| Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty |
Thanks, Seth. I can understand why a software producer would be paying careful attending to these EU-CRA obligations if they are categorized as a “manufacturer”, with the strictest obligations – including fines, or as an “open-source software steward” wit ha much lighter touch, but still requires certain obligations under the EU-CRA. There is an EU-CRA expert group working on cybersecurity. Hopefully this group will provide the clarity software developers need to comply with the EU-CRA. A pure open-source developer seeking no compensation (a true volunteer) seems to be exempt from the EU-CRA obligations, based on my understanding. But, like you said, there is still come uncertainty regarding EU-CRA compliance expectations. Thanks, Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership Never trust software, always verify and report! ™ Risk always exists, but trust must be earned and awarded.™ https://businesscyberguardian.com/ Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx Tel: +1 978-696-1788 From: Seth Michael Larson <sethmichaellarson@xxxxxxxxx> I believe from reading the thread it's the combination of: * Uncertainty around the who, what, and how for conforming the CRA. * Heavy fines and liability (max 15M Euros) * This project is already in minimal-maintenance mode due to restricted maintainer time. * Options for handing off the project (to a foundation? to a new maintainer? (remember the xz-utils backdoor...)) are unclear at this point for the current maintainer. This scenario is not a rare one, I suspect that many folks are in the same situation but aren't aware of the CRA in any way yet. Seth Larson On Thu, Dec 19, 2024 at 9:53 AM Dick Brooks <dick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
|
