
Re: Cybersecurity Risk Assessment Request from Emerson for apt



On Mon, Aug 11, 2025 at 10:27:13AM +0000, KATARE, SAURABH [EMR/MSOL/PUNE] wrote:
> Hello,
> 
> 
> 
> I hope this message finds you well.
> 
> 
> 
> As part of our ongoing efforts to comply with the EU Cyber Resilience Act (CRA), we are currently conducting a cybersecurity risk assessment of third-party software vendors whose products or components are integrated into our systems.
> 
> To support this initiative, we kindly request your input on the following questions related to your software product "apt" with version 1.2.31. Please provide your responses directly in the table below and do reply to all added in this email.
> 
> 
> 
> Additional Information:
> 
>   *   Purpose: This security assessment is part of our due diligence and regulatory compliance obligations under the EU CRA.
>   *   Confidentiality: All information shared will be treated as confidential and used solely for the purpose of this assessment.
>   *   Contact: Should you have any questions or need further clarification, please feel free to reach out by replying directly to this email.
> 
> 
> 
> We kindly request your response by Monday, August 25, 2025, to ensure timely completion of our assessment process. Thank you for your cooperation and continued partnership in maintaining a secure and resilient digital environment.

If you need a supported version of APT, please get your APT
from a supplier you have signed a support contract with.

The 1.2.31 release you are referring to is outdated. A security
update and further bug fix releases have been released. Further
security updates can be received by subscribing to Ubuntu Pro,
or entering into a support contract with another supplier who
will backport patches from newer releases for you.

APT itself, as opposed to APT supplied via the means of a commercial
entity as part of a commercial operation, is not a commercial project
and not subject to the CRA.

Please don't spam open source projects with ridiculous nonsense
like this. This is not how the CRA works.
-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

