Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [open-regulatory-compliance] Flowchart from a natural person's perspective -- straw man

On 21 Dec 2024, at 13:58, Dick Brooks via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

> I made it to step 70 and answered Yes as a legal person named Business Cyber Guardian.
> 
> As an independent legal person named Dick Brooks volunteering my time freely to create the CISASAGReader product, I believe I am personally exempt from CRA obligations.

So here you would typically be a natural person named Dick Brook unless you somehow incorporated as a person.

So in that case - I would saye it is going to hinge on the exact interpretation of 50; i.e. is a legal person a superset that includes a natural person (which EC officials have said in private/off the record meetings as their intended meaning) or are natural and legal persons two groups - as is generally the case in most other directives & a range of (tax related) EUJC rulings.

Dw.

> -----Original Message-----
> From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> On Behalf Of Dirk-Willem van Gulik via open-regulatory-compliance
> Sent: Friday, December 20, 2024 5:30 PM
> To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
> Cc: Dirk-Willem van Gulik <dirkx@xxxxxxxxxxxxxx>
> Subject: [open-regulatory-compliance] Flowchart from a natural person's perspective -- straw man
> 
> Here is my attempt at a more flowchart form for natural persons (mostly in reaction to some private questions).
> 
> Mainly to see if this teases out other questions/issues. 
> 
> I’ve been a bit black and white/over the top in below; somewhat intentional to see if this helps us get better boundaries for the vague areas; and if there are things we can simply take as right — and we can focus on the ‘indicators’ for these.
> 
> Dw.
> 
> 10: Do I personally contribute to an open source project ?
> 
> 	E.g. do I sent in patches or do I post bugfixes to an Open Source project ? Or do I do a pull request ?
> 
> 	No: 	Do I contribute to that open source project as part of job; because my boss wants it ? 
> 
> 		I.e. in the boss his time (also if I am my own boss - where it is part of what I deliver to my customers) ?
> 
> 		Yes: 	Generally - the CRA is not your problem, but your bosses their problem. 
> 
> 			This flowchart is not for them.
> 	
> 			goto 20
> 
> 		No: 	goto 20
> 
> 
> 	Yes:	Do I have a committer license agreement (CLA) with that open source Project and do you contribute under that license ?
> 
> 		Or do you contribute to a project with an implied contribution agreement that is part of the projects open source license ?
> 
> 			Yes:	While it depends on the minutiae; you are almost certainly fine if it is one of the many typical ASF variations of a CLA.
> 
> 				goto 20
> 
> 			No:	you are probably fine; but would be good to introduce a CLA
> 
> 				goto 20
> 
> 20:	Are you maintaining or operating a public software repositories of open source ?
> 
> 			Yes: 	You are probably fine
> 				
> 				goto 30
> 
> 			No: 	goto 30
> 
> 30:	Are you developing ppen source software in the course of a commercial activity ? 
> 
> 	i.e. is it placed such that others (downstream) can use it in lasting ways as these downstream parties go about their lives or business ?
> 
> 			Yes: 	goto 40
> 
> 			No:  	You are probable fine
> 
> 				So you are a pure hobbyist; no one really uses your code; or others if so - and if they do so - it does not result on something lasting that exposes it to other people beyond the person who you directly shared it with.
> 
> 				END
> 
> 40:	Are you monetising the work you do on this open source ?
> 
> 	For example you XXXX?
> 
> 			Yes:	Go read the CRA. This flow chart is not for you.
> 
> 				END
> 			
> 			No: 	goto 50
> 
> 50:	Is there a group of people and/or legal persons that you are part of, where there is the shared objective or purpose  to create, maintain, publish that open source licensed code ?
> 
> 	A typical indication is that you call yourself a group; have a website; have a SCM you all have access to; may have created a more formal legal vehicle; such as a foundation, society or similar, practice some software/release engineering and that you create some forms of processes and rules.
> 
> 			Yes:	> hit the superset or either/or issue of legal/natural person <
> 
> 				goto 60
> 
> 			No:	You are probable fine - depending a bit on the answer to above super/subset issue
> 	
> 				END
> 
> 60:	Is the purpose of that open source such that it is intended; or quite possibly, to be used `downstream’, including by others in a commercial setting ?
> 
> 	Typical indications of this are things like a SCM, release notes, versions numbers, READMEs, makefiles, including in repositories, systemd scripts to start/stop, an FAQ, A manual, a bug database, non directly involved developers submitting bugs or asking questions, etc.
> 
> 			Yes:	goto 70
> 		
> 			No: 	You are probable fine - and you and a few mates are working on something very internal; such as the open source code for a large model transit you are building together
> 
> 				END
> 
> 70	Is there an aspect of a sustained basis & ensuring longer term viability of the product. 
> 
> 	So think proper release engineering, fixing bugs, doing risk-based triage, responsible disclosure, filing CVEs, disclosing unsolved vulnerabilities in the release notes, peer review of the releases, timely releases, etc ?
> 
> 			Yes:	You are probably an open source steward.
> 
> 				END
> 
> 			No:  	You probably want to step up your organisational maturity. So that your software is generally `fit for purpose’; and some abandonware does not catch anyone of guard by accident. E.g. much like you would not leave a razorblade where a child could find it.
> 
> 				 As the CRA was designed to clam down on exactly this type of situation.
> 
> 				END
> 
> 
> 
> _______________________________________________
> open-regulatory-compliance mailing list
> open-regulatory-compliance@xxxxxxxxxxx
> To unsubscribe from this list, visit https://accounts.eclipse.org
> 
> _______________________________________________
> open-regulatory-compliance mailing list
> open-regulatory-compliance@xxxxxxxxxxx
> To unsubscribe from this list, visit https://accounts.eclipse.org
> 



Back to the top