Re: [open-regulatory-compliance] A more positive take on CRA FAQs and flowcharts
Hi Marta,
On 06.01.25 at 07:55, Marta Rybczynska wrote:
> Dear Ilu,
> It looks like I have touched a sensitive subject, sorry for that.
I'm sorry too. I'm getting a bit touchy because I see no progress.
Everybody is asking questions but this group is supposed to prepare the
answers - "to guide and support compliance". At least that's what I read
on the website. We will not get any answers about compliance by asking
the same questions over and over again.
Dirk-Willem gave answers by proposing a FAQ text and I gave answers by
proposing a different text (which, understandably, nobody liked).
Everybody else is just asking variants of the same question. But all of
us need to work on answers!
> I was thinking *only* about the situation of a project without a formal
> organization behind it, that does not have stable funding, developers
> doing their work mostly on a volunteer basis.
> Every single one of us knows such projects.
> My impression was that this was the main subject that has been discussed
> over the last few days.
> For me personally, it seems to put all the manufacturer obligations on
> those who use their code in commercial products.
Yes, that is the intention. But there is a big grey area around the
"commercial" criterion and we don't know the outcome yet. And PLD is on
the horizon. There is a lot of good security related best-practice stuff
in CRA which even small projects can start on, if they prioritize it -
no matter whether they are in or out of CRA. Sticking with best
practices is always good.
These security related requirements are also those that are relevant for
software stewards. That's what we need to help with. E.g. with a list:
What stuff should I start with for compliance?
> And I wasn't talking about the 'beta' versions. I was talking about the
> 'intended purpose' as in Annex II.
Yes, that information has to be provided if you are in scope of CRA. But
it does not determine whether you are in scope or not.
> I think that the 'intended purpose' has a big role to play, because this is
> the way I envisaged use for educational software that contains security
> issues to be found and fixed by students.
I'm not exactly sure what type of "educational software" you mean but
I'm sure that schools and students are generally a group that CRA is not
intended for. But a teacher could also have a side business or the
university could have a startup incubator (I know several that have) and
suddenly you are back in the grey area. It always needs careful assessment
of the individual situation.
> And I have read the CRA multiple times.
I'm sorry that I implied differently. I understand that it is an
extremely difficult read and in parts impossible to make sense of.
That's exactly why I'm warning against coming to any conclusions of the
"I'm out of scope" type. Only time will tell who the EU authorities
consider to be in scope. And don't forget about PLD.
> Best regards,
> Marta
>
> On Fri, Jan 3, 2025 at 7:04 PM Ilu <ilulu@xxxxxxx> wrote:
>> Aaaaand we are back to the in-or-out discussion. :-(
>> A simple search through the CRA document would have led you to Art. 4
>> (3) - testing is ok "only for a limited period required for testing
>> purposes". The EU is not completely stupid.
>> I'd expect that everybody present here has read the CRA at least once.
>> Obviously not. I don't want to diss anybody personally but I'm really
>> frustrated.
>> This "Open Regulatory Compliance Working Group" consists, according to
>> their self-description (https://orcwg.org/), of
>> "Key stakeholders from industry and open source communities"
>> "collaborating to support compliance with government regulations,"
>> All I've seen so far is participants trying to find ways around said
>> regulation and contributing nothing but supposed "hacks" to avoid basic
>> supply chain security.
>> IMHO this paints a very bad picture of FOSS. Of course the CRA has some
>> more (partly rather stupid) requirements (mainly for manufacturers) but
>> the core of it is things which we should have done already anyway (and
>> which good projects are already doing).
>> I know I'm being controversial but I'm doing this on purpose in the
>> interest of our communities because I think this working group needs a
>> kick to get going. I'm still hopeful ...
>> No harm meant!
>> Ilu
>> On 03.01.25 at 15:53, Marta Rybczynska via open-regulatory-compliance wrote:
>>> I'm wondering if there isn't an easier way out of it, for projects/people
>>> who are wondering if they are getting into the 'manufacturer' category.
>>> Every product under the CRA must have a scope in its documentation. And
>>> what if the scope says that it is only for testing/development purposes
>>> and should not be used in professional activities?
>>> Would that effectively transfer all the responsibility to the
>>> projects/companies using that module/library/program?
>>> That will work only if the original project does not do any 'direct
>>> monetization'.
>>> Kind regards,
>>> Marta
open-regulatory-compliance mailing list