Re: [open-regulatory-compliance] Maintainer considering removing project

[Seth Michael Larson <sethmichaellarson@xxxxxxxxx>]

Thanks all for the replies, here are some thoughts from me:

> I'd be particularly interested in a description of the minimum steps
required to transfer CRA responsibilities to a FLOSS steward, say
hypothetically the PSF or a cooperative of Python consultants.

I'm not sure the PSF or any other foundation like it is in a position to absorb all projects under, in our example, PyPI. However, we still have our eyes on lowering the bar, for example I have plans this upcoming year to make complying with the "vulnerability reporting" and "market surveillance compliance" easier for maintainers. Things like an official location for a security policy, report a vulnerability, and a process for contacting all relevant market surveillance groups (CISA, ENISA, etc) in the case of actively exploited vulnerabilities. I think these sorts of developments are much more within our resourcing. That doesn't provide the resourcing and time it takes to operate those facilities (so is still a burden on solo-and-low-maintainer projects), but at least there's more clarity about what is actually needed from folks and for external groups to not "spook" maintainers with official and legalese-sounding emails that you are now legally obligated not to ignore.

Seth Larson

On Thu, Dec 19, 2024 at 10:34 AM Dick Brooks via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

I know it is possible to transfer a GitHub repo to another party, but I'm
not sure if this act would exempt a party from lawful requirements.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership

Never trust software, always verify and report! T
Risk always exists, but trust must be earned and awarded.T
https://businesscyberguardian.com/
Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
Tel: +1 978-696-1788


-----Original Message-----
From: open-regulatory-compliance
<open-regulatory-compliance-bounces@xxxxxxxxxxx> On Behalf Of Olle E.
Johansson via open-regulatory-compliance
Sent: Thursday, December 19, 2024 11:30 AM
To: Open Regulatory Compliance Working Group
<open-regulatory-compliance@xxxxxxxxxxx>
Cc: Olle E. Johansson <oej@xxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] Maintainer considering removing
project due to CRA obligations and uncertainty



> On 19 Dec 2024, at 17:20, Maarten Aertsen via open-regulatory-compliance
<open-regulatory-compliance@xxxxxxxxxxx> wrote:
>
> On Thu Dec 19, 2024 at 17:08 CET, Federico Leva via
open-regulatory-compliance wrote:
>> I'd be particularly interested in a description of the minimum steps
>> required to transfer CRA responsibilities to a FLOSS steward, say
>> hypothetically the PSF or a cooperative of Python consultants. The
>> risks for individuals may be overstated, but it seems there's demand
>> for an "insurance" to absorb these risks, and pooling them should help.
>
> I am not at all sure if there is such a thing. If an individual meets the
criteria for Manufacturer, there is no transfer possible. If they don't meet
those criteria, they are out of scope and a transfer is unnecessary.
Surely there has to be a transfer possibility. Companies buy companies,
software changes ownership. There must be a possibility to retire here.

>
> My perspective on what's needed, is more accessible guidance from credible
sources and active outreach to get guidance to the right places. Individuals
who spend their spare time maintaining digital infrastructure should not
need to fear this law, but clearly, in some cases they do.

Agree fully.

/O
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org

_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org