On 26 Feb 2026, at 22:02, Juan Rico via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Dear ORC Community,
Find here the link to the minutes of the last meeting held today.
Please note that we are working on Due diligence aspects in the call, so do not hesitate to contribute to the discussion. The doc in which the different ideas are collected and then mapped into the ToC is here.
While “Due diligence” may sound boring, there’s a scary perspective on this. If you are a manufacturer, you’re responsible for all components in your product - both Open Source and commercial. You need to validate that all components are up to date and that the source - the commercial vendor or open source project - upstream is ok and will be a good choice for you, in the light of the EU Cyber Resilience Act.
In the worst case, this will lead to lawyers, procurement officers and product owners inventing their own forms and REQUIRING open source maintainers to answer WITHIN XXX DAYS. With a possibility of hundreds or thousands of upstream components for a manufacturer and thousands of downstream manufacturers for a maintainer, this will simply not work.
We need to establish a best current practice, a minimum form for doing this. Maybe suggest that maintainers that want to be used in CRA-compliant products publish this form in an easy-to-discover place. Or something else - let’s work together to find this out.
We need to do everything we can to avoid this potential DoS attack on Open Source maintainers and assist manufacturers in this process.
Read through the docs and we’ll see you in our next meeting!
/O
PS. If you need something to distribute internally to create interest, we’ve blogged about this issue here: