Hi everyone,
I would like to express my most sincere appreciation to Æva for preparing, organizing and running the workshop (and to everyone for making code&compliance possible).
The workshop on voluntary security attestations has left me with three questions on which no consensus on the factual basis exists. I have opinions on them, and I have tried to phrase the questions in a neutral manner (my apologies if I failed):
1. Regarding the due diligence obligations under Article 13(5), is the list of actions in Recital 34—such as checking conformity, reviewing update history, and scanning vulnerability databases—generally understood to represent the typical scope of a manufacturer's duty?
2. Given that a manufacturer can always fulfil their Article 13(5) due diligence by conducting an internal assessment or by commissioning a private one from any third party, what is the justification for proposing to limit who gets to issue attestations under Article 25? This refers both to the proposals I heard in the room allowing an open source project to select who gets to issue Article 25 attestations and to limiting it to, for example, stewards.
3. Is an attestation issued as a voluntary security attestation under an Article 25 system bound to the software alone or *also* to the recipient? For instance, if Manufacturer A gets an attestation for libfoo 0.9.6c, can Manufacturer B, who uses the exact same component, also use that attestation for their own due diligence (assuming for the purpose of this question that B learned of the existence of this attestation)? If the answer is 'no, it's recipient-bound,' could you help me understand what law or rule creates that restriction?
I am asking these questions because I came to understand over the course of the workshop that the answers to them have very dramatic effects on how many of the finer topics were discussed or could be designed. Also, I do not have a position set in stone on these questions; I am still in the deliberation phase.
To everyone not at home in Brussels, have a safe trip home; I would love to see you again,
Mathias