Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty 
I second this motion:

’this is how you do the CRA’

That would be very useful to little guys serving as "open-source software stewards" that are trying to keep a FOSS product viable and trustworthy.

Thanks,

Dick Brooks
   
Active Member of the CISA Critical Manufacturing Sector, 
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
Risk always exists, but trust must be earned and awarded.™ 
https://businesscyberguardian.com/ 
Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
Tel: +1 978-696-1788


-----Original Message-----
From: Dirk-Willem van Gulik <dirkx@xxxxxxxxxxxx> 
Sent: Friday, December 20, 2024 2:49 PM
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: dick@xxxxxxxxxxxxxxxxxxxxxxxxx; Brian Fox <brianf@xxxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty

On 20 Dec 2024, at 15:18, Brian Fox via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

> There's clearly work to be done to tighten the understanding. The flow chart shared earlier doesn't quite map to what I had understood. It seemed like the Steward category was created to generally cover more of the umbrella organizations that assist/sponsor/host many oss projects. Things like Eclipse, LF, ASF, Github and also things like Maven Central, Pypi etc. 

I can also see it fit very easily to small, single project open source - i.e. where there is not really an umbrella - but simply a group of diligent people which are sufficiently diverse to do normal, 4 eye, peer reviewed release engineering and with enough organisational capability/collective disciple to do triage based bug/vulnerability follow up. Of which there are actually quite a lot.

In a way - I am way more worried about existing umbrella organisations that try to solve this not by having the community embrace good release engineering - but instead start paying non-volunteers to introduce processes & then end up having to pay `leaders’ to enforce/keep-save projects by pushing for paperwork. And then end up having to focus on ‘getting money’ - as opposed to being a good house for their community.

And then you get into the same problem you so often see at companies - a paper dragon that does probably does nothing but provide rope to the regulator/insurance to hang you - while getting in the way of the engineers*.

So am hoping we can collectively avoid that. And focus on industry good release engineering - and making that equivalent to ’this is how you do the CRA’.

Dw

*: https://www.youtube.com/watch?v=vJV7TUF9Gxw — Mike Wazowski, you didn't file your paperwork last nigh. Again.

Back to the top