mastodon - Link to source

daniel:// stenberg://

1 month ago

daniel:// stenberg://
1 month ago

The "good" people at Emerson for some reason couldn't think for themselves when I responded to them on behalf of #curl and instead continue and send the same questions to the #libssh2 project with the same "demands".

"This is a gentle reminder regarding our earlier request for your input on the cybersecurity risk assessment of the software component “libssh2” version 1.11.0, as part of our compliance efforts with the EU Cyber Resilience Act (CRA)."

#curl #libssh2

in reply to daniel:// stenberg://

mastodon - Link to source

Robin Whittleton

in reply to daniel:// stenberg:// 1 month ago

just, wow

in reply to daniel:// stenberg://

mastodon - Link to source

synlogic

in reply to daniel:// stenberg:// 1 month ago

I admire anyone whose worked on FOSS as long as you have, sir, because the few times I've dipped my toe in the water I've found little reward and mostly pain. My dabbling with LatLearn (my Golang latency instrumentation lib) has been the closest to a net win for me so far. I suspect mainly because I've minimized my upkeep burden and have few users anyway loltears. But if randos emailed me out of the blue demanding I do unpaid work for them it would grow old fast!

in reply to daniel:// stenberg://

mastodon - Link to source

daniel:// stenberg://

in reply to daniel:// stenberg:// 1 month ago

I replied.

From: Daniel Stenberg
To: (four persons with emails ending with @emerson.com)
Subject: Re: Cybersecurity Risk Assessment Request from Emerson for libssh2

On Wed, 30 Jul 2025, (redacted) wrote:

Hello,

As I have told you already on behalf of curl, there is similarly nobody that is going to do your work for free for the libssh2 project either.

Please STOP sending these rude and ignorant emails to Open Source projects.

Thanks,

/ Daniel

in reply to daniel:// stenberg://

mastodon - Link to source

synlogic

in reply to daniel:// stenberg:// 1 month ago

fairly & clearly worded on your part

in reply to daniel:// stenberg://

mastodon - Link to source

daniel:// stenberg://

in reply to daniel:// stenberg:// 1 month ago

I have also offered them a contract to help them answer these questions for curl, but they have not yet taken me up on that. As time passes, it seems more and more unlikely that they will.

in reply to daniel:// stenberg://

mastodon - Link to source

Simon Michalke

in reply to daniel:// stenberg:// 1 month ago

you could send them the FOSS license of curl, maybe they will blindly submit it ^^

in reply to daniel:// stenberg://

mastodon - Link to source

Fubaroque

in reply to daniel:// stenberg:// 1 month ago

But, but… their deadlines!? 🤣

This entry was edited (1 month ago)

in reply to daniel:// stenberg://

mastodon - Link to source

Thomas Svensson 🖖

in reply to daniel:// stenberg:// 1 month ago

Much depends on how serious EU will be about enforcing this new regulation. I they don't, then these guys likely keep using in violation.

I'm loading up with 🍿

in reply to daniel:// stenberg://

mastodon - Link to source

Miketlester

in reply to daniel:// stenberg:// 1 month ago

Please forward the actual email thread to Michael.lester@emerson.com

Emerson appreciates the OSS community.

in reply to daniel:// stenberg://

mastodon - Link to source

Jeroen van Bergen

in reply to daniel:// stenberg:// 1 month ago

I am sure you will be able to cope with the disappointment.

in reply to daniel:// stenberg://

mastodon - Link to source

Miketlester

in reply to daniel:// stenberg:// 1 month ago

please forward the actual email from Emerson to Michael.lester@emerson.com so I can review it internally and check our process. I look forward to hearing from you.

in reply to daniel:// stenberg://

mastodon - Link to source

Troed Sångberg

in reply to daniel:// stenberg:// 1 month ago

do they have a legal@emerson account too perhaps? :D

in reply to daniel:// stenberg://

mastodon - Link to source

dendrite

in reply to daniel:// stenberg:// 1 month ago

Maybe if you tell them you have revoked their kicense

in reply to daniel:// stenberg://

mastodon - Link to source

Even Rouault

in reply to daniel:// stenberg:// 1 month ago

The libtiff project also got the same request from Emerson (sent to the listserv owner) for libtiff, mentionning a totally antiquated libtiff version (3.6.1). I didn't bother answering them

in reply to daniel:// stenberg://

mastodon - Link to source

Patrick Loftus 🖖

in reply to daniel:// stenberg:// 1 month ago

🎵 99 rows in the spreadsheet 99 rows. I send an email highlight one 98 rows to go! 🎵

in reply to daniel:// stenberg://

mastodon - Link to source

Thomas Svensson 🖖

in reply to daniel:// stenberg:// 1 month ago

I just think it is so funny of them to use "gentle reminder" to "request" others to save their bacon for free.

Their internal reasoning and strategizing to come up with that would be interesting to know.

This entry was edited (1 month ago)

in reply to Thomas Svensson 🖖

mastodon - Link to source

Varx

in reply to Thomas Svensson 🖖 1 month ago

@tsvenson This is worded exactly the way Ive seen when dealing with paid software licenses.

They're evidently mixing supported software where they have a paid license and FOSS software into the same risk analysis process which is stupid for obvious reasons.

@Thomas Svensson 🖖

in reply to Varx

mastodon - Link to source

daniel:// stenberg://

in reply to Varx 1 month ago

@varx @tsvenson in this case, since I have already been in contact with them about exactly that, they can no longer please ignorance. They now KNOW but they still decide to push forward like this.

@Varx @Thomas Svensson 🖖

in reply to daniel:// stenberg://

mastodon - Link to source

Thomas Svensson 🖖

in reply to daniel:// stenberg:// 1 month ago

It is likely that the compliance staff is quite clueless when it comes to open source licenses. Plus they are an ocean away from those who chose and implemented the use. Who could select open source as there are no contract and financial transactions involved.

I really hope EU is serious about enforcing this new regulation, so these freeloaders will have to make good to continue using open source.

@Varx

in reply to daniel:// stenberg://

mastodon - Link to source

Julian Andres Klode 🏳️‍🌈

in reply to daniel:// stenberg:// 3 weeks ago

Today they sent one for APT.

lists.debian.org/deity/2025/08…

Oh I see they even have HTML, neither Thunderbird nor Neomutt (duh) rendered that :D

Attached is my reply...

Reply from me:

If you need a supported version of APT, please get your APT
from a supplier you have signed a support contract with.

The 1.2.31 release you are refering to is outdated. A security
update and further bug fix releases have been released. Further
security updates can be received by subscribing to Ubuntu Pro,
or entering into a support contract with another supplier who
will backport patches from newer releases for you.

APT itself, as opposed to APT supplied via the means of a commercial
entity as part of a commercial operation, is not a commercial project
and not subject to the CRA.

Please don't spam open source projects with ridiculous non-sense
like this. This is not how the CRA works.

Cybersecurity Risk Assessment Request from Emerson for apt

^{lists.debian.org}

in reply to Julian Andres Klode 🏳️‍🌈

mastodon - Link to source

daniel:// stenberg://

in reply to Julian Andres Klode 🏳️‍🌈 3 weeks ago

@juliank just to nitpick: it is "subject to the CRA" for them

@Julian Andres Klode 🏳️‍🌈

in reply to daniel:// stenberg://

mastodon - Link to source

Julian Andres Klode 🏳️‍🌈

in reply to daniel:// stenberg:// 3 weeks ago

oh I guess should have said the APT project as opposed to the APT code they got from somewhere :D

⇧