Re: [open-regulatory-compliance] Stewards, open source projects etc
On Tue, 6 Aug 2024, Greg Wallace via open-regulatory-compliance wrote:
> I wonder if this may be a relatively straightforward situation of demand
> and supply.
>
> - DEMAND: Attestations help Manufacturers comply
> - SUPPLY: OSS projects are well positioned to provide Attestations for
> their code and how it is developed (though this is not required of them by
> the CRA nor by any OSS license)
Yes, what we have here is the first few components that are needed for
establishing a new market. :-)
The last few bits shouldn't be too difficult to figure out?
e.g. a way for the seller to withhold their product until payment is
completed; A way to set prices according to market demand; Some basic
mechanisms for ensuring competition; and as you say, the demand for
Attestations and a Supply from relevant trusted parties.
> A "Donation for Attestation" framework would have OSS Projects make
> Attestations available to donating Manufacturers under fair and reasonable
> terms (e.g. graduated donations based on Manufacturer size).
I'd go for a monthly subscription and maybe a kick-starter like auction
for motivating OSS maintainers/projects to enter this market. :)
> Ensuring OSS Projects meet Manufacturers' security requirements as
> threats evolve will require ongoing investment. If we leave the source
> of funds for these investments up to the traditional mechanism of
> at-will donations by Manufacturers to OSS Projects, Projects risk
> receiving insufficient funds and we are left with the free rider
> problem. I would argue that this is suboptimal for Manufacturers
> (especially the "good ones" who invest in OSS), for Projects, and for
> the security of our shared digital society, for which OSS is a key
> foundation.
I completely agree.
> A "Donation for Attestation" model addresses these shortcomings by
> enforcing a degree of equitability, which brings the important side
> benefit of creating funding diversity for the Project to protect against
> any one large donor's change of direction or fortunes. "Donation for
> Attestation" provides the funds for the Project to build and maintain
> security processes and tooling and to produce the Attestations. And
> "Donation for Attestation" is a durable funding mechanism since
> Attestations are attached to major releases.
Maybe? I think it's also worth keeping in mind that the Attestation + OSS
Steward thing also can be used to fund security work in the ecosystems
used for packaging and distribution, and (maybe more importantly) other
"boring" work (= having no volunteers) that is necessary in any sizable
OSS community.
And since the OSS Steward has to be a non-profit, I'd say this is already
well within scope of what was intended by the lawmakers </speculation> :-D
- Salve
--
#!/usr/bin/env perl
sub AUTOLOAD{$AUTOLOAD=~/.*::(\d+)/;seek(DATA,$1,0);print# Salve Joshua Nilsen
getc DATA}$"="'};&{'";@_=unpack("C*",unpack("u*",':50,$'.# <sjn@xxxxxx>
'3!=0"59,6!`%%P\0!1)46%!F.Q`%01,`'."\n"));eval "&{'@_'}"; __END__ is near! :)