The most promising direction, in my opinion, is to switch from Closed to Open Source, wherever possible. For this reason, I have joined this working group, and I am currently preparing a presentation on Qubes for our next session, showing that Qubes can be used as a valuable Open Source tool for a migration from a closed Windows environment into the Open Source world. In the Qubes Forum, I already posted a short paper that I wrote for this working group, describing what Qubes is and how it can be used to get away from the lock-ins.
In this context, two questions have come up already. One is whether and how the Qubes team would be interested in cooperating with this working group, which might be profitable for both sides. The other question came from the consideration that Qubes shows a degree of resilience that currently cannot be found in most / any other desktop systems. The EU has now created a "Cyber Resilience Act (CRA)", which intends to ensure a certain level of quality for IT products, and currently there are investigations into how this can be applied to Open Source products. If this is done well, Qubes might qualify for a CRA certification, which could help to get more organizations to use Qubes.
In this context, I got the following letter from another member of the working group. I am asking if you are interested in this activity and could perhaps help with the enclosed questionnaire. Here is the letter; I will gladly pass your input on to the working group.
Dear Gerhard,
today, I am contacting you to please forward the following questions to the
developers of Qubes OS, which I think will be in the scope of the coming
EU Cyber Resilience Act. Response in due time will be highly appreciated.
I am contributing to this project with BSI and will be happy to answer
any question about this initiative.
Many thanks for your support and best regards,
Peter
---------------------------------------
Subject: CRA questionnaire - Your input is needed to enrich the debate
As part of the German BSI "Dialog für Cybersicherheit", the Free
Software Foundation Europe (FSFE) proposed a workstream on the role of
Cyber Resilience Act (CRA) for Open Source that is now being implemented
[1]. In this workstream, we will work on clarifying open questions
regarding CRA implementation together with stakeholders from the Free
Software community, also known as Open-Source community. For this, we
kindly ask for your input.
We will be looking at how Open-Source manufacturers and stewards come
together, what their cooperation can and should look like, and what
requirements arise in the process. The CRA leaves us at this point with
some uncertainties we would like to see clarified.
We would like to encourage you to join in and help us with your personal
experience in the Open-Source World. With your input, we want to
identify pain points and work to derive clarifications to eventually
improve our understanding and help the Open-Source community with CRA
compliance.
We will first work on a questionnaire aimed at future stewards and
manufacturers to ask for their views on CRA implementation and
collaboration. Answers to the questionnaire will be assessed by the
workstream participants and will be published anonymously.
Since our workstream efforts are bound to a schedule, we highly
appreciate your answer before 2025-02-10 so that we can assess all
incoming comments and suggestions on a fair basis.
**A few thoughts and organizational considerations:**
* It is not about quantity but quality; we want to talk to experts as much as possible.
* It is about realistic assessments: we do not need maximum demands but real, pragmatic proposals and assessments. With the funding question in particular, we need realistic estimates of the expected costs and requirements.
* Our aim is for stewards and manufacturers to cooperate and work well together. We do not want to divide, we want to bring together.
* We are particularly interested in cases from the gray area and less in those where everything is clear.
* We want to enrich the debate with our results, sharing it with relevant decision makers and stakeholders.
**You can help us with this:**
1) Do you have any questions that should be included in this questionnaire, that concern you and that we should investigate?
2) To whom do you think we should send the questionnaire? Both individuals and organisations can be proposed.
3) Do you have experience, ideas or fears with how future stewards collaborate with manufacturers? We’d also like to speak directly with those responsible. If you have ideas or examples, concise ones are preferred.
4) If you have specific suggestions and ideas, these are of course always welcome.
[1] https://www.dialog-cybersicherheit.de/workstreams/ (in German)
---------------------------------------