
Re: [open-regulatory-compliance] Open source will be discussed in CEN/CENELEC WG9 PT3 call on Wed Sept 24th afternoon

Hei Timo,


On Mon, 22 Sep 2025, Timo Perala (Nokia) via open-regulatory-compliance wrote:
>
> It is indeed unfortunate that these meetings are not open for all
> interested.

Yes, though this is not only unfortunate, it's a disaster.

I regularly talk with Open Source maintainers and contributors, and they
almost *always* respond to the CRA with a shrug and a "why should I
care?".

When this working group signals the same ("Why should we care about the
opinions of the open source folks"), then they - in their capacity as a
primary thought leader on this topic - signal that there is no need to
involve *any* voices from "long tail" of open source.

Currently, the only open source communities who get to be part of the
conversation are the well-organized and successful ones. But – both next
to and behind – each of them, there are large dependency graphs of
smaller, important and resource-starved projects, some with a massive
install base but with a community of *one* or *two* people.

This is a disaster in the making because the CRA's requirements for
metadata completeness and correctness, and its requirements for
conducting Due Diligence (and therefore, implying that *all* parties
involved will act with _Due Care_ when an incident calls for it), REQUIRE
the explicit buy-in and cooperation of _unpaid volunteers_.

Each person – unpaid volunteer – needs to be involved on _their_ terms,
lest we risk alienating these project owners and maintainers.

The easiest response for *any* volunteer will *always* be to do nothing
or to walk away. Do _you_ want to know how expensive that will get, when
too many communities decide to walk away? The businesses that depend on
these open source communities _certainly_ want to know.

So I'm sharing this warning: The output of these working groups will
determine if walking away continues to be the most attractive option, or
if there will be other options that make the "long tail" projects consider
playing their role – acting with due care – in securing the PwDEs headed
for the EU market, and responding to incidents in the future.

If these working groups don't talk with enough people in the long tail -
how can they even ensure that the needs in the long tail are taken into
account?

Right now, the answer looks bad.


- Salve J. Nilsen (CPAN Security Group)

-- 
#!/usr/bin/env perl
sub AUTOLOAD{$AUTOLOAD=~/.*::(\d+)/;seek(DATA,$1,0);print# Salve Joshua Nilsen
getc DATA}$"="'};&{'";@_=unpack("C*",unpack("u*",':50,$'.#    <sjn@xxxxxx>
'3!=0"59,6!`%%P\0!1)46%!F.Q`%01,`'."\n"));eval "&{'@_'}";  __END__ is near! :)
