Re: [open-regulatory-compliance] A more positive take on CRA FAQs and flowcharts

Ilu,

> This working group is not about your company. It's about the ecosystem as a whole and about formulating general advice on how to comply for everybody to follow.
Is it possible that my situation is exemplary of others (a common use case) and the answers would be the same for all the others "doing the same thing"?

Thanks,

Dick Brooks
   
Active Member of the CISA Critical Manufacturing Sector, 
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
Risk always exists, but trust must be earned and awarded.™ 
https://businesscyberguardian.com/ 
Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
Tel: +1 978-696-1788


-----Original Message-----
From: Ilu <ilulu@xxxxxxx> 
Sent: Friday, January 3, 2025 2:01 PM
To: dick@xxxxxxxxxxxxxxxxxxxxxxxxx; 'Open Regulatory Compliance Working Group' <open-regulatory-compliance@xxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] A more positive take on CRA FAQs and flowcharts

Am 03.01.25 um 19:19 schrieb Dick Brooks:
> Ilu,
>
>> All I've seen so far is participants trying to find ways around said
> regulation and contributing nothing but supposed "hacks" to avoid 
> basic supply chain security.
>
> I assure you, my interest in this matter is to get answers to two questions:
>
> - Is my Company considered an "open-source software steward" for 
> freely providing support and vulnerability management for the 
> CISASAGReader FOSS product under the EU-CRA?

That's exactly the sort of question I'm ranting about. The only person allowed to answer that question is a lawyer you contract (and pay).
There are some lawyers on this mailing list but none of them will do a specific assessment of your company on this forum.

> - If so, what are the expectations of this role with regard to Secure 
> by Default and other transparency obligations to remain compliant with 
> the EU-CRA?

Somebody already told you that the activities you posted about are way more than the steward role requires (I have not checked that). But again, nobody here can and will assess your company's compliance efforts.

This working group is not about your company. It's about the ecosystem as a whole and about formulating general advice on how to comply for everybody to follow.

> In my experience, having read the EU-CRA, these answers are not 
> blatantly obvious to me. I have reached out to colleagues at OpenSSF, 
> Eclipse Foundation and even the US CISA for assistance in answering these questions.
> There is still a lot of noodling on these matters, but no clear, 
> definitive answers yet.
>
> I'm hoping for a Jeff Foxworthy type of answer: You know you're an 
> "open-source software steward" if you do  .............. (this).
> It's not as straight forward as I was hoping. The best possible answer 
> is "you are not an open source software steward when doing this"

I already explained why IMHO it's impossible to give such an answer and why we shouldn't even try to do so. Just assume you are a steward.
Implement supply chain security like you seem to have already started with. You can't go wrong with that.

Regards
Ilu

>
>
> Thanks,
>
> Dick Brooks
>
> Active Member of the CISA Critical Manufacturing Sector, Sector 
> Coordinating Council - A Public-Private Partnership
>
> Never trust software, always verify and report! ™ Risk always exists, 
> but trust must be earned and awarded.™ 
> https://businesscyberguardian.com/
> Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
> Tel: +1 978-696-1788
>
>
> -----Original Message-----
> From: open-regulatory-compliance
> <open-regulatory-compliance-bounces@xxxxxxxxxxx> On Behalf Of Ilu via 
> open-regulatory-compliance
> Sent: Friday, January 3, 2025 1:04 PM
> To: open-regulatory-compliance@xxxxxxxxxxx
> Cc: Ilu <ilulu@xxxxxxx>
> Subject: Re: [open-regulatory-compliance] A more positive take on CRA 
> FAQs and flowcharts
>
> Aaaaand we are back to the in-or-out discussion. :-(
>
> A simple search through the CRA document would have led you to Art. 4
> (3) - testing is ok "only for a limited period required for testing 
> purposes". The EU is not completely stupid.
>
> I'd expect that everybody present here has read the CRA at least once.
> Obviously not. I don't want to diss anybody personally but I'm really 
> frustrated.
>
> This "Open Regulatory Compliance Working Group" consists, according to 
> their self-description (https://orcwg.org/), of "Key stakeholders from 
> industry and open source communities"
> "collaborating to support compliance with government regulations,"
>
> All I've seen so far is participants trying to find ways around said 
> regulation and contributing nothing but supposed "hacks" to avoid 
> basic supply chain security.
>
> IMHO this paints a very bad picture of FOSS. Of course the CRA has 
> some more (partly rather stupid) requirements (mainly for 
> manufacturers) but the core of it is things which we should have done 
> already anyways (and which good projects are already doing).
>
> I know I'm being controversial but I'm doing this on purpose in the 
> interest of our communities because I think this working group needs a 
> kick to get going. I'm still hopeful ...
>
> No harm meant!
> Ilu
>
> Am 03.01.25 um 15:53 schrieb Marta Rybczynska via
> open-regulatory-compliance:
>> I'm wondering if there isn't an easier way out of it, for 
>> projects/people who are wondering if they are getting into the 
>> 'manufacturer' category.
>>
>> Every product under the CRA must have a scope in its documentation.
>> And what if the scope says that it is only for testing/development 
>> purposes and should not be used in professional activities?
>>
>> Would that effectively transfer all the responsibility to the 
>> projects/companies using that module/ library/program?
>>
>> That will work only if the original project does not do any 'direct 
>> monetization' .
>>
>> Kind regards,
>> Marta
>>
>>
>> _______________________________________________
>> open-regulatory-compliance mailing list 
>> open-regulatory-compliance@xxxxxxxxxxx
>> To unsubscribe from this list, visit https://accounts.eclipse.org
>>
>
