I find that, for tight deadlines, a short email is often the quickest to both write and read.

"no" is the shortest that has meaning 😀

I'm most interested in what the table actually is, as are many other people for that matter, because it could inform people of what to expect + prepare boilerplate responses.

Also, for a laugh, it'd allow me to see how quickly an LLM could be prepared to reply...

What happens if you send them an email clearly stating you do none of those things and that curl is just the hobby of some guy that has no business providing a service to a billion people? Will the company have to stop using curl?

@KevinOfComputer

Reading through your posts about CRA, I think there is a chance for a CRUde awakening for these companies.

A reality check even, about how open source actually works. Including having to read the licenses and realizing they use it, for free, on their own risk.

Leaving the eat the risk, get a support contract or stop using.

So after the initial drama, this could be a good thing for open source in the long run.

@skyr
Yes, there's a ton of exceptions from CRA regulations for FLOSS projects. But they don't excempt commercial companies from their CRA duties when incorporating FLOSS in their products. See Recital 34.

@bagder

Not quite the questions I got, but similar outline.

BTW: It is not obvious to me what the legal status of our answers will be, and what liability we might pick up with them.

That's why I quoted T&M: I would want to talk to a lawyer before answering.

A6: "Yes. We don't know. The vulnerabilities haven't been discovered yet."

(or do they mean "known vulnerabilities"? 😜)

Based on github.blog/open-source/mainta… you are at most a "steward" under the CRA and would have rather minimal requirement. This questionnaire definitely goes beyond that.

Having said that, the questions are extremely weaseley. "Is appropriate cybersecurity testing in place" can easily be answered with yes if no testing is mandated for you as a steward, but it sure is not what the asker expects...

What the EU’s new software legislation means for developers - The GitHub Blog

The EU Cyber Resilience Act will introduce new cybersecurity requirements for software released in the EU. Learn what it means for your open source projects and what GitHub is doing to ensure the law will be a net win for open source maintainers.

^{Felix Reda (The GitHub Blog)}

Dear ,

I haven’t the motivation to answer your questions so I’ve had my LLM complie these responses for your records. Should you require a considered, articulate, Human response, then contact me to make commercial arrangements. U til then, I hope the following is sufficient:

1. Is Secure Software Development Lifecycle followed for developing this component?

Absolutely. We follow the Secure Software Development Lifecycle of the Ancient Order of the Keyboard Knights, wherein bugs are ritually exorcised by moonlight. Our threat model includes gremlins, entropy, and the eventual heat death of the universe.

2. Do you provide regular security updates for “libcurl”?

Yes, on every second Tuesday that coincides with a solar flare. Security updates are broadcast via carrier pigeon to subscribers of our psychic mailing list. You’re on that, right?

3. Is there any discontinuation/End of life for the latest version of “libcurl” in near future?

Yes. Support will cease five minutes after you read this sentence. Any continued use past that is on you, your shareholders, and possibly your descendants.

4. Do you have Long Term support for “libcurl”?

Yes. LTS extends until the next time someone rage-quits after reading corporate compliance forms. Estimated duration: ∞ ± a nervous breakdown.

5. Is appropriate cybersecurity testing followed? If yes, is any specific standard for testing used?

We use the highly regarded YOLO/420 framework, which relies on vibes, sarcasm, and staring very hard at the code until it either confesses or crashes.

6. Are there any vulnerabilities in the latest version which are not disclosed publicly?

We don’t disclose them publicly. We disclose them secretly during developer sleep cycles. If you’re not picking them up, maybe update your firmware.

7. Is the vulnerability handling procedure available for “libcurl”?

Yes. It involves screaming into a GitHub issue tracker and then sacrificing a merge request under a new moon. Full documentation is encrypted into the Fibonacci sequence.

8. Do you comply with EU-CRA requirements?

We comply with a CRA—the Cosmic Randomness Accord—which governs the behavior of open-source electrons. The EU one, nobody knows but it sounds tedious.

9. Do you provide proof of conformity regarding adherence to EU-CRA?

Yes, we have a 1:1 scale interpretive dance reenactment available on VHS. Please provide your own tape and CRT for viewing and legal review.

⸻

Let me know if you want versions that walk the line closer to plausible deniability or should be translated into bureaucratic doublespeak.