Re: [open-regulatory-compliance] Maintainer considering removing project

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty

From: Seth Michael Larson <sethmichaellarson@xxxxxxxxx>
Date: Thu, 19 Dec 2024 10:06:33 -0600
Delivered-to: open-regulatory-compliance@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/open-regulatory-compliance/>
List-help: <mailto:open-regulatory-compliance-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/open-regulatory-compliance>, <mailto:open-regulatory-compliance-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/open-regulatory-compliance>, <mailto:open-regulatory-compliance-request@eclipse.org?subject=unsubscribe>

I believe from reading the thread it's the combination of:

* Uncertainty around the who, what, and how for conforming the CRA.

* Heavy fines and liability (max 15M Euros)

* This project is already in minimal-maintenance mode due to restricted maintainer time.

* Options for handing off the project (to a foundation? to a new maintainer? (remember the xz-utils backdoor...)) are unclear at this point for the current maintainer.

This scenario is not a rare one, I suspect that many folks are in the same situation but aren't aware of the CRA in any way yet.

Seth Larson

On Thu, Dec 19, 2024 at 9:53 AM Dick Brooks <dick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Seth,

Did that party identify any specifics regarding the EU-CRA open-source expectations that they are most concerned about?

Business Cyber Guardian is seeking to understand more details about the EU-CRA, specifically we are interested in knowing who/what is considered an “open-source software steward” and what are the obligations of an open-source software steward.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
Risk always exists, but trust must be earned and awarded.™
https://businesscyberguardian.com/
Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
Tel: +1 978-696-1788

From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> On Behalf Of Seth Michael Larson via open-regulatory-compliance
Sent: Thursday, December 19, 2024 10:49 AM
To: open-regulatory-compliance@xxxxxxxxxxx
Cc: Seth Michael Larson <sethmichaellarson@xxxxxxxxx>
Subject: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty

Hello all, hope you are doing well.

I was shared this example by Jarek Potiuk from Airflow, a case where an open source maintainer is planning to completely remove their project from PyPI due to the CRA uncertainty and obligations. I think this shows how important having a factual, up-to-date, TLDR-style blog post about the current state of affairs would be from our group, especially for open source projects under foundations and those maintained by individuals.

Seth Larson

Follow-Ups:
- Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty
  - From: Dick Brooks

References:
- [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty
  - From: Seth Michael Larson
- Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty
  - From: Dick Brooks

Prev by Date: Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty
Next by Date: Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty
Previous by thread: Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty
Next by thread: Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty
Index(es):
- Date
- Thread

Breadcrumbs