Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty

I believe from reading the thread it's the combination of:

* Uncertainty around the who, what, and how for conforming to the CRA.
* Heavy fines and liability (max 15M Euros)
* This project is already in minimal-maintenance mode due to restricted maintainer time.
* Options for handing off the project (to a foundation? to a new maintainer? (remember the xz-utils backdoor...)) are unclear at this point for the current maintainer.

This scenario is not a rare one; I suspect that many folks are in the same situation but aren't aware of the CRA in any way yet.

Seth Larson

On Thu, Dec 19, 2024 at 9:53 AM Dick Brooks <dick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Seth,

Did that party identify any specifics regarding the EU-CRA open-source expectations that they are most concerned about?

Business Cyber Guardian is seeking to understand more details about the EU-CRA, specifically we are interested in knowing who/what is considered an “open-source software steward” and what are the obligations of an open-source software steward.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!

Risk always exists, but trust must be earned and awarded.

https://businesscyberguardian.com/

Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx

Tel: +1 978-696-1788

From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> On Behalf Of Seth Michael Larson via open-regulatory-compliance
Sent: Thursday, December 19, 2024 10:49 AM
To: open-regulatory-compliance@xxxxxxxxxxx
Cc: Seth Michael Larson <sethmichaellarson@xxxxxxxxx>
Subject: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty

Hello all, hope you are doing well.

This example was shared with me by Jarek Potiuk from Airflow, a case where an open source maintainer is planning to completely remove their project from PyPI due to the CRA uncertainty and obligations. I think this shows how important having a factual, up-to-date, TLDR-style blog post about the current state of affairs would be from our group, especially for open source projects under foundations and those maintained by individuals.

Seth Larson
