Microsoft owns GitHub. Does that mean Microsoft is a commercial entity 
contributing to open-source, under the EU CRA?

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report! ™ 
<https://reliableenergyanalytics.com/products>

http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788

 

 

From: [email protected] <[email protected]> On Behalf Of Mike Linksvayer
Sent: Monday, July 31, 2023 4:19 PM
To: [email protected]
Cc: [email protected]; scrm-nist <[email protected]>; swsupplychain-eo 
<[email protected]>; Steve Springett <[email protected]>
Subject: Re: [spdx] EU CRA is very supportive of SBOM

 

On Mon, Jul 31, 2023 at 12:12 PM Brian Fox <[email protected]> wrote:

On Mon, Jul 31, 2023 at 3:10 PM David Prater via lists.spdx.org 
<[email protected]> wrote:

Addressing the open-source business model by ensuring that no commercial 
entities will participate in/contribute to open source work for fear of being 
held responsible for that software is certainly an interesting approach. That 
seems like the opposite of what you’re hoping for – getting resources for the 
OS community. It’s difficult for me to imagine how this legislation could have 
the intended effect. Seems more likely to me that OSS software licenses will 
start including the clause “May not be used/distributed in EU countries”. 
Hopefully I’m entirely mistaken.

 

 

This ^^.

 

Yes, this is the point of emphasis (in the title) of the blog post that John 
Sullivan linked to 5 days ago: by making it more risky to provide or accept in 
kind or financial support, open source will be weakened, and less secure. SME 
manufacturers whose putative reps might want to push compliance costs down to 
open source developers, will find out that rather than using open source as a 
way to pool resources and obtain more functionality and security for less, that 
instead they'll have to go back to paying for every bit of the stack both in 
kind (oh the EULAs, license keys, sales negotiations...) and financially. 
That'll be GREAT for EU manufacturers and consumers.

 

Writing great in all caps and skimming tortured analogies elsewhere in the 
thread reminds me of how much I LOVE mailing lists. ;-)

 

Anyway, the CRA's intentions are wholesome, its implementation a boomerang.

 

Mike




