Re: [open-regulatory-compliance] CRA discussion topics and activities
  • From: "Fendt, Oliver" <oliver.fendt@xxxxxxxxxxx>
  • Date: Fri, 14 Jun 2024 11:29:50 +0000

Hi,

yes, I agree with you that this will impose some additional setup and governance for some OSS projects.

Luckily there are already good practices defined for how to tackle the reporting of security vulnerabilities, which are already implemented in many OSS projects.

Documentation of how this can be set up is available, for example, here:

https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

Ciao

Oliver

From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> On Behalf Of Tobias Frech via open-regulatory-compliance
Sent: Friday, 14 June 2024 11:44
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Tobias Frech <tobias@xxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] CRA discussion topics and activities

Hi!

While getting up to date with my knowledge about the CRA, I was surprised to learn that integrators will need to fix security issues and/or provide fixes back to the OSS projects. I think this will lead to a set of new requirements for OSS projects to publish ways of contact and probably standard rates for support work.

Where would you put such thoughts?

Best
Tobias (iJUG e.V.)

On 14 June 2024 10:59:39 CEST, Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Hi all,

I'm preparing a form to gather your input on CRA-related discussion topics and activities you'd like to get involved with.

Here's a list of general topics taken from Gaël's presentation yesterday:

- CRA reading group
- Building support documentation (glossary, collecting references, etc.)
- How to ensure effective participation in the EU standardization process
- How to provide input to the EU Commission in general (and about product categorisation in particular)
- CRA impact on Open Source Stewards / foundations
- CRA impact on open source consumers (SMEs / enterprise / OSPOs)
- CRA impact on single-vendor open source

And here's a list of the more technical topics he shared:

- Standards for identifiers (CPEs), version numbers, end-of-life status & dates, referencing (transitive) dependencies, etc.
- Standards for releases, recall, EOL
- Secure by design
- Open source supply chain security
- Vulnerability handling
- Software lifecycle, including post-EOL vulnerabilities

Any pressing topics I'm missing?

Thanks for your input,

--tobie

---
Tobie Langel
Tech Lead ORC WG, Eclipse Foundation
Principal, UnlockOpen

--
Frech IT GmbH / Am Brünnele 7 / 71642 Ludwigsburg
phone : +49-(0)7141-9113037 / HR B 744851 / AG Stuttgart
Managing Director: Tobias Frech
mobile: +49-(0)172-7112352 / email: tobias@xxxxxxxxxx