Re: [open-regulatory-compliance] More edge cases



On 4 Jul 2024, at 13:53, Christian (fukami) Horchert <chorchert@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

On 4 Jul 2024, at 13:30, Dirk-Willem van Gulik via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
2) BigCo sells support for Tomcat. Their customers obtain Tomcat direct from the ASF and then BigCo helps them install, configure.
Q1. Is BigCo subject to the CRA?

What is the product? Services and support are not within the scope of the CRA. It’s a product regulation.

On this we are in agreement.

My worry is getting into unwitting customers being instructed (or BigCo staff on-site) to do 'curl https://dist.apache.org/tomcat.sh | sh -' sort of blind install at the customer where the relation with BigCo is basically 'tomcat as a supported product' -- and very much akin to how you now buy 'XXX app server powered by Apache Tomcat' where XXX is some brand name.

So the service really needs to be that. A service. And not a product in disguise.

8) If BigCo employs ALL of committers of the Tomcat project and allows them to work on Tomcat tasks as part of their employment does that change the answers to Q1 & Q2? 

No. 

Ok - fair to surmise that you do not see a (legal, in the context of the CRA) distinction between a diverse open source community at some open source foundation maintaining code collectively and a single vendor effort where staff at that vendor builds and maintains code. Which is then released under an open source license?

I.e. the crux is whether that code is under an open source license or not. And if it is - it is not under the CRA? Is that a fair summary? Or am I oversimplifying things?

With kind regards,

Dw


