Re: [open-regulatory-compliance] Is there anything outside the scope of CRA's connection requirement?
On 2 Jan 2025, at 15:21, Jeremy Stanley via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
> Still, I'm unclear on the extent to which this minimizes user
> expectations in reality; I hear numerous reports of users operating
> such "non-production" artifacts in production environments because
> it's easier for them than actually building their own. To what
> extent are projects creating an attractive nuisance by making
> available these sorts of example builds and container images,
> knowing that users will still frequently disregard warnings and
> disclaimers for the sake of convenience?
I think that reads on the same issue as Olle's comment:
"discussions about source code availability not meaning “placing a product on the market”. This needs to be clarified for both these cases."
And is also, I guess, where the PLD regulation starts to matter. And I am not sure that a very USA-style legal approach will help, nor that hiding helps.
Because for pretty much all other things - society expects reasonable caution when you do something potentially dangerous.
And while you do not, in Europe, have to worry too much about being liable for an idiot customer killing their wet & cold hamster in your microwave & blaming you for not explaining that the microwave was not suitable for the gentle warming up of pets; we do expect quite a lot around food, medicines and so on.
E.g. if I place some water bottles outside my house during the big Marathon in summer - with a sign saying `Free' and some disclaimer of all warranties/fitness for drinking by humans -- the latter is probably going to be used against me if it was indeed rotten water & I did not take reasonable precautions.
And in all fairness - that is, in the IT sector, what we are fairly close to doing regularly. I can think of plenty of my own code from the start of this century, which I spent a lot of time nicely packaging for CI/CD & then pretty much abandoned or lost control over. And it then lives as a ghost on the clacks forever as part of some tertiary/transitive dependency deep down in something.
So I think, going forward - that it is useful for us as a community to develop a set of 'tests' for a contribution and a set of tests for when the release engineering is such that it becomes akin to placing it on the market. Such as having release notes, a version number, managed dependencies, CI/CD integration and so on. Which is then also the list for `meet & exceed that' -- and you are probably a (good) open source steward. Or, do not meet that, and you are either not in scope for the CRA or doing something you should not.
With kind regards,
Dw.