SFP#39: Policy and EU: CRA and what’s next?
This is a transcript created with the Free Software tool Whisper. For more information and feedback reach out to podcast@fsfe.org
SFP#39: Policy and EU: CRA and what’s next?
WEBVTT 00:00.000 --> 00:01.040 Then let's get started. 00:14.480 --> 00:17.440 Hello and welcome to the Software Freedom Podcast. 00:17.440 --> 00:21.600 This podcast is presented to you by the Free Software Foundation Europe. 00:22.240 --> 00:26.640 We are a charity that empowers users to take control of technology. 00:27.280 --> 00:30.480 I'm Bonnie Mehring and I'm here with my colleague Alex. 00:30.480 --> 00:32.320 Hi Alex, nice to have you here. 00:32.320 --> 00:34.240 Hi Bonnie, nice to be here again. 00:34.240 --> 00:35.120 Hello, hello. 00:35.120 --> 00:42.240 So Alex, this week we will be talking about the CRA and I give up on the word cry if you notice. 00:46.240 --> 00:48.960 And especially focus on the questionnaire there. 00:48.960 --> 00:49.840 Yes. 00:49.920 --> 00:53.760 So can you give us a recap of what the CRA is? 00:53.760 --> 00:56.800 What are the roles in the CRA? 00:56.800 --> 00:58.080 Very, very quickly. 00:58.080 --> 01:02.080 Just to give everybody a quick overview of what we are talking about. 01:02.880 --> 01:03.920 Yes, sure. 01:03.920 --> 01:07.280 I mean, we already had a podcast episode on the Cyber Resilient Act. 01:07.280 --> 01:09.840 You can find it in the show notes as well. 01:09.840 --> 01:14.240 And there we also explained a bit about the Cyber Resilient Act. 01:14.240 --> 01:19.680 However, in short, the Cyber Resilient Act is product regulation and the aim 01:19.680 --> 01:22.560 is to make products more secure. 01:23.120 --> 01:29.200 And we talk about products with digital elements and this could be basically everything. 01:29.200 --> 01:31.200 It could be IoT device. 01:31.200 --> 01:38.320 It could be a piece of code and everything like operating system or operating system on your mobile. 01:38.960 --> 01:43.360 So whatever has a digital elements could be considered as a product. 01:44.000 --> 01:47.280 There are some exemptions for cars, for example, 01:47.280 --> 01:49.040 since they are regulated in other spaces. 01:49.040 --> 01:56.480 However, ultimately, it's about getting a CE label on those digital products. 01:56.480 --> 02:01.440 So it's also not only a product regulation but also a market entry regulation. 02:01.440 --> 02:05.280 So we only talk about products that are about to enter the market. 02:05.920 --> 02:10.240 Those are going to be pre-checked if there are, and so-called, yeah, 02:10.240 --> 02:14.320 let's say, verb flows in order to make the product more secure. 02:14.480 --> 02:17.280 One can say it's security by design. 02:17.280 --> 02:21.120 And once all of these workflows, applications are fulfilled, 02:21.120 --> 02:25.840 you get the CE label and can place the product on the European market. 02:26.480 --> 02:28.160 So that's what we are talking about. 02:28.720 --> 02:33.520 And yeah, since this obviously is regulating software, 02:34.160 --> 02:40.480 we advocated during the legislative process that there should be exemptions but also in detailed 02:40.480 --> 02:42.560 regulations for free software. 02:42.560 --> 02:47.920 Since you free software ecosystem is looking slightly different than normal software 02:47.920 --> 02:50.800 or not normal software, so it's a proprietary software. 02:50.800 --> 02:54.960 And by thus, we also need dedicated rules. 02:54.960 --> 03:00.960 So just imagine we are having those of projects that are not really placed on a market. 03:00.960 --> 03:02.160 They might be on GitHub. 03:02.160 --> 03:04.160 They might be on some websites. 03:04.160 --> 03:07.200 You can just download the code, install it, run it. 03:08.160 --> 03:11.840 You'll have all the freedoms of free software to use, study, share, and improve. 03:11.840 --> 03:15.440 Right? And so this is ultimately not really a product. 03:15.440 --> 03:19.200 Maybe you have sometimes charities around those projects. 03:19.200 --> 03:23.120 But sometimes these projects then ultimately also end up in a product. 03:23.120 --> 03:30.960 And that's why the legislative came up with the idea to also not only regulate the workflows 03:30.960 --> 03:34.400 differently, but also to come up with new roads. 03:34.480 --> 03:39.120 So they introduced the Stuart role and the manufacturer role. 03:39.600 --> 03:44.640 The manufacturer is pretty obviously that's basically the manufacturer that brings a product 03:44.640 --> 03:52.400 on the market. And the Stuart is then basically what could be a project that is then ultimately 03:52.400 --> 03:56.640 ending up in such a product by not being a product by its own. 03:57.360 --> 04:00.880 So and this also brings a couple of questions with it. 04:01.600 --> 04:04.240 For example, what is placing on the market? 04:05.280 --> 04:10.080 To which extent can you still have money in your project, 04:10.080 --> 04:12.480 while you are still not being a manufacturer? 04:12.480 --> 04:19.920 So again, let's imagine you are a charity or you are getting a few donations for your 04:19.920 --> 04:23.040 project. You have let's buy me a coffee button, whatever. 04:23.600 --> 04:27.360 So you don't really make a surplus with your project. 04:27.440 --> 04:31.760 But you just like keep it running or like have it as a hobby as a project, 04:31.760 --> 04:38.560 whatever the structure might be. And here those questions arise and then also some questions arise 04:38.560 --> 04:43.680 on like how the Stuart and the manufacturers shot in the activities each other. 04:43.680 --> 04:48.320 So let's imagine there's a security issue. A patch needs to be placed. 04:48.320 --> 04:51.680 So and how is this patch then finding its way into supply chain? 04:51.680 --> 04:55.840 Is it the Stuart and it's come up with the patch? Is it the manufacturer? 04:55.840 --> 04:59.520 The rules are clear. All applications are with the manufacturer. 04:59.520 --> 05:03.760 However, in order to make sure that the patch is then automatically ending in the project, 05:03.760 --> 05:11.280 you need to have somewhat a relationship with the project or so called Stuart then in this case. 05:11.920 --> 05:17.280 And this is basically what we tried to address with a survey. We came up with a question there. 05:18.000 --> 05:22.480 We is the German Bundesamt für Sicherheit in the Information Station. 05:22.640 --> 05:26.800 So the Asian Federal Agency for IT Security in Germany, 05:27.680 --> 05:32.560 we partnered on a project in order to bring more clarity towards those questions. 05:33.120 --> 05:39.280 And also to identify more questions, basically. So we were also trying to ask so the Stuart 05:39.280 --> 05:44.240 in particular, but also let's take a market on how they read and understand the CIA 05:44.240 --> 05:49.120 or where they have issues to not understand it. So where we need a bit more of like clarity. 05:50.080 --> 05:53.520 And this could be basically ending up in so called guidance. 05:53.520 --> 05:57.920 So this will be a document where the CIA is a bit more explained in detail. 05:57.920 --> 06:02.560 So what is placing on the market, right? So and how all these workflows need to look like, 06:02.560 --> 06:07.600 ultimately there's also standardization for these processes. They might be at the station. 06:08.400 --> 06:12.960 So on and so forth. And this is what we ask, basically, our community, 06:12.960 --> 06:18.960 what we ask other communities out there that tinker around with software and might be a 06:18.960 --> 06:24.080 affected by the cyber resilience act. And yeah, now we want to talk a bit about this questionnaire. 06:24.080 --> 06:28.480 In the last edition, we already talked a bit about the questionnaire itself and first result. 06:28.480 --> 06:32.720 And now we have some final results. And this is what we want to chat about today. 06:33.760 --> 06:41.680 Perfect. Thank you very much. I heard that you got like an amazing number of answers for the 06:41.680 --> 06:48.720 questionnaire. This is true. I mean, the questionnaire was basically available out there for two 06:48.720 --> 06:54.800 months July, August, mid July. We had the, or no, it was end of July, beginning of August. 06:54.800 --> 06:59.200 We also had the podcast episode on this where we also promoted the questionnaire. Again, 06:59.200 --> 07:04.240 we also had to talk at the German free software conference, the Frostconn, where we also presented 07:04.240 --> 07:10.240 the questionnaire and asked people to take part. Ultimately, we got 345 answers, which is 07:10.240 --> 07:15.520 really impressive. Since we also only asked for feedback from people that are more or less 07:15.520 --> 07:20.320 familiar with the cyber resilience act. So we didn't ask fully into the blue. We only asked people 07:20.320 --> 07:26.400 or, but we were addressing people and asking in particular for feedback from people that are 07:26.400 --> 07:31.440 familiar with the cyber resilience act that know about the legal rules, because this would then 07:31.440 --> 07:37.040 help us to identify basically the gaps where we need more clarity. So it doesn't make too much sense 07:37.040 --> 07:42.960 to ask, sort of, a random people on what do you know about the CIA and then they tell you 07:43.040 --> 07:47.840 nothing. So this is not really helpful. And for this, it was really impressive to get this 07:47.840 --> 07:52.480 amount of questions, although we had, and this is in particular important for this questionnaire, 07:53.040 --> 07:59.200 a lot of free fields. So where people could, yeah, basically try to explain in their own words 07:59.200 --> 08:04.720 what they are fearing, what they are seeing, what they are missing. And this in particular, I helped 08:04.720 --> 08:12.000 for us to better understand the ecosystem, to better understand fears and needs. And we had some 08:12.000 --> 08:18.400 gut feelings beforehand. Most of them have been also addressed by any response in the questionnaire, 08:18.400 --> 08:24.240 but they have been also some answers that we let's say didn't expect it to have it at least in 08:24.240 --> 08:29.680 that clarity. So this questionnaire definitely helped to get a better understanding of the knowledge 08:29.680 --> 08:37.600 around the cyber resilience act, but also around like ideas on how the market might react on 08:37.600 --> 08:44.960 cyber resilience act, as well as ultimately, yeah, the still open questions that many of the 08:44.960 --> 08:50.960 participants of this survey still have. And that we are, yeah, it's obviously that they need to be 08:50.960 --> 08:58.000 addressed. And this will mostly happen in guidance. And this is also something which we are going 08:58.000 --> 09:03.600 to look on in the next weeks and months. And based on this survey. 09:04.160 --> 09:10.960 Okay, before we dive into the questions and the answers we got there, just very quickly, 09:10.960 --> 09:17.920 very surprised by the amount of answers we got that were obviously there's some needs to be 09:17.920 --> 09:24.000 some knowledge about the CRA and there's some expert knowledge then there as well. Very surprised 09:24.000 --> 09:31.040 by the quality and the quantity or what, how, what was your feeling there? Yeah, both both, 09:31.600 --> 09:39.680 so it's like, as we asked for quality, basically, I didn't expect it to get that many high quality 09:39.680 --> 09:47.040 answers. And that's basically what we can see as at 345 answers, we had ultimately six questionnaires 09:47.920 --> 09:54.160 in German, as well as in English, basically three questionnaires then that have been translated, 09:54.160 --> 10:00.480 one for the manufacturers, one for the stewards, and one for the project to get a better understanding, 10:00.480 --> 10:06.560 first of all, where market participants see themselves. So if they are more or less like, 10:07.040 --> 10:14.960 yeah, understanding in which role they will end up with and or which role they might think of 10:14.960 --> 10:20.160 that they might end up with. And then as said, in particular, the three fields helped a lot 10:20.160 --> 10:27.280 for us to better understand the arguments, but also the reasoning of thinking of people 10:27.280 --> 10:32.400 why they do believe that they have a certain role or why do they believe they don't have 10:34.880 --> 10:42.000 Okay, then let's dive into this or I will take a first project. What was your key findings 10:42.000 --> 10:46.080 for the projects and what was so amazing there and what really stuck out to you? 10:47.280 --> 10:52.480 I mean, for the project and this is pretty much I think we can combine it with the stewards 10:52.480 --> 11:00.640 already together is that most of them still don't fully understand if they are in scope or not 11:00.640 --> 11:07.760 and if they are in scope which role precisely they will have and then what they have to do 11:07.760 --> 11:16.000 as in Italy. So we can see that many many answers we're going into the direction that like if 11:16.000 --> 11:22.160 we are covered somehow by the cyber resilience act. So if we for example, in this steward role, 11:22.800 --> 11:28.000 then projects want to be the stewards for their own project. So that's something which is very 11:28.000 --> 11:34.160 important to learn. So they do not want to have external stakeholders players around that do 11:34.160 --> 11:41.360 fulfill the steward roles for them. So if they are covered by the CIA in which role and in which 11:42.000 --> 11:47.840 doesn't matter too much then they all said more or less that they want to be the stewards for their 11:47.840 --> 11:55.920 own project. However, they all still struggle in order to better understand to which extent they 11:55.920 --> 12:03.360 are covered and also what the applications they have to fulfill. So this means many do not fully 12:03.360 --> 12:10.400 see the threshold of like how much money could be in a project in order to not be a manufacturer 12:10.400 --> 12:16.960 or in order to be for example fully out of the cyber resilience act. And this is also something 12:16.960 --> 12:22.880 we addressed in our sort of statements towards the commission but also to market surveillance 12:22.880 --> 12:28.800 authorities that we need more clarity here. The idea could be for example and this is also 12:28.800 --> 12:32.720 something which we have seen in the tax and European Parliament during the legislative process. 12:33.360 --> 12:41.120 So that amount of money that keeps the service running yeah that should be basically the 12:41.120 --> 12:46.720 threshold in order to say look you are not doing this for a commercial interest so to say you are 12:46.720 --> 12:53.360 just doing this you have to keep the service running and as soon as you or as long as you are 12:53.920 --> 13:00.560 not paying basically doing this to earn money with this but just to keep the service running 13:00.640 --> 13:06.000 then you should be out or you can decide on to be in the Stuart world. The question is like for 13:06.000 --> 13:11.920 example what do we do with charities. One solution could be you say like whatever the charity 13:11.920 --> 13:17.280 earns this this project it doesn't matter they can just like move the money then into other 13:17.920 --> 13:23.680 charitable work what they are doing since like for example we have to 13:24.320 --> 13:30.000 yeah charity status in Germany which doesn't allow you basically to earn money right so you have 13:30.000 --> 13:36.720 to basically invest it then in other courses you might have but then the question is again so 13:36.720 --> 13:42.800 is this fair or can we can we be a bit more precise here also what do we do with other countries 13:42.800 --> 13:49.600 that don't have such charity laws what do we do with countries that are not even European right so 13:49.680 --> 13:54.960 how do we evaluate this and for this I think it would be very good to have some very clear rules 13:54.960 --> 14:01.120 for example I'd say it's more or less clear to say like as much money as you need in order to keep 14:01.120 --> 14:06.560 the service running is fine but as soon as you are starting yeah to commercialize it in a way 14:06.560 --> 14:14.480 right so that you have surplus then it's clearly not a Stuart project anymore but you might 14:14.480 --> 14:20.000 be a manufacturer however what we see from the responses is that there needs to be clarity 14:20.000 --> 14:27.520 so people are fearing that it's basically zero euros that you that you can have in your 14:28.240 --> 14:34.400 in your pocket then when you have a project and this will definitely not be the case however 14:34.400 --> 14:39.520 the question is how much money can you have in your case so right and here we clearly see that 14:39.520 --> 14:44.480 we need answers and I do believe the commission is already aware of this however we will also then 14:45.200 --> 14:50.480 provide the commission with our feedback on this so that we need here definitely more clarity in 14:50.480 --> 14:56.720 order like how does the money game works out so that you can have for example support contracts 14:56.720 --> 15:04.880 in order to help manufacturers to be CIA compliant without the fear of becoming a manufacturer 15:04.960 --> 15:12.560 by yourself also I do believe that many still do not fully understand the idea of a product 15:12.560 --> 15:21.040 regulation so ultimately that the idea is to regulate F product that means you have F rich 15:21.840 --> 15:29.840 which is then getting FCE label the same manufacturer can come up with another fridge which is 15:30.320 --> 15:39.040 another product so this means if you have a project and yeah your your your code base is part 15:39.040 --> 15:46.320 of a product you're only the Stuart for this one product so you're not a Stuart for your project 15:46.320 --> 15:53.120 nor for a manufacturer at its whole right so you're only the Stuart for one product that means 15:53.120 --> 15:59.520 you can be I don't know 20 times the Stuart for 20 projects towards one manufacturer 16:00.560 --> 16:06.480 but you are never basically the Stuart for your project so to say right so you're always the Stuart 16:06.480 --> 16:13.760 for a product so let's assume you have a code that ends up in a fridge and then you are the 16:13.760 --> 16:20.000 Stuart for this code in this fridge right and this is also something I do believe we have 16:20.240 --> 16:26.960 no clarity I hope that these kinds of podcasts we are doing here is helping in this direction but 16:26.960 --> 16:32.240 also I said we were giving talks on this so this is also what we are trying to explain why so it's 16:32.240 --> 16:39.040 a product regulation and every product every single product and it's going to be regulated so 16:39.040 --> 16:45.760 and it's not about your project but ultimately always the singing of a product regulation so that's 16:45.840 --> 16:52.160 also something and what we have seen in the answers and where we need maybe that's more of a 16:52.160 --> 16:58.000 communication thingy but where we need more clarity but also guidance again could help here and 16:58.000 --> 17:03.840 ultimately what we have also seen and this is also true for the manufacturers as that they basically 17:03.840 --> 17:10.480 are asking for tools so we see that project Stuart's and manufacturers alike I want to have 17:11.200 --> 17:18.080 easy check boxes so to say and best in an automated process and for this they want tools right so 17:18.080 --> 17:25.680 and this is also something I think which is a key of feedback for the the whole implementation 17:25.680 --> 17:32.160 process that we also should think about that we are talking towards a technical community 17:32.160 --> 17:39.280 right so and they want all the tech solutions to fix the problem and to come up with workflows 17:39.280 --> 17:43.360 right so and this is also something which we should keep in mind so that we don't come up with 17:43.360 --> 17:53.040 paperwork too much but that we also think of tools this is a short break for our own cause thank 17:53.040 --> 17:58.240 you for listening to the software freedom podcast working for software freedom and producing 17:58.240 --> 18:06.000 podcasts costs money please consider supporting us with a donation on the fsfe.org slash donate 18:06.080 --> 18:14.800 and then the show notes okay I've had this very fascinating especially since there's this 18:15.600 --> 18:22.160 dismissing clarity but you also mentioned there's a fear of becoming manufacturers I think this 18:22.160 --> 18:28.240 is also related a bit to the clarity part right because there is uncertainty about what does 18:28.240 --> 18:35.360 all would mean exactly so people fear a lot so that as soon as there is somehow money involved 18:35.440 --> 18:39.760 then they they end up as a manufacturer so assuming you have a project and then the 18:39.760 --> 18:44.160 manufacturer drops by telling you all you have to fulfill these and these and these applications 18:45.280 --> 18:50.080 the project is saying nah no we don't want we don't have the resources to do so then the 18:50.080 --> 18:55.680 manufacturer say oh I understand I'm going to support you and for this I'm going to pay you money 18:55.680 --> 18:59.920 and then projects are fearing that as soon as they take this money they will end up in the 18:59.920 --> 19:06.640 manufacturer vote this is in particular not true however it's also addressing another problem 19:06.640 --> 19:12.000 that we see and that's the the lack of resources right so and that's also an answer we often got 19:13.040 --> 19:19.520 is that yeah project stewards fear that they will have more applications or even if it's not 19:19.520 --> 19:24.640 applications there's more work to do since they have to interact with the manufacturer right they 19:24.640 --> 19:31.760 need to prepare or provide resources basically a possibility for contact and maybe some more 19:32.400 --> 19:36.800 and for this they need resources and the question is there do these resources are going to be 19:36.800 --> 19:43.680 pulled from and the most obvious answer to this is the manufacturer should pay but the question is 19:43.680 --> 19:51.520 then if this is always working out in that way what we do hope for and what do we do if it's not 19:51.520 --> 19:57.280 going to work out and this is then basically a question so since again we also see that many 19:57.280 --> 20:02.720 projects are willing to contribute to IT security they are willing to help in the cyber resilience 20:02.720 --> 20:08.960 act but at the same time they are lacking resources we we know the funding issue of free software is 20:10.000 --> 20:15.040 it's a huge topic we also address this in another podcast episode but we also see it again here 20:15.040 --> 20:20.400 in the cyber resilience act all of these problems that we have on the one hand I'm strong manufacturers 20:20.400 --> 20:26.480 that maybe sometimes just pick the code don't contribute back in any way and on the other hand we 20:26.480 --> 20:35.360 have burned out maintainers in projects that yeah working like hell and don't get any resources 20:35.360 --> 20:40.160 focused and this is also something which we have seen a widely addressed in new responses to our 20:40.160 --> 20:46.720 questionnaire that there is a lack of resources a lack of funding and this is also something which 20:46.720 --> 20:53.360 we definitely need to address in order to make sure that not only free software projects survive 20:53.360 --> 20:59.920 but that they also get a reasonable funding and reasonable resources and here again this is 20:59.920 --> 21:05.920 something which nobody of you should fear if you are a project and again you get the resources in 21:05.920 --> 21:12.960 order to keep the service running this is definitely not the threshold of becoming a manufacturer 21:12.960 --> 21:18.240 however there will be more clarity on where the thresholds are but this is I'd say more or less 21:18.240 --> 21:24.080 for sure that this will definitely be a threshold so as soon as you get as much money in order to 21:24.080 --> 21:30.640 fulfill this road right which is given to you by the by the legislator and in order to keep your 21:30.640 --> 21:36.640 service running then you definitely won't end up in the manufacturer role however as said we need 21:36.720 --> 21:44.080 clarity here in order to say look it's bitten here you can be sure yeah and you have already 21:44.080 --> 21:51.200 mentioned that the manufacturers are also somehow involved in this whole CR-8 debate and we had 21:51.200 --> 22:01.680 actually see we had a questionnaire for them as well I'm doing a very very slow circle here two 22:01.760 --> 22:07.920 arts of manufacturers if you notice so are they what are the key findings there are they still 22:07.920 --> 22:14.960 considering to keep using free software or are they now more in fear of using free software and do 22:14.960 --> 22:20.240 they want to switch to some proprietary software but proprietary software will also be regulated by 22:20.240 --> 22:27.920 the CR-8 so what is their key findings yeah so maybe before we start with this since you address 22:27.920 --> 22:33.440 the role right so I think this is also very important to know for everyone all the applications 22:33.440 --> 22:39.920 in the cyber resilience and are with the manufacturer so and that's very important to learn and 22:39.920 --> 22:46.880 very important to know so also as a student if you should fail they're not even fines for you 22:46.880 --> 22:52.480 right so marked surveillance authority then will drop by and might guide you and help you out of 22:53.040 --> 22:59.200 this but they can't find you on the other hand manufacturers have all the applications so they 22:59.200 --> 23:04.560 must not need to make sure that their code is fine that it fulfills all the applications in the 23:04.560 --> 23:11.120 cyber resilience act and they could also be fine if it's going into a wrong direction and this 23:11.120 --> 23:17.280 is important to learn so since this means the manufacturer needs to have a relationship to 23:17.280 --> 23:24.960 the Stuart in order to say I am sure that I can fulfill the applications in the cyber resilience 23:24.960 --> 23:30.160 act meaning that for example you have the security incident and then you are able to bring the 23:30.160 --> 23:37.360 patch to the project right so and you it's it's basically impossible to do this if you don't 23:37.360 --> 23:42.400 have a relationship with the project or if you can't assure right so that the patch is handled 23:43.120 --> 23:49.440 and that it is then ultimately ending up in your product so and if you can't guarantee this 23:49.440 --> 23:56.640 then you might be fined by market's reigness authority and this then also means for manufacturers 23:56.640 --> 24:04.000 as you said there are a couple of ways in order to handle this situation so first and this would be 24:04.000 --> 24:09.360 I guess pretty much the best case and this is also what we are looking for the manufacturer is 24:09.360 --> 24:18.720 identifying the Stuart is providing the Stuart with resources in order to help the Stuart that 24:18.720 --> 24:25.200 the Stuart can help the manufacturer to fulfill the applications and then also there are workflows 24:25.200 --> 24:30.640 established that there is basically that the applications can be fulfilled there are a couple 24:30.640 --> 24:36.960 of them like notification patches handling blah blah blah let's don't go into the details but however 24:37.920 --> 24:43.440 it's all this the manufacturer so then assuming the manufacturer is not 24:43.440 --> 24:50.000 willing or capable to set up a relationship with Stuart so let's say you as a project you'll feel 24:50.000 --> 24:55.360 you don't want to work together with this specific company on this specific product for I don't 24:55.360 --> 25:02.160 know ethical reasons for example then what has the manufacturer for options right so and then he can 25:02.160 --> 25:09.200 say look I'm going to fork the project because then yeah you have basically the possibility to 25:09.200 --> 25:15.120 to to work on the code and fulfill the applications so you can basically also explain towards the 25:15.120 --> 25:22.640 market's reigness authority right so this is this I have power over the code so to say or and this 25:22.640 --> 25:30.480 is also what you already mentioned as an example you can scout for a proprietary alternative which 25:30.480 --> 25:37.040 already is a product in itself and has a CE label already and by thus you can yeah shift 25:37.040 --> 25:43.280 basically the applications towards the other supplier and you have a business to business relationship 25:43.280 --> 25:49.360 and ultimately so these are the options you will have as a manufacturer or you let the product 25:49.360 --> 25:54.880 by so that's all you just like remove this bit of the code and don't have this functionality for 25:55.680 --> 26:01.280 so these are the options as a as a manufacturer right so you have a good relationship to the 26:01.280 --> 26:08.960 Stuart best one I'd say you fork it second best one worst one is proprietary replacement or yeah 26:08.960 --> 26:16.240 you don't have the product only you pin bark at it anymore so and then and this is in particular 26:16.240 --> 26:23.600 interesting since we see this in the answers so most of the manufacturers do want to have a 26:23.600 --> 26:31.040 relationship with the Stuart and that's also I think a reasonable approach since imagine you 26:31.040 --> 26:35.920 are flocking at the project so this means you need to have the knowledge about the code you need 26:35.920 --> 26:41.200 to have the knowledge about the project and it's basically experienced people from this community 26:41.200 --> 26:46.800 in the best case that can work on this code right so I think it's not that easy to just say like 26:46.880 --> 26:55.120 so I'm just going to take I don't know Debian and now I fork it and then all is good right so I mean 26:55.120 --> 27:01.840 you also need to handle it and patches right so you need to improve the code you want innovation 27:01.840 --> 27:09.760 yari yari so it's it's not so easy to just simply fork it and then continue and take it from there 27:09.840 --> 27:17.120 so for this it's it's a pretty good idea to to to be connected to the project and basically work 27:17.120 --> 27:23.040 together with them so and this is also what most manufacturers are willing to do nearly none of them 27:24.320 --> 27:31.920 thinking about replacing this this proprietary alternatives so basically there are two ways for them 27:31.920 --> 27:38.480 the first one is and that's what they what they are trying to do is to go to the Stuart or to 27:38.480 --> 27:43.360 the project and by thus the potential Stuart trying to set up a relationship and also they are 27:43.360 --> 27:51.200 willing and to provide resources this is also interesting if you think about the fund debate but 27:51.200 --> 27:58.480 however and this is also learning if I can just site record here we also learned that projects that 27:58.480 --> 28:05.360 already do have a good relationship with manufacturers and do get resources it's still not 28:05.360 --> 28:10.320 sufficient so we should also be aware that if manufacturers say they are willing to support a 28:10.320 --> 28:15.520 project that doesn't mean that it's then fully financed it's just that they are willing to give 28:15.520 --> 28:21.360 something we don't know how much and we also don't know if the project will survive from 28:21.360 --> 28:28.720 curing market activities we see that it's rather not okay however manufacturers are up to do 28:29.680 --> 28:35.440 they are willing to work together with the Stuart that would be their first choice second choice 28:35.440 --> 28:42.240 is to fork the project and that's also I think very important to learn so we see on the one hand 28:43.120 --> 28:49.040 projects that want to be the Stuart for their own project and on the other side we see manufacturers 28:49.040 --> 28:58.000 that do not want to have a fork or that do not want to replace it but keep the project and also 28:58.080 --> 29:04.000 collaborate with the potential Stuart so we see that basically the two important entities 29:04.000 --> 29:10.720 roles in the cyber resilience act do want to collaborate so and now the question is how do we kick 29:10.720 --> 29:16.320 off this collaboration how do we make sure it doesn't harm the ecosystem and how do we make sure 29:16.880 --> 29:27.360 that those who benefit on the market also pay those who contribute so those are some of the outcomes 29:27.360 --> 29:33.840 and you already gave some yeah fewer hat of what is a hat what is lying ahead of us 29:35.440 --> 29:40.960 is there anything else you would outline now for the last question as the time is already running 29:40.960 --> 29:46.320 so fast again Alex yeah so what is important so I mean first of all what we are going to do is 29:46.320 --> 29:53.440 to take the results and put it in a report and present it towards the commission and try to make 29:53.520 --> 29:59.600 sure that all of these questions are going to be addressed in guidance or in the delegated 29:59.600 --> 30:05.360 implementing acts standardization attestation so in all of the implementing activities without 30:05.360 --> 30:10.480 going too much into details there are a couple of them so that all of these questions are going to 30:10.480 --> 30:15.440 be addressed also we have seen in the questionnaire that there are some other questions that we might 30:15.520 --> 30:24.240 need to work on spawn supply chain license issues so also in particular attestation might be a very 30:25.120 --> 30:30.320 interesting part to work on this is also something which I do believe is something we will pick up 30:31.120 --> 30:38.560 very soon and so there are there are some more questions next to the ones we just addressed here 30:38.560 --> 30:44.000 that need to be clarified maybe we come up with another survey something like this let's see how 30:44.000 --> 30:50.320 we and yeah how we how we channel through this however we will make sure in the implementation to 30:50.320 --> 30:56.960 again safeguard in particular project maintainers and I think individual developers that are 30:56.960 --> 31:02.720 something which we achieve but that we bring also clarity towards the projects and that everyone 31:02.720 --> 31:11.360 knows clearly what is going to happen and yeah if it's a good idea to become a steward or not and if so 31:12.320 --> 31:17.680 what do you need to do and what does mean for you and so on and so forth also we try to reflect 31:17.680 --> 31:24.240 the different players in the ecosystem why it's not like that there is a one fits all solutions so 31:24.240 --> 31:30.400 we will try to work with examples and guidance and to to yeah make this easily understandable 31:30.960 --> 31:37.600 yeah for you out there to channel through this so this will be our activity however it's 31:37.680 --> 31:45.600 even if discretion is closed we are still searching for input so if you feel that your project or 31:45.600 --> 31:50.480 even if you are I don't know a micro enterprise a small medium enterprise man medium enterprise 31:50.480 --> 31:57.440 depending on what you do but also here we do not want to harm micro enterprises right so all these 31:57.440 --> 32:03.280 one women armies that are out there sitting on their tiny project which then ends up in I don't 32:03.440 --> 32:09.360 know hundreds of products why this is also something we do care of if you see any problems there if 32:09.360 --> 32:15.600 you have any questions feel free to reach out to us even as the question is closed if you have feedback 32:15.600 --> 32:22.480 on this or if you have a specific problem which might be a gray area try to address this 32:23.120 --> 32:30.240 because now it's still the time to make those fixes and the more we see the more we can 32:30.240 --> 32:37.200 bring in the process in order to make sure we can safeguard as a specific project in specific gray 32:37.200 --> 32:42.560 areas this is also something which we learned during the questionnaires or I think we have seen 32:42.560 --> 32:48.880 already a lot but yeah during during the time we also had several meetings with project with 32:48.880 --> 32:56.240 foundations so on and so forth where there have been also some new niches that were unexplored for us 32:56.240 --> 33:03.440 so we can't see everything these come to us tell us about your specific issue might you might 33:03.440 --> 33:12.160 have and we will try to clarify and address this so this is also very much helping and yeah so 33:12.160 --> 33:19.120 this is also always a good idea so if you have anything that is like needs to be addressed 33:19.120 --> 33:24.000 tell us about it because then we still have the chance to address this towards markets railings 33:24.000 --> 33:31.040 authorities and the European Commission and make sure in the implementation process to bring in 33:31.040 --> 33:34.800 more clarity and this is also basically what we are now trying to do with this questionnaire 33:34.800 --> 33:42.080 right so like making this a bit more elaborated for the implementation process so that it can be 33:42.080 --> 33:48.480 addressed in the related documents all right thank you so much Alex so you will pull up there 33:48.560 --> 33:56.560 yes yes and we do and by that we will do so I guess that won't be the final episode of the 33:56.560 --> 34:03.680 server resilience aid but rather yeah as you can see more less serious so maybe we will talk about 34:03.680 --> 34:12.480 the server resilience act yeah and soon is again and yeah we will definitely keep you updated 34:12.560 --> 34:22.400 about the progress hopefully with good news then yes I do hope so as well but I am already very 34:22.400 --> 34:28.480 impressed by the numbers of answers we got and the quality as you have mentioned so yeah I find 34:28.480 --> 34:34.480 this is really fascinating and really really nice that there are so many people who care about 34:34.640 --> 34:43.920 free software and who want to keep free software safe guarded yeah and with this I'm saying goodbye 34:43.920 --> 34:49.200 thank you so much Alex for being here thank you so much for talking with us about the CRA 34:49.200 --> 34:54.240 yeah always a pleasure and yeah also for me thank you for everyone who not only listens but also 34:54.240 --> 35:01.280 then to part in the survey or share this survey so it's obvious that you helped you listeners and so 35:01.840 --> 35:11.280 thanks for this and yeah also thanks for listening and to all of our episodes yes thank you very 35:11.280 --> 35:17.520 much all right this was the software freedom podcast if you liked this episode please 35:17.520 --> 35:23.120 recommend it to your friends and rated it stay tuned for more inspiring conversations that 35:23.120 --> 35:29.920 explore the importance of software freedom and its impact on our digital lives this podcast is 35:29.920 --> 35:37.520 presented to you by the Free Software Foundation Europe and VR charity so we need your help please 35:37.520 --> 35:45.360 consider supporting us with our donation if you like our work you can do so under fsfe.org slash 35:45.360 --> 35:53.120 donate and if this is financially not possible for you you can share the podcast on social media 35:53.120 --> 36:03.840 rate it or contribute to our work as a volunteer thank you so much bye bye. 36:03.840 --> 36:22.240 yeah I'm Albert I've been volunteering for the Free Software Foundation Europe for like 13 years 36:22.240 --> 36:29.280 now something like that I do that because I think it's it's important to have also the political 36:29.360 --> 36:35.760 point because I mean yes lots of people in my environment see the technical advantages of having 36:35.760 --> 36:43.040 free licenses and being able to reuse stuff but somebody also has to think about the the the political 36:43.040 --> 36:50.800 implications of that and I do try to help out with Free Software Foundation Europe to actually be able 36:50.800 --> 36:54.480 to do anything in that area