Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [open-regulatory-compliance] Stewards, open source projects etc
I'm in a similar situation to Olle. 

My sense is that OSS contributors are not liable for the fixes we do for the community, but we are liable to our own clients for whom we are manufacturers. 

To the extent that there are (lots of) OSS projects without stewards, I'm unclear what the methods are for them to get or produce attestations that the software they are publishing is developed in a secure fashion. Are there (perverse) incentives for these projects to not create an attestation as they would accrue liability if an incident occur that led to damages? For example, my understanding is that in the case of leakage of PII, a common method to mitigate the damage is to provide packages costing about USD$180 each to users to help them prevent identity theft. 

Joe Murray, PhD (he/him)
President, JMA Consulting
416.466.1281

We respectfully acknowledge the autonomy of Indigenous peoples, and that JMA Consulting is located on the traditional territory of many nations including the Mississaugas of the Credit, the Anishnabeg, the Chippewa, the Haudenosaunee and the Wendat peoples which is now home to many diverse First Nations, Inuit and Métis peoples. We also acknowledge that Toronto is covered by Treaty 13 with the Mississaugas of the Credit.


On Mon, Aug 5, 2024 at 7:52 AM Greg Wallace via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
I see, thanks for the detail.

My sense ( and this is just my sense and IANAL) is that in this case, your relationship to this OSS that matters to the CRA is that of a manufacturer that places the SW on the market. 

On Mon, Aug 5, 2024 at 7:44 AM Olle E. Johansson <oej@xxxxxxxxxx> wrote:
Hi!

While this is a good slide there are still questions it doesn’t answer. I contribute to an open source project and sell services related to the use of that software. I’m in no way managing the project as a whole. There are many people from many - mostly small - companies all over Europe contributing to the project. There’s no company behind the project. We do distribute Debian packages of the product.

Are we all Open Source Stewards for the project? Are we all manufacturers since we monetise from the project by selling services?

/O

On 5 Aug 2024, at 13:17, Greg Wallace <greg@xxxxxxxxxxxxxxxxxxxxx> wrote:

Hi Olle,

I find this slide from the recent webinar on Jul 22,  2024 | "The CRA obligations: Identifying the relevant obligations for the OSS community" helpful to suss out how CRA applies (if at all) to different types of open source:



Cheers,
Greg

On Mon, Aug 5, 2024 at 7:10 AM Olle E. Johansson via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Hi!

In Enzo’s presentation there are two examples, but both involves commercial companies and/or foundations.

What about stand-alone multi-organisation open source projects? How will they be affected?


In addition, there are discussions about whether projects that *ONLY* distribute source code and no binaries, no containers, are affected. Is source code (possibly on an open repository) seen as a product that is placed on the EU market?

Cheers,
/O


_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org


--
Greg Wallace
Director of Partnerships & Research
M +1 919-247-3165



--
Greg Wallace
Director of Partnerships & Research
M +1 919-247-3165
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org

Back to the top