Re: [open-regulatory-compliance] CRA: Online survey for Free Software Stewards, for Free Software projects and for manufacturers

Here is my suggestion to the manufacturer community wrt existing open source project dependencies and security maintenance:

a) Figure out which OSS projects your products depend upon...and *all the oss projects that those projects depend upon...i.e. transitive closure of dependencies*.  You've probably already done this.

b) Pick one or two projects from a list...preferably in the 'dependency of dependency' level (at least), and contact the technical project lead directly.  Not the company that employs them, or 'owns' or 'manages' the project.  Usually it's easy enough to figure that out with a little looking...especially if the project has been available for a while inside or outside a Foundation or some other org.  Many are already doing this, of course, as it's clear the 'health' of the oss project team/community is very important to consumers of that project.

c) Ask that person (off the public or employee record) how the project is maintained wrt security, bug fixes, new features/innovation, and integrations.

d) Ask that person what they/the existing team would need wrt meeting the CRA requirements (as understood right now of course).

Just a suggestion.
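Step (a) above, worked through as an added example (this is not code from the original message or from any project mentioned in the thread): a breadth-first walk over a dependency graph that computes the transitive closure and records each package's depth, so that the "dependency of dependency" level that step (b) refers to can be listed directly. It goes one step beyond the text by also counting how many packages depend on each project, which is a reasonable way to decide which of them to contact first. The dependency graph and package names are constructed for illustration; a real inventory would come from the product's SBOM or package lock files.

```python
from collections import deque

# Constructed sample graph: the product, its direct dependencies, and what
# each of those depends on in turn. All names are made up for illustration.
DEPENDENCY_GRAPH = {
    "product": ["web-framework", "tls-lib"],
    "web-framework": ["http-parser", "template-engine", "tls-lib"],
    "tls-lib": ["bignum-lib"],
    "http-parser": ["string-utils"],
    "template-engine": ["string-utils"],
    "bignum-lib": [],
    "string-utils": [],
}


def transitive_closure(graph, root):
    """Breadth-first walk from root; returns {package: shortest depth}.

    Depth 1 is a direct dependency, depth 2 a dependency of a dependency,
    and so on. Recording the shortest path means a package that is pulled in
    both directly and transitively is listed at its direct level. The visited
    check also keeps the walk finite if the graph contains a cycle.
    """
    depth = {}
    queue = deque([(root, 0)])
    while queue:
        name, d = queue.popleft()
        for dep in graph.get(name, []):
            if dep not in depth:  # first sighting is the shortest path
                depth[dep] = d + 1
                queue.append((dep, d + 1))
    return depth


def deep_dependencies(graph, root, min_depth=2):
    """Packages at or below min_depth: the indirect dependencies that are
    easiest to overlook when assessing who maintains the code you ship."""
    closure = transitive_closure(graph, root)
    return sorted(pkg for pkg, d in closure.items() if d >= min_depth)


def dependents_count(graph):
    """Number of distinct packages in the graph that depend on each package.

    A high count marks a project that many parts of the product rely on,
    which is a sensible reason to put it near the top of the contact list.
    """
    counts = {}
    for deps in graph.values():
        for dep in set(deps):
            counts[dep] = counts.get(dep, 0) + 1
    return counts


if __name__ == "__main__":
    closure = transitive_closure(DEPENDENCY_GRAPH, "product")
    for pkg, d in sorted(closure.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"depth {d}: {pkg}")
    print("dependency-of-dependency level:",
          deep_dependencies(DEPENDENCY_GRAPH, "product"))
    print("dependents per package:", dependents_count(DEPENDENCY_GRAPH))
```

Run it as-is to see the constructed graph resolved; to use it on a real product, replace DEPENDENCY_GRAPH with the package-to-dependencies map extracted from your SBOM or lock files and keep "product" as the root.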

On 7/13/2025 12:49 PM, August Bournique wrote:
I want to thank Alex for putting this out there. 

As someone involved with the CRA, it is good to see the ongoing interest in the regulation in OSS. Likewise, it is helpful to me (and I am not speaking for anyone else here) to see what concerns OSS developers and others have about it. 

Even when concerns and questions might not all mesh with my understanding of the regulation or my own concerns about standardization and eventual enforcement … they are helpful. The CRA is as yet untested and its language is sometimes fairly convoluted. I think even disagreement or confusion over it can give valuable feedback to the folk involved in standardization etc. Of course I would also love to see consensus around a set of critical questions and issues from OSS developers and the community.

Sincerely,

August


On Sun, Jul 13, 2025 at 9:18 PM Scott Lewis via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
On 7/13/2025 12:08 PM, Stéfane Fermigier via open-regulatory-compliance wrote:
Sorry, but this questionnaire assumes that an entity can't be both a manufacturer and a steward ("Do you consider yourself a Manufacturer and a Steward, but for different projects?")

Yeah....poor assumption I would say.



Note that this is something I have been arguing for since late 2022 or early 2023. So it would be good if it is actually the case that one entity can be both a manufacturer and a steward for the same product (depending not on the product itself, but on the commercial and contractual relationship attached to it).

Agreed.  I'm not sure how many people have to say this...and how many times...for it to get through to the right people...but it appears to be more than you and I have done so far.  Maybe I should train my open source project lead agent to make this point.

Also, there is no way to go back to revise a previous answer, which is both annoying (I had to start again in incognito mode) and will probably lead to biased results.

  S.


On Sun, Jul 13, 2025 at 4:08 PM Alexander Sander via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Hi all

We created a CRA questionnaire as part of the "Dialogue for
Cybersecurity". The questionnaires were developed to gain important
insights into the EU Cyber Resilience Act (CRA) and its impact.

There are questionnaires for Free Software projects, manufacturers and
potential Free Software stewards.

The responses will help us understand what guidance is needed and this
will feed into our work across the Free Software ecosystem and with the
European Commission to support the CRA implementation.

Potential Free Software stewards (EN)
https://dialog-cybersicherheit.limesurvey.net/146965?lang=en

Free Software projects (EN)
https://dialog-cybersicherheit.limesurvey.net/241948?lang=en

Manufacturer (EN)
https://dialog-cybersicherheit.limesurvey.net/582853?lang=en

The questionnaire will be open for responses until August 31. Please
note that all responses received by July 30 will be included in an
initial evaluation. These preliminary results will be presented as part
of a presentation at FrOSCon [1]. Of course, any feedback received after
July 30 will also be considered in the final analysis. We appreciate
your participation and support! Note: The feedback will be published
anonymously. Thank you for your support.

Best
Alex

[1]
https://programm.froscon.org/froscon2025/talk/0a656836-cb27-4ef1-80e1-d64c553a96ca/


--
Alexander Sander - Senior Policy Consultant
Free Software Foundation Europe e.V.
Revaler Str. 19, 10245 Berlin |
+49 (0)30 2759 5290 |
Registered at Amtsgericht Hamburg, VR 17030  |
(fsfe.org/join)

_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org


--
Stefane Fermigier - http://fermigier.com/ - http://twitter.com/sfermigier - http://linkedin.com/in/sfermigier
Founder & CEO, Abilian - Enterprise Social Software - http://www.abilian.com/
Co-Founder & Co-Chairman, National Council for Free & Open Source Software (CNLL) - http://cnll.fr/
Co-Founder & Co-chair, Association Professionnelle Européenne du Logiciel Libre (APELL) - https://www.apell.info/ 
Founder, EuroStack Directory Project - https://euro-stack.com/
