Re: [open-regulatory-compliance] A more positive take on CRA FAQs and flowcharts
Ilu,
> All I've seen so far is participants trying to find ways around said
regulation and contributing nothing but supposed "hacks" to avoid basic
supply chain security.
I assure you, my interest in this matter is to get answers to two questions:
- Is my Company considered an "open-source software steward" for freely
providing support and vulnerability management for the CISASAGReader FOSS
product under the EU-CRA?
- If so, what are the expectations of this role with regard to Secure by
Default and other transparency obligations to remain compliant with the
EU-CRA?
In my experience, having read the EU-CRA, these answers are not blatantly
obvious to me. I have reached out to colleagues at OpenSSF, Eclipse
Foundation and even the US CISA for assistance in answering these questions.
There is still a lot of noodling on these matters, but no clear, definitive
answers yet.
I'm hoping for a Jeff Foxworthy type of answer: You know you're an
"open-source software steward" if you do .............. (this).
It's not as straightforward as I was hoping. The best possible answer is
"you are not an open source software steward when doing this".
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report!™
Risk always exists, but trust must be earned and awarded.™
https://businesscyberguardian.com/
Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
Tel: +1 978-696-1788
-----Original Message-----
From: open-regulatory-compliance
<open-regulatory-compliance-bounces@xxxxxxxxxxx> On Behalf Of Ilu via
open-regulatory-compliance
Sent: Friday, January 3, 2025 1:04 PM
To: open-regulatory-compliance@xxxxxxxxxxx
Cc: Ilu <ilulu@xxxxxxx>
Subject: Re: [open-regulatory-compliance] A more positive take on CRA FAQs
and flowcharts
Aaaaand we are back to the in-or-out discussion. :-(
A simple search through the CRA document would have led you to Art. 4
(3) - testing is ok "only for a limited period required for testing
purposes". The EU is not completely stupid.
I'd expect that everybody present here has read the CRA at least once.
Obviously not. I don't want to diss anybody personally but I'm really
frustrated.
This "Open Regulatory Compliance Working Group" consists, according to their
self-description (https://orcwg.org/), of "Key stakeholders from industry
and open source communities"
"collaborating to support compliance with government regulations,"
All I've seen so far is participants trying to find ways around said
regulation and contributing nothing but supposed "hacks" to avoid basic
supply chain security.
IMHO this paints a very bad picture of FOSS. Of course the CRA has some more
(partly rather stupid) requirements (mainly for manufacturers) but the core
of it is things which we should have done already anyways (and which good
projects are already doing).
I know I'm being controversial but I'm doing this on purpose in the interest
of our communities because I think this working group needs a kick to get
going. I'm still hopeful ...
No harm meant!
Ilu
On 03.01.25 at 15:53, Marta Rybczynska via
open-regulatory-compliance wrote:
> I'm wondering if there isn't an easier way out of it, for
> projects/people who are wondering if they are getting into the
> 'manufacturer' category.
>
> Every product under the CRA must have a scope in its documentation.
> And what if the scope says that it is only for testing/development
> purposes and should not be used in professional activities?
>
> Would that effectively transfer all the responsibility to the
> projects/companies using that module/ library/program?
>
> That will work only if the original project does not do any 'direct
> monetization'.
>
> Kind regards,
> Marta
>
>
> _______________________________________________
> open-regulatory-compliance mailing list
> open-regulatory-compliance@xxxxxxxxxxx
> To unsubscribe from this list, visit https://accounts.eclipse.org
>