As the EU Cyber Resilience Act (CRA) continues to shape the landscape of digital security, I’ve been reflecting on how this impacts open-source projects like openHAB. The CRA introduces specific requirements for manufacturers using open-source software, which could potentially affect small businesses and hobbyists relying on these platforms.
While the CRA exempts free open-source software from many compliance obligations, it does introduce light requirements for ‘open-source software stewards.’ This has me wondering: how can our community collectively address these requirements to ease the burden on individuals using openHAB commercially?
One idea that comes to mind is creating a Software Bill of Materials (SBOM) for openHAB. Given that we use Maven for dependencies, generating an SBOM in a standard format like SPDX or CycloneDX could be a straightforward process. I’d love to hear others’ thoughts on whether this should be done for core components, addons, or the entire distribution.
Another thought is documenting the architecture of openHAB and conducting a threat model analysis. This not only helps identify areas for improvement but also provides a manual for users to secure their setups. I’d be happy to contribute to these efforts, but I’d appreciate input from those with deeper knowledge of openHAB’s internals and cybersecurity best practices.
If we could gather a group of knowledgeable individuals—both from the openHAB community and cybersecurity experts—to collaborate on these tasks, it could be incredibly beneficial. Let’s make the most of this opportunity to support all current and future users of openHAB while staying compliant with evolving regulations!
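To make the SBOM idea concrete, here is an added example of what the Maven side could look like; it is not from the post above and not openHAB's own build configuration. It assumes the snippet is placed in the root (aggregator) pom of a multi-module build, and that the plugin version shown is one you have checked against Maven Central before pinning it.

```xml
<!-- Added example (not openHAB project code): pom.xml fragment that makes the
     CycloneDX Maven plugin write an SBOM during `mvn package`.
     Assumptions: root pom of a multi-module build; plugin version verified
     on Maven Central before use. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <version>2.8.0</version> <!-- assumed; pin the release you verify -->
      <executions>
        <execution>
          <id>sbom</id>
          <phase>package</phase>
          <goals>
            <!-- makeAggregateBom merges every module's resolved dependency tree
                 into one BOM; use makeBom for a single module (e.g. one add-on) -->
            <goal>makeAggregateBom</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <projectType>application</projectType>
        <schemaVersion>1.5</schemaVersion>
        <!-- write both JSON and XML so downstream tools can take either -->
        <outputFormat>all</outputFormat>
        <outputName>openhab-sbom</outputName>
        <!-- a serial number (urn:uuid) makes each generated BOM uniquely referenceable -->
        <includeBomSerialNumber>true</includeBomSerialNumber>
        <!-- test-scoped dependencies are not shipped to users, so keep them out -->
        <includeTestScope>false</includeTestScope>
        <excludeTestProject>true</excludeTestProject>
      </configuration>
    </plugin>
  </plugins>
</build>
```

After `mvn package` the BOM lands in `target/` (here `openhab-sbom.json` and `openhab-sbom.xml`); a quick sanity check is `jq '.components | length' target/openhab-sbom.json` to confirm the component list is populated rather than empty. One caveat worth keeping in mind: this only covers what Maven resolves, so anything bundled through another route (web UI packages fetched with npm, for instance) needs its own SBOM, and the two would have to be merged if the goal is one document for the whole distribution. That is also the point where the core vs. add-ons vs. full-distribution question from the post becomes a practical decision rather than a theoretical one.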