
WordPress, Drupal, Joomla, and TYPO3 Challenge EU's Cyber Resilience Act

Summary

Some pretty big news from the world of open-source software. WordPress, Drupal, Joomla, and TYPO3, the big four of the FOSS CMS world, have teamed up to send an open letter to EU legislators. They're worried about the EU's Proposed Cyber Resilience Act (CRA) and how it could mess with the future of open-source platforms. They also held a public webinar/conference earlier today.

Here is a link to their open letter.

Quotes

"The letter points out that, in its current form, the proposed regulations run the risk of reducing software security and undermining the EU’s core aims and values."

"The primary contention is that the proposed CRA’s “commercial activity” definitions are unclear and problematic. The current non-commercial exemption in the proposed regulations fails to consider the intricate network of relationships underpinning FOSS and its roles in the digital economy."

My thoughts

This is a pretty big deal. Open-source software is a huge part of the digital economy, and these platforms are worried that the new regulations could put a damper on things. The fact that they're concerned about the future of platforms like WordPress, Drupal, Joomla, and TYPO3 is something we should all be paying attention to. They're calling for a chat with the legislators, which I think is a great move. Let's hope it leads to some positive changes. I am very afraid that this will lead to open source contributors leaving the platforms they are contributing to; some on Twitter are afraid this might lead to them being personally accountable.

Sources

Open Letter on the Significance of Free and Open Source Software in the EU’s Proposed Cyber Resilience Act

FOSS CMS Projects Issue an Open Letter to EU on Proposed Cyber Resilience Act


Well good they did so upfront though.

I wonder what will happen if they will be forced to comply

@leadeater Yes, WordPress has had some pretty bad security problems in the past. However, most of these problems are caused by weak defenses in place or bad plugins. Most sites get breached because of human failure. When done right WordPress is as tight and secure as its alternatives! They have also actively been on a journey to harden its security by default!

@EllieCat If they would have to comply it would mean fewer contributors and making it harder to publish this free product. This would be counterproductive for the EU as that would force people to use US-based subscription services, like Shopify, Squarespace, Wix, etc.

I haven't properly read up on the CRA beyond the general page, so take that as a disclaimer, but reading through their letter some statements sound a bit like "trust me bro"?

Quote

Our FOSS CMSs are mission-critical and exhaustively tested.

This is a double-edged sword. If it's mission critical then security is important, right? And if it is exhaustively tested to be secure, it shouldn't be too scared of tightened security regulation?

Quote

The proposed ban on releasing "unfinished software" contradicts the realities of modern software development, whether FOSS or otherwise. Early versions, like alpha and beta releases, are essential for development, innovation, and indeed security. These “pre-releases” are marked accordingly and understood in the industry as unfinished (non-final, initial) versions that need testing by our large communities of expert and professional users before being released as final software.

I understand this, but I think I disagree with the statement that releasing "unfinished software" is "modern software development" outside of it happening a lot. I also think alpha or beta should not be a complete excuse for being insecure. You don't put a car into "beta production" without seatbelts because their delivery is delayed, just so people can start using the car. Of course you can't find every security flaw immediately and some things will only show up once bulk use starts happening, but throwing known bugged or insecure software into production with a 'the community will find them' attitude, however, is not the solution either, I think. It's a difficult balance.

It doesn't immediately sound like alphas or betas are necessarily affected directly by this though? If you are an alpha package then you won't be an economic pillar package anyway, so you'll have time to slowly build out.

There will of course be a lot of nuance to this. I think asking for clarification with these kinds of far-reaching regulations is never a bad thing. I don't think they deserve a magic full exemption just because "FOSS", because while it can be great it can also be annoying. Yes, technically anyone can go and add or fix stuff, but that is hard. First you need to be familiar with the software you will add to or fix, so a relatively small number of people can properly do it, who then need to find time to do it outside of their regular jobs and life. Because it is free, there is the added burden of there being no monetary incentive to actively and preemptively hunt for bugs or vulnerabilities or to prioritise certain aspects. And if nobody wants to fix it you circle back to the "well you can try it yourself, because it's FOSS!".

Hey there @tikker, you've raised some really good points.

When it comes to the statement about the FOSS CMSs being "mission-critical and exhaustively tested," I think the concern is not about being afraid of the tightened security these regulations would bring, but rather about how these proposed regulations might be implemented and could hamper development.

The FOSS community is (mostly) all for security, but the worry is that the act, as it's currently proposed, might not take into account the complex and unique situation of open-source development projects and could unintentionally hamper it.

As for the "unfinished software" point, I understand what you mean. However, the practice of alpha and beta releases is a very common standard, not just for finding bugs, but also for getting early feedback, making improvements and of course for third-party plugin providers to cross-check their software to see if it is still compatible. (Alphas and betas are rarely actually used on active websites.)

What seems to be the case here is that the makers of this act don't understand this aspect of software development.

You're right that alpha or beta versions might not be directly affected by the CRA, but the concern is about the potential implications and how they might affect their overall development process.

I agree with you that FOSS doesn't automatically deserve any different treatment. But the letter from them seems to be more about starting a dialogue and ensuring that the regulations take into account the unique aspects. It's not about getting a free pass, but about making sure the regulations are fair and effective. It's a complex issue.

5 minutes ago, nolderoos said:

When it comes to the statement about the FOSS CMSs being "mission-critical and exhaustively tested," I think the concern is not about being afraid of the tightened security these regulations would bring, but rather about how these proposed regulations might be implemented and could hamper development.

The FOSS community is (mostly) all for security, but the worry is that the act, as it's currently proposed, might not take into account the complex and unique situation of open-source development projects and could unintentionally hamper it.

I think that "complex and unique situation" is part of the problem. Don't get me wrong, I think it's great, but at the same time it's a tug of war between a hundred people for everything they want to implement. Having some regulation might help give some focus to security aspects. Of course it should be clear on what it entails exactly.

6 minutes ago, nolderoos said:

As for the "unfinished software" point, I understand what you mean. However, the practice of alpha and beta releases is a very common standard, not just for finding bugs, but also for getting early feedback, making improvements and of course for third-party plugin providers to cross-check their software to see if it is still compatible. (Alphas and betas are rarely actually used on active websites.)

What seems to be the case here is that the makers of this act don't understand this aspect of software development.

You're right that alpha or beta versions might not be directly affected by the CRA, but the concern is about the potential implications and how they might affect their overall development process.

I wasn't arguing that alpha and beta releases aren't or shouldn't be part of the software cycle. More that those usually have specific goals, such as testing functionality, in mind and are not something to wipe (potentially crucial) missing features under. For things where a certain type of security is essential, if that were missing I'd personally consider that simply not ready for even an alpha or beta outside a definitely non-production environment. For mission critical that should go double, since there (I know this is idealistic) beta features have no place in large-scale, critical operation and should have been tested in controlled betas.

42 minutes ago, nolderoos said:

I agree with you that FOSS doesn't automatically deserve any different treatment. But the letter from them seems to be more about starting a dialogue and ensuring that the regulations take into account the unique aspects. It's not about getting a free pass, but about making sure the regulations are fair and effective. It's a complex issue.

I think it is good of them to do that. For me some aspects were just a bit too vague or avoidant sounding, but then again calm and nice words don't get attention as well, so I understand why sometimes things need to be put more strongly.

@tikker To the extent of my knowledge, the open source programs are led by the actual organization. So it wouldn’t (hopefully) be a tug of war.

I agree with the wording being a bit clickbaity. But yes, it's quite an important thing so I understand they phrase stuff like this!

On 8/3/2023 at 4:31 AM, leadeater said:

If only WordPress was actually "Cyber Resilient" and not historically completely full of security vulnerabilities 😉

This is an ad, but the entire thing is poking fun at WordPress.

19 hours ago, nolderoos said:

@leadeater Yes, WordPress has had some pretty bad security problems in the past. However, most of these problems are caused by weak defenses in place or bad plugins. Most sites get breached because of human failure. When done right WordPress is as tight and secure as its alternatives! They have also actively been on a journey to harden its security by default!

No, WordPress is a Swiss Army knife that comes only with the nail file, and you have to buy all the other parts.

It does not do anything good out of the box. It lacks any basic cache and security features. It literally has none. You roll a stock WordPress out onto a web server, and it will just fall over as its memory footprint is substantial for what little it does. And if you use all the suggested plugins, the memory footprint is hundreds of MB. To render one 50KB page.

If you are not actively engaging with your audience in your comment section, WordPress is the wrong product. Always. Without exception. When people use WordPress to operate a store or an online comic book, it's the wrong product, because now the necessary themes and plugins require external subscriptions to be updated, so now instead of one product that you have to stay on top of, you now have dozens or even hundreds of parts that need to be updated and ANY SINGLE ONE OF THOSE will bring down the site, if not the server.

Real businesses build their own CMS systems or, if they're not big enough (under 10 employees with no technical people), they outsource it to a third party who then either builds a CMS or builds it on top of Drupal/Joomla/vBulletin with a support contract to keep the thing updated, which can cost you $1000s per month to stay on top of. WordPress can quite literally be a never-ending make-work project, when better specialized products exist and cost less to support.

I'm not saying Drupal or Joomla are completely better here, but they are better than WordPress out of the box. They are also much more fiddly to set up than WordPress.

The only advantage WordPress has is that you can drop it on any host, even cheap or free ones, and it will run. It will also cost you substantially more to operate since those hosts will demand you use a VPS or a dedicated server because you have no way to audit the system resources used by WP and its themes and plugins. The last time I did this, core WP was 96MB and Jetpack adds another 64MB on top. Per page. That is without necessary stuff like Akismet to keep spam down, which costs money, and some other security plugin to detect when plugins are breaking the site.

35 minutes ago, Kisai said:

This is an ad, but the entire thing is poking fun at wordpress.

Damn that is savage and hilarious 🤣