Prepare Inventory for V1 release #228
Conversation
Update Inventory title to provide a short title "CRA Resource Inventory" while keeping the title descriptive. Update intro paragraph accordingly. Signed-off-by: Tobie Langel <[email protected]>
|
Hi! I'm not a member of the steering committee, but I do have opinions. My apologies for not chiming in earlier. In general, coming from ORCWG, I feel that summaries should critically reflect on the extent to which documents have content tailored for dealing with FOSS. If they don't, but are still seen as industry standards, this should be noted. If they do, this should be emphasized as an inspiration for the CRA-standards where approriate. I have specific concerns about both sections 5 and 6, as follows:
|
|
Hi Maarten, thanks for weighing in! I agree that the resources in section 5 are biased towards a "traditional view" on supplier relationships, but I am not aware of resources that focus more on the relationship of organizations with upstream projects. Are there other resources that you can think of, that would be more relevant for this category and that do have this focus? In this first iteration, the summaries are taking the documents at face value, describing the intent of the documents that were submitted. I'll do a second pass to see if there's mentions of interacting with upstream in a productive way for the resources currently in the list, but if it's not in the document I don't think the information would belong in a summary. Regarding the inconsistency for section 6, do you suggest we copy over the FAQ answer as a disclaimer to the section? |
|
I see two possible ways forward here:
I think both approaches are viable, the first one is probably easier to implement to arrive at an MVP. |
|
Love the input, @maertsen, thank you! We're striving for community consensus, not steering committee approval, so your input is absolutely relevant. I pondered referencing relevant future ORC deliverables in the inventory where we have such concerns and I like @maximbaele's suggestion to add an "ORC comment" note where relevant. For example, what if we added to section 5 something along the lines of: Note The due diligence obligation of manufacturers outlined in Article 13(5) of the CRA is the cornerstone of the relationship between manufacturers and the open source ecosystem. The CRA finally formalizes the long-held understanding that manufacturers are responsible for the security of the open source components that they integrate in their products. Yet the relationship between manufacturers and the open source projects they integrate remains underspecified. Most of the references we have collected assume the existence of a contractual relationship between a manufacturer and a supplier that addresses compliance obligations. This is of course different when integrating open source components, as no such agreement exists. Neither open source software stewards nor the maintainers of open source projects are suppliers. Open source software is provided as is. Not only do manufacturers need to exercise due diligence when they decide to integrate open source projects in their products. They also need to support and contribute to these projects to ensure that they meet their own compliance requirements. ORC plans to examine this relationship in an upcoming white paper on the due diligence obligations of manufacturers. |
|
@felixreda thanks for framing this so clearly. I believe the intent is to collect the references in this inventory in a fairly neutral way, and then to dig into the specifics in our various white papers. I'm attempting to bridge that gap with the note in my above comment. Does it help? |
|
Thanks for all the thoughtful responses. I think this discussion is quite likely to lead to a suitable solution to my concerns and I appreciate that a lot. I like Tobie's note, but would firm up its conclusion should we indeed believe it to be the case, as Maxim noted, that no suitable resources are available. I believe that would be a useful finding, both to identify the gap and to point it out in related policy discussions. @maximbaele wrote:
Yes, I think it can serve as a useful starting point for another note in the style Tobie is suggesting. But I do note this is also an opportunity to provide examples of resources that the group feels would be useful to encapsulated by the CRA's notion of attestation. There's no reason why that concept in the future could not say, give a code review some level of status within the CRA. Just one example, this is obviously to be explored (elsewhere?), which is why I'm trying to avoid the impression of a foregone connection between these similarly named concepts. |
|
Added an example of what this could look like in situ here: https://github.com/orcwg/cra-hub/blob/tobie-inventory-callouts/inventory.md#5-due-diligence-requirements. |
|
Your latest comment, @maertsen, makes me more confortable referencing our upcoming deliverables, as they're specifically designed to address the holes you've been pointing out. For example, we have a planned deliverable on security attestations that's described here: https://github.com/orcwg/orcwg/blob/main/cyber-resilience-sig/deliverables.md#33-white-paper-on-security-attestations |
|
I propose to merge #244 with Eclipse Foundation policies and practices added to the appropriate section as examples. |
Signed-off-by: Tobie Langel <[email protected]>
Signed-off-by: Tobie Langel <[email protected]>
Signed-off-by: Tobie Langel <[email protected]>
With the changes in #227 merged, the @orcwg/inventory-task-force-leads believe the Inventory is ready for a V1 release and requests a review from the members of the Cyber Resilience SIG for approval.
The final version of the document is visible here: https://github.com/orcwg/cra-hub/blob/tobie-inventory-v1-release/inventory.md
Please review the whole document and approve this pull request if you're ready to endorse it as a V1 or suggest modifications otherwise.
Thank you!