by roenxi 841 days ago
My first thought on reading "cybersecurity regulations" was whether this was going to be the EU at the root cause again. The legislation mentioned in the article seems to be 2x EU instruments.

The problem here seems to be fear over how EU legislators and judges will interpret CVEs more than anything the kernel is doing. Looks like a complex and legally risky situation; good luck to the EU devs, hope it stays as a theoretical concern. I imagine common sense will prevail and the law will be interpreted the sensible way.


One possible solution is for people in the EU to set up their own triaging system to triage Linux CVEs (and other CVEs, and maybe other sources of info) in line with EU law. There should be enough people affected willing to find something like this.

I am not clear on how the law affects people outside the EU whose software is distributed in the EU (including open source software that is not covered by the exemptions).

>I imagine common sense will prevail and the law will be interpreted the sensible way.

I hope it will, but I would hate to be in the position of having to depend on that.

Largely my thought as well. Not having a kernel CNA would be far more problematic than the approach outlined for the Kernel CNA team.

Also, if interpreted correctly, it should help mitigate legal risks for EU companies that rely on Linux and update regularly.