Re: [open-regulatory-compliance] Kicking off the CRA Attestations project


On 10/28/2025 9:39 AM, Tobie Langel via open-regulatory-compliance wrote:
<stuff deleted>

Perhaps the attestations could even focus on the support provided by a specific manufacturer to a project to enable this? i.e. tying the attestation to a combination of a project and a manufacturer and attesting that the manufacturer support enables the level of support required to meet the manufacturer's compliance obligations? 

As a lurker on this list, I want to say +1 to this.


In this example, just like in the related certification schemes, the attestations just attest facts about the project (or possibly about the support provided by a specific manufacturer to a project). They're not contracts. They can however be used as bargaining chips to fund a stronger security posture and/or meeting more essential requirements, facilitating due diligence and sustaining open source in the process. 

Another +1...for facilitating project-level due diligence and sustaining open source.   IMO, this is captured by the words:  'open community collaboration'.


I'm not suggesting the above example is the right solution, but I believe it illustrates an actionable way to think about this problem.

I would go farther than Tobie does...I think ideas like this are the 'right solution'...at least from the point of view of the open source developer communities (i.e. the people that do most of the work of open source).  Because some of us are old enough to remember a time when open source didn't exist in software, and don't want to go back to that (i.e. unsustainable).

Scott
