Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty
I second this motion:
‘this is how you do the CRA’
That would be very useful to little guys serving as "open-source software stewards" that are trying to keep a FOSS product viable and trustworthy.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
Risk always exists, but trust must be earned and awarded.™
https://businesscyberguardian.com/
Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
Tel: +1 978-696-1788
-----Original Message-----
From: Dirk-Willem van Gulik <dirkx@xxxxxxxxxxxx>
Sent: Friday, December 20, 2024 2:49 PM
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: dick@xxxxxxxxxxxxxxxxxxxxxxxxx; Brian Fox <brianf@xxxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty
On 20 Dec 2024, at 15:18, Brian Fox via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
> There's clearly work to be done to tighten the understanding. The flow chart shared earlier doesn't quite map to what I had understood. It seemed like the Steward category was created to generally cover more of the umbrella organizations that assist/sponsor/host many oss projects. Things like Eclipse, LF, ASF, Github and also things like Maven Central, Pypi etc.
I can also see it fit very easily to small, single project open source - i.e. where there is not really an umbrella - but simply a group of diligent people which are sufficiently diverse to do normal, 4 eye, peer reviewed release engineering and with enough organisational capability/collective discipline to do triage based bug/vulnerability follow up. Of which there are actually quite a lot.
In a way - I am way more worried about existing umbrella organisations that try to solve this not by having the community embrace good release engineering - but instead start paying non-volunteers to introduce processes & then end up having to pay ‘leaders’ to enforce/keep-save projects by pushing for paperwork. And then end up having to focus on ‘getting money’ - as opposed to being a good house for their community.
And then you get into the same problem you so often see at companies - a paper dragon that probably does nothing but provide rope to the regulator/insurance to hang you - while getting in the way of the engineers*.
So I am hoping we can collectively avoid that. And focus on industry good release engineering - and making that equivalent to ‘this is how you do the CRA’.
Dw
*: https://www.youtube.com/watch?v=vJV7TUF9Gxw — Mike Wazowski, you didn't file your paperwork last night. Again.