Paul Barker
Paul Barker is the Ecosystem Engineering and Operations Lead at the Yocto Project, a Linux Foundation project. He has been working in Open Source and Embedded Linux for over a decade, with experience supporting clients in the automotive, industrial, and telecommunications sectors. Paul has contributed to several open source projects including the Linux kernel, U-Boot, and Yocto Project. He has presented at FOSDEM, Embedded Linux Conference Europe, Linaro Connect, and multiple Yocto Project summits.
Session
The EU Cyber Resilience Act introduces new obligations across the software supply chain, for both manufacturers and for the new category of open source stewards. We've been thinking about what this means for the Yocto Project - what are our obligations? And what can we do to help our users meet their obligations as manufacturers?
For manufacturers, the CRA requires that products be delivered without known exploitable vulnerabilities, that software components and their vulnerabilities be tracked, that actively exploited vulnerabilities be reported to the relevant Computer Security Incident Response Teams (CSIRTs), and that security updates be provided for the useful lifetime of the product. Today, the Yocto Project already provides a repeatable, reproducible build process and tooling that help manufacturers meet these requirements: a build knows exactly which component versions went into an image, so it can emit an SBOM and a CVE report for that image. With further development, we could make it easier to reach the required level of security and vulnerability tracking.
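As an added illustration (not from the talk abstract or the Yocto Project's own documentation) of the existing tooling referred to above, the following configuration fragment assumes a current Yocto Project release and enables the two stock classes that cover the CRA's component-tracking and vulnerability-tracking requirements: create-spdx, which writes an SPDX SBOM for every recipe and image, and cve-check, which matches each recipe's name and version against the NVD data and reports patched, unpatched and ignored CVEs per image.

```bitbake
# conf/local.conf  (added example; assumes a recent Yocto Project release)

# Generate an SPDX SBOM for each recipe and for each image, so the exact
# component inventory shipped in a product is recorded at build time.
INHERIT += "create-spdx"

# Run the CVE check as part of every image build. The report lists each
# package, its version and the CVE identifiers matched against NVD data,
# with a status of Patched, Unpatched or Ignored for each one.
INHERIT += "cve-check"

# Emit the CVE report as JSON in addition to the plain-text report so it
# can be consumed by downstream tooling (e.g. to fail a release pipeline
# on any Unpatched entry).
CVE_CHECK_FORMAT_JSON = "1"

# Print a warning during the build for every unpatched CVE found, so the
# result is visible in the build log and not only in the report file.
CVE_CHECK_SHOW_WARNINGS = "1"
```

Both outputs land under the build's deploy directory alongside the image artifacts. The CVE check is only as good as the mapping between recipe versions and NVD product names, so per-recipe CVE_STATUS entries (documenting why a reported CVE does not apply to a given configuration) are part of keeping the report truthful rather than noise.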
For the Yocto Project itself, the requirements on open source stewards are lighter. We will need to align the project's cybersecurity policy with the CRA and be prepared to share information with market surveillance authorities if requested.