| Min | Agenda Topics | Moderator |
|---|---|---|
| 0 | Welcome & approve agenda | |
| 5 | Approval of the minutes from the previous meeting (2026-02-24-mom-cra-attestations) | |
| 10 | Discuss Survey Result Status | |
| 15 | Joint Statement in Support | |
| 20 | | |
| 25 | CRA EG Readout | |
| 30 | Discussion of the new Draft Guidance | |
| 35 | | |
| 40 | | |
| 45 | | |
| 50 | AOB | |
| 55 | | |
- Juan Rico ( Eclipse Foundation)
- Greg Wallace (NetActuate, FreeBSD Enterprise WG)
- Æva Black (Null Point Studio)
- Mathias Schindler (GitHub)
- Dirk-Willem van Gulik (Apache Software Foundation (ASF))
- Pierre Pronchery (FreeBSD Foundation)
- Sebastian Tiemann (Open Elements)
- Francisco Picolini (OpenNebula Systems)
- Anne Dickison (FreeBSD Foundation)
- Salve J. Nilsen (CPANSec)
- Approved and merged
- Greg thanked prior contributors to his proposal, and asked contributors to the proposal to have a look at the next version, which should be ready in a day or two
- Call for volunteers to analyze the results:
- Greg
- Draft Joint Statement
- Will be brought before ORC steering committee early next week. Could have additional signatories. If approved & supported, then would be posted publicly via social media, maybe press release, and sent to EC directly.
- Notes
- Mathias - asks if scope is fixed or flexible at this point
- Jordan - supportive, and notes that it lacks mention of the controversial aspects such as the actual funding mechanism. (These should be ironed out soon.)
- Æva - could we avoid the bikeshedding by keeping funding comments general?
- Jordan - perhaps we should, maybe not in this letter, articulate the need for flexibility in funding models.
- Gregor - asks for folks to connect to develop funding model paper further around “public interest open source foundations”
- Æva presented the work we are doing
- Comments received - Under the MSA, Third-party attestations (e.g., by an independent testing laboratory) are perceived as more reliable than a manufacturer’s own statements, but this is not the case for open source. We may want to incorporate some clarification about this into our outputs.
- The presentation depicted how attestation could support manufacturers' due diligence obligations.
- (no public link)
- Mathias asks whether there was a discussion about due diligence regarding 3rd party components, and whether any additional clarity was received.
- Link! https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en
- (link seems to have issues, try this?) blob:https://ec.europa.eu/b59a4856-8d52-42d2-ad08-4ff809390f45
- Link to a Google doc for comments - Draft Annex CRA guidance - CRA-EG
- (( lengthy group discussion followed ))
- SJN - reflects on the flow chart on p.15
- Suggests steward functions like a cooperative organization “Attesting” to secure development practices. CPAN cannot issue attestations for all packages on CPAN, only the maintainers of each package could do so.
- Seth
- Attestations are more valuable from a user’s perspective. If too many gaps (in dependency tree) then there is still too much work (on the manufacturing side) for there to be value in the attestations. So “closing” dependency chains is worth more.