What about smaller forges, such as srht? And I know of at least 3 “distributed
forge” projects coming online, where there is no “forge”, but just small
components operated by individual developers.
From: spdx@lists.spdx.org On Behalf Of Brian Fox
Sent: Monday, July 31, 2023 2:09 PM
To:
On Mon, 2023-07-31 at 14:54 -0400, Dick Brooks wrote:
> Thanks for providing your feedback and insights Mike. It seems we
> agree on two important points:
>
> AGREE: “We can all agree that improving the security of software is
> necessary. Consumers deserve protections that they currently do not
On Mon, Jul 31, 2023 at 4:38 PM Dick Brooks <d...@reliableenergyanalytics.com> wrote:
> Microsoft owns GitHub, does that mean Microsoft is a commercial entity
> contributing to open-source, under the EU CRA?
>
>
Recent drafts clarified that repositories are not considered as a
distributor or
Hello Everyone,
My apologies. I did not intend to deluge you with emails on this topic.
As you can see there are some rather passionate positions across the software
supply chain.
Please accept my apologies.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Microsoft owns GitHub, does that mean Microsoft is a commercial entity
contributing to open-source, under the EU CRA?
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
On Mon, Jul 31, 2023 at 12:12 PM Brian Fox wrote:
> On Mon, Jul 31, 2023 at 3:10 PM David Prater via lists.spdx.org <cisco@lists.spdx.org> wrote:
>
>> Addressing the open-source business model by ensuring that no commercial
>> entities will participate in/contribute to open source work for
The end user should have exactly as much recourse as they paid for (c;
Seriously though, in my opinion a more apt comparison would be that of a food
bank. As we know, food banks often give away food and other items that are
desperately needed. As we also know, many companies donate food to
On Mon, Jul 31, 2023 at 3:43 PM Warner Losh wrote:
>
>
> On Mon, Jul 31, 2023, 1:27 PM Dick Brooks <d...@reliableenergyanalytics.com> wrote:
>
>> You make a good point Brian. Clearly the restaurant owner bears
>> responsibility in your analogy.
>>
>>
>>
>> But what about the case where a
I’m fairly certain that this already has been settled in common law.
This also is related to manslaughter versus murder, which are considered to
have different culpability and penalty.
Thanks, David
--
David Edelsohn, Ph.D.
STSM, IBM Open Ecosystem, CTO GNU Toolchain
IBM T.J. Watson Research
I think the (potentially well-meaning) intent of the CRA does not matter if it
backfires the way it will, in its current form. It _might_ reach its goal,
because if any relevant OSS project/foundation withdraws usage rights for
European entities, that will kill any commercial software
On Mon, Jul 31, 2023, 1:27 PM Dick Brooks wrote:
> You make a good point Brian. Clearly the restaurant owner bears
> responsibility in your analogy.
>
>
>
> But what about the case where a consumer takes the tainted cucumbers from
> the farm stand and gets sick/dies? Who is responsible then?
You make a good point Brian. Clearly the restaurant owner bears responsibility
in your analogy.
But what about the case where a consumer takes the tainted cucumbers from the
farm stand and gets sick/dies? Who is responsible then? Does the farmer bear
any responsibility for distributing
On Mon, Jul 31, 2023 at 3:10 PM David Prater via lists.spdx.org wrote:
> Addressing the open-source business model by ensuring that no commercial
> entities will participate in/contribute to open source work for fear of
> being held responsible for that software is certainly an interesting
>
Thanks for providing your feedback and insights Mike. It seems we agree on two
important points:
AGREE: “We can all agree that improving the security of software is necessary.
Consumers deserve protections that they currently do not have.”
AGREE: “I agree that the CRA is intended to
Definitely don’t intend to speak for Mike, but my assumption is that the link
he intended to include in his email is this:
https://news.apache.org/foundation/entry/save-open-source-the-impending-tragedy-of-the-cyber-resilience-act
Mike, humblest apologies if I’m mistaken. The link you included
FYI - for those interested in software supply chain public-private
partnerships - see email below. I attended the original session when it
aired and I found it worthwhile.
As you can see from the CC list, there are quite a number of interested
parties participating in this "cybersecurity team"
On Sun, Jul 30, 2023 at 8:05 AM Dick Brooks <d...@reliableenergyanalytics.com> wrote:
> Mike,
>
>
>
> I agree. The CRA is raising questions about the open-source business
> model, which IMO is broken and needs to be fixed. Open-source developers
> and maintainers are very talented and work very
> If you think of this in another context, would you as a consumer accept a
> free food product that causes cancer to occur?
>
> Would you accept software that causes a malicious cyber incident to occur?
>
I think a better analogy would be: if you as an inspector/consumer find
spoiled food in a
*Reminder: Build Profile Meeting*
*When:*
Monday, July 31, 2023
1:00pm to 2:00pm
(UTC-05:00) America/Chicago
*Where:*
https://meet.jit.si/SPDXBuildProfile
*Organizer:* Brandon Lum l...@google.com
Dick,
We can all agree that improving the security of software is necessary.
Consumers deserve protections that they currently do not have.
Regulation of the software industry is coming and is arguably overdue.
I agree that the CRA is intended to protect consumers. But it is also
definitely
*Reminder: SPDX tech team meeting*
*When:*
Tuesday, August 1, 2023
11:00am to 12:30pm
(UTC-05:00) America/Chicago
*Where:*
https://zoom.us/j/663426859
*Organizer:* Kate Stewart kstew...@linuxfoundation.org
Hello all,
For anyone who is interested, the Software Engineering Maintenance and
Evolution Research Unit (SEMERU) lab at William and Mary is running a new
survey relating to third-party software license compliance.
The target audience is "folks that have a background in law, preferably with a
Hi Bob & outreach team,
Just saw your email after Jordi and I joined the call – we just had a short
discussion on an “Ambassador Program” and a proposal for quick start guides.
Since we didn’t have a quorum, we didn’t make any decisions, but we can tee up
both conversations for next week.
*Reminder: Outreach team call*
*When:*
Monday, July 31, 2023
10:00am to 10:30am
(UTC-05:00) America/Chicago
*Where:*
Enclosed
*Description:*
We are having our weekly SPDX Outreach Team at:
Given Alexios and Phil can't make today, I offer that we should cancel today's meeting.
If anyone had a critical issue please send it to the list for discussion.
Bob
Robert (Bob) Martin
Sr. Software and Supply Chain Assurance Principal Eng.
Cross
All, apologies. I’ve had a conflict arise and will not make today’s meeting.
From: alexios.zav...@intel.com
When: 11:00 AM - 11:30 AM July 31, 2023
Subject: SPDX Outreach Team call
Location: https://meet.jit.si/SPDXOutreachMeeting
Recurring invitation for the weekly meeting of the