| Re: [open-regulatory-compliance] Does being categorized as Important or Critical product impact FOSS dependencies (Was: European Commission informal CRA consultations on the definition of Critical and Important products) |
So I'm not really looking for an analysis of when open source will work in terms of attitudes, terminology or economics, but what the legal implications of CRA are on these communities and related entities.FWIW I position myself as a key player in stewarding CiviCRM but not of Wordpress, Drupal or Joomla. In reviewing the materials so far I realized that my micro-enterprise has done a couple of Drupal / CiviCRM projects whose primary function likely means thet constitute "Identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers" . I don't think the market for these CMS edge cases would justify significant changes in Drupal or WordPress development practices. But I am not yet knowledgeable about what the extra burden is for a Class I software project compared to a non-important one, and how much our communities may already have implemented the extra required processes.Joe Murray, PhD
President, JMA Consulting_______________________________________________On Sun, Jun 30, 2024 at 3:32 PM Dirk-Willem van Gulik <dirkx@xxxxxxxxxxxxxx> wrote:On 30 Jun 2024, at 19:58, Joe Murray <joe.murray@xxxxxxxxxxxxxxxxx> wrote:Yes, it would be necessary for the implementor to either not propose the use if the projects they are proposing are not conforming or do the work to help bring them into conformity. That would be the open source way. My concern is with implementations that are edge cases for the main project. My sense is it may be difficult to get them to adopt the stricter rigour if the great majority of use cases are not requiring it.Well - the second it is a ’them’ rather than the collective `us' of the community that maintains the open source it is IMHO game over. It is then every downstream manufacturer for themselves; and take on the full burden of bringing things into conformity.Open source only caters for the ‘us’. The them is happenstance — but is not part of the feedback loop that gives the win-win for the ‘us’ on the open source side. That needs self-interested contributions.So it is only the narrow case, I think, of enough of the open source community caring about conformity, that a part of it can be done in that open source community (even though it may not actually be strictly a part of the tasks that the governance of the open source steward sees on).With kind regards,DwOn Sun, Jun 30, 2024 at 1:02 PM Dirk-Willem van Gulik via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:On 30 Jun 2024, at 18:51, Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:_______________________________________________Joe Murray asks this really interesting question in a separate thread (see below for the full email): do the stricter conformity assessment of products categorised as Important or Critical impact their open source dependencies?Of course, the burden of conformance falls on manufacturers, but can we imagine a situation where some open source projects allow manufacturers to meet the baseline requirements but not the stricter ones while others allow for both?I would expect this to butt up against a fundamental open source tenet (e.g. 6, 8 and 10 in https://opensource.org/definition-annotated) about not trying to rule over your grave / downstream use. Because, as we have learned in the last 35+ years — the second you do this is the second you have subtle backstabbing & distrust between commercial parties with open source the conduit. And then the safe win-win of open source breaks down / is gone. And Trust Arrives on Foot and Leaves on Horseback, So I would not expect this at all. We’ve matured beyond that trap.What I do expect is the opposite — that some open source communities allow those in their community that place products on the market needing such assessment to collaborate at the open source foundation on exactly that.And that increasingly we see projects not just shipping source, makefiles, docs and release notes. But also that what is needed for conformity assessments.Now this may break the business models of some notified bodies — but that is not really an issue for opens source :)With kind regards,Dw._______________________________________________On Sun, Jun 30, 2024 at 6:07 PM Joe Murray <joe.murray@xxxxxxxxxxxxxxxxx> wrote:Some open source projects like Content Management Systems (WordPress, Drupal, Joomla) and CiviCRM are generally used in a way that makes each implementation unique due to selection and configuration of plugins, modules and extensions. The latter cannot run independently. Sometimes these plugins, modules and extensions implement or integrate as their primary function a critical or important category of functionality.1. So I take it that a) the maintainers of the plugins, modules and extensions would possibly be open source stewards and since they are not putting the functionality on the market would not be subject to the stricter conformity assessments.2. In some cases the primary purpose of an installation of the CMS is to provide a setup for a category III or IV function. In these cases the implementor is considered a manufacturer. And as they would need stricter conformity assessments, this would mean the software development practices of the plugin, extension, or module maintainer need to be in conformity, as well as those maintaining the core project.Did I get this right?Joe Murray, PhD
President, JMA Consulting
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org