NixCon 2025

Is NixOS ready for the CRA?
2025-09-05, Lecture Hall

The Cyber Resilience Act (CRA) is the EU's most important regulation for software in the last decade. While it makes an exception for open-source software, which covers NixOS directly, any commercial product that includes NixOS has to comply with the CRA in order to be offered in the EU.

In this talk, we give insights into the CRA’s requirements, showcase that Nix tooling with its focus on reproducibility is very well positioned for compliance, and point out the unsolved shortcomings. We focus on the update mechanism, SBOM tooling (together with matching CVEs from vulnerability mechanisms), and support durations.

Lukas Beierlieb is a software engineer at Cyberus Technology and a PhD student at the University of Würzburg, both with a focus on virtualization technology. He does not want to imagine a world in which development systems and environments are not managed with Nix.