Linux基金会：2025年开源网络安全最佳实践之路研究报告（英文版）

The European Union’s Cyber Resilience Act (CRA) presents a watershed moment for the open source ecosystem, imposing rigorous cybersecurity requirements on products with digital elements (PDEs) commercialized in the EU. While the regulation will not fully apply until December 2027, with certain provisions taking effect earlier, the stakes are enormous—penalties reaching €15 million or 2.5% of global annual turnover for non-compliance. The Linux Foundation’s analysis of three flagship projects—