[Recital (15)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_15 'CRA applies to economic operators that have an intention to monetise a product'
[Recital (18)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_18 'Open Source Software Contributors'
[Recital (19)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_19 'Open Source Software Stewards, light-touch regulatory regime, and CE mark implications'
[Recital (20)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_20 'Open Source package managers considerations as "distributors"'
[Recital (21)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_21 'Voluntary security attestation programs for Open Source projects'
[Recital (22)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_22 'Submission of SBOMs for Open Source projects'
[Recital (24)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_24 'CRA relevance for the NIS2 directive'
[Recital (31)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_31 "Manufacturer's liability due to lack of security updates"
[Recital (34)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_34 'Exercise due diligence when integrating third-party components'
[Recital (37)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_37 'Software for testing purposes, alphas, betas'
[Recital (39)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_39 'Continued security updates'
[Recital (41)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_41 'Substantial modifications require a new conformity assessment to be done'
[Recital (43)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_43 'Important products with digital elements'
[Recital (44)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_44 'Class I and Class II products'
[Recital (45)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_45 'Class II products are subject to mandatory third-party conformity assessment'
[Recital (56)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_56 'On the download and installation of security updates, and notification of end of support'
[Recital (57)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_57 'On the requirement to be able to get security updates separately from functionality updates'
[Recital (60)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_60 'Support period'
[Recital (61)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_61 'Support period'
[Recital (62)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_62 'Support period'
[Recital (63)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_63 'Point of contact'
[Recital (64)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_64 'Secure by default'
[Recital (77)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_77 'Manufacturers should facilitate vulnerability analysis by drawing up an SBOM, though they are not obliged to make it public'
[Recital (117)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_117 '[…] establish voluntary security attestation programmes for assessing the conformity of products with digital elements qualifying as free and open-source software […]'

What might a CPAN Steward organization look like?

German Perl Workshop 2026

Salve J. Nilsen

(CPANSec, Oslo.pm)

🐘 Mastodon — @sjn@chaos.social

Cyber Resilience Act - December 11, 2027

CE-marked products are required to be cyber-secure

Manufacturers are liable for ALL the security of their products

  • …including Open Source components used in or in relation to these
  • …and that the documentation and metadata is complete, correct and not misleading
  • …and perform any risk assessments and due diligence required to remain compliant (CRA Annex I, Annex II)

At pain of substantial fines, or having their products taken off the EU market

The Problem

  • Products with tens of thousands of dependencies
  • Each dependency an Open Source project
  • Each required to be cyber-secure and cared for
  • Each project has information to share

The Open Source Software Steward

A new organization, imagined by the EU Commission to facilitate this work

…but without guidance on HOW it should work!

(This talk addresses this!)

A community-owned non-profit Steward cooperative
based in the EEA

…for projects, infrastructure communities or other communities that are published on CPAN or otherwise related to Perl or CPAN

…in order to fulfill any relevant Steward obligations,

  • Cybersecurity policy
  • Cooperate with, and respond to requests from market authorities
  • Notify market authorities of severe incidents and vulnerabilities
  • Be the single point of contact for EU member state market authorities, on behalf of member projects

…and more!

⚠️ limited to projects willing to have a Steward, AND that are in use by a Manufacturer

A community-owned non-profit Steward cooperative
based in the EEA

…allowing projects & communities to become members of the cooperative,

  • …by voluntarily fulfilling the necessary membership criteria,
  • …where the criteria are the minimum necessary so their project may live up to the “light touch” regulatory requirements in the CRA

Cybersecurity policy, correct metadata, contact information, etc.

sustainability information, funding requirements, etc.

…and thereby become a co-owner of the Steward cooperative

A Steward that supports us

…So the Steward may become capable of supporting the projects, services and communities in-stream or up-stream of, or related to, Perl and CPAN

  • …in security, sustainability or compliance related matters,
  • …including support through donations or member dividends,
  • …while letting the Maintainers (members) retain full control of their project

A Steward that supports these communities

…By becoming a non-profit business to facilitate any necessary security-related documentation or work in the affected/member projects,

  • …required for Manufacturers that use these projects in their products to become and remain compliant with the CRA,
  • …informed by aggregated usage information supplied, either in confidence or through anonymization, by Manufacturers,

…enabling the issuing of voluntary security attestations by Maintainers and their Steward

Issuing VSAs

Issuing of voluntary security attestations by Maintainers and their Steward

  • …suitable for communicating any time- and release-scoped compliance- and sustainability-relevant claims about a component project to Manufacturers,
  • …in a way that market authorities will accept to satisfy the Manufacturer’s obligation to perform due diligence of said component,

The CPAN Ecosystem Steward

…A custom-made Steward concept

  • …taking into account the economic and cultural sustainability of its projects,
  • …including the cultural and historical context and ways of working of these projects, services and communities,
  • …in a way that ensures all revenues generated by the sale of attestations, and any other support coming from this venture, are directed towards non-profit activities where they are needed (and welcome) in any member, affected or related communities

Thanks!

Salve J. Nilsen

🐘 Mastodon — @sjn@chaos.social

🦆🦆