Re: [open-regulatory-compliance] Open Source Software Stewards and CRA W

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [open-regulatory-compliance] Open Source Software Stewards and CRA Whitepaper: review in progress until November 20th

From: Scott Lewis <slewis@xxxxxxxxxxxxx>
Date: Mon, 10 Nov 2025 12:00:22 -0800
Arc-authentication-results: i=1; oxsus-vadesecure.net; auth=pass smtp.auth=3@640737 smtp.mailfrom=slewis@xxxxxxxxxxxxx;
Arc-message-signature: i=1; a=rsa-sha256; d=oxsus-vadesecure.net; s=arc-202309-rsa2048; t=1762804826; c=relaxed/relaxed; h=from:reply-to:subject:date:to:cc:resent-date:resent-from:resent-to:resent-cc:in-reply-to:references:list-id:list-help:list-unsubscribe:list-unsubscribe-post:list-subscribe:list-post:list-owner:list-archive; bh=b2iCzOnWCB8LOYeh2NA8AvC02mRjqll++T+gNZxqbyo=; b=evPXiJHn0cphvmmhPHNBNfemNd2oEm6r7hneGQD8wCHRpfa0UVxpPSLM0DKJSnt1FyZDb9F5asFeUlICTJ02wxrLq/2pRwySo2ok53J5ngD9y0nmm41FJgXG2emO8GeHQ4AkIBDILEE9Nj3wQZg1sBHqEcl6Aa5SjLjI8LUHgEqnlnUkFS4LCoB6eaBIdGvEtbgdegRv6hTYkpe7BoQ79OPh7oIFlSGMRxNDac9pUvUM8XrHEBAO5IoLRH0CW2fphjuYaAL2xWE1UMGS5/MsP1fCiGnrZyxLMEIg9VQMTaybyTe0uEz60cWB/LHyDhI0ZOaeNSkS3Ta7HdXXSwyHDw==
Arc-seal: i=1; a=rsa-sha256; d=oxsus-vadesecure.net; s=arc-202309-rsa2048; t=1762804826; cv=none; b=L8tn9S03+AUNVJiNzmyrpwU1P0th3n6yBSdGiP+R7T3POMNrnHUQxY9OHSic+Z9lRzkzKjFU883ssfqb1YBjoMCo0RDj2FqpDBFpEgnzOl0aDPQv2mrz2oV6Pj/tHHr9v6NYSOXfH1ShrpH+3b6yi9B8LC2Ni6kLCqshkntyO+BsgXVKD6KHrE4yY4C9nI989QBYVnEBqDHeS1F/nJ2lOjfwYXdwblwJslBsUpiARofbBsioqPUgogncHdvHlYC2cfjzTl7a3844O1hoXVAQgw0VBWm179SoRhbV4io3z0fIpg7XdCA3eX0aO4ZNd+arg09dmjkhQ7BbzG6GWt0Kow==
Delivered-to: open-regulatory-compliance@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/open-regulatory-compliance/>
List-help: <mailto:open-regulatory-compliance-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/open-regulatory-compliance>, <mailto:open-regulatory-compliance-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/open-regulatory-compliance>, <mailto:open-regulatory-compliance-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla Thunderbird

On 11/10/2025 1:54 AM, Dirk-Willem van Gulik via open-regulatory-compliance wrote:

<stuff deleted>

We’re working on the attestations to figure them out, but they
*MAY* be a way to simplify the manufacturer’s due diligence. A steward may also have a process
to be more clear about lifecycle events for an open source project.

Well, they should. Otherwise they wouldn't be much of a steward?

All one has to do to find existing problems with 'non-profit/profit/Foundation as open source steward' approach is to look at an existing org-hosted project's dependencies. There are *many* large popular open source projects where plenty of resources, time, money, managers, lawyers, insurance, other 'middle-men' exist (and are often well-payed) to keep that project secure...e.g. all of the Foundation's 'flagship' projects/applications.

But look 1-level or more down in the project dependency tree (e.g. modules/libs that are used, or libs that those libs use, etc.) and the situation changes completely. Historically, many (if not most) of the major security issues in open source end up being underneath the top level projects...in the middle and lower layers of the technology 'stack'. Examples: log4 (a widely-used logging library, heartbleed (openssl), middleware, operating-system or even hardware issues. The current situation is that these lib/infra projects do not get support necessary to even continue in many cases...and asking them to add maintenance work through frequently unsupported 'contributions' is just impossible.

Further, it's not reasonable to expect that just anyone (even in the dev community specifically) will be able to actually provide reasonable 'stewardship' for n-level dependencies...no matter what is said in the marketplace. IMO, there needs to be some requirements put on 'stewards' that recognizes and addresses this problem wrt dependencies...as such dependencies are a part of what defines open source 'community', 'transparency', as well as 'collaboration'.

_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org

References:
- [open-regulatory-compliance] Open Source Software Stewards and CRA Whitepaper: review in progress until November 20th
  - From: Marta Rybczynska
- Re: [open-regulatory-compliance] Open Source Software Stewards and CRA Whitepaper: review in progress until November 20th
  - From: Scott Lewis
- Re: [open-regulatory-compliance] Open Source Software Stewards and CRA Whitepaper: review in progress until November 20th
  - From: Elizabeth Mattijsen
- Re: [open-regulatory-compliance] Open Source Software Stewards and CRA Whitepaper: review in progress until November 20th
  - From: Olle E. Johansson
- Re: [open-regulatory-compliance] Open Source Software Stewards and CRA Whitepaper: review in progress until November 20th
  - From: Elizabeth Mattijsen
- Re: [open-regulatory-compliance] Open Source Software Stewards and CRA Whitepaper: review in progress until November 20th
  - From: Olle E. Johansson
- Re: [open-regulatory-compliance] Open Source Software Stewards and CRA Whitepaper: review in progress until November 20th
  - From: Elizabeth Mattijsen
- Re: [open-regulatory-compliance] Open Source Software Stewards and CRA Whitepaper: review in progress until November 20th
  - From: Dirk-Willem van Gulik

Prev by Date: Re: [open-regulatory-compliance] ORC events this week
Previous by thread: Re: [open-regulatory-compliance] Open Source Software Stewards and CRA Whitepaper: review in progress until November 20th
Index(es):
- Date
- Thread

Breadcrumbs