A few months ago, the EU finally finalized the Cyber Resilience Act (CRA), which aims to put essential security requirements on all “products with digital elements” in order to increase security for both consumers and businesses. There are special rules for free open source software so as not to burden them with compliance, but there are some light requirements on “open-source software stewards”, which is defined as
“a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products”
I’m not sure if the openHAB foundation qualifies for this, since the Eclipse license allows for commercial use, but OH is not “intended” for it.
This is not, however, the issue I wish to address. I know from this forum that there are several people who use OH for commercial purposes, and they will be considered manufacturers according to the regulation and need to comply with all the requirements. Personally, I don’t wish for them to be individually responsible for all those requirements, which for some might be overwhelming and lead to discontinuation of their business ventures.
Instead I hope that we as a community can collaborate on some of the requirements, to ease the burden on these individuals, allowing them and others to continue their businesses. I work as a cybersecurity consultant myself, and have read up on the legislation quite a bit since it affects many of our customers. There are several things I can see that we as a community could contribute to enable people to use OH in their businesses in an easy way:
- Create and publish a Software Bill of Materials (SBOM) in a standard format (SPDX or CycloneDX) for every major release. Since we are using Maven for dependencies, this should be quite straightforward to do in Jenkins or a GitHub Action.
- Create documentation on the architecture of OH, on a high level, to show how the different parts of the system interact.
- Based on the architecture diagrams, create a threat model and risk analysis, to discover both areas of improvement in OH itself, and/or serve as a manual for those who use OH on where they need to take extra care of security.
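As an added illustration of the SBOM item (this is example code, not part of the original post and not an openHAB project workflow), here is a GitHub Actions workflow that produces a CycloneDX SBOM from a Maven build with the CycloneDX Maven plugin. It assumes the repository builds with plain `mvn` on Java 17; the workflow name, artifact name and Java version are placeholders to adjust for the actual build.

```yaml
# Added example, not part of the original post or the openHAB project.
# Produces a CycloneDX SBOM (bom.json / bom.xml) for a Maven build on
# every published release, and on demand via workflow_dispatch.
# Assumptions: plain `mvn` build, Java 17; names below are placeholders.
name: sbom

on:
  release:
    types: [published]
  workflow_dispatch:

# The job only needs to read the repository; no write permissions are granted.
permissions:
  contents: read

jobs:
  cyclonedx:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          cache: maven

      # makeAggregateBom walks every module of a multi-module reactor and
      # emits one BOM for the whole build, written by default to
      # target/bom.json and target/bom.xml. For a single module the
      # makeBom goal produces a per-module BOM instead.
      - name: Generate CycloneDX SBOM
        run: >
          mvn -B -DskipTests package
          org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom

      # Publish the SBOM alongside the build so it can be attached to the
      # release and handed to downstream users or manufacturers.
      - uses: actions/upload-artifact@v4
        with:
          name: cyclonedx-sbom
          path: |
            target/bom.json
            target/bom.xml
```

Running `package` first makes inter-module dependencies resolvable before the aggregate goal runs; the resulting `bom.json` can be validated with any CycloneDX-aware tool and attached to the release assets so that people building products on OH have a starting point for their own SBOM.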
I can gladly look into #1, but would like to get some input on if this should be done for OH Core/Addons/UI etc separately, or if it should be done on the OH distro? (I could experiment a bit to see what’s viable, but if anyone can help with reasoning it is very welcome).
I have a basic grasp of #2, but will definitely need help from the people who have better knowledge of how things fit together.
#3 would be best done in a collaborative way between people who have good knowledge of different parts of OH (mainly UI and Core) and people who know security (I know that there are others besides myself who work in this area). If we could gather a few of these people (physically or virtually) that would likely be the best and hopefully interesting to all involved; I would love to be a part of this.
Hope that we can make the best of this in the interest of all current and future OH users!