Re: [open-regulatory-compliance] Open source will be discussed in CEN/CENELEC WG9 PT3 call on Wed Sept 24th afternoon

On Mon, 22 Sep 2025, Lars Francke wrote:

> Salve,
>
> I do agree with you.

That is good to hear. Let's use this to make a difference.

> Unfortunately, we won't change the system in time for the CRA so we
> have to work within it for now.

My message isn't intended for "changing the system". It's for sharing
with the people involved within the system, to remind them what is at
stake.

Sharing, for example, by forwarding the email, or sharing a link to the
archive:

https://www.eclipse.org/lists/open-regulatory-compliance/msg00909.html

> [...]
>
> But all is not lost as the public enquiry phase will start soon
> (~November). Yes, it's still annoying, too little and too late but at
> least more people get to comment.

The texts that are put up for public enquiry are written and shaped right now -
including at the announced meeting on Wednesday.

I'd love to see more "long tail" FOSS communities raise their voices
_now_ while the text is being written, instead of just waiting until
November. We don't have to be passive bystanders.

Of course, we'll see in November if the working groups have listened to
their FOSS communities. I'm hoping to see that the feedback they receive at
that time will be of the "Wow, they _did_ understand the nuances of
FOSS"-type, and not the negative kind.

> [...]

Thank you for caring!


- Salve J. Nilsen (CPANSec)

> On Mon, Sep 22, 2025 at 7:01 PM Salve J. Nilsen via
> open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx>
> wrote:
> >
> > Hei Timo,
> >
> >
> > On Mon, 22 Sep 2025, Timo Perala (Nokia) via open-regulatory-compliance wrote:
> > >
> > > It is indeed unfortunate that these meetings are not open for all
> > > interested.
> >
> > Yes, though this is not only unfortunate, it's a disaster.
> >
> > I regularly talk with Open Source maintainers and contributors, and they
> > almost *always* respond to the CRA with a shrug and a "why should I
> > care?".
> >
> > When this working group signals the same ("Why should we care about the
> > opinions of the open source folks"), then they - in their capacity as a
> > primary thought leader on this topic - signal that there is no need to
> > involve *any* voices from "long tail" of open source.
> >
> > Currently, the only open source communities who get to be part of the
> > conversation, are the well-organized and successful ones. But – both next
> > to and behind – each of them, there are large dependency graphs of
> > smaller, important and resource-starved projects, some with a massive
> > install base but with a community of *one* or *two* people.
> >
> > This is a disaster in the making because the CRA's requirements to
> > metadata completeness and correctness, and its requirements for
> > conducting Due Diligence (and therefore, implying that *all* parties
> > involved will act with _Due Care_ when an incident calls for it), REQUIRES
> > the explicit buy-in and cooperation with _unpaid volunteers_.
> >
> > Each person – unpaid volunteer – needs to be involved on _their_ terms,
> > lest we risk alienating these project owners and maintainers.
> >
> > The easiest response for *any* volunteer, will *always* be to do nothing
> > or to walk away. Do _you_ want to know how expensive that will get, when
> > too many communities decide to walk away? The businesses that depend on
> > these open source communities _certainly_ want to know.
> >
> > So I'm sharing this warning: The output of these working groups will
> > determine if walking away continues to be the most attractive option, or
> > if there will be other options that make the "long tail" projects consider
> > playing their role – acting with due care – in securing the PwDE's headed
> > for the EU market, and responding to incidents in the future.
> >
> > If these working groups don't talk with enough people in the long tail -
> > how can they even ensure that the needs in the long tail are taken into
> > account?
> >
> > Right now, the answer looks bad.
> >
> >
> > - Salve J. Nilsen (CPAN Security Group)
> >
> > --
> > #!/usr/bin/env perl
> > sub AUTOLOAD{$AUTOLOAD=~/.*::(\d+)/;seek(DATA,$1,0);print# Salve Joshua Nilsen
> > getc DATA}$"="'};&{'";@_=unpack("C*",unpack("u*",':50,$'.#    <sjn@xxxxxx>
> > '3!=0"59,6!`%%P\0!1)46%!F.Q`%01,`'."\n"));eval "&{'@_'}";  __END__ is near! :)

-- 
#!/usr/bin/env perl
sub AUTOLOAD{$AUTOLOAD=~/.*::(\d+)/;seek(DATA,$1,0);print# Salve Joshua Nilsen
getc DATA}$"="'};&{'";@_=unpack("C*",unpack("u*",':50,$'.#    <sjn@xxxxxx>
'3!=0"59,6!`%%P\0!1)46%!F.Q`%01,`'."\n"));eval "&{'@_'}";  __END__ is near! :)