Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty

From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> on behalf of Dirk-Willem van Gulik via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx>
Sent: Friday, December 20, 2024 7:49:24 PM
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Dirk-Willem van Gulik <dirkx@xxxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty
 
On 20 Dec 2024, at 15:18, Brian Fox via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

> There's clearly work to be done to tighten the understanding. The flow chart shared earlier doesn't quite map to what I had understood. It seemed like the Steward category was created to generally cover more of the umbrella organizations that assist/sponsor/host many oss projects. Things like Eclipse, LF, ASF, Github and also things like Maven Central, Pypi etc.

I can also see it fit very easily to small, single-project open source - i.e. where there is not really an umbrella - but simply a group of diligent people who are sufficiently diverse to do normal, four-eye, peer-reviewed release engineering, and with enough organisational capability/collective discipline to do triage-based bug/vulnerability follow-up. Of which there are actually quite a lot.

In a way - I am way more worried about existing umbrella organisations that try to solve this not by having the community embrace good release engineering - but instead start paying non-volunteers to introduce processes & then end up having to pay 'leaders' to enforce/keep-safe projects by pushing for paperwork. And then end up having to focus on 'getting money' - as opposed to being a good house for their community.

And then you get into the same problem you so often see at companies - a paper dragon that probably does nothing but provide rope to the regulator/insurance to hang you - while getting in the way of the engineers*.

So I am hoping we can collectively avoid that. And focus on industry good release engineering - and making that equivalent to 'this is how you do the CRA'.

Dw

*: https://www.youtube.com/watch?v=vJV7TUF9Gxw — Mike Wazowski, you didn't file your paperwork last night. Again.