I was just looking at “Cyber Essentials”, a UK government backed certification scheme that certifies that we’ve taken sensible precautions against the most common attacks:
https://iasme.co.uk/cyber-essentials/
They define “Licensed and supported software” as:
Licensed and supported software is software that you have a legal right to use and that a vendor has committed to support by providing regular vulnerability fixes. The vendor must provide the future date when they will stop providing these. (Note that the vendor doesn’t need to have created the software originally, but they must be able to modify the original software to create fixes)
and then requires that all software on any device that we own is “Licensed and Supported”:
You must make sure that all software in scope is kept up to date. All software on in-scope devices must:
• be licensed and supported
• be removed from devices when it becomes unsupported, or removed from scope by using a defined sub-set that prevents all traffic to or from the internet
• have automatic updates enabled where possible
• be updated, including vulnerability fixes, within 14 days* of release, where:
  o the update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’
  o the update addresses vulnerabilities with a CVSS v3 base score of 7 or above
  o there are no details of the level of vulnerabilities that the update fixes provided by the vendor
I’d seen discussions over on Mastodon that had kind of indicated that any scheme that makes using open-source software completely impossible is basically kind of a shit scheme, but I hadn’t read the documents myself until now.
Just posting here for the sanity check that I’m reading it right. There is no way of using Syncthing that’s compatible with Cyber Essentials Certification, is there?