Re: [open-regulatory-compliance] CRA discussion topics and activities

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [open-regulatory-compliance] CRA discussion topics and activities

From: "Salve J. Nilsen" <sjn-eclipse-foundation-oss-cyber-spec@xxxxxxx>
Date: Mon, 17 Jun 2024 11:30:57 +0200 (CEST)
Delivered-to: open-regulatory-compliance@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/open-regulatory-compliance/>
List-help: <mailto:open-regulatory-compliance-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/open-regulatory-compliance>, <mailto:open-regulatory-compliance-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/open-regulatory-compliance>, <mailto:open-regulatory-compliance-request@eclipse.org?subject=unsubscribe>

Hei!

Here are a few more topics & ideas for consideration! I hope this is
useful.


Tobie Langel via open-regulatory-compliance said:

> Hi all,
>
> I'm preparing a form to gather your input on CRA-related discussion topics
> and activities you'd like to get involved with.
>
[snip]
>
> Any pressing topics I'm missing?
>
> Thanks for your input,

Regarding "CRA impact on Open Source Stewards / foundations"

- Question: To what extent is "code-hosting" a requirement? The CRA's
formulation seems to be somewhat allowing of different models of
operation; And since the CPAN predates the Perl Foundation by several
years (and has always been operating independently), I'm wondering if the
"code-hosting" requirement for this forum is a bit too strict...


Other additions:

- Fully and separately enumerate CRA impact on different entities having
roles throughout the supply-chain; e.g. Language ecosystem providers, OS
packaging providers, Container registries.

- Clarify to which extent the "Importer" role in CRA applies to FOSS
supply-chain entities.

- Clarify to which extent the "Distributor" role in the CRA applies to
FOSS supply-chain entities.

- Clarify if, or to what extent, or how a Manufacturer's liability
landscape is influenced by the cooperation with a OSS Steward.

- Create an overview of existing communities that have created (or are in
the process of creating) relevant standards, resources or guides.

- Create and guide on how the interaction between Manufacturers and OSS
Stewards may influence the long-term sustainability of OSS projects,
including what criteria should be fulfilled to help "long tail" OSS
projects converge towards this.


Thank you Tobie for working on this! I have more to add to these lists,
but I'm a bit wary of pushing too much at one time. :-)


- Salve J. Nilsen (CPAN Security Group)

-- 
#!/usr/bin/env perl
sub AUTOLOAD{$AUTOLOAD=~/.*::(\d+)/;seek(DATA,$1,0);print# Salve Joshua Nilsen
getc DATA}$"="'};&{'";@_=unpack("C*",unpack("u*",':50,$'.#    <sjn@xxxxxx>
'3!=0"59,6!`%%P\0!1)46%!F.Q`%01,`'."\n"));eval "&{'@_'}";  __END__ is near! :)

References:
- [open-regulatory-compliance] CRA discussion topics and activities
  - From: Tobie Langel

Prev by Date: Re: [open-regulatory-compliance] CRA discussion topics and activities
Next by Date: Re: [open-regulatory-compliance] CRA discussion topics and activities
Previous by thread: Re: [open-regulatory-compliance] CRA discussion topics and activities
Next by thread: [open-regulatory-compliance] [ACTION REQUIRED] Please fill-in survey on CRA discussion topics
Index(es):
- Date
- Thread

Breadcrumbs