Re: [open-regulatory-compliance] Manufacturer's responsibility

[Greg Wallace <greg@xxxxxxxxxxxxxxxxxxxxx>]

I have a slightly different understanding.

The manufacturer is responsible for the security of their product, including any third party components they include, regardless of how those components are licensed. 

HOW the manufacturer determines that their entire product is secure, up to the standard required for their category, is not completely prescribed by the CRA.

An Attestation as to the security of an OSS project is ONE WAY a manufacturer can demonstrate that they performed appropriate due diligence. 

A third party audit could be another way. 

Questions I have here are: 

• would the output of a third party audit be an Attestation? 
• would this Attestation conform to some standard?
• if an Open Source Steward offers an Attestation, what obligations does a third party auditor have to consult with the Steward and/or conform to the Steward's Attestation?  

Of course I'm very interested in others' thoughts. Perhaps the answers are understood. 

Thank you!

Greg

On Mon, Aug 5, 2024 at 7:41 AM Olle E. Johansson via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Hi!

Hopefully a final question based on Enzo’s excellent presentation (go watch it if you haven’t).

If I understood Enzo right, a manufacturer can’t include a open source component without a valid attestation.

The way I see it is if a manufacturer includes Open Source software and that project either dies, remains or becomes non-compliant it will still be the responsibility of the manufacturer to make sure the full product placed on the EU market is compliant.

Is this an invalid assumption?

Cheers,
/O
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org

--

Greg Wallace

Director of Partnerships & Research

M +1 919-247-3165

Schedule a meeting

Get your FreeBSD Gear