Re: [open-regulatory-compliance] A more positive take on CRA FAQs and fl

[Brian Fox <brianf@xxxxxxxxxxxx>]

On Tue, Jan 7, 2025 at 10:22 AM Tobie Langel <tobie@xxxxxxxxxxxxxx> wrote:

On Tue, Jan 7, 2025 at 3:49 PM Brian Fox via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Yes, although I think your hierarchy is upside down. I noticed this in a few previous emails and intended to highlight it for clarity:

 In terms of least to most requirements, I see it as:

Pure Open Source contributor

Open Source Steward

Manufacturer.

My understanding is that the order you describe is the intention of the legislators.

However, because Open Source Software Steward is defined as a legal person only in the text, the concern is that for solo open source developers (and potentially for loosely organized groups of developers) the path entirely skips open source steward and moves directly from "Pure Open Source contributor" to "Manufacturer" on a whim. This is what we would need to clarify.

From my pov and recollection of how this evolved, that's by intent. The early drafts really had non-commercial (contributor) or manufacturer. Then at the last minute to try and capture the cases represented by the oss foundations and other tooling like Github or Maven Central, the steward was created. So for me, I wouldn't expect a project to fit into that steward category. What's not clear even to me though is where the line is between a single project and hundreds of projects where a steward comes in to play. 

I believe this because the legislation basically just says the steward has no fine. The requirements seem to be essentially the same as those of a manufacturer but without the teeth.

Stewards are under a light touch regime which is considerably lighter than the manufacturers. They're not subject to the obligations of Article 13 and only partially to those of Article 14.

--tobie

--

Brian Fox Chief Technology Officer