Hi maintainers! Hey @ktsakalozos!
In 2027, all software distributed in the EU will need to comply with the EU Cyber Resiliency Act. Even open source projects that are part of a commercial offering fall under this.
For container runtime systems, there are specific standards for compliance, created by ETSI. The first version of these standards is available for public comment here: https://labs.etsi.org/rep/stan4cra/en-304-635
There are, in my opinion, some serious issues with that standard. For example, it requires projects like Microk8s to support trusted execution environments out of the box, and requires Microk8s to constantly check the integrity of its binaries.
Commenting on these drafts is very easy; you can do it on the ETSI GitLab: https://labs.etsi.org/rep/stan4cra/en-304-635
I urge you to take a look at this standard and comment on any measures you find overbearing and not proportional. Otherwise you, and a whole bunch of other projects, will be in a world of hurt when this becomes law.