On Mon, Jul 31, 2023 at 4:38 PM Dick Brooks <[email protected]> wrote:

> Microsoft owns GitHub, does that mean Microsoft is a commercial entity contributing to open-source, under the EU CRA?
>

Recent drafts clarified that repositories are not considered as a distributor or importer, so currently no. I don’t have the exact text in front of me but that’s the gist. This is important for things like Maven Central and Pypi.org, npmjs etc.

>
> Thanks,
>
> Dick Brooks
>
> Active Member of the CISA Critical Manufacturing Sector,
> Sector Coordinating Council – A Public-Private Partnership
>
> Never trust software, always verify and report! <https://reliableenergyanalytics.com/products> ™
> http://www.reliableenergyanalytics.com
> Email: [email protected]
> Tel: +1 978-696-1788
>
> From: [email protected] <[email protected]> On Behalf Of Mike Linksvayer
> Sent: Monday, July 31, 2023 4:19 PM
> To: [email protected]
> Cc: [email protected]; scrm-nist <[email protected]>; swsupplychain-eo <[email protected]>; Steve Springett <[email protected]>
> Subject: Re: [spdx] EU CRA is very supportive of SBOM
>
> On Mon, Jul 31, 2023 at 12:12 PM Brian Fox <[email protected]> wrote:
>
> > On Mon, Jul 31, 2023 at 3:10 PM David Prater via lists.spdx.org <dprater=[email protected]> wrote:
> >
> > > Addressing the open-source business model by ensuring that no commercial entities will participate in/contribute to open source work for fear of being held responsible for that software is certainly an interesting approach. That seems like the opposite of what you’re hoping for – getting resources for the OS community. It’s difficult for me to imagine how this legislation could have the intended effect. Seems more likely to me that OSS software licenses will start including the clause “May not be used/distributed in EU countries”. Hopefully I’m entirely mistaken.
> >
> > This ^^.
>
> Yes, this is the point of emphasis (in the title) of the blog post that John Sullivan linked to 5 days ago: by making it more risky to provide or accept in kind or financial support, open source will be weakened, and less secure. SME manufacturers whose putative reps might want to push compliance costs down to open source developers, will find out that rather than using open source as a way to pool resources and obtain more functionality and security for less, that instead they'll have to go back to paying for every bit of the stack both in kind (oh the EULAs, license keys, sales negotiations...) and financially. That'll be GREAT for EU manufacturers and consumers.
>
> Writing great in all caps and skimming tortured analogies elsewhere in the thread reminds me of how much I LOVE mailing lists. ;-)
>
> Anyway, the CRA's intentions are wholesome, its implementation a boomerang.
>
> Mike

View/Reply Online (#1741): https://lists.spdx.org/g/spdx/message/1741
