[open-regulatory-compliance] Does being categorized as Important or Critical product impact FOSS dependencies (Was: European Commission informal CRA consultations on the definition of Critical and Important products)

Joe Murray asks this really interesting question in a separate thread (see below for the full email): do the stricter conformity assessments of products categorised as Important or Critical impact their open source dependencies?

Of course, the burden of conformance falls on manufacturers, but can we imagine a situation where some open source projects allow manufacturers to meet the baseline requirements but not the stricter ones while others allow for both?

Curious what people think, here.

--tobie

---
Tobie Langel
Tech Lead Open Regulatory Compliance WG, Eclipse Foundation
Principal, UnlockOpen

On Sun, Jun 30, 2024 at 6:07 PM Joe Murray <joe.murray@xxxxxxxxxxxxxxxxx> wrote:
Some open source projects like Content Management Systems (WordPress, Drupal, Joomla) and CiviCRM are generally used in a way that makes each implementation unique due to selection and configuration of plugins, modules and extensions. The latter cannot run independently. Sometimes these plugins, modules and extensions implement or integrate as their primary function a critical or important category of functionality.  

1. So I take it that a) the maintainers of the plugins, modules and extensions would possibly be open source stewards and, since they are not putting the functionality on the market, would not be subject to the stricter conformity assessments.

2. In some cases the primary purpose of an installation of the CMS is to provide a setup for a category III or IV function. In these cases the implementor is considered a manufacturer. And as they would need stricter conformity assessments, this would mean the software development practices of the plugin, extension, or module maintainer need to be in conformity, as well as those maintaining the core project. 

Did I get this right?

Joe Murray, PhD
President, JMA Consulting


