What about smaller forges, such as srht. And I know of at least 3 “distributed forge” projects coming online, where there is no “forge”, but just small components operated by individual developers.
From: [email protected] <[email protected]> On Behalf Of Brian Fox
Sent: Monday, July 31, 2023 2:09 PM
To: [email protected]
Cc: Steve Springett <[email protected]>; [email protected]; scrm-nist <[email protected]>; swsupplychain-eo <[email protected]>
Subject: RE: [EXTERNAL] [spdx] EU CRA is very supportive of SBOM

On Mon, Jul 31, 2023 at 4:38 PM Dick Brooks <[email protected]> wrote:

Microsoft owns GitHub, does that mean Microsoft is a commercial entity contributing to open-source, under the EU CRA?

Recent drafts clarified that repositories are not considered as a distributor or importer, so currently no.
* I don’t have the exact text in front of me but that’s the gist. This is important for things like Maven Central and Pypi.org, npmjs etc.

Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! https://reliableenergyanalytics.com/products ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Mike Linksvayer
Sent: Monday, July 31, 2023 4:19 PM
To: [email protected]
Cc: [email protected]; scrm-nist <[email protected]>; swsupplychain-eo <[email protected]>; Steve Springett <[email protected]>
Subject: Re: [spdx] EU CRA is very supportive of SBOM

On Mon, Jul 31, 2023 at 12:12 PM Brian Fox <[email protected]> wrote:

On Mon, Jul 31, 2023 at 3:10 PM David Prater via lists.spdx.org <[email protected]> wrote:

Addressing the open-source business model by ensuring that no commercial entities will participate in/contribute to open source work for fear of being held responsible for that software is certainly an interesting approach. That seems like the opposite of what you’re hoping for – getting resources for the OS community. It’s difficult for me to imagine how this legislation could have the intended effect. Seems more likely to me that OSS software licenses will start including the clause “May not be used/distributed in EU countries”. Hopefully I’m entirely mistaken.

This ^^.

Yes, this is the point of emphasis (in the title) of the blog post that John Sullivan linked to 5 days ago: by making it more risky to provide or accept in-kind or financial support, open source will be weakened, and less secure. SME manufacturers whose putative reps might want to push compliance costs down to open source developers will find out that, rather than using open source as a way to pool resources and obtain more functionality and security for less, they'll instead have to go back to paying for every bit of the stack both in kind (oh the EULAs, license keys, sales negotiations...) and financially. That'll be GREAT for EU manufacturers and consumers.

Writing great in all caps and skimming tortured analogies elsewhere in the thread reminds me of how much I LOVE mailing lists. ;-)

Anyway, the CRA's intentions are wholesome, its implementation a boomerang.

Mike
