Re: [open-regulatory-compliance] European Commission informal CRA consultations on the definition of Critical and Important products

My 2 cents:

First, this is not really unique to CMS or plugins, many software products / projects have different usages and configurations.
1) IMO there is nothing to suggest that producers of plugins qualify as an open-source steward, at least not depending on the type of plugin they make. And why do you think they are not putting the functionality on the market? I would say this depends more on the nature of their product. If it’s a FOSS project without any income, they might not have any obligations. If they are licensing it, they are probably a manufacturer, even if part of it is FOSS.
2) Could you give an example for such a case? Based on the limited info you provided, I think there is no clear answer. Like e.g. in case you use Wordpress for Identity Management for some reason, I don’t think Wordpress can be expected to need stricter measures because of that. And if you do customization projects, i.e. for specific clients, I would anticipate that any provisions for FOSS do not apply to you, unless you or your clients make all their source available (and then I would have to look at things more closely and it might be too early to say).
(This is not legal advice though, and would need a more thorough case by case investigation)

-- 
Dr. Florian Idelberger


Karlsruher Institut für Technologie (KIT)
Zentrum für Angewandte Rechtswissenschaft (ZAR)
Institut für Informations- und Wirtschaftsrecht
Vincenz-Prießnitz-Str. 3, D-76131 Karlsruhe

Email: florian.idelberger@xxxxxxx

KIT - University of the State of Baden-Württemberg and
National Research Center of the Helmholtz Association

On 30.06.2024 at 18:07, Joe Murray via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Some open source projects like Content Management Systems (WordPress, Drupal, Joomla) and CiviCRM are generally used in a way that makes each implementation unique due to the selection and configuration of plugins, modules and extensions. The latter cannot run independently. Sometimes these plugins, modules and extensions implement or integrate as their primary function a critical or important category of functionality.

1. So I take it that a) the maintainers of the plugins, modules and extensions would possibly be open source stewards and since they are not putting the functionality on the market would not be subject to the stricter conformity assessments. 

2. In some cases the primary purpose of an installation of the CMS is to provide a setup for a category III or IV function. In these cases the implementor is considered a manufacturer. And as they would need stricter conformity assessments, this would mean the software development practices of the plugin, extension, or module maintainer need to be in conformity, as well as those maintaining the core project. 

Did I get this right?

Joe Murray, PhD
President, JMA Consulting


On Sun, Jun 30, 2024 at 10:34 AM Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Thanks Greg,

LMK if you need write access to any of the documents.

--tobie

On Sun, Jun 30, 2024 at 4:08 PM Greg Wallace <greg@xxxxxxxxxxxxxxxxxxxxx> wrote:
Thank you, Tobie!

I will be joining the operating systems consultation and am happy to take notes.

Greg
FreeBSD Foundation

On Sun, Jun 30, 2024 at 10:06 AM Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Someone reached out privately to ask why their category of software wasn't part of those initial consultations.

I'll share the answer here because I'm sure others are wondering about this too. (As a side note, feel free to ask questions directly to the mailing list. You'll get an answer faster, usually from someone much more knowledgeable than me, and everyone gets to learn from your question. There are no stupid questions; we're all trying to figure this out as we go, so don't feel bad for not knowing something.)

Now the answer to the question: the CRA categorises a subset of products as "Important" or "Critical". These products will have to go through a stricter conformity assessment because the impact of a vulnerability or security issue would have greater consequences. Product categories which aren't listed in Annex III and IV of the CRA aren't considered "Important" or "Critical" and so won't be part of those initial consultations. It doesn't mean they'll be exempt; they'll just be subject to the regular conformity assessment, not a stricter version.

You might still be interested in joining some calls about adjacent topics, but you shouldn't be directly impacted by these stricter conformity requirements if your product category isn't listed here. Also, these stricter requirements are for manufacturers, not open source stewards.

Hope this is helpful!

--tobie

---
Tobie Langel
Tech Lead Open Regulatory Compliance WG, Eclipse Foundation
Principal, UnlockOpen

On Sun, Jun 30, 2024 at 3:32 PM Tobie Langel <tobie@xxxxxxxxxxxxxx> wrote:

On Sun, Jun 30, 2024 at 2:35 PM Marta Rybczynska <marta.rybczynska@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Hello all,
I attended calls on Wednesday last week and here are my general notes (will put more detail on each specific subject in the documents linked by Toby). This is a kind of "what I wanted to know before I attended" message.

Of course, those are my personal notes and there might be errors.

Goal: the goal of those meetings is to discuss definitions of the categories of products on the list of important and critical products with digital elements of the CRA. There is one meeting per product category. There was a call about VPNs, and a separate one on "boot managers", and so on. It seems that there's pressure on them to come up with the definitions as soon as possible. They want to collect materials and then publish definition proposals "after summer". During that second consultation period, they will be asking for written feedback.

What one of these meetings looks like: it is an informal discussion. It starts with an introduction part, the same for all calls, with a reminder of the goals of the CRA and types of products (FOSS is listed separately). The Commission people present definitions they have found elsewhere (with the help of ENISA) and ask for comments or suggestions. I would classify the discussions as rich and highly technical.

The number of attendees varied from around 30 to more than 60. Not everyone talked. You raise your hand "virtually" and can comment verbally or in the chat.

There is no recording (on purpose) and they don't share their slides (also on purpose). They clearly say that those definitions are for discussion purposes only. There will be no written summary.

They have not promised to take any specific feedback into account; they were taking notes of the questions and suggestions.

FAQ from the calls I attended

1. What if a product has a function that is on the important/critical list, or has multiple functions on the list?

It must be the main function of the product to put it on the list. If a product just has such a function, but the main function is different, it is the categorisation of the main function that applies.

2. What about FOSS?

FOSS is self-assessment, except for critical products.

3. What about products on the important/critical list that include FOSS components?

The manufacturers will have to do due diligence.

4. What about the 3-year transition period, when the standards will only be known 2 years into it, leaving 1 year for manufacturers?

This one was asked in various forms in all the calls I attended. The rough answer is: there is much to do to create standards.

5. Can we change the names of categories?

No, they can't be changed anymore. Definitions can cover the part of the functionality that makes sense from the security point of view.

Kind regards,
Marta


On Fri, Jun 28, 2024 at 4:02 PM Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Hi all,

Following up on my previous email, I've set up a discussion topic to help us coordinate within the ORC WG and work effectively with OpenForum Europe (who is also tracking these calls): https://gitlab.eclipse.org/eclipse-wg/open-regulatory-compliance-wg/cra-topics/-/tree/main/topics/prod-defs


I also generated a google doc (I know!) for each individual consultation that can be used as a scratchpad before and during the call. The idea is to move the finalized meeting notes into GitLab (I can help with this). The scratchpads are linked directly from the coordination spreadsheet.

I gave editing permission to everyone who signed up for this topic via the survey and who has a Google account linked to the email they shared. Everyone else has the ability to comment. Feel free to request editing permission if you would like to participate and didn't get access.

Hopefully, this setup won't be too cumbersome to use and will help us coordinate. If you're unhappy with it, feel free to rely on the mailing list instead, and I'll do my best to update the docs and GitLab accordingly.

Comments and suggestions on how to improve this workflow are more than welcome.

TL;DR
If you're planning to join a CRA consultation call, add your name to the spreadsheet (https://docs.google.com/spreadsheets/d/1tVEd8A_Bk3k-QBS8CoiHxurYy_IvqcVmL5M2dgayuUg/edit?gid=0#gid=0) and don't forget to register (https://ec.europa.eu/eusurvey/runner/CRAconsultations).

Thanks,

--tobie

---
Tobie Langel
Tech Lead Open Regulatory Compliance WG, Eclipse Foundation
Principal, UnlockOpen
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org