Re: [open-regulatory-compliance] Open Source Software Stewards and CRA Whitepaper: review in progress until November 20th


> On 7 Nov 2025, at 22:44, Elizabeth Mattijsen via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
> 
>> On 7 Nov 2025, at 22:32, Scott Lewis via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
>> On 11/7/2025 6:24 AM, Marta Rybczynska via open-regulatory-compliance wrote:
>>> Dear all,
>>> The "Open Source Software Stewards and CRA" White paper has reached a stage when it is ready for a general review, with the publication expected at the end of this month (end of November 2025).
>>> 
>>> The goal of the document is to provide our understanding on the operations of Open Source Stewards and their obligations. It ISN'T the goal to provide rules on deciding if an organization is a Steward or not.
>> 
>> You say this, but the first sentence in the Abstract is:
>> The Cyber Resilience Act (CRA) defines a new category of organizations...
> 
>> New category of *organizations* (defined by gov/legal org and requiring $$ to form, maintain, etc).  Which I would say in many real cases...right now...*excludes* the very people (project team members, maintainers, aka software labor, etc) that are *capable* of actually implementing *any* non-trivial requirements.
>> I'm sure there are plenty of legal/policy/manager types that are more than happy to say...in effect (and with lots of unnecessary legal language/jargon) that 'it's impossible to define into law/policy requirement on anything *but* a legal organization'. If that's actually true in practice or policy, then I would say it would be worth asking yourselves: is this going to do more harm...to the open source community...than good?
> 
> Well, if something is not a legal organization, it's an individual or a group of individuals.  And wasn't it the goal to never make an individual legally liable for the state of any Open Source project?
> 
> So, for better or worse, I think some kind of legal body will *always* be needed in the new CRA world.
> 
> Or am I missing something?

It’s the other way around. If there’s a legal body, like a foundation, there was a risk that the foundation was going to be seen as a manufacturer. That’s why the “stewards” were invented, to give the foundations a role.

There’s no requirement for Open Source projects to have a steward, and no requirement to have any legal body.

I still think there’s a grey area with multiple shades between a manufacturer and a steward and a project.
This spring I asked a lot of questions about it - has anyone tried to sort it out?

/O
