WEBVTT

00:00.000 --> 00:16.200
This is the panel on Could Compliance Costs Sustain Open Source: A Theory of Voluntary

00:16.200 --> 00:18.360
Attestations Under the CRA.

00:18.360 --> 00:24.000
This is about Article 25, wherein the Commission reserves a sort of delegated act;

00:24.000 --> 00:32.560
they describe attestations as a mechanism for open source maintainers, developers,

00:32.560 --> 00:39.040
stewards, et cetera, to provide something that helps the manufacturers have a reduced

00:39.040 --> 00:43.080
cost of compliance, which is effort of compliance, with the presumption that the manufacturers

00:43.080 --> 00:48.000
are then going to help support the open source community maintainers, et cetera.

00:48.000 --> 00:50.000
And then we've all been discussing how to do that.

00:50.000 --> 00:57.360
We have, I'm Aeva Black, a former open source policy lead at CISA in the US, now doing

00:57.360 --> 01:00.160
consulting over here, and we'll go down the line.

01:00.160 --> 01:01.160
Yeah.

01:01.160 --> 01:02.160
Hi, I'm Michael.

01:02.160 --> 01:07.880
I work at the BSI in Germany, the Federal Office for Cyber Security.

01:07.880 --> 01:14.560
And when I started three years ago, one of my tasks was to give some comments on the CRA,

01:14.560 --> 01:21.440
and from there I evolved into standardization, market surveillance for the CRA, and also

01:21.440 --> 01:29.120
doing some stuff around open source, and so I get to see real open source as well.

01:29.120 --> 01:30.280
Hi, everyone.

01:30.280 --> 01:32.280
My name is Greg Wallace.

01:32.280 --> 01:34.880
Oh, thank you.

01:34.880 --> 01:39.280
And I've been involved in a lot of different open source projects, from independent

01:39.280 --> 01:44.000
ones to corporate-backed ones to foundations.

01:44.000 --> 01:51.480
And really, I'm involved in this working group because, you know, for me, open source

01:51.480 --> 01:59.720
is really one of the most beautiful and important expressions of human ingenuity that we

01:59.720 --> 02:04.120
have experienced in our lifetimes, and it needs to be protected.

02:04.120 --> 02:08.760
And so, okay, thank you.

02:08.760 --> 02:21.240
So that's why I'm involved in this. Open source sustainability is really under pressure right

02:21.240 --> 02:22.240
now.

02:22.240 --> 02:27.400
And so, I think that if we work together and collaboratively in this working group in this

02:27.400 --> 02:32.880
ORC and bring all of our ideas together, I think we can come up with really good solutions

02:32.880 --> 02:38.000
to the challenge and make open source more sustainable, which I think is a very important

02:38.080 --> 02:40.280
infrastructure.

02:40.280 --> 02:41.280
And good afternoon.

02:41.280 --> 02:42.280
Thank you.

02:42.280 --> 02:43.280
I'm Tomas Bernewan.

02:43.280 --> 02:46.360
I'm one of the policy officers in the European Commission that is working directly

02:46.360 --> 02:48.640
in the CRA implementation.

02:48.640 --> 02:55.040
So I normally hold the pen on a lot of the guidance documents that have been published, and

02:55.040 --> 03:00.000
that will be published very soon, and that will hopefully also ease some of the concerns

03:00.000 --> 03:04.360
that we've heard in these past couple of days of FOSDEM.

03:04.440 --> 03:07.440
So, my first question is for you.

03:07.440 --> 03:13.560
A little bit of a hot-take answer I'd like to have from you: do you think this concept of voluntary

03:13.560 --> 03:18.280
security attestations will benefit or burden open source communities and maintainers?

03:18.280 --> 03:22.760
Yeah, so I think in the earlier part, as most of you listened, there was the sentence

03:22.760 --> 03:28.920
that ended up in the national cybersecurity strategy of the US, where you say that we need

03:28.920 --> 03:33.760
to make sure that the burden is on the manufacturers and not on the open source developers.

03:33.760 --> 03:35.840
And that's exactly what the CRA encodes.

03:35.840 --> 03:41.400
There is no obligation for the developer, in most cases, to do really anything.

03:41.400 --> 03:45.280
But there is an obligation for those who take your project and put it in their product to do

03:45.280 --> 03:47.160
what the CRA calls due diligence.

03:47.160 --> 03:50.560
So to make sure that they know what they're putting in and that they have assurances

03:50.560 --> 03:53.040
that what they're putting in is secure.

03:53.040 --> 03:58.920
So there is a natural incentive for manufacturers to invest time and resources in making

03:58.920 --> 04:03.320
sure that the projects that they rely on are adequately maintained and supported so that

04:03.320 --> 04:07.800
their due diligence is simplified and made possible.

04:07.800 --> 04:12.120
So that's really the starting point of the voluntary attestation mechanism that the Commission

04:12.120 --> 04:13.880
can put forward.

04:13.880 --> 04:16.280
And we want to make sure that it's something that doesn't burden you,

04:16.280 --> 04:20.680
but the manufacturer, I mean, if they come and ask you. So that's really where

04:20.680 --> 04:24.680
we're coming from, and that's what we want to achieve, apologies.

04:24.680 --> 04:29.920
And to do that, we want you to help us, because we want to make it right. We want

04:29.920 --> 04:35.680
to make sure that it works for you and it puts resources back to you to make sure that

04:35.680 --> 04:38.520
you continue to develop the projects and maintain them actively.

04:38.520 --> 04:44.080
So yeah, I really think that it's a great opportunity on paper at least, so we need to make

04:44.080 --> 04:45.080
it right.

04:45.080 --> 04:51.480
Yeah, I think this is all a good example of what the last speaker was saying: the community

04:51.480 --> 04:56.440
has a chance right now to get more involved in speaking with the public sector, and here

04:56.440 --> 04:57.680
it is in process.

04:57.680 --> 05:02.320
So with that, a question to Michael: how do we do it?

05:02.320 --> 05:07.720
So there's some coordination law, but when that is passed, we are the market surveillance authority for the

05:07.720 --> 05:08.720
CRA.

05:08.720 --> 05:12.600
So can you talk a little bit about that function? You're probably the best person that

05:12.600 --> 05:18.000
I know to talk to, how does an MSA interact in the context of open source and compliance

05:18.000 --> 05:20.000
with the community and with manufacturers?

05:20.000 --> 05:26.920
Yeah, so the thing is that a manufacturer can put a product onto the market, and with

05:26.960 --> 05:31.880
the CE mark, on the European market, and with the CE mark he attests that his product

05:31.880 --> 05:37.800
complies with the regulations, and it's not just the CRA, there are a lot of other regulations

05:37.800 --> 05:40.440
he has to comply with.

05:40.440 --> 05:51.080
When the product is on the market, the market surveillance authority then has the opportunity, or they need,

05:51.120 --> 05:57.320
to check those products and see if they are compliant with the regulations.

05:57.320 --> 06:04.400
So what we will do, there are like two ways to do it: we can sample certain products, and

06:04.400 --> 06:09.320
just in coordination with other market surveillance authorities on the national level and on the European

06:09.320 --> 06:15.400
level, decide on products and product categories, take them and see if they are compliant,

06:15.440 --> 06:22.920
and there's also a reactive mechanism that if somebody says that a product might not be

06:22.920 --> 06:27.680
compliant, then we also take those products and check if they are compliant.

06:27.680 --> 06:34.320
If they are not compliant, then the first thing would be that we try, with the manufacturer,

06:34.320 --> 06:40.760
to make that product compliant again, and that can go all the way to market surveillance

06:40.840 --> 06:48.200
taking products off the market of the European Union, and it can be very costly because

06:48.200 --> 06:55.320
there are quite substantial fines for manufacturers if their products don't comply and

06:55.320 --> 06:59.480
if they did a lot of damage on the European market.

06:59.480 --> 07:04.040
This sounds really interesting to me as someone who has done a lot of open source development

07:04.120 --> 07:11.160
and sometimes hacking on things. If I found a manufacturer was using my open source projects

07:11.160 --> 07:16.120
but they clearly modified it in ways that fix vulnerabilities and never shared those upstream,

07:16.120 --> 07:21.640
is that the kind of thing I'd call the MSA for? Yes. Wonderful. With that, to Greg,

07:21.640 --> 07:26.920
I think you did a bunch of work with the FreeBSD project back when I was at CISA to figure out

07:26.920 --> 07:32.920
how to do attestations, issue them, and you built a collaboration with manufacturers to do exactly

07:32.920 --> 07:36.520
what Tomas and Michael are talking about. Can you tell us about that?

07:37.560 --> 07:44.440
Yeah, happy to. One of my previous jobs was at the FreeBSD Foundation, and my job there was to work

07:44.440 --> 07:50.360
with the downstream commercial users. Also with the community, but principally with the downstream

07:50.360 --> 07:58.600
commercial users. When CISA was coming up with the policy that Aeva described earlier,

07:59.560 --> 08:09.080
it included a mechanism for open source projects to work with the companies that use their software

08:10.040 --> 08:19.400
to basically help them be compliant. So I sort of went to my colleague, who's the director

08:19.400 --> 08:25.080
of technology at the foundation. I said, hey, what do you think about this? I looked at the

08:25.080 --> 08:32.920
attestation form and it looks like this is all stuff we already do. Would it make sense for us

08:32.920 --> 08:41.480
to create a program where we basically add this as a partnership benefit. So if you partner with

08:41.480 --> 08:50.360
the FreeBSD Foundation at any level, right, and the entry level was $10,000 US dollars, you would get

08:50.360 --> 08:58.040
access to this attestation. And my colleague Ed said, well, that's interesting, but let's first

08:58.040 --> 09:03.560
talk to some of the companies that use FreeBSD, whose products are based on FreeBSD, and ask them

09:04.360 --> 09:09.880
whether it would help them. And so we did. And these are very large technology companies.

09:09.880 --> 09:15.560
And we said, if we gave you this, would it make your life easier, given that you're already involved

09:15.560 --> 09:22.440
in the project, already donating to the foundation? We also, though, and I'll wrap up quickly,

09:22.440 --> 09:28.600
we also went to donors to the foundation and we said, hey, you know, we've got this new benefit.

09:28.600 --> 09:37.720
And I will tell you that the advocates for being involved, right, the champions for FreeBSD

09:37.720 --> 09:43.800
in those manufacturers, it was a great thing for them because it gave them something that they could

09:43.800 --> 09:50.120
take to the bean counters, right, and say, hey, you always wanted to know why we should contribute

09:50.120 --> 09:56.440
to the upstream open source projects that we use. Here's a reason. And it was in their language,

09:56.440 --> 10:02.040
right? It's sort of something that they could say, oh, I get it. That's, you know, going to help

10:02.040 --> 10:10.600
us with our compliance. So yeah, we did do it. And I was really happy with it. And I think that

10:10.680 --> 10:17.960
with the CRA, it's another opportunity to do something similar. So I'm hoping that through this

10:17.960 --> 10:24.440
working group, we can come up with something that can be really scalable and

10:24.440 --> 10:31.080
replicable across the industry. Thank you. Two rapid-fire questions, first for Michael and

10:31.080 --> 10:37.000
then to Tomas, or however you both want to. Do you agree? Do you think manufacturers should

10:37.080 --> 10:42.040
really care about these attestations? And what do you think about open source projects that

10:42.040 --> 10:46.840
don't have a foundation, don't have a legal entity, and by the current text as I understand it,

10:46.840 --> 10:52.120
wouldn't have a steward? Would they also benefit from this, and how would manufacturers engage?

10:53.320 --> 11:01.000
So first on the point, should they care? They are responsible for everything in their product,

11:01.000 --> 11:07.240
including free and open source. So they should care. Now they have to, they have to do

11:07.240 --> 11:17.400
due diligence. And if the attestation is something which helps them to comply more easily, or show compliance

11:17.400 --> 11:24.360
in their products, and if that's something which makes it even cheaper when they have an attestation

11:24.360 --> 11:29.240
instead of doing the due diligence and other stuff themselves, then I think it should be a

11:29.240 --> 11:38.280
business decision for them to use it. So it's just business and capitalism, and why not use that

11:38.280 --> 11:44.600
for the advantage of open source? Yeah, I mean, on should they care? Obviously, I

11:44.600 --> 11:50.040
agree with Michael, I mean, not only should they, but they have to. They're legally required to care,

11:50.600 --> 11:55.880
but I think, to your question on how we address the developers that are not really incorporated

11:55.960 --> 12:01.000
into a foundation: I think where we're coming from, it's very, very important that this

12:01.000 --> 12:06.760
attestation project works for the big foundations, but especially works for the small projects.

12:06.760 --> 12:11.000
The ones that are so critical, they're critically understaffed and under-resourced.

12:12.040 --> 12:17.640
And so the mechanism needs to cater to, needs to be designed with, the small developers in mind.

12:17.640 --> 12:23.400
And to one of the points that was on the slides earlier, will this trigger

12:23.400 --> 12:28.680
commerciality considerations? Like, if I give out an attestation, will I become the

12:28.680 --> 12:33.960
manufacturer of that project? I mean, I obviously cannot commit the Commission to an interpretation

12:33.960 --> 12:39.000
right now, but it would kind of defy the purpose of the attestations if that were the case.

12:39.000 --> 12:43.320
So I think we can be quite reassured that we will make it work in such a way that the

12:43.320 --> 12:50.840
maintainers really can leverage this on a voluntary basis and use it to get resources, to get better

12:50.840 --> 12:57.000
maintenance for their projects. And that also integrators will be happy for it because their

12:57.000 --> 13:01.880
due diligence will be easier and simplified. Now, you both said that you think manufacturers should

13:01.880 --> 13:07.960
or must care about this. A lot of the manufacturers I speak with, especially behind closed

13:07.960 --> 13:12.840
doors, they don't seem to be taking SBOMs all that seriously, even though we're, I don't know,

13:12.840 --> 13:18.760
six, seven years down the journey of SBOMs. And so, what do you think about that?

13:18.840 --> 13:24.200
Are manufacturers going to be ready for this? Then you'll be really good.

13:27.240 --> 13:35.320
So, should they care? They should care. And the CRA states, or the essential requirements of the CRA

13:35.320 --> 13:42.360
state, that manufacturers need to provide an SBOM, or have an SBOM, at least top level.

13:42.360 --> 13:48.920
So, they might not have every component in the SBOM; still, they're responsible for

13:48.920 --> 13:54.200
everything in their product. So, even if they don't have an SBOM, and they don't need to

13:54.200 --> 13:59.080
provide it publicly, they need to show it to the market surveillance authority if requested.

13:59.080 --> 14:04.520
Even if they don't have it, that doesn't mean they're not responsible for the stuff in there. So,

14:04.600 --> 14:07.880
again, they should care. And they must care.

14:11.880 --> 14:18.760
I'll just briefly comment. So, in the European Open Source Week, I attended the

14:19.720 --> 14:26.440
Open Source Software Compliance and Tools workshop that was put on by AboutCode and a number of

14:26.440 --> 14:37.400
others. And what came out loud and clear is that the SBOM and other tooling landscape is

14:37.400 --> 14:43.560
pretty immature right now. So, it's a critical ingredient to making everything work,

14:44.920 --> 14:51.400
but the consensus seemed to be pretty clear that the tools have quite a ways to go before they are

14:51.400 --> 14:53.800
actually going to do what we expect them to do.

14:54.760 --> 14:59.160
Maybe just two other words, that, I mean, from the Commission side, and also

14:59.160 --> 15:03.160
the European Union Agency for Cybersecurity is also supporting us in the reflections on

15:03.160 --> 15:10.200
SBOMs, and of course we are aware that, especially in traditional sectors, SBOM uptake is a bit more

15:10.200 --> 15:16.040
limited, and so there definitely needs to be a path towards better integration of SBOMs.

15:16.040 --> 15:22.040
So, it's not something that from tomorrow is going to be perfect, but it's such an essential

15:22.120 --> 15:27.880
and critical tool for vulnerability management and for everything that is in the CRA that, I mean,

15:27.880 --> 15:34.280
the future can only be moving in that direction, and again, yeah, so not only should they care

15:34.280 --> 15:37.800
because they're legally required to but because it really makes life easier.

15:37.800 --> 15:43.800
Great. Another question to any or all of you. This week at FOSDEM, and the events before FOSDEM,

15:43.800 --> 15:49.480
there's been so much talk of digital sovereignty in Europe and the essential role of open

15:49.560 --> 15:55.160
source, hopefully, for European digital sovereignty. Do you think this concept,

15:55.800 --> 16:02.760
voluntary security attestations, has any relevance or essential role to play in encouraging

16:02.760 --> 16:09.640
growth of this European sovereign tech stack? Regardless of what it is.

16:10.600 --> 16:15.560
Yeah, maybe it's good looking forward.

16:15.560 --> 16:23.960
Yeah. So, yes, I mean, this has been talked about so much, and I'll maybe not directly answer

16:23.960 --> 16:29.320
your question, because it's a little bit not super directly related to attestations,

16:30.280 --> 16:35.240
but I do think that open source is digital sovereignty.

16:36.200 --> 16:39.160
You know, I had a mentor when I was at the Linux Foundation

16:40.280 --> 16:45.560
who would say that open source is a do-ocracy. That means the people who do the work get to

16:45.560 --> 16:53.960
make the decisions, right? It sounds obvious. So, if any organization, any institution, any group

16:53.960 --> 17:01.400
of countries wants any open source project to do something different than what it's doing now,

17:01.480 --> 17:05.560
there's a really direct, simple way to change that: get involved.

17:07.000 --> 17:12.760
And if you can't get it to do what you want for whatever reason and this happens all the time,

17:13.640 --> 17:20.360
you fork it. It's really that simple. So I think open source is digital sovereignty.

17:22.040 --> 17:26.440
I guess the last thing I will say on this one is there's also a lot of talk about open source

17:26.440 --> 17:33.480
procurement, and I really don't like that word, because if all you're doing is procuring open source,

17:34.760 --> 17:39.880
you're missing out on the biggest benefit, which is internalizing expertise.

17:41.000 --> 17:50.520
Because if all you do is procure open source, you won't have as much sovereignty

17:50.600 --> 17:56.120
as if you have the expertise internally, so that you can maintain that software internally.

17:58.120 --> 18:03.160
Maybe from my side, just to say that, of course, the CRA does not directly address these

18:03.160 --> 18:07.960
discussions, because it's a technical type of legislation, so it doesn't really concern itself

18:07.960 --> 18:14.120
with sovereignty discussions. I don't know personally, I haven't really made up my mind

18:14.120 --> 18:18.680
whether the attestation itself should be a tool around that, but what I can definitely encourage

18:18.680 --> 18:23.080
you, if you have thoughts about it, is the heavier sake consultation that was shown earlier.

18:24.040 --> 18:29.480
That's really it: the Commission has put out a call for evidence reflecting exactly around

18:29.480 --> 18:35.000
these topics, and I saw that there's already a lot of input that we received, so a lot of work for

18:35.800 --> 18:41.080
us and the team working behind it, but that's really the chance to indeed maybe try and

18:41.080 --> 18:46.600
tie all these topics together, the attestations, the CRA and more general sovereignty considerations.

18:47.160 --> 18:55.800
Then I guess I have one more question for all of you. If all of this goes well,

18:55.800 --> 19:01.240
the CRA implementation goes all according to plan, attestations eventually have a mechanism

19:01.240 --> 19:08.680
that is defined, what do you see as, sort of, what will be achieved in the next five to ten years,

19:09.400 --> 19:13.560
and any other thoughts you have on the topic? And then we'll take some questions from the audience

19:14.360 --> 19:19.160
after that. Well, from my side, I really hope that, you know, apart from the fact that everything

19:19.560 --> 19:24.040
goes well, in five to ten years we will look back and we will see that a lot more of these

19:24.040 --> 19:30.760
critical tiny blocks that support the entire ICT ecosystem have more people behind them, have more

19:30.760 --> 19:36.200
resources, they don't have to rely on just one random guy that does it out of the goodness of his heart

19:36.200 --> 19:43.080
or her heart, but actually gets supported to do it. So that would be really the big achievement,

19:44.200 --> 19:50.280
aside from better security for those that integrate it, but for the open source world, if we can

19:50.280 --> 19:56.520
really achieve that, I think the CRA would have done its job quite well, and probably also

19:56.520 --> 20:01.080
you with the attestation program and all of us together working on it.

20:05.800 --> 20:10.120
Yeah, I don't have much to add to that. I think, you know, this is a great opportunity to

20:11.080 --> 20:20.360
up-level security across the board, and, you know, security costs money; it doesn't matter what type of software

20:20.360 --> 20:27.480
it is that you're making, and so independent maintainers in particular, but really all open source creators,

20:28.360 --> 20:34.360
need and should get support to do that work. It's important work that has to be done, and I think

20:34.600 --> 20:46.440
the CRA is a really great step in the right direction. Yeah, and I hope that the CRA helps that manufacturers

20:46.440 --> 20:52.520
take more responsibility for the things they put into their products, and a lot of them already do,

20:53.320 --> 21:02.280
but for some it might be a bit more they need to do, and that they realize how open source helps

21:02.360 --> 21:08.840
in their products, and then that they also realize it's a good idea to support the open source

21:08.840 --> 21:16.120
community so that they can do even better open source, and then the products themselves also

21:16.120 --> 21:23.880
will get even better. So we get a winning side on the manufacturer side: they can integrate easily

21:23.880 --> 21:29.240
all the open source they want, and the winning side of the open source community: they get more

21:29.240 --> 21:36.360
resources and more funding and more recognition by the manufacturers who put the stuff

21:36.360 --> 21:41.800
in their products. Right, so I want to thank my panelists, and then we'll take questions. We have

21:41.800 --> 21:46.440
about 12 minutes, I think, for questions. So thank you all for joining me,

21:50.440 --> 21:55.080
and feel free to direct your questions at the panelists or me, since I didn't take questions on

21:55.080 --> 22:02.280
my presentation earlier as well. I saw hand, hand, hand, hand, roughly in that order, so I guess

22:03.480 --> 22:08.040
go ahead. Great, shout it out. I'll repeat it back for the audience online.

22:25.480 --> 22:38.280
So that was not a question but a compliment directed at Greg and the

22:38.280 --> 22:43.000
FreeBSD and NetBSD community, of which I only understood about a third, so Greg, if you want to

22:43.000 --> 22:49.640
summarize this. Yeah, so I'll summarize it: in some, potentially many, cases an

22:49.640 --> 22:55.400
organization's core competency is very different from the open source, and so there's an opportunity

22:55.400 --> 22:59.960
to do both, to have some internal expertise around some of the open source, or maybe

23:00.840 --> 23:06.440
some level of internal expertise that's more shallow across all the open source. So it can be a mix

23:07.000 --> 23:13.400
of approaches, including having some vendors that, you know, come in and bring their expertise.

23:13.400 --> 23:18.120
Yeah, great. So we had a question on the right side and then two questions in the middle

23:18.280 --> 23:22.440
and then one in the front, so we have four in the queue. Still shout it out and then I'll repeat it back,

23:22.440 --> 23:27.000
and try and keep your question short and only a question, so we can get through all these in 10 minutes.

23:48.440 --> 23:55.320
Do you see any way... if you need that over... Yeah, I mean, it's a question first.

23:55.320 --> 23:59.400
I'm sorry, I need to repeat the question. The question is that, according to the gentleman,

24:00.360 --> 24:05.240
open source projects in Europe are less accountable than open source projects

24:05.960 --> 24:10.120
particularly in the US, because the legal framework allowing for incorporation

24:10.120 --> 24:15.160
of foundations and similar things is different. And it's, yeah, obviously, it's a recurring

24:15.160 --> 24:19.880
question, and Aeva often talks about it as well, and she also mentioned it in the previous

24:19.880 --> 24:25.560
panel. I mean, obviously, as you can imagine, it depends a lot on national laws. There is limited

24:25.560 --> 24:32.120
competence at the EU level to change that, because it depends on how the different member states of the EU

24:33.320 --> 24:40.040
define their tax treatment of not-for-profits. We will, of course, also start a

24:40.040 --> 24:46.600
reflection together with the attestation project to see how to make it work and not be

24:46.600 --> 24:50.840
compromised by the fact that the foundations themselves maybe cannot charge for

24:50.840 --> 24:58.440
attestations or stuff like that. Yeah, I'll add to that. I think "accountable" may not translate

24:58.440 --> 25:04.280
as well into my model of these things, but certainly engaging with the market is quite different,

25:04.360 --> 25:09.720
as Tomas was also saying. It's still really unclear from our research how to

25:09.720 --> 25:15.080
generalize these principles across each of the member states of the European Union and

25:15.080 --> 25:20.920
their local tax laws and business laws. There are differences between them, and I would hope

25:20.920 --> 25:25.880
there can be a global solution to this, but I also don't know what that would be either. So

25:25.880 --> 25:33.720
we had two questions in the middle. Nope? Nope? They were up there; if they're gone, then...

25:35.240 --> 25:39.240
Nope, oh, you came down. Okay, it is you, go ahead.

25:42.840 --> 25:51.240
I don't have any theater background, so I need the mic. So first of all, thanks for the

25:51.240 --> 25:56.200
great presentation and great panel. Now we know much more about attestation. Actually, this is

25:56.200 --> 26:03.640
not a question; it's the same as Black's. So in the same way as we understood that the community

26:03.720 --> 26:13.240
will benefit hugely from Aeva's work on attestation, we also recognized very recently in

26:13.240 --> 26:21.160
the Open Regulatory Compliance working group that the community might benefit equally from a better

26:21.160 --> 26:27.400
description of what the manufacturer's due diligence is, and we heard from the presentation

26:27.480 --> 26:35.320
and from the panel that due diligence came up, like, many times, so they are sort of sibling

26:35.880 --> 26:44.040
papers, I would say, and this is the invite for anybody to join the fun on the due diligence

26:44.040 --> 26:50.920
as well. Thanks. Thanks, Timo. To recap, I think Timo was inviting you all to come

26:51.000 --> 26:58.600
participate in the Eclipse ORC working group. Yes? Yeah, great, cool. We have another question up here.

26:58.600 --> 27:04.840
You can have the mic because you're right here, it's easy. Thank you. Thanks for the great

27:04.840 --> 27:13.000
talk. From my side also: open source is developed in open ways, so all the information about the

27:13.000 --> 27:20.040
development of the resource is already available publicly. Can you share some examples of

27:20.040 --> 27:26.760
what the open source projects could give for funds? So what is the information that they could

27:26.760 --> 27:33.960
give as the attestation, for money, to the manufacturers? I see, okay. First, I'm going to

27:34.760 --> 27:40.440
respectfully disagree. There are plenty of open source projects where some aspects of the development are not

27:40.680 --> 27:46.680
open. In the OpenStack project, I used to be on the technical committee and do a

27:46.680 --> 27:52.680
bunch of work there. We coined a term, a corollary to the four freedoms of open source: the Four

27:52.680 --> 27:58.440
Opens of open source development. Yes, the source has to be open, but also the development process should

27:58.440 --> 28:05.320
be open, the roadmap should be open, and the community should be open to anybody. With those three

28:05.320 --> 28:11.560
additional components, I think what you're saying is true, and then it's very easy for a consumer

28:11.560 --> 28:17.320
of the open source, or a business or a government, to look at not just the code but also all of the

28:17.320 --> 28:23.960
other artifacts and make a sound assessment of the product's health and safety. Without the other

28:23.960 --> 28:31.080
three opens, with just the code, that's really difficult. But I think your question at its core was:

28:31.960 --> 28:36.920
what else can an open source project give that helps the manufacturer reduce their compliance? I think

28:36.920 --> 28:42.360
for that I'm going to turn to the market surveillance authority. Manufacturers have to take care of

28:42.360 --> 28:49.560
the product for the complete life cycle of the product, so there will be a support period, and they

28:49.560 --> 28:56.360
have to fix vulnerabilities in that support period. If in an open source component they integrated

28:56.840 --> 29:05.000
a vulnerability arises, they have to take care of it and mitigate that. So at some point it might be a good idea

29:05.720 --> 29:12.280
to go to a manufacturer, if they can, and ask if they can help. Manufacturers don't have to do it; if it's

29:12.280 --> 29:17.800
just a no, then they have to find some other way to mitigate it. But that could be something

29:17.960 --> 29:27.480
which an open source developer could provide if he wants to, and it's an incentive for

29:27.480 --> 29:34.280
the manufacturer, for the company, to increase. We have five minutes for any remaining questions. I saw

29:34.280 --> 29:42.280
hand, hand, hand. Yeah, four questions, five minutes, rapid fire, just, like,

29:42.280 --> 29:51.880
really compress your question. We can't hear you down here, sorry.

30:12.440 --> 30:34.120
I'm sorry, I didn't fully... I'll repeat it. Okay, I got it. What happens if a

30:35.160 --> 30:40.280
foundation stands up and does this and provides some sort of an attestation and then a manufacturer

30:40.280 --> 30:47.320
comes forward later and says they got the attestation somehow but never paid for it what do you

30:47.320 --> 30:53.560
do to sort of make sure or manage the relationships between the foundation and the

30:53.560 --> 31:01.160
companies okay thank you thanks great question so that is a great question and I think that

31:01.160 --> 31:07.320
that's an area where we as a community have to do some work the way that we tried to approach that

31:08.040 --> 31:14.520
was sort of the honor system right we when we did it at the FreeBSD Foundation

31:15.480 --> 31:23.160
for the sister regulation using the SSDF attestation we basically just signed it right so it was signed

31:23.720 --> 31:31.880
and each one was each attestation was unique to the manufacturer we didn't use that term but

31:31.880 --> 31:36.600
the manufacturer that received it right so there are much more sophisticated ways to solve this

31:36.600 --> 31:42.040
problem we do this all the time today with you know encryption mechanisms and things like that and I

31:42.040 --> 31:48.040
think that's what is probably going to be the easiest but I think it's a really great

31:48.040 --> 31:53.160
question I don't know that it will ever be a hundred percent solved I mean there's always going to be

31:53.160 --> 32:03.240
people who would rather go to great lengths to avoid this than and you know but I think if we can solve

32:03.240 --> 32:11.640
it for the 80/20 I think we will be in a good place it's an extra question and I think that's

32:11.640 --> 32:17.480
really where work has to happen or on mechanisms like that I've seen at this point just to final

32:17.480 --> 32:21.640
comment on this in the technical question I've seen a couple other folks in our working group

32:21.640 --> 32:27.320
proposed vastly different models for how to address this it is really an area where we all do

32:27.320 --> 32:31.480
need to work together to figure out and there may not be one answer there may be different

32:31.480 --> 32:37.000
models that work for different industries different sciences of stewarder projects don't

32:37.000 --> 32:41.640
know yet so please bring your ideas to the work there was a question on this at the room shout it out

32:41.640 --> 32:50.920
some people to be very good in front of the main activity can you say a little bit about why

32:52.920 --> 32:57.480
I think I might know the context of what you're asking I'm not going to point at it and

32:58.440 --> 33:03.400
the question was some people out there seem to be quite opposed to the idea of voluntary security

33:03.400 --> 33:10.120
organizations even though they're written in the CRA and you know this is also had a program

33:10.120 --> 33:15.400
like this several years ago and the ideas out there plenty of manufacturers already do this with the

33:15.400 --> 33:23.560
open source in their products I think there might be some opposition to a diversity of economic

33:23.640 --> 33:27.640
models to sustain open source some people really like their model and don't want to change it

33:28.440 --> 33:33.080
I don't know might be other reasons, but yeah, not just on the comment on that next question

33:38.600 --> 33:40.600
Sure

33:53.640 --> 34:06.600
I'm going to repeat that now because excellent question the separation between manufacturer

34:06.600 --> 34:11.720
and steward in my slides seems to be artificial there are plenty of companies that seem to be both

34:11.720 --> 34:17.240
for example Google with Chromium this is an example we've talked about in the CRA implementation

34:17.240 --> 34:21.400
and just policy discussions for years so I'm going to connect over to Samantha

34:23.800 --> 34:30.760
Yes, I mean the series of product specific legislation so what really matters is the individual product

34:30.760 --> 34:36.920
or project and that determines your legal entities role with regards to that specific thing

34:37.640 --> 34:42.760
so you might be a manufacturer for the thing that you commercialize and you make money out of it

34:43.160 --> 34:48.920
and you might be a steward for the thing that you open source and you let everyone use or you might

34:48.920 --> 34:53.400
be nothing if there is something that you're not really placing on the market

34:53.400 --> 34:59.080
I mean a manufacturer, somebody who is making money from something, likely would qualify as a steward

34:59.080 --> 35:03.000
for the things that they open source so I don't really see a scenario where they're nothing to

35:03.000 --> 35:09.000
affect project but they might have caused something for hobby purposes and in that case they would

35:09.000 --> 35:14.840
be nothing to the project because it's not covered by the scope of the CRA so yeah it is possible

35:14.840 --> 35:20.280
to have these multiple roles depending on the individual product slash project that we're talking about

35:20.280 --> 35:24.920
That seems like a great place to end because we also just hit time so thanks for all the questions

