Re: [open-regulatory-compliance] Agenda request: Consideration of DOU

Dear Omkhar,

First of all - thanks for engaging and caring. And glad to see you here.

I think we are mixing up two aspects here — the meta aspect of the governance of this working group, and then what we are actually going to work on (i.e. capture what we, as open source, have long applied as good practices, but under documented standards that help us prepare for the CRA).

From my perspective, with this Eclipse effort on their governance, we have secured:

  • the ability of (any) open source participants to participate freely (as in free-beer and as in free-speech) and directly (e.g. without having to rely on employers of open source volunteers happening to have the right things in place), easily.
  • So that our open source developers can come to the table and contribute. Immediately.
  • And existing processes ensure that comments and ideas, no matter how small or from whom, need to be looked at.
  • That has sufficient governance & other trimmings as expected by policy makers and notified bodies in order to allow our output to not go to waste once it crosses into that world.

The DoU idea is nice and simple. Tempting. But, I think, (far) too simple. Therefore I think we disagree with the change of governance you proposed and have been pushing for; nor do I see the need to add this to the agenda. 

Yes — it could have been easier to set up a mailing list and, perhaps, sign some MoUs. However - with CENELEC the appointed normative body - we have to face the hard and unpleasant reality that there will be a lot of interfacing, and some level of scratching itches other than our own — if we are to help CENELEC with creating the right standards; this effort will also require significant organisational and editorial cycles.

More importantly - given the “power” (projected onto) of the open source foundations, e.g. from a (geo)political perspective -- such a crowd gathering on a simple mailing list effort would soon be required to develop a very decent story around governance, around non-capturability, around stability, accountability and so on. So that simple mailing list effort with a DoU was not going to fly. We’d have to add all the trimmings. And creating such a beast from zero; that is hard - how do you bootstrap trust with the policy makers?

Of all the open source foundations - Eclipse happened to have both 1) a proven, familiar (for policy makers), generic process for such collaborations in contested spaces (including those involving biotech). 

Where, by design, the process governance is very far away from the day to day work. I.e., just like in the Apache Software Foundation, the governance is just process guardrails -- the projects or working groups themselves figure out what they want to do, how fast and so on. And Eclipse is familiar/proven - in the sense that EU policy makers would not immediately worry (or have to investigate) that this process succumbs to commercial pressure or shenanigans (of USA big tech they do not trust). And 2) - Eclipse is based in Europe, in Brussels even.

So I think the Eclipse effort is hitting that very pragmatic balance between simplicity, speed and expediency that lets us scratch our itch now. Especially for us open source foundations. So we support the proposed governance and the recent tweaks (already implemented by Eclipse). We don't see any other model you have proposed to be working for this effort that has to function in a CRA context. I don’t see any caps for the membership of foundations.

And yes - I am less concerned about commercial entities. In part as this is first and foremost an open source effort (i.e. we, potential open source stewards, are doing this to define what we are). And in part as those in industry, i.e. at commercial entities, that care a lot, are generally part of our (say Apache) community already. So even volunteers employed by the smallest of Micro-SMEs can participate as volunteers as part of their respective open source foundations, that's the beauty of it. 

I would love to have this Thursday spent on getting going on the actual content. I.e. start the process by which we inventory what we need to address (vuln. handling, reporting, SBOMs, dealing with EOL) from the CRA text; rather than spending long, unnecessary time on a discussion that matters mainly for one organisation. We have a lot to do.

So let's not worry about making a very pragmatic, proven and generic solution more 'ideal' -- but focus on starting to scratch the CRA itch. We can always optimise later.

Especially because the real work will happen at the specification project level (which I have not seen concerns about - correct?) - and not the governance level.

Dw.
— 
Dirk-Willem van Gulik, 
VP Public Affairs, 
The Apache Software Foundation
On 10 Jun 2024, at 16:04, Omkhar Arasaratnam via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Hi folks,

Please add an agenda item to Thursday's meeting to discuss using a Document of Understanding (DOU) rather than Foundation membership for code-hosting non-profits that wish to participate in the CRA standards-setting process.

We understand entirely the fiduciary accountabilities associated with running and governing the Open Regulatory Compliance Working Group. We support the appropriate board, governance, and steering committees to ensure that the fees paid by members are used judiciously. This must continue to occur, irrespective of the approach taken by code-hosting non-profits. 

Our interest, and the interest of several other code-hosting non-profits, is to ensure we can collaborate with minimal overhead, bound to the CRA only. The current proposal for Foundation Membership incurs a significant bureaucratic burden of Compliance Working Group membership, plus Eclipse membership, which is unnecessary and will stifle participation from Foundations with limited resources. 

In addition, the current membership agreement is broadly constructed. We're only interested in setting up a method for collaborating on CRA. Future legislation can be considered in the future.

The overhead associated with Foundation membership has no upside for code-hosting non-profits whose only interest is setting technical standards.

As such, we'd like to allocate appropriate time on Thursday to discuss implementing a DOU in lieu of Foundation membership of code-hosting non-profits with this group.

--
Omkhar Arasaratnam
General Manager
OpenSSF  | The Linux Foundation