CRA Stewardship in the Ansible project

The CRA, the EU Cyber Resilience Act, has stirred a lot of discussion in open source communities. Will my project still be usable in the EU? What are my responsibilities as a developer of open source software? My software is shipped with commercial software; does that make me a manufacturer? The open source community is dealing with a lot of confusion and queries relating to the EU Cyber Resilience Act. I am no different, especially with the deadline coming in the next few months.

Red Hat has formally identified with the role of Open Source Steward for the Ansible project. We, at the Ansible community, divided the compliance journey into the following 4 phases:

  • Gap analysis
  • Implementation
  • Communication
  • Plan the next phase

Gap analysis

Finding out:

  • What does the law say?
  • What are the requirements to be CRA compliant (for the role of steward)?
  • What does it mean for the Ansible project to be CRA steward compliant?
  • What are the gaps in the Ansible project under the CRA?

Implementation

The next phase for Ansible is implementation.
The CRA should be viewed through the lens of security: an opportunity to make the project secure by default rather than as an afterthought. With this intent, earlier this year I posted in the Ansible Forum.

As part of this work (as a member of the Ansible community and the PE engineering team at Red Hat), we filed the following PRs to be reviewed by the community:

  1. vulnerability management policy PR
  2. security best practices PR
  3. security policy PR

In the coming weeks and months you will read more on this topic from me.
