Cyber Resilience Act and why the TYPO3 Association needs your help until the end of August 2023

Authors: Matthias Bolt-Lesniak, Boris Hinzer
Info: Due to a limitation in talk.typo3.org we posted the links to the sources in the HedgeDoc.

TL;DR

The EU wants to strengthen cybersecurity by setting forth requirements for products with digital elements. The goal of the regulations, known as the Cyber Resilience Act, is to ensure more secure hardware and software products.

TYPO3 supports the EU’s goal of increasing software security, and we can’t simply expect FOSS to be excluded from the act. However, the EU proposal does not consider the special aspects of free and open-source software (FOSS).

To achieve CE marking for a product, the proposal moves liability for the security of the hardware or software to the vendor. Defining who the vendor is and mapping the liability of contributors is very hard for FOSS projects. Although the legislation includes an exemption for non-commercial activity, what constitutes commercial activity is not well-defined. It also includes a clause against unfinished software.

What happened so far

The open-source content management systems WordPress, Drupal, Joomla and TYPO3 joined forces and wrote an open letter to the EU legislators, raising their concerns and inviting them to a dialogue.

Some relevant sections of the act

Citation 10:

In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetizes other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

Citation 16:

Directive 85/374/EEC is complementary to this Regulation. That Directive sets out liability rules for defective products so that injured persons can claim compensation when damage has been caused by defective products. It establishes the principle that the manufacturer of a product is liable for damages caused by a lack of safety in their product, irrespective of fault (‘strict liability’). Where such a lack of safety consists in a lack of security updates after placing the product on the market, and this causes damage, the liability of the manufacturer could be triggered. Obligations for manufacturers that concern the provision of such security updates should be laid down in this Regulation.

Article 4.3:

Member States shall not prevent the making available of unfinished software which does not comply with this Regulation, provided that the software is only made available for a limited period required for testing purposes and that a visible sign clearly indicates that it does not comply with this Regulation and will not be available on the market for purposes other than testing.

Sources:

We need your feedback now

The open letter was well received by the EU legislators and an open discussion was started. The EU legislator asked us for constructive feedback, and we have formulated the following questions:

  1. What do you consider to be the definition of a not-for-profit FOSS product? When does it become commercial?
  2. When do you consider a TYPO3 extension or service to be commercial?
  3. What kind of processes and requirements would you think of, to establish a standardized security handling?
  4. Which of our standards and best practice recommendations could be suitable as a requirement within the legislation to achieve CE marking?
  5. How can we generalize such standards to become usable by any FOSS project?
  6. What is our definition of the TYPO3 related products’ responsibility for code contributions? How far does the responsibility reach?
  7. What is our definition of the TYPO3 products’ responsibility for dependencies? How far does the responsibility reach?
  8. Who is responsible for the warranty and liability of publicly available TYPO3 websites including or excluding third-party code (thinking of Freelancers, TYPO3 Customer, TYPO3 Agency, TYPO3 Association)?

First of all: Thanks for taking care!

In my opinion something gets commercial as soon as money is involved. So if a client orders a website from an agency or freelancer, it becomes a commercial service. The GDPR also requires users to use updates and not to use outdated software.

I really don’t know if it is possible these days to say: the vendor can’t be held liable, neither the agency nor the client. If something happens it is just bad luck?! However, as long as every party does its homework, like the client having secure passwords, the agency doing the updates, and there being no intended security issue in the core, nobody should be held liable.

It will be the same if you use any proprietary software. If there is an issue but the latest version is used, nobody will be held liable - I guess?

Answering the questions:

  1. What do you consider to be the definition of a not-for-profit FOSS product? When does it become commercial?

As soon as a contract requires someone to create a website.

  2. When do you consider a TYPO3 extension or service to be commercial?

As soon as the extension is paid for.

  3. What kind of processes and requirements would you think of, to establish a standardized security handling?

Check for the latest versions, not only of the software but also of the dependencies, like other packages and also the PHP version.

  4. Which of our standards and best practice recommendations could be suitable as a requirement within the legislation to achieve CE marking?
  • A version support matrix, for a start.
  • Something like the verified extensions, which require extensions to support TYPO3 versions.
  • A security team.
  5. How can we generalize such standards to become usable by any FOSS project?

Sorry, don’t know, besides the above (4).

  6. What is our definition of the TYPO3 related products’ responsibility for code contributions? How far does the responsibility reach?
  • Handle development to the best of our knowledge and belief.
  • Automated checks.
  7. What is our definition of the TYPO3 products’ responsibility for dependencies? How far does the responsibility reach?
  • E.g. with Composer: users must be allowed to update dependencies to a secure version.
  • Non-Composer: we need to release a new version.
  8. Who is responsible for the warranty and liability of publicly available TYPO3 websites including or excluding third-party code (thinking of Freelancers, TYPO3 Customer, TYPO3 Agency, TYPO3 Association)?
  • The Association must select a good core team and should provide features like automated tests. The Association must provide security features like possibilities to force secure passwords.
  • Agencies/freelancers for providing updates, upgrades and good configurations.

FOSS stops being not-for-profit and becomes commercial the second that it stops being freely available and starts costing something.

When a fee is charged for the product or service.

In which context? TYPO3 core, community extensions, or services provided relating to TYPO3?

Sorry, I have no idea. But I guess, based on how the EU normally operates: none of them.

Sorry, no idea. Nor do I personally believe that this is feasible or even desirable.

We ship with the GPL license. Sections 15, 16 and 17 declare the extent of responsibility.

See previous answer.

In terms of source code: core’s source code is under GPL, see sections 15, 16 and 17. Third party code: entirely depends on the license of said third-party code.

In terms of things like user data protection: whomever operates the site is liable for things like adherence to GDPR etc.

I’d be interested to see if the EU honestly thinks that they can legally impose liabilities on FOSS licensed software that has strict license terms describing the exact liability and warranty - especially in the light of how section 17 of the GPL is formulated. If a fee is leveraged, then sure: the fee recipient may be held liable (for no higher sum than what was received as a fee). But for traditional, freely available, uncurated FOSS…?


What do you consider to be the definition of a not-for-profit FOSS product? When does it become commercial?

A FOSS that is available for free and that has no paid version (also no early-access version).

When do you consider a TYPO3 extension or service to be commercial?

Once it’s directly paid for by a customer/client so that they can use it. (Being the result of paid work doesn’t count.)

What kind of processes and requirements would you think of, to establish a standardized security handling?

Allow private security reports, and have someone handle them in a timely manner. Have a security team that publishes vulnerability alerts with CVEs.

Which of our standards and best practice recommendations could be suitable as a requirement within the legislation to achieve CE marking?

Allow private security reports, and have someone handle them in a timely manner. Have a security team that publishes vulnerability alerts with CVEs.

How can we generalize such standards to become usable by any FOSS project?

Allow private security reports, and have someone handle them in a timely manner. Have a security team that publishes vulnerability alerts with CVEs.

What is our definition of the TYPO3 related products’ responsibility for code contributions? How far does the responsibility reach?

I don’t fully understand the question.

What is our definition of the TYPO3 products’ responsibility for dependencies? How far does the responsibility reach?

If we bundle dependencies (Composer dependencies only in the composer.json don’t count), we are required to update (in maintained versions of our products) them if there are security vulnerabilities.

Who is responsible for the warranty and liability of publicly available TYPO3 websites including or excluding third-party code (thinking of Freelancers, TYPO3 Customer, TYPO3 Agency, TYPO3 Association)?

The agency/freelancer needs to educate the customer that updates are necessary, and the customer needs to pay for them.

  1. What do you consider to be the definition of a not-for-profit FOSS product? When does it become commercial?

FOSS means anybody can use it, anybody may modify it, anybody may redistribute it and anybody may redistribute modified versions. The not-for-profit part means that the author/vendor of the software may not make a profit from developing the software. This implies that the author may receive money but this may not result in making a profit.
It becomes commercial as soon as a profit is made.

  2. When do you consider a TYPO3 extension or service to be commercial?

If a profit is made. I’m not sure about the legal consequences of the author hiring a third person to modify the software. Please, ask a lawyer.

  3. What kind of processes and requirements would you think of, to establish a standardized security handling?

A published procedure on where to report, which responses to expect, how things are handled, time periods for different steps and make sure there are capable people to handle the issues.

  4. Which of our standards and best practice recommendations could be suitable as a requirement within the legislation to achieve CE marking?

I have no idea if this applies to products that consist of only software and which have a GPL license. TYPO3 is more a semi-finished product which can help the website builder to create a functioning website. If it is described how the software can be used and what is promised about the functionality, then to me TYPO3 is more a tool/product that website builders use to create the final product.

  5. How can we generalize such standards to become usable by any FOSS project?

Different FOSS have a different field of use. A word processor can be used by an end user. Other software is more like a tool or semi-finished product to create other products. In the second case one could argue that the creator of the website is responsible for issues with his product.

  6. What is our definition of the TYPO3 related products’ responsibility for code contributions? How far does the responsibility reach?

To what extent is a baker responsible for issues with products he uses to create bread? Or is the maker of the yeast responsible? Or the builder of the factory where the yeast is produced? Or the…

  7. What is our definition of the TYPO3 products’ responsibility for dependencies? How far does the responsibility reach?

As far as I know the seller is responsible for the entire product. In the case of TYPO3, it was “our” decision to use a dependency and not write our own equivalent.

  8. Who is responsible for the warranty and liability of publicly available TYPO3 websites including or excluding third-party code (thinking of Freelancers, TYPO3 Customer, TYPO3 Agency, TYPO3 Association)?

The owner of the website (they decided to make the website publicly available).