How the EU’s Cyber Act Burdens Lone Open Source Developers


What’s to come of open source software under the requirements that arrive with the Cyber Resilience Act (CRA), now in deliberation within the European Union? At the Open Source Summit in Europe, we sat down with Christopher “Crob” Robinson, Chief Security Architect at the Open Source Security Foundation, to discuss the CRA’s implications.

Think of it in terms of software development. It often starts with a developer who has a problem with a particular piece of software. They realize that other developers might have similar problems. They write a utility or a framework to address the issue. And yay, they gain recognition. Then the open source utility, for example, gets noticed by car companies, turbine manufacturers, you name it. They install it.

“I’ve read that between 80% and 97% of commercial offerings contain substantial amounts of open source software,” Robinson said in our interview from the conference in Amsterdam.

However, the developer is often left to maintain the project alone while it gains momentum and popularity. In the meantime, the developer has built a project with numerous dependencies; Robinson said an open source project has, on average, around 160. And this maintainer is still working all alone.

Daniel Stenberg, who runs the Curl project, spoke at the Open Source Summit and joked that he might get some time to build out features, but the rest of the job is managing the overall project. Stenberg showed a slide to illustrate the work he has to do.

Now, most open source developers have no idea how people use their software. However, companies that use open source software have strict requirements regarding issues such as vulnerability reporting.

“So what Daniel noted in his keynote is the constant pressure and requests and demands from downstream that he has no relationship to,” Robinson said. “He showcased letters from commercial lawyers, or different governmental agencies, demanding that he give them their Software Bill of Materials (SBOM), give me your SBOM. Give me your market surveillance conformity assessment. And that’s not necessarily the role of those engineers upstream.”

These companies, with their extensive use of open source software, sell to customers across different geopolitical regions. The United States, the European Union, China, India: they all institute laws to protect their citizenry. Over the past few years, the European Union has worked on the CRA, focusing on protecting its citizens from cybersecurity incidents. They want to ensure their citizens don’t get attacked due to serious vulnerabilities, such as Log4Shell or the XZ Utils backdoor.

The CRA goes into effect next October. For a commercial enterprise, there are some fairly burdensome requirements, as well as significant consequences, such as fines and penalties on the order of billions of euros if they’re found negligent or harm customers within the EU.

What does that mean for software vendors and for foundations? Learn more in this episode of The New Stack Agents.

The post How the EU’s Cyber Act Burdens Lone Open Source Developers appeared first on The New Stack.