Re: [open-regulatory-compliance] Manufacturer's responsibility



On 5 Aug 2024, at 17:56, Enzo Ribagnac via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Hi Olle,

To your original question: that's not what I meant.

Manufacturers cannot sell products without exercising due diligence on their open source components. In other words, I have to check that all my open source components are in line with some CRA requirements.

One way to do that is to check if the OSS components have the attestation granted by the given authority in the text.

If the project doesn't have an attestation, then each manufacturer will have to "manually" check every single requirement, for every single component of the final product to be put on the market. If one OSS component does not pass the manual due diligence test, then the product cannot be put on the market…
Unless the manufacturer assumes full responsibility for that component (in practice forks the component) - right?

E.g. product A integrates 100 OSS components without attestation: my company has to manually exercise a due diligence process for each of them, ensuring that each component is in line with each one of the related CRA requirements.

/O

Best,
Enzo

On Mon, 5 Aug 2024 at 16:35, Joe Murray via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Olle wrote:
Even if the manufacturer can point to an attestation by an open source steward, won't the manufacturer be fully responsible for the product they are placing on the market? I don't think there's any provision in the CRA to forward the blame upstream in the software supply chain, regardless of whether a commercial or open source component is used.

In terms of liability for an incident, if the manufacturer can show they took reasonable steps to ensure the security of their product then they are not liable under a negligence standard of liability in common law jurisdictions, but they can still be liable under a strict liability standard. I am guessing that what the new European regime is creating is a way to allow manufacturers to show they took reasonable care in creating their digital product so that they are not liable for negligence, and that there is not a strict liability policy in place. 

What obligation do OSS Stewards have to fund the fixes for reported vulnerabilities?
 
Joe Murray, PhD (he/him)
President, JMA Consulting
416.466.1281

We respectfully acknowledge the autonomy of Indigenous peoples, and that JMA Consulting is located on the traditional territory of many nations including the Mississaugas of the Credit, the Anishnabeg, the Chippewa, the Haudenosaunee and the Wendat peoples which is now home to many diverse First Nations, Inuit and Métis peoples. We also acknowledge that Toronto is covered by Treaty 13 with the Mississaugas of the Credit.


On Mon, Aug 5, 2024 at 10:14 AM Olle E. Johansson via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:


On 5 Aug 2024, at 16:05, Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

On Mon, Aug 5, 2024 at 2:09 PM Greg Wallace via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
I have a slightly different understanding.

The manufacturer is responsible for the security of their product, including any third party components they include, regardless of how those components are licensed.

That's also my understanding from the webinar session with Benjamin.
 
HOW the manufacturer determines that their entire product is secure, up to the standard required for their category, is not completely prescribed by the CRA.

That's my understanding too. Though the harmonized standards will create a presumption of conformity, so there's a prescribed way to get a presumption of conformity.

An Attestation as to the security of an OSS project is ONE WAY a manufacturer can demonstrate that they performed appropriate due diligence. 

A third party audit could be another way. 

Questions I have here are: 
  • would the output of a third party audit be an Attestation?
 Article 25 allows it.
  • would this Attestation conform to some standard?
That's to be defined by the related delegated acts that the Commission is empowered to author. 

Even if the manufacturer can point to an attestation by an open source steward, won't the manufacturer be fully responsible for the product they are placing on the market? I don't think there's any provision in the CRA to forward the blame upstream in the software supply chain, regardless of whether a commercial or open source component is used.

Or?



  • if an Open Source Steward offers an Attestation, what obligations does a third party auditor have to consult with the Steward and/or conform to the Steward's Attestation?
I don't think there's any obligation of that nature in the CRA.
 
Of course I'm very interested in others' thoughts. Perhaps the answers are understood.

Separately: should we start collecting these questions and answers in an FAQ?

That’s a good idea.

/O
--tobie
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org
