Re: [open-regulatory-compliance] Stewards, open source projects etc

On Tue, 6 Aug 2024, Greg Wallace via open-regulatory-compliance wrote:

> I wonder if this may be a relatively straightforward situation of demand
> and supply.
>
>    - DEMAND: Attestations help Manufacturers comply
>    - SUPPLY: OSS projects are well positioned to provide Attestations for
>    their code and how it is developed (though this is not required of them by
>    the CRA nor by any OSS license)

Yes, what we have here is the first few components that are needed for
establishing a new market. :-)

The last few bits shouldn't be too difficult to figure out?

e.g. a way for the seller to withhold their product until payment is
completed; A way to set prices according to market demand; Some basic
mechanisms for ensuring competition; and as you say, the demand for
Attestations and a Supply from relevant trusted parties.


> A "Donation for Attestation" framework would have OSS Projects make
> Attestations available to donating Manufacturers under fair and reasonable
> terms (e.g. graduated donations based on Manufacturer size).

I'd go for a monthly subscription and maybe a kick-starter like auction
for motivating OSS maintainers/projects to enter this market. :)


> Ensuring OSS Projects meet Manufacturers' security requirements as
> threats evolve will require ongoing investment. If we leave the source
> of funds for these investments up to the traditional mechanism of
> at-will donations by Manufacturers to OSS Projects, Projects risk
> receiving insufficient funds and we are left with the free rider
> problem. I would argue that this is suboptimal for Manufacturers
> (especially the "good ones" who invest in OSS), for Projects, and for
> the security of our shared digital society, for which OSS is a key
> foundation.

I completely agree.


> A "Donation for Attestation" model addresses these shortcomings by
> enforcing a degree of equitability, which brings the important side
> benefit of creating funding diversity for the Project to protect against
> any one large donor's change of direction or fortunes. "Donation for
> Attestation" provides the funds for the Project to build and maintain
> security processes and tooling and to produce the Attestations. And
> "Donation for Attestation" is a durable funding mechanism since
> Attestations are attached to major releases.

Maybe? I think it's also worth keeping in mind that the Attestation + OSS
Steward thing also can be used to fund security work in the ecosystems
used for packaging and distribution, and (maybe more importantly) other
"boring" work (= having no volunteers) that is necessary in any sizable
OSS community.

And since the OSS Steward has to be a non-profit, I'd say this is already
well within scope of what was intended by the lawmakers </speculation> :-D


- Salve

-- 
#!/usr/bin/env perl
sub AUTOLOAD{$AUTOLOAD=~/.*::(\d+)/;seek(DATA,$1,0);print# Salve Joshua Nilsen
getc DATA}$"="'};&{'";@_=unpack("C*",unpack("u*",':50,$'.#    <sjn@xxxxxx>
'3!=0"59,6!`%%P\0!1)46%!F.Q`%01,`'."\n"));eval "&{'@_'}";  __END__ is near! :)

