Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty

Thanks, Seth.

I can understand why a software producer would be paying careful attention to these EU-CRA obligations if they are categorized as a “manufacturer”, with the strictest obligations – including fines, or as an “open-source software steward” with a much lighter touch, but which still requires certain obligations under the EU-CRA.

There is an EU-CRA expert group working on cybersecurity. Hopefully this group will provide the clarity software developers need to comply with the EU-CRA.

https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupID=3967

A pure open-source developer seeking no compensation (a true volunteer) seems to be exempt from the EU-CRA obligations, based on my understanding. But, like you said, there is still some uncertainty regarding EU-CRA compliance expectations.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!

Risk always exists, but trust must be earned and awarded.

https://businesscyberguardian.com/

Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx

Tel: +1 978-696-1788

From: Seth Michael Larson <sethmichaellarson@xxxxxxxxx>
Sent: Thursday, December 19, 2024 11:07 AM
To: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
Cc: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty

I believe from reading the thread it's the combination of:

* Uncertainty around the who, what, and how for conforming to the CRA.

* Heavy fines and liability (max 15M Euros)

* This project is already in minimal-maintenance mode due to restricted maintainer time.

* Options for handing off the project (to a foundation? to a new maintainer? (remember the xz-utils backdoor...)) are unclear at this point for the current maintainer.

This scenario is not a rare one; I suspect that many folks are in the same situation but aren't aware of the CRA in any way yet.

Seth Larson

On Thu, Dec 19, 2024 at 9:53AM Dick Brooks <dick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Seth,

Did that party identify any specifics regarding the EU-CRA open-source expectations that they are most concerned about?

Business Cyber Guardian is seeking to understand more details about the EU-CRA; specifically, we are interested in knowing who/what is considered an “open-source software steward” and what the obligations of an open-source software steward are.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!

Risk always exists, but trust must be earned and awarded.™

https://businesscyberguardian.com/

Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx

Tel: +1 978-696-1788

From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> On Behalf Of Seth Michael Larson via open-regulatory-compliance
Sent: Thursday, December 19, 2024 10:49 AM
To: open-regulatory-compliance@xxxxxxxxxxx
Cc: Seth Michael Larson <sethmichaellarson@xxxxxxxxx>
Subject: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty

Hello all, hope you are doing well.

Jarek Potiuk from Airflow shared this example with me: a case where an open source maintainer is planning to completely remove their project from PyPI due to the CRA uncertainty and obligations. I think this shows how important having a factual, up-to-date, TLDR-style blog post about the current state of affairs would be from our group, especially for open source projects under foundations and those maintained by individuals.

Seth Larson

