The Open Source Community is Building Cybersecurity Processes for CRA Compliance
tl;dr – Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation are jointly announcing our intention to collaborate on the establishment of common specifications for secure software development based on existing open source best practices.
In an effort to meet the real challenges of cybersecurity in the open source ecosystem, and to demonstrate full cooperation with, and to support the implementation of, the European Union’s Cyber Resilience Act (CRA), Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation are announcing an initiative to establish common specifications for secure software development based on open source best practices.
This collaborative effort will be hosted at the Brussels-based Eclipse Foundation AISBL under the auspices of the Eclipse Foundation Specification Process and a new working group. As Europe’s largest open source foundation, which also supports a robust open specification process, the Eclipse Foundation is a natural home for this effort. Other code-hosting open source foundations, SMEs, industry players, and researchers are invited to join in as well. The starting point for this highly technical standardisation effort will be today’s existing security policies and procedures of the respective open source foundations, and similar documents describing best practices. The governance of the working group will follow the Eclipse Foundation’s usual member-led model but will be augmented by explicit representation from the open source community to ensure diversity and balance in decision-making. The deliverables will consist of one or more process specifications made available under a liberal specification copyright licence and a royalty-free patent licence.
The reasons for this collaboration extend beyond compliance. In an era where software, particularly open source software, plays an increasingly vital role in modern society, the need for reliability, safety, and security has steadily increased. New regulations, exemplified by the impending CRA, underscore the urgency for secure by design and robust supply chain security standards well before the new regulation comes into force in 2027.
While open source communities and foundations generally adhere to and have historically established industry best practices around security, their approaches often lack alignment and comprehensive documentation. The open source community and the broader software industry now share a common challenge: legislation has introduced an urgent need for cybersecurity process standards.
The CRA will lead to numerous standards requests from the Commission to the European Standards Organisations. And these are only the European requirements – additional demands from the US and other regions can be anticipated.
The CRA also creates a new type of economic actor – the “Open Source Software Steward”. It is in this context that we, as open source foundations, want to respond to the challenge of establishing common specifications for secure software development.
This challenge is compounded by the following:
- Today’s global software infrastructure is over 80% open source. The software stack that underpins any product with digital elements is typically built using open source software. As a result, it is fair to say that when we discuss the “software supply chain,” we are primarily, but not exclusively, referring to open source.
- Traditional standards organisations have had limited interactions with open source communities and the broader software/IT industry. To make matters more complicated, their governance models currently do not provide opportunities for open source communities to engage.
- Open source communities have a limited history of dealing with traditional standards organisations. To make matters more complicated, their resource constraints make it difficult for them to engage.
- Standards setting is typically a long process, and time is of the essence.
So while these new cybersecurity standards must be developed with the requirements of open source development processes and communities in mind, there is no clear path on how to do so in the time available. It is also important to note that it is similarly necessary that these standards be developed in a manner that also includes the requirements of proprietary software development, large enterprises, vertical industries, and small and medium enterprises.
Despite these challenges, a foundation for progress exists. The leading open source communities and foundations have for years developed and practised secure software development processes. These are processes that have often defined or set industry best practices around things such as coordinated disclosure, peer review, and release processes. These processes have been documented by each of these communities, albeit sometimes using different terminology and approaches. We hypothesise that the cybersecurity process technical documentation that already exists amongst the open source communities can provide a useful starting point for developing the cybersecurity processes required for regulatory compliance.
We hope that our specifications could inform the formal standardisation processes of at least one of the European Standards Organisations. Given the tight time horizon for implementation of the CRA, we believe that this immediate start will provide a constructive environment to host the technical discussions necessary for the stewards, contributors, and adopters of open source to meet the requirements set forth in these new regulations.
We invite you to join our collaborative effort to create specifications for secure open source development: Contribute your ideas and participate in the magic that unfolds when open source foundations, SMEs, industry leaders, and researchers combine forces to tackle big challenges. To stay updated on this initiative, sign up for our mailing list.
Eclipse and OpenAtom: Pioneering Open Source Innovation
We’re thrilled to share that the Eclipse Foundation has signed a collaboration agreement with the OpenAtom Foundation, China’s first open source foundation. Together, we will be driving the development of Oniro, an open source project that builds upon the versatile OpenHarmony operating system. Our aim is to create a modular and globally compatible operating system platform and ecosystem, catering to a wide spectrum of smart devices.
Oniro is more than an open source project. To our knowledge, this marks the first instance of two open source foundations engaging in such detailed technical collaboration – a significant step towards cultivating a global ecosystem for open intelligent devices. The collaborative approach not only ensures a competitive landscape, but also opens doors for participation by organisations worldwide, affirming the far-reaching impact of open source on technical innovation.
OpenHarmony: A Robust Platform
OpenHarmony shines in its versatility, offering robust support for a wide array of smart devices that not only showcases scalability, but also highlights its adaptability. Designed for scalable management of distributed systems, OpenHarmony stands out as a flexible platform capable of accommodating IoT solutions of varying scale.
In recent years, OpenHarmony has made some noteworthy advancements. It’s been certified in over 200 devices and now supports more than 40 development boards. With a vibrant community of over 6,200 contributors and over 16 million lines of code, it has fostered 42 distributions and played a pivotal role in launching over 200 devices.
Oniro: Tailoring OpenHarmony for Western Markets
The goal of the Oniro Project is to elevate the OpenHarmony platform by developing a suite of Western market-focused modifications and add-ons, while preserving compatibility with the core platform. This dynamic collaboration encompasses advancements in application frameworks, system-level components, software development tools, and a toolchain ensuring adherence to regulatory compliance, intellectual property compliance, and licensing.
As per Statista’s 2023 forecast, the worldwide count of connected devices is anticipated to nearly double by 2030, reaching an impressive 29.42 billion IoT devices. Oniro is well positioned to actively participate in this expansive growth with strong execution of the 3 fundamental principles on which this project is built: seamless interoperability, modularization, and a visually appealing user interface. These principles not only embody the core mission of Oniro, but also position it as the go-to option for a broad range of applications, including consumer electronics, home appliances, industrial IoT devices, smart home devices, and multimedia devices.
Join the Innovation Journey
As OpenHarmony and Oniro join forces, exciting times are ahead. We invite you to be part of this journey, contribute your ideas, and participate in the magic that unfolds when open source organisations collaborate. Stay tuned for more updates as we collectively build a future where innovation knows no bounds!
Good News on the Cyber Resilience Act
As the title says, there is good news to share on the progress of the European Union’s proposed Cyber Resilience Act (“CRA”): the final revisions agreed to in the trilogue negotiations appear to largely exclude the open source community from its scope.
I have written (here and here) and spoken extensively about our concerns with the European Union’s proposed Cyber Resilience Act (“CRA”) in the past. As originally drafted, the CRA would have had an enormous negative impact on both the open source community and the EU’s innovation economy. In short, it would have required most open source projects (and every open source project that matters) made available in Europe to meet unrealistic regulatory requirements related to their secure software development and maintenance. OSS projects would have also been required to affix the CE Mark on their releases certifying that these regulatory requirements had been met, which additionally would have required outside audits performed for critical infrastructure projects such as operating systems. You can read the links above if you want to get a full understanding of the dire implications of the original draft of the CRA.
While the Eclipse Foundation has always shared the goals of the CRA to improve the state of security in the software industry, we have been very vocal in expressing our concerns with how unrealistic requirements could damage the open source community and Europe’s innovation economy. We have been very active in raising community awareness of the issues over the past year. For example, we helped facilitate two open letters co-signed with many of our peer organizations detailing the issues (here and here).
But we also invested a great deal of time and energy in constructively engaging with policymakers by providing explanations of the functioning of our ecosystems and technologies. The European Commission, the European Parliament, the Council through the Spanish Presidency, as well as numerous policy makers at the national level have all been open to our contributions and recognise our efforts to protect European open innovation. I would like to thank my colleagues Gesine Freund, Enzo Ribagnac, Mikaël Barbero, and Gaël Blondelle for their many contributions to this process.
We were not alone in these efforts. An assuredly incomplete list of other open source organizations that contributed to raising awareness includes: Apache Software Foundation, Internet Society, Free Software Foundation Europe, Linux Foundation, Mozilla Foundation, NLNet Labs, Open Source Initiative, Python Software Foundation, The Document Foundation, and many others. OpenForum Europe played a pivotal role in facilitating communication between these groups, and Ciarán O’Riordan at the OFE deserves recognition for his yeoman’s effort in coordinating the community’s input throughout the discussions on the CRA.
On December 1st it was announced that the EU co-legislators had reached political agreement on the CRA. Although the final text is still being worked on, we are happy to report the open source community has been listened to. The revised legislation has vastly improved its exclusion of open source projects, communities, foundations, and their development and package distribution platforms. It also creates a new form of economic actor, the “open source steward,” which acknowledges the role played by foundations and platforms in the open source ecosystem. This is the first time this has appeared in a regulation, and it will be interesting to see how this evolves. The Eclipse Foundation will be investing a great deal of effort into helping refine this concept and its implementation to ensure it aligns with the norms of the open source community. The final revisions also extended the implementation phase to three years, which means full compliance with the CRA will likely start in early 2027. OpenForum Europe’s recent press release on the CRA is certainly worth a read for additional context.
It is important to recognize and thank the many people who were involved in achieving this significantly better outcome: both those on the side of the co-legislators who genuinely listened and made extensive improvements, and the many people from the open source community who invested their time and energy into explaining the unique requirements of the open source community.
But this journey is only beginning.
It is important to note that while the CRA has been revised to largely exclude the open source community from its scope, this legislation will still have an enormous impact on the software industry as a whole.
Open source projects will not be required to directly implement the mandated processes described in the CRA. But every commercial product made available in the EU which is built on top of those open source projects will. For the first time in the software industry’s history, it will soon have regulatory requirements for secure software development and maintenance. I predict this will put pressure on projects and communities to enhance their processes to assist in downstream commercialization.
After all, if a project is used in hundreds of products, doing the bulk of the CE Mark conformance work in the project rather than repeating the effort hundreds of times makes enormous sense. But as we all know, OSS projects at the moment simply do not have the resources to do this. It is impossible to know how all of this will play out, but an optimistic hypothesis is that once companies are required by law to meet secure software development practices they will be incented to invest in the upstream projects they rely upon. The Eclipse Foundation will be working hard to ensure that we evolve to support the needs of our committers, projects, and members in order to support the implementation of these new regulatory requirements. We will be discussing this early in the new year.
Interesting times!
Celebrating Eclipse Theia’s Milestone: Full Compatibility with VS Code Extension API
We are thrilled to announce a landmark achievement in the evolution of Theia: full compatibility with the Visual Studio Code (VS Code) extension API, marking a significant milestone in the journey of Theia towards becoming a universally adaptable development environment.
Unleashing a World of Features with VS Code Extensions
Theia has supported hosting VS Code extensions for many years. The integration of the VS Code extension API unlocked an unprecedented array of features for Theia-based applications. This compatibility means that users can leverage the extensive ecosystem of VS Code extensions, bringing thousands of new capabilities to Theia. With the completion of a recent initiative, Theia now is fully compatible with the VS Code API allowing the vast majority of VS Code extensions to be used in any Theia-based application. Of particular note is the recent addition of support for notebook editors, a game-changer that opens Theia to new audiences, such as data scientists, who rely heavily on notebook interfaces for languages like Python.
A Symphony of Collaboration
This achievement is not just a technical milestone; it is a testament to the power of collaborative open-source development. The original VS Code API compatibility implementation was contributed by Red Hat. The journey to full compatibility, initiated by STMicroelectronics and crafted through the concerted efforts of EclipseSource, Ericsson, Typefox, and other contributors, has been one of shared vision and united effort. STMicroelectronics and EclipseSource played a pivotal role in establishing an open, structured process for regular API comparison and issue tracking. This approach facilitated a broad-based contribution, allowing various organizations to contribute effectively to the project.
Empowering the Developer Community
The compatibility with the VS Code API multiplies Theia’s effectiveness as a development platform. For developers, this means access to the latest and most advanced tools available in the VS Code ecosystem, significantly enhancing both the adopter and user experience with Theia.
Overcoming Challenges through Open Source Collaboration
The journey to this point wasn’t without challenges. Initially, contributions were focused only on specific missing API features needed for particular extensions used by contributors. However, the structured process initiated by STMicroelectronics set a new direction – aiming for complete compatibility. This approach significantly simplified the distribution and parallelization of work. As a result, this process galvanized the open-source community, leading to a surge in contributions and exemplifying the true spirit of collaborative innovation.
Maintaining the Pace: The Future Roadmap
For nearly half a year, Theia has maintained full compatibility with the VS Code extension API. The commitment to this standard is unwavering. With regular scans of new VS Code API updates, contributors ensure that Theia stays in lockstep with the latest advancements, continually integrating new features and capabilities.
Join Us in this Continual Journey
As we celebrate this milestone, we also look to the future. Theia’s journey is ongoing, and the path ahead is as exciting as the accomplishments behind us. We invite the developer community, contributors, and enthusiasts to join us in this vibrant and continually evolving project. Together, we will keep pushing the boundaries of what’s possible in open-source development environments.
Let’s continue to shape the future of software development tools with Theia. Your contributions, feedback, and engagement are not just welcome – they are essential to our shared success.
Here are a couple of links to get you started in your journey with Eclipse Theia:
- Theia’s website
- Project overview page
- GitHub organization
- Project readme
- Getting started with Theia
- Contributing to Theia