Dear Reader,
My talk Building an EU CRA Compliant Operator Terminal was accepted for the Embedded Software Engineering (ESE) Congress (1-5 December 2025 in Sindelfingen). As I must provide an abridged written version for the conference proceedings by 12 October 2025, I had the idea to do this in one newsletter.
I quickly realised that the scope for the original title would be far too big and that I should focus on the most important and most difficult part of EU CRA compliance: the risk assessment of the essential product requirements (Annex I, Part I). When I reached the 2000-word mark, it was clear that I had to split up the newsletter into three: Risk Assessment of Essential Product Requirements - Prerequisites, Process and Documentation.
Besides reading and writing about the EU CRA, I also managed to write two smaller technical posts.
- Running Wayland Clients as Non-Root Users. Far too many embedded Linux systems run Qt applications with root privileges so that a Wayland compositor like Weston can display them. This violates the cybersecurity principle of least privilege - and hence the EU Cyber Resilience Act (CRA). I'll show you how neither the Wayland compositor nor its clients (the Qt applications) need to run as root - and how to make your system a little bit more secure.
- DISTRO_FEATURES:append After DISTRO_FEATURES:remove Has No Effect. The Yocto build always executes all remove's after all append's for a variable. Hence, you can never re-append an item once you have removed it in any metadata file. It's gone forever. Fortunately, there is a trick for getting a removed item back into the variable. As so often in programming, it just takes another indirection.
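The following BitBake configuration snippet is an added illustration of the ordering problem and of one indirection that works around it; it is not taken from the linked post, whose trick may differ in detail. The file names, the parse order (local.conf is included by bitbake.conf before the distro configuration) and the helper variable DISTRO_FEATURES_REMOVE are assumptions made for this example.

```bitbake
# --- The problem (constructed example) ---
# conf/distro/mydistro.conf: the distro drops x11 for good reasons.
DISTRO_FEATURES:remove = "x11"

# conf/local.conf: a developer tries to get x11 back for a debug image.
DISTRO_FEATURES:append = " x11"
# No effect: BitBake applies every ":remove" after every ":append",
# so "x11" is stripped from the final value regardless of file order.

# --- The indirection (constructed example) ---
# conf/distro/mydistro.conf: remove the *contents of a variable* instead
# of a literal. "?=" only sets a default, so a file parsed earlier
# (local.conf) can pre-empt it.
DISTRO_FEATURES_REMOVE ?= "x11"
DISTRO_FEATURES:remove = "${DISTRO_FEATURES_REMOVE}"

# conf/local.conf: empty the removal list, and the ":remove" becomes a
# no-op. x11 stays in DISTRO_FEATURES without any ":append" at all.
DISTRO_FEATURES_REMOVE = ""
```

Check the outcome with `bitbake -e | grep '^DISTRO_FEATURES='` before and after editing local.conf; the security-relevant point is that the indirection keeps the removal visible and auditable in one variable, rather than silently re-adding a feature the distro maintainer intended to disable.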
Enjoy reading,
Burkhard 💜
Risk Assessment of Essential Product Requirements: Prerequisites
Legal Context
For the purpose of complying with [essential cybersecurity requirements set out in Part I of Annex I], manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.
EU CRA, Article 13(2) (emphasis mine)
Article 13(2) mandates a risk assessment for the essential requirements related to product properties of Annex I, Part I. Manufacturers must keep the risk assessment up to date during the whole lifetime of the product. They must implement concrete security measures that minimise cybersecurity risks and the damage they can cause. Therefore, producing lots of documents and presenting them as the risk assessment won't be enough.