Re: [open-regulatory-compliance] Kicking off the CRA Attestations project

My thoughts, in line, are informed by my experience developing the FreeBSD SSDF Attestation when I worked at the FreeBSD Foundation and from my 15+ years in open source, including several at the Linux Foundation.

Greg Wallace
Mobile: +1 919.247.3165

On Thu, Oct 23, 2025 at 10:17 AM Mathias Schindler via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Hi everyone,

I would like to express my most sincere appreciation for Æva for preparing, organizing and running the workshop (and to everyone for making code&compliance possible).

The workshop on voluntary security attestations has left me with three questions to which no consensus on the factual basis exists. I have opinions on them and I try to phrase the questions in a neutral manner (my apologies if I failed):

1. Regarding the due diligence obligations under Article 13(5), is the list of actions in Recital 34—such as checking conformity, reviewing update history, and scanning vulnerability databases—generally understood to represent the typical scope of a manufacturer's duty?

No thoughts. 

2. Given that a manufacturer can always fulfill their Article 13(5) due diligence by conducting an internal assessment or by commissioning a private one from any third party, what is the justification for proposing to limit who gets to issue attestations under Article 25? This refers both to the proposals I heard in the room allowing an open source project to select who gets to issue Article 25 attestations or limiting it to - for example - stewards.

I've thought about this a lot. In my view, Community is inseparable from Open Source. And so any effort to address the security compliance of open source must actively include Community in the solution. Community members are typically:
  • the most apt people to audit (or oversee the auditing of) the security of a project and its development processes
  • the most expert people to address any security issues, whether uncovered by an initial assessment or found in the natural course of operations
  • or both
If a Steward owns the project's trademark, then presumably this would provide some legal grounds to say that the Steward's Attestation is the only Official one. (NOTE - IANAL). All this said, I don't know whether it's possible or necessarily even desirable to restrict who prepares an attestation. Rather, I think a big part of the task ahead is to educate the market on the above points - the unitary nature of open source + community and the importance of including community in the security compliance process. If effective, this education will result in a favoring of Community-produced Attestations and a market mechanism to cover their cost.

3. Is an attestation issued as a voluntary security attestation under an article 25 system bound to the software alone or *also* to the recipient? For instance, if Manufacturer A gets an attestation for libfoo 0.9.6c, can Manufacturer B, who uses the exact same component, also use that attestation for their own due diligence (assuming for the purpose of this question that B learned of the existence of this attestation)? If the answer is 'no, it's recipient-bound,' could you help me understand what law or rule creates that restriction?

For the FreeBSD SSDF Attestation, we chose to bind the Attestation to both the SW Version and the recipient. At the time, it was felt that this was the best way to ensure fairness. The Foundation includes the Attestation with any Corporate Partnership (https://freebsdfoundation.org/our-donors/freebsd-foundation-partnership-program/). 

I am asking these questions because I got to understand over the course of the workshop that the answer to these questions has very dramatic effects on how many of the finer topics were discussed or could be designed. And also I do not have a position set in stone on these questions, I am still in the deliberation phase.

To everyone not home to Brussels, have a safe trip home and I would love to see you again,
Mathias

On Mon, Oct 20, 2025 at 11:57 PM aeva.black--- via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Dear community,

I am pleased to announce the creation of the CRA Attestations project and our first meeting tomorrow, Tuesday October 21st, at 16:00 CEST / 14:00 UTC.

The meeting will be held via Jitsi: https://meet.jit.si/MainHeadquartersDismissWell

Kickoff agenda will loosely cover three topics:
- Project goals
- Contributing guidelines
- Agenda for the Code & Compliance Workshop on Thursday


Best regards,
--Æva

_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org