Re: [open-regulatory-compliance] Does being categorized as Important or Critical product impact FOSS dependencies (Was: European Commission informal CRA consultations on the definition of Critical and Important products)
  • From: Steffen Zimmermann <steffen.zimmermann@xxxxxxxx>
  • Date: Sun, 30 Jun 2024 17:17:43 +0000
  • Accept-language: de-DE, en-US

Dear Tobie,

since the difference between products listed in Annex III / IV and the other products with digital elements is only upon the available conformity assessment procedure, it is upon the harmonized standards (and Notified Bodies' internal procedures) to distinguish between different levels of resilience, and from seeing this in CEN/CLC/TC13, this might be something we see in the future.

If a component supports the manufacturer of the product in reaching the CRA goals, like support period and vulnerability management, the manufacturers will clearly take these advantages into consideration.

Vice versa, if I manufacture a product that can be used as a component in both non-important and important products, what would be the burden to develop different versions of the same product…?

Best regards,

Steffen
Industrial Security @ VDMA

On 30.06.2024 at 18:51, Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Joe Murray asks this really interesting question in a separate thread (see below for the full email): do the stricter conformity assessments of products categorised as Important or Critical impact their open source dependencies?

Of course, the burden of conformance falls on manufacturers, but can we imagine a situation where some open source projects allow manufacturers to meet the baseline requirements but not the stricter ones while others allow for both?

Curious what people think, here.

--tobie

---
Tobie Langel
Tech Lead Open Regulatory Compliance WG, Eclipse Foundation
Principal, UnlockOpen

On Sun, Jun 30, 2024 at 6:07 PM Joe Murray <joe.murray@xxxxxxxxxxxxxxxxx> wrote:
Some open source projects like Content Management Systems (WordPress, Drupal, Joomla) and CiviCRM are generally used in a way that makes each implementation unique due to selection and configuration of plugins, modules and extensions. The latter cannot run independently. Sometimes these plugins, modules and extensions implement or integrate as their primary function a critical or important category of functionality.

1. So I take it that a) the maintainers of the plugins, modules and extensions would possibly be open source stewards and since they are not putting the functionality on the market would not be subject to the stricter conformity assessments.

2. In some cases the primary purpose of an installation of the CMS is to provide a setup for a category III or IV function. In these cases the implementor is considered a manufacturer. And as they would need stricter conformity assessments, this would mean the software development practices of the plugin, extension, or module maintainer need to be in conformity, as well as those maintaining the core project. 

Did I get this right?

Joe Murray, PhD
President, JMA Consulting
