Security Leftovers
-
LWN ☛ Open source and the Cyber Resilience Act
The European Union's Cyber Resilience Act (CRA) has caused a stir in the software-development world. Thanks to advocacy by the Eclipse Foundation, Open Source Initiative, Linux Foundation, Mozilla, and others, open-source software projects generally have minimal requirements under the CRA — but nothing to do with law is ever quite so simple. Marta Rybczyńska spoke at Linaro Connect 2025 about the impact of the CRA on the open-source ecosystem, with an emphasis on the importance of understanding a project's role under the CRA. She later participated in a panel discussion with Joakim Bech, Kate Stewart, and Mike Bursell about how the CRA would impact embedded open-source development.
Rybczyńska is not a lawyer. She's a security professional and a developer, but "we cannot leave law to the lawyers". A company in need of legal advice should go to its lawyer; for the rest of us, we have to rely on summaries from interested non-lawyers, or our own research.
The CRA has already become law, but does not come completely into force until 2027, Rybczyńska said. Some provisions start earlier than others; as of September 2026, vendors will need to report exploited vulnerabilities. "Basically everything" is affected: any software or hardware that is or can be connected to the Internet and is sold in Europe. There are specific exceptions for web sites, for products with existing regulations, and for hobby projects (including many open-source projects). Open-source stewards, organizations that guide an open-source project but don't qualify as manufacturers, also have reduced requirements.
-
Confidentiality
-
Unmitigated Risk ☛ How Let’s Encrypt Changed Everything
Traditional certificate authorities were trapped by their own organizational structure. Their business model incentivized vendor lock-in rather than ecosystem expansion and optimization. Sales teams wanted products’ proprietary APIs to make it harder for customers to switch, and were riding the wave of internet expansion. Compliance teams’ jobs depended on defending existing processes. Engineering teams were comfortable punting all compliance work to the “compliance” department. Support teams were positioned as competitive differentiators and used to entrench customers. Their goal was maximizing revenue, defending their jobs, and maintaining the status quo, not getting the web to 100% HTTPS.
Let’s Encrypt had completely different incentives and could optimize solving the larger problems without these organizational constraints. But LE’s success went beyond solving their own problems. They systematically identified every pain point in the way of getting to 100% HTTPS and built solutions that worked for everyone.
-
-
Windows TCO
-
Silicon Angle ☛ UBS confirms employee data leak after ransomware attack on supplier
The news of the breach was first reported Tuesday by Swiss media outlet Le Temps, which said that data relating to about 130,000 UBS employees had been available online for several days. The stolen information included names, email addresses, phone numbers, positions in the company, the language spoken by employees and the office and location at which the employees work.
-