What about smaller forges, such as srht.  And I know of at least 3 “distributed 
forge” projects coming online, where there is no “forge”, but just small 
components operated by individual developers.

From: [email protected] <[email protected]> On Behalf Of Brian Fox
Sent: Monday, July 31, 2023 2:09 PM
To: [email protected]
Cc: Steve Springett <[email protected]>; [email protected]; scrm-nist 
<[email protected]>; swsupplychain-eo <[email protected]>
Subject: RE: [EXTERNAL] [spdx] EU CRA is very supportive of SBOM


On Mon, Jul 31, 2023 at 4:38 PM Dick Brooks <[email protected]> wrote:
Microsoft owns GitHub, does that mean Microsoft is a commercial entity 
contributing to open-source, under the EU CRA?

Recent drafts clarified that repositories are not considered as a distributor 
or importer, so currently no. I don’t have the exact text in front of me but 
that’s the gist. This is important for things like Maven Central and Pypi.org, 
npmjs etc.



Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™ 
(https://reliableenergyanalytics.com/products)
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788


From: [email protected] <[email protected]> On Behalf Of Mike Linksvayer
Sent: Monday, July 31, 2023 4:19 PM
To: [email protected]
Cc: [email protected]; scrm-nist <[email protected]>; swsupplychain-eo 
<[email protected]>; Steve Springett <[email protected]>
Subject: Re: [spdx] EU CRA is very supportive of SBOM

On Mon, Jul 31, 2023 at 12:12 PM Brian Fox <[email protected]> wrote:
On Mon, Jul 31, 2023 at 3:10 PM David Prater via lists.spdx.org 
<[email protected]> wrote:
Addressing the open-source business model by ensuring that no commercial 
entities will participate in/contribute to open source work for fear of being 
held responsible for that software is certainly an interesting approach. That 
seems like the opposite of what you’re hoping for – getting resources for the 
OS community. It’s difficult for me to imagine how this legislation could have 
the intended effect. Seems more likely to me that OSS software licenses will 
start including the clause “May not be used/distributed in EU countries”. 
Hopefully I’m entirely mistaken.


This ^^.

Yes, this is the point of emphasis (in the title) of the blog post that John 
Sullivan linked to 5 days ago: by making it more risky to provide or accept in 
kind or financial support, open source will be weakened, and less secure. SME 
manufacturers whose putative reps might want to push compliance costs down to 
open source developers, will find out that rather than using open source as a 
way to pool resources and obtain more functionality and security for less, that 
instead they'll have to go back to paying for every bit of the stack both in 
kind (oh the EULAs, license keys, sales negotiations...) and financially. 
That'll be GREAT for EU manufacturers and consumers.

Writing great in all caps and skimming tortured analogies elsewhere in the 
thread reminds me of how much I LOVE mailing lists. ;-)

Anyway, the CRA's intentions are wholesome, its implementation a boomerang.

Mike
