Re: [open-regulatory-compliance] Does being categorized as Important or Critical product impact FOSS dependencies (Was: European Commission informal CRA consultations on the definition of Critical and Important products)

Hello all,
This question was asked in one of the calls (in the context of a company having the same base platform and then proposing it as different products that fall under different levels of self assessment/important/critical). From what I remember, there was no clear answer to that.

I would say that it would impact (or should impact) the choice of the open source dependencies - so that the manufacturer prefers to use those that have better processes and require less work to justify their security level in the due diligence. For example, if there is a project stating in their README that they are in beta or early development, or that they do not provide security fixes, the justification is harder to make.

Kind regards,
Marta

On Sun, Jun 30, 2024 at 6:51 PM Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Joe Murray asks this really interesting question in a separate thread (see below for the full email): do the stricter conformity assessment of products categorised as Important or Critical impact their open source dependencies?

Of course, the burden of conformance falls on manufacturers, but can we imagine a situation where some open source projects allow manufacturers to meet the baseline requirements but not the stricter ones while others allow for both?

Curious what people think, here.

--tobie

---
Tobie Langel
Tech Lead Open Regulatory Compliance WG, Eclipse Foundation
Principal, UnlockOpen

On Sun, Jun 30, 2024 at 6:07 PM Joe Murray <joe.murray@xxxxxxxxxxxxxxxxx> wrote:
Some open source projects like Content Management Systems (WordPress, Drupal, Joomla) and CiviCRM are generally used in a way that makes each implementation unique due to selection and configuration of plugins, modules and extensions. The latter cannot run independently. Sometimes these plugins, modules and extensions implement or integrate as their primary function a critical or important category of functionality.

1. So I take it that a) the maintainers of the plugins, modules and extensions would possibly be open source stewards and since they are not putting the functionality on the market would not be subject to the stricter conformity assessments.

2. In some cases the primary purpose of an installation of the CMS is to provide a setup for a category III or IV function. In these cases the implementor is considered a manufacturer. And as they would need stricter conformity assessments, this would mean the software development practices of the plugin, extension, or module maintainer need to be in conformity, as well as those maintaining the core project.

Did I get this right?

Joe Murray, PhD
President, JMA Consulting

