KYCS ‒ Know Your Code Sources (and let it be known)

How the Cyber Resilience Act is going to change FOSS forever, and what can we do about it?


At the time of submission the CRA is still in draft status, but it is relatively clear that it will impose a duty to make software safer if and when it is distributed on the market as a final product.

Part of the safety requirements is the obligation to collect, and keep available for inspection, a list of software components obtained from third parties, their provenance, and their known vulnerabilities, identified mainly through CVE scanning. Incidentally, there is also an obligation to support and provide security patches after the product is placed on the market (hint: open source rulez).

Open Source Software is not exempted per se; the current discussion is about where the final burden and responsibility for compliance, if any, lies. Whatever the outcome of that discussion, open source projects should strive to ease CRA compliance for their downstream adopters if they want to keep them. We will concentrate on how open source projects that aim to be considered in an industry supply chain (including that of the software industry) should make the supply chain's life easier, building on our experience with Eclipse Oniro and the toolchain and processes we have devised for it.