in reply to daniel:// stenberg://

Thank you for sharing this! It's likely that we'll be receiving this form soon, too. This helps us "get ahead" and have a template response ready beforehand.

IANAL, but adding a reminder for readers that open source stewards don't have many obligations under the Cyber Resilience Act and maintainers/contributors have zero. This form is likely being sent out to all "suppliers" (in the eyes of the company using the software) regardless of whether they know your obligations or not.

in reply to daniel:// stenberg://

Maybe? I'm kinda hopeful that we'll go through a period of "learning" where there'll be plenty of unwelcome forms being emailed to maintainers, we'll make a lot of noise, the industry will see that noise, and then people will learn that they are responsible for their open source component security and cold-emailing random people doesn't change that.

That seems to be what happened with the SSDF, albeit at a much smaller scale than the CRA (US Gov versus any digital company selling in EU).

in reply to daniel:// stenberg://

I'd say this is an opportunity for #FOSS maintainers to collaborate on taking advantage of. These companies that have been fortunate to earn tons of money by using open software without contributing back can no longer do that if they want to keep doing business in the EU.

What could be a good EU-based FOSS interest group to manage this smartly and collect _fees_ to distribute to maintainers of the used software?

Does @opencollective have an EU presence?

in reply to daniel:// stenberg://

Thanks for your post & your counter 😆

I'm curious: you characterize the EU #CRA as requiring #SBOM's *specifically*. I know the License Compliance Industrial Complex wants it to be true, but I researched this issue for my #FOSDEM 2025 talk…
fosdem.org/2025/schedule/event…
… & IIUC CRA *doesn't* specify SBOMs specifically.
IMO, if the vendor gives the customer complete, Corresponding Source & a 100% @reproducible_builds they've complied with CRA. No one has shown me anything that disproves that.

in reply to Bradley Kuhn

@bkuhn @reproducible_builds @msw I mention it because that's a major thing for lots of manufacturers. If you say you can avoid them I believe you, but I think that's beside the point. Many (most?) manufacturers will still do them I bet, insist on them and use them. And the point for me isn't really the SBOM or not, but that manufacturers need control and awareness of the components and dependencies. That's why they will send forms like this.
in reply to daniel:// stenberg://

Oh, I agree: confused users will request #SBOM's b/c they think they're useful (… even though they aren't).

My point is: we're still at a moment where we can influence actual implementation of CRA in practice (regulations are being written now).

The best approach? Convince regulators that complete, corresponding source & @reproducible_builds are *actually* useful to customers for FOSS.

#SBOM's are only useful for proprietary software. SBOMs for FOSS is make-work.

Cc: @msw @lexelas

in reply to daniel:// stenberg://

wrote:
> I think of SBOMs as a way for us to charge

So does the Compliance Industrial Complex. They've been planning for this. 💰's on the table when make-work becomes mandatory regulation.

I doubt small FOSS business'll get a piece of that pie easily. #SBOM game is already rigged to favor Big Tech.

But, I hope I'm wrong & you make a living from it!

Let's reserve the right to “I told you so” each other when one of us turns out wrong in 5-10 years. ☺

Cc: @msw @lexelas @jeremiah_

in reply to daniel:// stenberg://

wrote:
> I'm mostly floating along trying to survive and have fun doing it.

I'm admittedly slightly envious. Such comments remind me in my deepest & truest heart, I'd rather be a FOSS developer again than a FOSS policy wonk who is constantly too busy at that to code.

I felt morally obligated to work on policy so FOSS developers could have fun while I did all the horrible work. Then it became a career.

The experience taught me it's possible to be *too* altruistic sometimes. 😆

Cc: @msw

in reply to daniel:// stenberg://

I think that the money-value of SBOMs (as an "information good", i.e. a digital artifact that you produce and sell) isn't particularly high.

What people want is an assurance that you are implementing, and promise to perform in the future, secure software development processes that include supply chain risk management tools and methods.

SBOMs might be something that can be produced as a side effect (i.e., "evidence of performance")...

@bkuhn @reproducible_builds @lexelas

in reply to Colin Watson

@cjwatson they did get back, but of course never signed up nor paid for anything, so I did not answer any questions. They were also unpleasant enough to ask me to respond to the questions while they worked out the contract details, which now looks like a blatant second attempt to get the answers for free. Emerson is the company I had contact with.