Re: [open-regulatory-compliance] ORC Charter
On 12/14/2024 7:03 AM, Tobie Langel wrote:
Hi Scott,
Thanks for taking the time to email us.
The omission of committer members is an accident that was
recently noticed and that is currently being fixed.
Glad to hear.
The replacement of Steward Members by Foundation Members was
done on purpose to avoid creating the impression of a 1:1
mapping between member classes and the description of
certain roles in the Cyber Resilience Act. "Open Source
Steward" is a role that both a foundation and a for-profit
can take on.
Yes I understand that. But one complication I'm concerned
about: in the real Eclipse project world, we are talking about
diverse/dynamic project teams (some corp and some not with members
that come and go). This does not match well...IMHO...with the
current hierarchical governance structure of EF/PMC -> Working
groups -> EF projects -> (typically one person) project lead
-> project team committers, etc. For example, currently,
Foundation personnel, Working Groups reps, PMC contribute very
little/nothing to the actual technical/project work of many
relevant projects.
Has anyone done any thinking about this wrt the CRA application
of 'stewardship' to Eclipse projects?
It's even possible for an organization to be both the
manufacturer of a project and the steward of another. That
would be super confusing for member classes.
Sure. IMHO that suggests that for some kinds of project-level
'stewardship', it would make sense to have multiple stewards
and/or independent stewards...that are not from the same corp (or
even the same non-profit). Project diversity was one of the
founding principles for Eclipse projects and seems to me important
to maintain as security regulatory compliance is figured out.
Hope this helps address the concerns you've raised.
Please let us know if it doesn't.
It does at this point, thank you. As stated above, I think
there are further questions about how compliance will actually
happen/be implemented in the relevant Eclipse projects. I
request that these questions be discussed openly and publicly on
forums like this.
Scott
---
Tobie Langel
Senior Technical Lead, ORC WG
Principal, UnlockOpen