Re: [open-regulatory-compliance] Open source will be discussed in CEN/CENELEC WG9 PT3 call on Wed Sept 24th afternoon
Salve,
I do agree with you.
Unfortunately, we won't change the system in time for the CRA so we
have to work within it for now.
A lot of people gave input for the 1025 "Have your say"[1] which would
allow the EU to make changes to the way standards are developed going
forward.
We're looking forward to the results of that.
But all is not lost as the public enquiry phase will start soon
(~November). Yes, it's still annoying, too little and too late but at
least more people get to comment.
Unfortunately, the procedure is different in every EU country. I can
tell you how it works in Germany but I don't know about other
countries (and I don't know about non-EU countries either).
So, I'd urge everyone to try and find out how the commenting works in
your country. It might require you having to sign up somewhere etc. so
it's good to get that sorted upfront.
Cheers,
Lars
[1] <https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14511-Standardisation-Regulation-revision_en>
On Mon, Sep 22, 2025 at 7:01 PM Salve J. Nilsen via
open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx>
wrote:
>
> Hei Timo,
>
>
> On Mon, 22 Sep 2025, Timo Perala (Nokia) via open-regulatory-compliance wrote:
> >
> > It is indeed unfortunate that these meetings are not open for all
> > interested.
>
> Yes, though this is not only unfortunate, it's a disaster.
>
> I regularly talk with Open Source maintainers and contributors, and they
> almost *always* respond to the CRA with a shrug and a "why should I
> care?".
>
> When this working group signals the same ("Why should we care about the
> opinions of the open source folks"), then they - in their capacity as a
> primary thought leader on this topic - signal that there is no need to
> involve *any* voices from "long tail" of open source.
>
> Currently, the only open source communities who get to be part of the
> conversation, are the well-organized and successful ones. But – both next
> to and behind – each of them, there are large dependency graphs of
> smaller, important and resource-starved projects, some with a massive
> install base but with a community of *one* or *two* people.
>
> This is a disaster in the making because the CRA's requirements to
> metadata completeness and correctness, and its requirements for
> conducting Due Diligence (and therefore, implying that *all* parties
> involved will act with _Due Care_ when an incident calls for it), REQUIRES
> the explicit buy-in and cooperation with _unpaid volunteers_.
>
> Each person – unpaid volunteer – needs to be involved on _their_ terms,
> lest we risk alienating these project owners and maintainers.
>
> The easiest response for *any* volunteer, will *always* be to do nothing
> or to walk away. Do _you_ want to know how expensive that will get, when
> too many communities decide to walk away? The businesses that depend on
> these open source communities _certainly_ want to know.
>
> So I'm sharing this warning: The output of these working groups will
> determine if walking away continues to be the most attractive option, or
> if there will be other options that make the "long tail" projects consider
> playing their role – acting with due care – in securing the PwDE's headed
> for the EU market, and responding to incidents in the future.
>
> If these working groups don't talk with enough people in the long tail -
> how can they even ensure that the needs in the long tail are taken into
> account?
>
> Right now, the answer looks bad.
>
>
> - Salve J. Nilsen (CPAN Security Group)
>
> --
> #!/usr/bin/env perl
> sub AUTOLOAD{$AUTOLOAD=~/.*::(\d+)/;seek(DATA,$1,0);print# Salve Joshua Nilsen
> getc DATA}$"="'};&{'";@_=unpack("C*",unpack("u*",':50,$'.# <sjn@xxxxxx>
> '3!=0"59,6!`%%P\0!1)46%!F.Q`%01,`'."\n"));eval "&{'@_'}"; __END__ is near! :)