Re: [open-regulatory-compliance] Kicking off the CRA Attestations project
I love the idea of developing a few ‘example business models’ that should be considered. What Jordan is describing wouldn’t work for us, for instance, but what I think we are trying to accomplish is a regulatory policy that would permit multiple different approaches to use the attestation to get some sort of reciprocal commitment from the users who require this. Such a commitment from the users who want the attestation might not even be monetary - it could even be data sharing, or technical contributions.
Vicky
> On Oct 27, 2025, at 11:10 AM, Elizabeth Mattijsen via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
>
> Hi Jordan,
>
>> On 27 Oct 2025, at 13:31, Jordan Maris <jordan.maris@xxxxxxxxxxxxxx> wrote:
>>> One of the concepts that gave me the shivers at the conference, was the concept of "downstream attestations". This can only happen if attestations would *not* be recipient bound. Which would completely invalidate any "business plan" for Open Source Stewards, especially for the smaller Open Source communities. Or am I missing something here?
>> I tend to agree with this statement, but I do think that making attestations recipient bound does risk creating some barriers. Theoretically, though, it could be possible to do both, for example:
>> • A steward announces "we need 1000€ monthly to provide an attestation to the public for this component".
>> • Manufacturers commit to supporting the project for a fixed number of months at a fixed rate (i.e. €50/month)
>
> This approach may work for SMEs, but for larger companies a 50€/month amount is below a threshold for consideration: it won't be on anybody's radar in a bigger company, because dealing with small change in a big company usually means that you're on a dead-end career-wise.
>
> I think that it would make sense to let the amounts depend on the size of the company in question, possibly related to the financial risk that *they* run if they do not fulfil their CE requirements.
>
>
>> • If the steward’s goal is met, then the attestation becomes publicly available to everyone, with a nice Thanks.md file with the names of the companies who are supporting security of the project.
>> • If the steward’s goal is not met, then the attestation becomes recipient bound.
>
> I'm not sure how that's going to work: manufacturers will probably need an attestation within a certain timeframe. Possibly way before a steward's goal has been met.
>
>
>> • Manufacturers who committed to supporting get the attestation at the price they committed to (i.e. €50/month), for the number of months that they committed to, followed by the standard rate. (This both incentivises supporting projects, and supporting them for longer periods)
>> • Manufacturers who did not commit pay a standard rate, which is set at double the median committed support (i.e. €100/month)
>>
>> It's not perfect, but perhaps it could be an approach.
>
> Indeed, that could be an approach. But this also means there will be no "cash cow" component to Open Source support from manufacturers. And it's *that* component that should ensure not only maintenance, but also further development of (new) Open Source projects.
>
> Also, the approach of making an attestation publicly available, means that there could be a financial objective for companies to wait before committing support, because there is a chance that a needed attestation will become available for free if one waits long enough. Which would be helping the freeloaders :-(
>
>
> Elizabeth Mattijsen