Re: [open-regulatory-compliance] Open Source Software Stewards and CRA Whitepaper: review in progress until November 20th
> On 10 Nov 2025, at 10:15, Elizabeth Mattijsen via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
>
>> On 10 Nov 2025, at 09:39, Olle E. Johansson <oej@xxxxxxxxxx> wrote:
>>> On 7 Nov 2025, at 22:44, Elizabeth Mattijsen via open-regulatory-
>>> So, for better or worse, I think some kind of legal body will *always* be needed in the new CRA world.
>> It’s the other way around. If there’s a legal body, like a foundation, there was a risk that the foundation was going to
>> be seen as a manufacturer. That’s why the “stewards” was invented, to give the foundations a role.
>
> Aaah! Good to know!
>
>
>> There’s no requirement for Open Source projects to have a steward, and no requirement to have any legal body.
>
> True. But then either the Open Source project will not be used in a commercial setting, or the manufacturer will eventually usurp and/or drop the project.
I am sorry, but I don’t follow you. The manufacturer will be fully responsible for all components in the product
regardless of whether there’s a steward upstream or not. The change with the steward is outlined in our
paper, but maybe not from a manufacturer’s point of view. With a steward upstream, chances are better that
there’s a working security process. We’re working on the attestations to figure them out, but they
*MAY* be a way to simplify the manufacturer’s due diligence. A steward may also have a process
to be clearer about lifecycle events for an open source project.
The risk of projects dying or being end-of-life is very similar to projects without a steward. In those cases
the manufacturer will just have to make a decision to take the risk and continue using the software
or switch to another solution.
>
>
>> I still think there’s a grey area with multiple shades between a manufacturer and a steward and a project.
>
> Agree.
:-)
/O