cross-posted from: https://feddit.org/post/19584461

As long as a project is not organized as a legal or commercial entity, the CRA requires only a basic “readme” with a security contact. There is no legal risk for individual contributors simply sharing code online or in publications, even when they receive payment for writing an article, as long as the software itself is not monetized or organized.

[…] the CRA’s focus is on commercial manufacturers and distributors. That means businesses that integrate open source code into EU products must fully comply with documentation, incident response, and lifecycle management requirements. This includes publishing Software Bills Of Materials (SBOMs), patching vulnerabilities within regulated timeframes, and responding proactively to security incident reports.

[…] manufacturers must act on vulnerabilities, even if the upstream maintainer does not fix the issue. Manufacturers selecting open source code for their products must understand the code, support it, and respond to regulatory reporting requirements. This may, Kroah-Hartman observed, increase pressure on companies to use actively supported open source projects or stick closer to mainstream, well-resourced communities.

[…] it’s coming soon for companies. Manufacturers are going to care in September of next year. They’re going to start panicking in the summer of next year, and things are going to start hitting the fan.

They’ll want developers to shoulder the burden the CRA will place on them. But you don’t have to do that. It’s their problem, not yours as a programmer.

The overworked maintainers of Libxml2, ImageMagick, or contributors to such industry-wide important things as the real-time kernel patches, might enjoy reading this.

The important thing is: Change licenses to copyleft ones, such as GPLv3 or AGPL. This way, industrial manufacturers are not only obliged to patch their stuff (via the EU CRA), but also, if they sell the result in a product, to re-contribute patches. Win-win!