Dear ORC Community,
Please find
here the minutes of our last CRA Attestations, Stewards and Maintainers meeting.
The key aspects discussed in the meeting were based on the EU Action Plan on AI and Cybersecurity and the future scope of the call:
- Cooperation with ENISA is valuable but must not devolve into unpaid consultancy; the community remains committed to ongoing consultations and aligning financial support with community expectations.
- There is a recognised need for direct community involvement in EU legislative processes, as previous top-down attempts to define open source without this input have resulted in poor outcomes, how this cooperation will be defined depends on the processes, requirements and funding in place for that.
- Concerns were raised that AI-generated code, which can be difficult to inspect, creates significant liability risks under the CRA and may be unsuitable for foundational infrastructure.
- To address AI-related security risks, the group noted the importance of transparency in training data and the potential for using AI bots to filter low-quality code from project pull requests.
- A critical AOB concern was raised regarding a proposed German law that could force the disclosure of software vulnerabilities to foreign intelligence agencies, directly undermining the CRA's mandate to patch security flaws.
If you have any questions or comments, do not hesitate to comment, also the minutes doc includes links to the relevant resources.
Cheers,
Juan
-- Juan Rico
Eclipse Foundation: The Community for Open Collaboration and Innovation
Berliner Allee 47, 64295 Darmstadt
Handelsregister: Darmstadt HRB 92821
Managing Directors: Gaël Blondelle, Mike Milinkovich, Michael Plagge