Re: [open-regulatory-compliance] Open Source Software Stewards and CRA Whitepaper: review in progress until November 20th
> On 10 Nov 2025, at 10:20, Olle E. Johansson <oej@xxxxxxxxxx> wrote:
>> On 10 Nov 2025, at 10:15, Elizabeth Mattijsen via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
>>> There’s no requirement for Open Source projects to have a steward, and no requirement to have any legal body.
>> True. But then either the Open Source project will not be used in a commercial setting, or the manufacturer will eventually usurp and/or drop the project.
> I am sorry, but I don’t follow you. The manufacturer will be fully responsible for all components in the product
> regardless of whether there’s a steward upstream or not.
Right. So the manufacturer may either support the Open Source project in some way, or fork it and take complete responsibility.
And even though the CRA states (as I'm led to understand) that the manufacturer would be required to produce any fixes upstream (regardless of whether the license actually requires this), I don't see this (easily) actually enforced in reality.
> The change with the steward is outlined in our
> paper, but maybe not from a manufacturer’s point of view. With a steward upstream, chances are better that
> there’s a working security process.
And a steward would be a legal body, or not?
> We’re working on the attestations to figure them out, but they
> *MAY* be a way to simplify the manufacturer’s due diligence. A steward may also have a process
> to be more clear about lifecycle events for an open source project.
Well, they should. Otherwise they wouldn't be much of a steward?
> The risk of projects dying or being end-of-life is very similar to projects without a steward. In those cases
> the manufacturer will just have to make a decision to take the risk and continue using the software or switch to another solution.
That's what I meant by "usurp and/or drop". Because any sane company "taking the risk" would want to have control.
Elizabeth Mattijsen