Skip to content

Uploading minutes from the last meetings #27

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jrico-eclipse wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Uploading minutes from the last meetings #27

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
de5f556
Uploading minutes from the last meetings
jrico-eclipse Mar 13, 2026
18fc879
Fixing styles and links format
jrico-eclipse Mar 13, 2026
a795f5f
fixing link styles
jrico-eclipse Mar 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
83 changes: 83 additions & 0 deletions minutes/2026-02-24-mom-cra-attestations.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
## Agenda

| Min | Agenda Topics | Moderator |
| ----- | ----- | ----- |
| 0 | Welcome & approve agenda | |
| 5 | Approval of the minutes from the previous meeting [here](https://github.com/orcwg/cra-attestations/pull/21) | |
| 10 | CRA Expert Group meeting prep | |
| 15 | Update to [README & overview](https://github.com/orcwg/cra-attestations) | |
| 20 | | |
| 25 | [Tobie’s Paper](https://docs.google.com/document/d/1OvETnBXGYSpzlSYGG18eDhgLwP50WOD4LnGwPtp19Ak/edit?tab=t.0) \- presentation and discussion | |
| 30 | | |
| 35 | | |
| 40 | | |
| 45 | | |
| 50 | | |
| 55 | AOB | |

## Participants

- Æva Black
- Mathias Schindler
- Alice Sowerby (FreeBSD Foundation)
- Pierre Pronchery (FreeBSD Foundation)
- Sebastian Tiemann (Open Elements)
- Greg Wallace (NetActuate, FreeBSD Enterprise WG)
- Salve J. Nilsen (CPANSec)
- Georg Kunz (Ericsson)
- Tobie Langel
- Jordan Maris (OSI)
- Seth Larson (PSF)
- Timo Perälä (Nokia)
- Dirk-Willem van Gulik (ASF) \-- arrived 30 mins late.
- GANitak (Open Source contributor)

## Notes

### Welcome & approve previous minutes

- Please comment on Greg’s VSA Access Terms Proposal if interested. If you plan to review, please let Greg know
- Æva has cleaned up and added to the docs on the repo \- please review: [https://github.com/orcwg/cra-attestations](https://github.com/orcwg/cra-attestations) and also please keep the proposals coming\!
- Expert Group [meeting](https://ec.europa.eu/transparency/expert-groups-register/screen/meetings/consult?lang=en&meetingId=68505&fromExpertGroups=3967) is next week. Æva will be attending as an invited expert to present on open source attestations. The list of participants is public. See: [https://cra.orcwg.org/faq/cra-itself/cra-expert-group/](https://cra.orcwg.org/faq/cra-itself/cra-expert-group/) and the minutes will be published here as well.
- Any input?:
- Has Jordan submitted questions regarding Steward Opt-out and Economic Operators?
- Has not submitted yet.
- Spoke to Tommasso \- if you meet requirements, you are a Steward, but there are very specific things you must do to meet requirements, and so if you don’t do them, you’re not a Steward.
- RE: Economic Operators \- OSI not involved, AEva has had some conversations \- it’s a complex topic.
- Is a Steward an Economic Operator? Some conflicting guidance according to different regulations. This is important since, if Steward \= EO, then things that CRA does not address, but other regs DO address may apply. It’s better to get this clarified now, versus in 5 years when things are more consolidated than they are now
- This group is seeking clarity on the topic.

- Tobie’s paper \- [Security Attestations Under the EU CRA](https://docs.google.com/document/d/1OvETnBXGYSpzlSYGG18eDhgLwP50WOD4LnGwPtp19Ak/edit?tab=t.0)
- Paper based on [Tobie’s presentation at FOSDEM](https://fosdem.org/2026/schedule/event/AATKG8-cra-security-attestations-in-practice/)
- Based on need for Manus to do due diligence on one end, and the desire of OSS community (and by EU) to be able to rely on secure open source software.
- What are economically reasonable options to shift security left to Maintainers, where there is expertise and efficiencies, and have that work be funded by Manus.
- Manus have to demonstrate that they’ve done Due Diligence. And they need a credible way to maintain the security of their PDEs regardless of what happens upstream
- Addresses perception that Stewards will “solve” this.
- in many/most ecosystems, there are vastly more OSS projects that are NON stewarded than that are.
- And Stewards will do a subset of things Manus need under CRA
- (third point)
- Attestations fill this gap
- Attestations are a unique token of exchange to make the relat between maintainers and Manus work.
- 4 ways Manus can fulfill their CRA obligations
- 1: Big Tech (and others) do this in house via mirror/fork
- 2: Commercial contract \- either service or vendors that package OSS and “sell” to you
- 3: Rely on Stewards (insufficient)
- 4: Attestations
- Manus can pick and choose \- they will choose the one with greatest utility (fastest, cheapest, best…)
- So, Attestations operate in a competitive market
- Question \- The delegated acts will shape this reality. How do you anticipate this effect? And, does the end of the paper address the question?
- Public signals (non monetizable)
- Private security info (low monetization) \- maybe useful for large stewards
- Volume of security incidents/PRs/
- Question about the legality of sharing embargoed info about in-process CVE remediation in exchange for membership fees or such

- Manus do not have to use Attestations to meet their requirements, and public signals are public, so that doesn’t leave much for Maintainers to provide that Manus will pay for. So, the real value if long-term maintenance of OSS. Attestations should be the mechanism to enable this, while being protective of Maintainers and avoiding turning liability to them
- Paper proposes Maintainer Pods as a potential solution that are effectively Stewards, but from the point of the view of the law are not.
- Alistair \- some projects should get marked as “Depricated” could be a large percent of all OSS packages, which would then reduce the size of the population of “viable” projects, so perhaps the burden for the remaining ones to become stewarded would be lower
- Jordan \- Commission has wide purview with the delegated act and the delegated act will likely change the current state of play in terms of Maintainers, Stewards, and Attestations. Some projects may want to move under a Steward based on the Delegated Act. There may even be some tax breaks for Stewards / Maintainers
- Mathias \- took a deep dive into article \*\* to see what the EU might do in a delegated act. Their leeway is not unlimited. Document available in the Matrix channel \- please review and provide feedback.
- GDPR reference is interesting \- implementation in Germany was trivial since there was an existing privacy law in place. But elsewhere in Europe it was a bit harder.
- Mathias wrote a Draft Delegated Act \- Ping Mathias if you want to read it

###

80 changes: 80 additions & 0 deletions minutes/2026-03-10-mom-cra-attestations.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
## Agenda

| Min | Agenda Topics | Moderator |
| ----- | ----- | ----- |
| 0 | Welcome & approve agenda | |
| 5 | Approval of the minutes from the previous meeting [2026-02-24-mom-cra-attestations](./2026-02-24-mom-cra-attestations.md) | |
| 10 | Discuss Survey Result Status | |
| 15 | Joint Statement in Support | |
| 20 | | |
| 25 | CRA EG Readout | |
| 30 | Discussion of the new Draft Guidance | |
| 35 | | |
| 40 | | |
| 45 | | |
| 50 | AOB | |
| 55 | | |

## Participants

- Juan Rico ( Eclipse Foundation)
- Greg Wallace (NetActuate, FreeBSD Enterprise WG)
- Æva Black (Null Point Studio)
-
- Mathias Schindler (GitHub)
- Dirk-Willem van Gulik (Apache Software Foundation (ASF))
- Pierre Pronchery (FreeBSD Foundation)
- Sebastian Tiemann (Open Elements)
- Francisco Picolini (OpenNebula Systems)
- Anne Dickison (FreeBSD Foundation)
- Salve J. Nilsen (CPANSec)

## Notes

### Welcome & approve previous minutes

- Approved and merged

- Greg thanked prior contributors to his proposal, and asked contributors to the proposal to have a look at the next version, which should be ready in a day or two

### Survey Result Status / Call for Volunteers

- Call for volunteers to analyze the results:
- Greg

### Joint Statement?

- [Draft Joint Statement](https://docs.google.com/document/d/1KOO0ZkknEE96w4iscYZh0kUdUJhE4g167KTqam3Xtqc/edit?usp=sharing)
- Will be brought before ORC steering committee early next week. Could have additional signatories. If approved & supported, then would be posted publicly via social media, maybe press release, and sent to EC directly.
- Notes
- Mathias \- asks if scope is fixed or flexible at this point
- Jordan \- supportive, and notes that it lacks mention of the controversial aspects such as the actual funding mechanism. (These should be ironed out soon.)
- Æva \- could we avoid the bikeshedding by keeping funding comments general?
- Jordan \- perhaps we should, maybe not in this letter, articulate the need for flexibility in funding models.
- Gregor \- asks for folks to connect to develop funding model paper further around “public interest open source foundations”
-

###

### CRA-EG Summary

- Æva presented the work we are doing
- Comments received \- Under the MSA, Third-party attestations (e.g., by an independent testing laboratory) are perceived as more reliable than a manufacturer’s own statements, but this is not the case for open source. We may want to incorporate some clarification about this into our outputs.
- The presentation depicted how attestation could support manufacturers' due diligence obligations.
- (no public link)
- Mathias asks whether there was a discussion about due diligence regarding 3rd party components, and whether any additional clarity was received.

### New CRA Draft Guidance

- Link\! [https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act\_en](https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en)
- (link seems to have issues, try this?) [blob:https://ec.europa.eu/b59a4856-8d52-42d2-ad08-4ff809390f45](https://ec.europa.eu/b59a4856-8d52-42d2-ad08-4ff809390f45)
- Link to a Google doc for comments \- [Draft Annex CRA guidance - CRA-EG](https://docs.google.com/document/d/1teqYvaLHmMifChKiss7QT_cYjeyFsHyTlwR_9JfbkK0/edit?tab=t.0)
- (( lengthy group discussion followed ))
- SJN \- reflects on the flow chart on p.15
- Suggests steward functions like a cooperative organization “Attesting” to secure development practices. CPAN cannot issue attestations for all packages on CPAN, only the maintainers of each package could do so.
- Seth
- Attestations are more valuable from a user’s perspective. If too many gaps (in dependency tree) then there is still too much work (on the manufacturing side) for there to be value in the attestations. So “closing” dependency chains is worth more.

### AOB

-