Someone asked offlist what part of the CRA triggered the GPL-like requirement for upstreaming vulnerabilities, so I thought I'd share my answer here for everyone's benefit. It's in Article 12, section 6:
Manufacturers shall, upon identifying a vulnerability in a component, including in an open-source component, which is integrated in the product with digital elements, report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability in accordance with the vulnerability handling requirements set out in Annex I, Part II. Where manufacturers have developed a software or hardware modification to address the vulnerability in that component, they shall share the relevant code or documentation with the person or entity manufacturing or maintaining the component, where appropriate in a machine-readable format.
Hope that's useful to others.
And just so y'all feel more comfortable asking questions on the list, just know that I didn't know the answer off the top of my head and had to look it up. There's a lot to absorb here, and it's entirely OK not to know the answers and/or make mistakes.
We're all in this together!
--tobie