Act yeah soon-ish again and yeah we will definitely keep you updated 34:12.560 --> 34:22.400 about the progress hopefully with good news then yes I do hope so as well but I am already very 34:22.400 --> 34:28.480 impressed by the number of answers we got and the quality as you have mentioned so yeah I find 34:28.480 --> 34:34.480 this is really fascinating and really really nice that there are so many people who care about 34:34.640 --> 34:43.920 free software and who want to keep free software safeguarded yeah and with this I'm saying goodbye 34:43.920 --> 34:49.200 thank you so much Alex for being here thank you so much for talking with us about the CRA 34:49.200 --> 34:54.240 yeah always a pleasure and yeah also for me thank you for everyone who not only listens but also 34:54.240 --> 35:01.280 took part in the survey or shared this survey so it's obvious that you helped you listeners and so 35:01.840 --> 35:11.280 thanks for this and yeah also thanks for listening and to all of our episodes yes thank you very 35:11.280 --> 35:17.520 much all right this was the Software Freedom Podcast if you liked this episode please 
35:17.520 --> 35:23.120 recommend it to your friends and rate it stay tuned for more inspiring conversations that 35:23.120 --> 35:29.920 explore the importance of software freedom and its impact on our digital lives this podcast is 35:29.920 --> 35:37.520 presented to you by the Free Software Foundation Europe and we are a charity so we need your help please 35:37.520 --> 35:45.360 consider supporting us with a donation if you like our work you can do so under fsfe.org slash 35:45.360 --> 35:53.120 donate and if this is financially not possible for you you can share the podcast on social media 35:53.120 --> 36:03.840 rate it or contribute to our work as a volunteer thank you so much bye bye. 36:03.840 --> 36:22.240 yeah I'm Albert I've been volunteering for the Free Software Foundation Europe for like 13 years 36:22.240 --> 36:29.280 now something like that I do that because I think it's it's important to have also the political 36:29.360 --> 36:35.760 point because I mean yes lots of people in my environment see the technical advantages of having 36:35.760 --> 36:43.040 free licenses and being able to reuse stuff but somebody also has to think about the the the political 36:43.040 --> 36:50.800 implications of that and I do try to help out with Free Software Foundation Europe to actually be able 36:50.800 --> 36:54.480 to do anything in that area