Re: [open-regulatory-compliance] A more positive take on CRA FAQs and fl

[Ilu <ilulu@xxxxxxx>]

Hi Marta,

Am 06.01.25 um 07:55 schrieb Marta Rybczynska:
> Dear Ilu,
> It looks like I have touched a sensitive subject, sorry for that.

I'm sorry too. I'm getting a bit touchy because I see no progress.
Everybody is asking questions but this group is supposed to prepare the
answers - "to guide and support compliance". At least that's what I read
on the website. We will not get any answers about compliance by asking
the same questions over and over again.
Dirk-Willem gave answers by proposing a FAQ text and I gave answers by
proposing a different text (which, understandably, nobody liked).
Everybody else is just asking variants of the same question. But all of
us need to work on answers!

> I was thinking *only* about the situation of a project without a formal
> organization behind it,
> that does not have stable funding, developers doing their work mostly on
> volunteer basics.
> Every single one of us knows such projects.
>
> My impression was that this was the main subject that has been discussed
> over the last few days.
>
> For me personally, it seems to put all the manufacturer obligations on
> those who use their
> code in commercial products.

Yes, that is the intention. But there is a big grey area around the
"commercial" criterium and we don't know the outcome yet. And PLD is on
the horizon. There is a lot of good security related best-practice stuff
in CRA which even small projects can start on, if they prioritize it -
no matter whether they are in or out of CRA. Sticking with best
practices is always good.

These security related requirements are also those that are relevant for
software stewards. That's what we need to help with. F.e. with a list:
What stuff should I start with for compliance?

> And I wasn't talking about the 'beta' versions. I was talking about the
> 'intended purpose' as in
> Annex II.

Yes, that information has to be provided if you are in scope of CRA. But
it does not determine whether you are in scope or not.

> I think that the 'intended purpose' has a big role to play, because this is
> the way I envisaged
> use for educational software that contains security issues to be found and
> fixed by students.

I'm not exactly sure what type of "educational software" you mean but
I'm sure that schools and students are generally a group that CRA is not
intended for. But a teacher could also have a side business or the
university could have a startup incubator (I know several that have) and
suddenly you are back in grey area. It always needs careful assessment
of the individual situation.

> And I have read the CRA multiple times.

I'm sorry that I implied differently. I understand that it is an
extremely difficult read and in parts impossible to make sense of.
That's exactly why I'm warning to come to any conclusions of the "I'm
out of scope" type. Only time will tell who the EU authorities consider
to be in scope. And don't forget about PLD.

> Best regards,
> Marta
>
> On Fri, Jan 3, 2025 at 7:04 PM Ilu <ilulu@xxxxxxx> wrote:
>
> > Aaaaand we are back to the in-or-out discussion. :-(
> >
> > A simple search through the CRA document would have led you to Art. 4
> > (3) - testing is ok "only for a limited period required for testing
> > purposes". The EU is not completely stupid.
> >
> > I'd expect that everybody present here has read the CRA at least once.
> > Obviously not. I don't want to diss anybody personally but I'm really
> > frustrated.
> >
> > This "Open Regulatory Compliance Working Group" consists, according to
> > their self-description (https://orcwg.org/), of
> > "Key stakeholders from industry and open source communities"
> > "collaborating to support compliance with government regulations,"
> >
> > All I've seen so far is participants trying to find ways around said
> > regulation and contributing nothing but supposed "hacks" to avoid basic
> > supply chain security.
> >
> > IMHO this paints a very bad picture of FOSS. Of course the CRA has some
> > more (partly rather stupid) requirements (mainly for manufacturers) but
> > the core of it is things which we should have done already anyways (and
> > which good projects are already doing).
> >
> > I know I'm being controversial but I'm doing this on purpose in the
> > interest of our communities because I think this working group needs a
> > kick to get going. I'm still hopeful ...
> >
> > No harm meant!
> > Ilu
> >
> > Am 03.01.25 um 15:53 schrieb Marta Rybczynska via
> > open-regulatory-compliance:
> > > I'm wondering if there isn't an easier way out of it, for projects/people
> > > who are wondering
> > > if they are getting into the 'manufacturer' category.
> > >
> > > Every product under the CRA must have a scope in its documentation. And
> > > what if the scope
> > > says that it is only for testing/development purposes and should not be
> > > used in professional
> > > activities?
> > >
> > > Would that effectively transfer all the responsibility to the
> > > projects/companies using that module/
> > > library/program?
> > >
> > > That will work only if the original project does not do any 'direct
> > > monetization' .
> > >
> > > Kind regards,
> > > Marta
> > >
> > >
> > > _______________________________________________
> > > open-regulatory-compliance mailing list
> > > open-regulatory-compliance@xxxxxxxxxxx
> > > To unsubscribe from this list, visit https://accounts.eclipse.org