Do suppliers of FOSS components like Qt LGPL, Weston/Wayland, Linux BSPs, containers and OTA update solutions have to perform no, light-touch or full CRA compliance? The answer affects how much due diligence machine and device manufacturers must exercise for these components in their CRA compliance.
The definitions for making available on the market, placing on the market, intended purpose and substantial modification are crucial for understanding the CRA. The CRA, Blue Guide and Commission guidance interpret them differently. I am trying to sort out this mess.
Many embedded Linux systems use a Wayland compositor like Weston for window management. Qt applications act as Wayland clients. Weston composes the windows of the Qt applications into a single window and displays it on a screen. I still have
Manufacturers must provide security updates during the support period plus 10 years. The length is calculated from average lifetime, component availability and other criteria. The support period starts when the product is placed on the market.
The eight requirements define how the manufacturer's process for vulnerability handling must look. They include identifying, addressing and publishing of vulnerabilities as well as timely security updates and generating an SBoM. The post gives practical examples how to do this.
Embedded systems must satisfy the 13 essential product properties like confidentiality, integrity, availability and access control. Otherwise, they violate the CRA and must not be placed on the market. The post illustrates the product properties with many practical examples.
Episode 54: Better Built By Burkhard
By default, eMMC storage comes with two boot partitions. Two partitions enable an A/B strategy for U-Boot updates. Moreover, U-Boot can automatically start from the other partition, if the first is corrupt or empty.