Comment by sunshine-o

10 hours ago

Yes, so the problem is that this is not about a random f-up: the CRA is full of buzzword concepts like "Cyber security by design", "Cyber security by default", "according to risks", which will be evaluated by the courts if you end up there.

Every piece of software you provide has to be secure, and if it is not, you are liable for damages. So this is not just a random f-up, and we know how hard security really is in practice.

I also know that when you are a software provider, most vulnerabilities and risks are usually requested/created by the client, who usually exercises pressure on you (especially if you are a small actor). It is often done in a sneaky manner, putting the provider in an impossible situation. You will need to document this as best you can, because now you are liable big time.

EDIT: What I mean is, I understand they did that to force big manufacturers of IoT devices to care more about security. But if you are a small provider setting up some customized software, you now fall under the same rules.

Open source software is unsecure. It's neither secure nor insecure. Securing something means implementing policies like SSO and ACLs. That's not open source's job. Open source gives you a tool, and it's your responsibility to secure the thing. It's not the responsibility of open source developers. It can't be. What they strive to do is not ship something that's known to be insecure.

So, in other words, if you provide someone software and it sets their business on fire, you're liable to repay the value of the business you set on fire. Yes, this is how all business relations work. If I sell someone a mango that sets their business on fire, I'm liable for that too. Not unique to software. No difference whether it's a mango full of genetically modified bacteria that spontaneously combust after a certain time passes, or a server that sends network signals to turn the heating up to 1000 degrees. And in both cases the solution is: don't do that.

So I want to know what specific risks you're worried about that are not present in literally 100% of business interactions. Or do you expect software to be exempt from the general principles of liability?