Re: [open-regulatory-compliance] Flowchart from a natural person's perspective -- straw man

My feedback on the flowchart:

"10. ... Do I have a committer license agreement ..."

I do not think mixing up license agreements with the CRA is a good idea.
They follow completely different legal regimes that have nothing to
do with each other. Statements like "you are almost certainly fine" or
"introduce a CLA" are dangerous under these conditions. Especially (but
not exclusively) for the reader.

"20:	Are you maintaining or operating a public software repository ...
Yes: You are probably fine"

No? This question is confusing because in both cases you get "goto 30".

"30:	Are you developing open source software in the course of a
commercial activity ? i.e. is it placed such that others (downstream)
can use it in lasting ways as these downstream parties go about their
lives or business ?"
The first question is correct and the answer "yes" would need "Go read
the CRA. This flow chart is not for you."
But the second question/explanation does not match the first question. These
are completely different things. The dev putting something on GitHub can
never know whether anybody uses the software for whatever.
Actually, No 30 is the most complicated thing for any dev (who also
somehow makes a living from being a dev) and the main source of fears,
and it cannot be solved by a general questionnaire.

No 50 addresses the stewardship issue we discussed in another thread.
Since national law might be involved and nobody knows what the European
market authorities are going to say this needs to be said very
cautiously. Larger groups should definitely get legal advice because
ramifications of wrong decisions are plenty.

I can understand that you want to give easy guidance but the whole
situation is not easy and in many cases outright complicated and it does
not help to pretend. I do not like answers like "you will be fine", they
can be misleading.

This sounds all very negative so I'm going to finish here and start a
new thread with a more positive outlook.

Kind regards
Ilu

On 20.12.24 at 23:30, Dirk-Willem van Gulik via
open-regulatory-compliance wrote:
Here is my attempt at a more flowchart form for natural persons (mostly in reaction to some private questions).

Mainly to see if this teases out other questions/issues.

I’ve been a bit black and white/over the top below; somewhat intentionally, to see if this helps us get better boundaries for the vague areas; and if there are things we can simply take as right — and we can focus on the ‘indicators’ for these.

Dw.

10: Do I personally contribute to an open source project ?

	E.g. do I send in patches or do I post bugfixes to an Open Source project ? Or do I do a pull request ?

  	No: 	Do I contribute to that open source project as part of my job; because my boss wants it ?

		I.e. on the boss's time (also if I am my own boss - where it is part of what I deliver to my customers) ?

		Yes: 	Generally - the CRA is not your problem, but your boss's problem.

			This flowchart is not for them.

			goto 20

		No: 	goto 20


	Yes:	Do I have a committer license agreement (CLA) with that open source project and do I contribute under that license ?

		Or do I contribute to a project with an implied contribution agreement that is part of the project's open source license ?

			Yes:	While it depends on the minutiae; you are almost certainly fine if it is one of the many typical ASF variations of a CLA.

				goto 20

			No:	you are probably fine; but would be good to introduce a CLA

				goto 20

20:	Are you maintaining or operating public software repositories of open source ?

			Yes: 	You are probably fine

				goto 30

			No: 	goto 30

30:	Are you developing open source software in the course of a commercial activity ?

	i.e. is it placed such that others (downstream) can use it in lasting ways as these downstream parties go about their lives or business ?

			Yes: 	goto 40

			No:  	You are probably fine

				So you are a pure hobbyist; no one really uses your code; or if others do, it does not result in something lasting that exposes it to other people beyond the person you directly shared it with.

				END

40:	Are you monetising the work you do on this open source ?

	For example you XXXX?

			Yes:	Go read the CRA. This flow chart is not for you.

				END

			No: 	goto 50

50:	Is there a group of people and/or legal persons that you are part of, where there is the shared objective or purpose  to create, maintain, publish that open source licensed code ?

	A typical indication is that you call yourself a group; have a website; have an SCM you all have access to; may have created a more formal legal vehicle, such as a foundation, society or similar; practice some software/release engineering; and that you create some forms of processes and rules.

			Yes:	> hit the superset or either/or issue of legal/natural person <

				goto 60

			No:	You are probably fine - depending a bit on the answer to the above super/subset issue

				END

60:	Is the purpose of that open source such that it is intended; or quite possibly, to be used `downstream’, including by others in a commercial setting ?

	Typical indications of this are things like an SCM, release notes, version numbers, READMEs, makefiles, including in repositories, systemd scripts to start/stop, an FAQ, a manual, a bug database, non directly involved developers submitting bugs or asking questions, etc.

			Yes:	goto 70

			No: 	You are probably fine - and you and a few mates are working on something very internal; such as the open source code for a large model transit you are building together

				END

70:	Is there an aspect of a sustained basis & ensuring longer term viability of the product ?

	So think proper release engineering, fixing bugs, doing risk-based triage, responsible disclosure, filing CVEs, disclosing unsolved vulnerabilities in the release notes, peer review of the releases, timely releases, etc ?

			Yes:	You are probably an open source steward.

				END

			No:  	You probably want to step up your organisational maturity. So that your software is generally `fit for purpose’; and some abandonware does not catch anyone off guard by accident. E.g. much like you would not leave a razorblade where a child could find it.

				 As the CRA was designed to clamp down on exactly this type of situation.

				END


