Re: [open-regulatory-compliance] Kicking off the CRA Attestations project

Hi Jordan,

> On 27 Oct 2025, at 13:31, Jordan Maris <jordan.maris@xxxxxxxxxxxxxx> wrote:
>> One of the concepts that gave me the shivers at the conference, was the concept of "downstream attestations".  This can only happen if attestations would *not* be recipient bound.  Which would completely invalidate any "business plan" for Open Source Stewards, especially for the smaller Open Source communities.  Or am I missing something here?
> I tend to agree with this statement, but I do think that making attestations recipient bound does risk creating some barriers, but theoretically, it could be possible to do both: for example:
>     • A steward announces "we need 1000€ monthly to provide an attestation to the public for this component".
>     • Manufacturers commit to supporting the project for a fixed number of months at a fixed rate (IE:€50/month)

This approach may work for SMEs, but for larger companies a 50€/month amount is below a threshold for consideration: it won't be on anybody's radar in a bigger company, because dealing with small change in a big company usually means that you're on a dead-end career-wise.

I think that it would make sense to let the amounts depend on the size of the company in question, possibly related to the financial risk that *they* run if they do not fulfil their CE requirements.


>     • If the steward’s goal is met, then the attestation becomes publicly available to everyone, with a nice Thanks.md file with the names of the companies who are supporting security of the project.
>     • If the steward’s goal is not met, then the attestation becomes recipient bound.

I'm not sure how that's going to work: manufacturers will probably need an attestation within a certain timeframe.  Possibly way before a steward's goal has been met.


>     • Manufacturers who committed to supporting get the attestation at the price they committed to (IE: €50/month), for the number of months that they committed to, followed by the standard rate. (This both incentivises supporting projects, and supporting them for longer periods)
>     • Manufacturers who did not commit pay a standard rate, which is set at double the median committed support (IE: €100/month)
> 
> It's not perfect, but perhaps it could be an approach.

Indeed, that could be an approach.  But this also means there will be no "cash cow" component to Open Source support from manufacturers.  And it's *that* component that should ensure not only maintenance, but also further development of (new) Open Source projects.

Also, the approach of making an attestation publicly available, means that there could be a financial objective for companies to wait before committing support, because there is a chance that a needed attestation will become available for free if one waits long enough.  Which would be helping the freeloaders  :-(


Elizabeth Mattijsen
