Re: [open-regulatory-compliance] Kicking off the CRA Attestations project

Some thoughts in line

Greg Wallace
Mobile: +1 919.247.3165

On Fri, Oct 24, 2025, 3:53 PM Luis Villa via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
<snip>

But the standard of evidence for a non-maintainer/steward assessment should be high, both as a simple factual matter (they are by definition not the most relevant experts in the code) and as a policy matter (you want to provide an incentive to work with the maintainers or to move off unmaintained code).

This is not always the case. Although I can't speak to whether the FreeBSD Foundation will ultimately become a Steward, for the sake of argument let's say they do. It would 100% be the case that their assessment would be done by the most relevant experts.

On Fri, Oct 24, 2025 at 9:53 AM Scott Lewis via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
On 10/23/2025 9:03 AM, Greg Wallace via open-regulatory-compliance wrote:
<stuff deleted>

2.  Given that a manufacturer can always fulfill their Article 13(5) due diligence by conducting an internal assessment or by commissioning a private one from any third party, what is the justification for proposing to limit who gets to issue attestations under Article 25? This refers both to the proposals I heard in the room allowing an open source project to select who gets to issue Article 25 attestations and to those limiting it to, for example, stewards.

I've thought about this a lot. In my view, Community is inseparable from Open Source. And so any effort to address the security compliance of open source must actively include Community in the solution. Community members are typically:
  • the most apt people to audit (or oversee the auditing of) the security of a project and its development processes
  • the most expert people to address any security issues, whether uncovered by an initial assessment or found in the natural course of operations
  • or both

Hear, hear.

I think this bears repeating: And so any effort to address the security compliance of open source must actively include Community in the solution.


_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org
