Re: [open-regulatory-compliance] Stewards, open source projects etc

Hi,

This text has not yet entered into force and there is no case law for it; however, here is my understanding, which nonetheless should not be understood as legal advice:

There could be several manufacturers for one open source project. Nothing in this text (as far as I recall) prevents this (for instance, the fact that company A provides doesn't mean that company B de facto only contributes). Under the circumstances described by Olle, several manufacturers would all have the same obligations as long as it can be proven that they follow the figure shared by Greg (manufacturer = providing + developed in CA + monetising).

Based on this, it is clear that the best option for those manufacturers would be to create a steward ensuring compliance or integrate an existing one that would ensure compliance (for instance because it follows the specs and guidance developed in this WG 😉).

Now, I think the question from Greg, based on the graph, could be summarized as: where do you draw the line between contributing and providing in order to identify manufacturers of OSS? Or maybe in more legal terms: what are the identifiable legal criteria constituting a providing of OSS?

For this one, the text states that guidance will be published later. Again, the specifications/documents developed by this WG on this will be sent to the European Commission services drafting the guidance.

Now, nothing in the text states that a project is legally obliged to have a manufacturer or steward. But then, all corporate users will have the same problem: if I integrate this component, I have to comply with the due diligence obligation, forcing my company to ensure that the component is safe and follows the principles of the text (sorry, I don't recall the exact requirements right now). Therefore, without a clear provider and by choosing not to create or integrate a steward, manufacturers of products integrating OSS components would have chosen the non-pragmatic and cost-ineffective decision to launch a long, changing, unstable and costly due diligence on such components... (One compliance manager informed about SW supply chain and the CRA, and in charge of such compliance, should normally very quickly see it...).

As the issue is clearly identified by Greg and others, I would suggest starting a work stream focusing on "Criteria for identifying providers of OSS" where the community exchanges and finds solutions to this. Only with a real, concrete document to send to the EC services can we hope to have an implementation in line with our reality.

Should one be interested in starting such a work stream, I would suggest you get in touch with @Tobie Langel, who supports such work (maybe it has already started?).

Hope it helps, and I wish you all a good summer.

Best,
Enzo

On Mon, 5 Aug 2024 at 13:52, Greg Wallace via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
I see, thanks for the detail.

My sense (and this is just my sense and IANAL) is that in this case, your relationship to this OSS that matters to the CRA is that of a manufacturer that places the SW on the market.

On Mon, Aug 5, 2024 at 7:44 AM Olle E. Johansson <oej@xxxxxxxxxx> wrote:
Hi!

While this is a good slide there are still questions it doesn’t answer. I contribute to an open source project and sell services related to the use of that software. I’m in no way managing the project as a whole. There are many people from many - mostly small - companies all over Europe contributing to the project. There’s no company behind the project. We do distribute Debian packages of the product.

Are we all Open Source Stewards for the project? Are we all manufacturers since we monetise from the project by selling services?

/O

On 5 Aug 2024, at 13:17, Greg Wallace <greg@xxxxxxxxxxxxxxxxxxxxx> wrote:

Hi Olle,

I find this slide from the recent webinar on Jul 22, 2024 | "The CRA obligations: Identifying the relevant obligations for the OSS community" helpful to suss out how CRA applies (if at all) to different types of open source:

Cheers,
Greg

On Mon, Aug 5, 2024 at 7:10 AM Olle E. Johansson via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Hi!

In Enzo’s presentation there are two examples, but both involve commercial companies and/or foundations.

What about stand-alone multi-organisation open source projects? How will they be affected?


In addition, there are discussions about whether projects that *ONLY* distribute source code and no binaries, no containers, are affected. Is source code (possibly on an open repository) seen as a product that is placed on the EU market?

Cheers,
/O


_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org


--
Greg Wallace
Director of Partnerships & Research
M +1 919-247-3165



