
Re: [open-regulatory-compliance] Publicness of dependencies of a product

Well, I don't see it as something we would have to live with, but rather as the "cost of doing business" with open source: It is your legal obligation to cite the reference to the project and the license and the copyright for every piece of open source that your product consumes. 

On Tue, Oct 28, 2025 at 6:47 PM Elizabeth Mattijsen via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
I'll take that as a:

"This is something we would have to live with"

correct?

> On 28 Oct 2025, at 18:35, Daniel Thompson-Yvetot <denjell@xxxxxxxxxxxxxx> wrote:
>
> I am just going to cite a section of the MIT license:
>
> > The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
>
>
>
> On Tue, Oct 28, 2025 at 6:34 PM Elizabeth Mattijsen via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
> Hi all,
>
> so this has probably been discussed at length in some places already.
>
> My question: how public will the dependencies of a product be?
>
>
> For instance, I love what Nginx has done here:
>
>    https://docs.nginx.com/nginx/open-source-components/
>
> Will manufacturers be required to produce such an overview for each of their products? And would that have to be machine readable?
>
>
> If either of these answers is "yes", then we've also made it easier for bad people to find out where a compromised piece of software is being used. And thus be able to focus their ill deeds on just those products much quicker.
>
>
> FWIW, I'm not so much worried *if* a vulnerability has been reported through the proper channels, as ideally those vulnerabilities will be fixed within a small timeframe.  I'm more worried about the vulnerabilities that have *not* (yet) been reported.
>
>
> Is this something we would have to live with?
>
>
>
> Elizabeth Mattijsen
> _______________________________________________
> open-regulatory-compliance mailing list
> open-regulatory-compliance@xxxxxxxxxxx
> To unsubscribe from this list, visit https://accounts.eclipse.org

