There are cases where open source software, components, and artefacts are very clearly mature from both technological and cyber-resilient perspectives, and then should provide attestations, reports, etc. I didn't mean to suggest that OSS as a whole should adopt the "beta hack" I just proposed. It was more intended for those who don't know where they lie on the spectrum (and don't care).
I expect the issue introduced to us in this thread (the croniter github project) to be indicative of a nascent cottage industry of bike-shedded solutioning, as can be inferred from this comment:
https://github.com/kiorky/croniter/issues/144#issuecomment-2556304691

> This project is an open-source initiative and is provided "as-is" without any warranties or guarantees.
> It does not comply with the EU Cyber Resilience Act (CRA) or any specific regulatory requirements.
> If you are using this project in a commercial product or a context where CRA compliance is required, we strongly advise against including it without conducting your own security assessments and ensuring compliance independently.
> The maintainers accept no responsibility for regulatory or legal obligations arising from its use.
I know the CRA and the PLD were intended to protect the most vulnerable, but when I speak to stakeholders in the various OSS and Manufacturer communities where I am active, I see suffering, sadness, and frankly quite a bit of shock. We need to provide solid guidance and if one of the things we can offer our colleagues who are sad is a hack - well, then I think we should at least consider it when we formulate our handbook.
Cheers,
Daniel