[comment]: # (Compile this presentation with the command below)
[comment]: # (mdslides gpw2026-steward-proposal.md --include ../media)
[comment]: # (...or by running the Makefile with "make")
[comment]: # (mdslides can be installed from https://github.com/dadoomer/markdown-slides/)

[Recital (10)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_10 'CRA relevance for supply chains'
[Recital (15)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_15 'CRA applies to economic operators that have an intention to monetise a product'
[Recital (18)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_18 'Open Source Software Contributors'
[Recital (19)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_19 'Open Source Software Stewards, light-touch regulatory regime, and CE mark implications'
[Recital (20)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_20 'Open Source package managers considerations as "distributors"'
[Recital (21)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_21 'Voluntary security attestation programs for Open Source projects'
[Recital (22)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_22 'Submission of SBOMs for Open Source projects'
[Recital (24)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_24 'CRA relevance for the NIS2 directive'
[Recital (31)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_31 "Manufacturer's liability due to lack of security updates"
[Recital (34)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_34 'Exercise due diligence when integrating third-party components'
[Recital (37)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_37 'Software for testing purposes, alphas, betas'
[Recital (39)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_39 'Continued security updates'
[Recital (41)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_41 'Substantial modifications require a new conformity assessment to be done'
[Recital (43)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_43 'Important products with digital elements'
[Recital (44)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_44 'Class I and Class II products'
[Recital (45)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_45 'Class II products are subject to mandatory third-party conformity assessment'
[Recital (56)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_56 'On the download and installation of security updates, and notification of end of support'
[Recital (57)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_57 'On the requirement to be able to get security updates separately from functionality updates'
[Recital (60)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_60 'Support period'
[Recital (61)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_61 'Support period'
[Recital (62)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_62 'Support period'
[Recital (63)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_63 'Point of contact'
[Recital (64)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_64 'Secure by default'
[Recital (77)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_77 'Manufacturers should facilitate vulnerability analysis by drawing up an SBOM, though they are not obliged to make it public'
[Recital (117)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_117 '[…] establish voluntary security attestation programmes for assessing the conformity of products with digital elements qualifying as free and open-source software […]'
[Chapter I]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#cpt_I 'General Provisions'
[Article 1]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_1 'Subject Matter'
[Article 2]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_2 'Scope'
[Article 3]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_3 'Definitions'
[Article 9]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_9 'Obligations of Manufacturers'
[Article 9(1)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_9.tit_1 'Stakeholder consultation'
[Chapter II]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#cpt_II 'Obligations of Economic Operators and Provisions in relation to Free and Open-Source Software'
[Article 13]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_13 'Obligations of Manufacturers'
[Article 13(2)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#013.002 'Manufacturers shall undertake a cybersecurity risk assessment'
[Article 13(5)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#013.005 'Manufacturers shall exercise due diligence when integrating components, including FOSS'
[Article 13(6)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#013.006 'Manufacturers shall share relevant code or documentation with the supplier or maintainer of the component'
[Article 13(12)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#013.012 'Manufacturers shall, before placing a product on the market, draw up technical documentation'
[Article 13(14)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#013.014 'Manufacturers shall ensure that procedures are in place for products to remain in conformity with this Regulation'
[Article 13(15)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#013.015 'Manufacturers shall ensure that their products are identifiable'
[Article 13(16)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#013.016 'Manufacturers shall indicate their name and identification'
[Article 13(17)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#013.017 'Manufacturers shall designate a single point of contact for reporting vulnerabilities'
[Article 13(18)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#013.018 'Manufacturers shall ensure products are accompanied by documentation listed in Annex II, and available for at least 10 years'
[Article 13(19)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#013.019 'Manufacturers shall clearly mark the end date of the support period'
[Article 13(20)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#013.020 'Manufacturers shall provide a copy of or the exact internet address to the EU declaration of conformity'
[Article 14]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_14 'Reporting obligations of manufacturers'
[Article 14(1)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#014.001 'A manufacturer shall notify any actively exploited vulnerability contained in the product that it becomes aware of'
[Article 14(2)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#014.002 'A manufacturer shall notify within 24 hours, 72 hours and 14 days'
[Article 14(3)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#014.003 'A manufacturer shall notify any severe incident having an impact on the security of the product that it becomes aware of'
[Article 14(8)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#014.008 'After becoming aware of an incident or vulnerability, the manufacturer shall inform the impacted users of the product, and about risk mitigation and any corrective measures that users can deploy'
[Article 15]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_15 'Voluntary reporting'
[Article 16]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_16 'Establishment of a single reporting platform'
[Article 17]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_17 'Other provisions related to reporting'
[Article 18]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_18 'Authorised representatives'
[Article 19]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_19 'Obligations of importers'
[Article 19(1)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#019.001 'Importers shall only place products on the market that comply with requirements in Annex I part I'
[Article 20]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_20 'Obligations of distributors'
[Article 21]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_21 'Cases in which obligations of manufacturers apply to importers and distributors'
[Article 22]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_22 'Other cases in which obligations of manufacturers apply'
[Article 23]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_23 'Identification of economic operators'
[Article 23(2)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#023.002 'Be able to present supplier information for 10 years'
[Article 24]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_24 'Obligations of open-source software Stewards'
[Article 25]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_25 'Security attestation of free and open-source software'
[Article 26]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_26 'Guidance'
[Chapter III]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#cpt_III 'Conformity of the product with digital elements'
[Article 28]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_28 'EU declaration of conformity'
[Article 30]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_30 'Rules and conditions for affixing the CE marking'
[Article 30(3)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#030.003 'The CE marking shall be affixed before the product with digital elements is placed on the market'
[Article 32]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_32 'Conformity assessment procedures'
[Chapter IV]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#cpt_IV 'Notification of Conformity Assessment Bodies'
[Article 47]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_47 'Operational obligations of notified bodies'
[Chapter V]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#cpt_V 'Market Surveillance and Enforcement'
[Article 52]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_52 'Market surveillance and control of products'
[Article 52(3)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#052.003 'Market surveillance authorities shall also be responsible for carrying out market surveillance activities in relation to the obligations for open-source software Stewards.'
[Article 52(11)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#052.011 'Market surveillance authorities shall inform consumers of where to submit complaints that could indicate non-compliance with this Regulation and facilitate reporting of vulnerabilities, incidents and cyber threats'
[Article 54]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_54 'Procedure concerning products presenting a significant cybersecurity risk'
[Article 54(1)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#054.001 '[If a market authority finds] sufficient reason to consider that a product, including its vulnerability handling, presents a significant cybersecurity risk, it shall carry out an evaluation of the product concerned in respect of its compliance with all the requirements laid down in this Regulation.'
[Article 54(5)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#054.005 '[If the economic operator does] not take adequate corrective action, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict that product from being made available, to withdraw it from that market or to recall it.'
[Article 58]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_58 'Formal non-compliance'
[Chapter VII]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#cpt_VII 'Confidentiality and Penalties'
[Article 64]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_64 'Penalties'
[Article 64(4)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#064.004 'Supplying incorrect, incomplete or misleading information may be fined up to 5M EUR or 1% of global turnover'
[Article 64(10)(b)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#064.010 'Rules on administrative fines shall not apply to Open Source Software Stewards'
[Chapter VIII]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#cpt_VIII 'Transitional and final provisions'
[Article 71]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_71 'Entry into force and application'
[Article 71(2)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#071.002 'This Regulation shall apply from 11 December 2027. However, Article 14 shall apply from 11 September 2026 and Chapter IV (Articles 35 to 51) shall apply from 11 June 2026.'
[Annex I]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_I 'Essential Cybersecurity Requirements'
[Annex I, Part I]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#d1e47-68-1 'Cybersecurity requirements relating to the properties of products with digital elements'
[Annex I, Part II]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#d1e143-68-1 'Vulnerability handling requirements'
[Annex II]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_II 'Information and Instructions to the User'
[Annex V]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_V 'EU Declaration of Conformity'
[Annex VII]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#anx_VII 'Content of the Technical Documentation'
[Regulation (EU) 2019/881, Article (48)]:https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32019R0881#art_48 'Request for a European cybersecurity certification scheme'
[EU Blue Guide]:https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.C_.2022.247.01.0001.01.ENG&toc=OJ%3AC%3A2022%3A247%3ATOC 'The Blue Guide on the implementation of EU product rules (2022/C 247/01)'

## What might a CPAN Steward organization look like?

German Perl Workshop 2026

Salve J. Nilsen (CPANSec, Oslo.pm)

🐘 Mastodon — @sjn\@chaos.social

Note:
## Cyber Resilience Act - December 11, 2027

CE-marked products are required to be cyber-secure

Manufacturers are liable for ALL the security of their products

- …including Open Source components used in or in relation to these
- …and that the documentation and metadata are complete, correct and not misleading
- …and perform any risk assessments and due diligence required to remain compliant (CRA [Annex I][], [Annex II][])

At pain of substantial fines, or having their products taken off the EU market
## The Problem

- Products with tens of thousands of dependencies
- Each dependency an Open Source project
- Each required to be cyber-secure and cared for
- Each project has information to share
## The Open Source Software Steward

A new organization, imagined by the EU Commission to facilitate this work

…but without guidance on HOW it should work!

(This talk addresses this!)
## A community-owned non-profit **Steward** cooperative

based in the EEA

…for projects, infrastructure communities or other communities that are published on CPAN or otherwise related to Perl or CPAN

…in order to fulfill any relevant Steward obligations,

- Cybersecurity policy
- Cooperate with, and respond to requests from market authorities
- Notify market authorities of severe incidents and vulnerabilities
- Be the single point of contact for EU member state market authorities, on behalf of member projects

…and more!

⚠️ **limited to projects willing to have a Steward, AND that are in use by a Manufacturer**
## A community-owned non-profit Steward **cooperative**

based in the EEA

…allowing projects & communities to become **members** of the cooperative,

- …by voluntarily fulfilling the necessary membership criteria,
- …where the criteria are the minimum necessary so their project may live up to the "light touch" regulatory requirements in the CRA

Cybersecurity policy, correct metadata, contact information, etc.

sustainability information, funding requirements, etc.
## A **community-owned** non-profit Steward cooperative

based in the EEA

…allowing projects & communities to become **members** of the cooperative, **and thereby become a *co-owner* of the Steward cooperative**
## A Steward that supports us

…For the Steward to become capable of supporting the projects, services and communities in-stream or up-stream of, or related to Perl and CPAN

- …in security, sustainability or compliance related matters,
- …including support through donations or member dividends,
- …while letting the Maintainers (members) retain full control of their project
## A Steward that supports these communities

…By becoming a non-profit **business** to facilitate any necessary security-related documentation or work in the affected/member projects,

- …required for Manufacturers that use these projects in their products, to become and remain compliant with the CRA,
- …informed by aggregated usage information supplied, either in confidence or through anonymization, by Manufacturers,

…enabling the issuing of **voluntary security attestations** by Maintainers and their Steward
## Issuing VSAs

Issuing of **voluntary security attestations** by Maintainers and their Steward

- …suitable for communicating any time- and release-scoped compliance- and sustainability-relevant claims about a component project to Manufacturers,
- …in a way that market authorities will accept to satisfy the Manufacturer's obligation to perform due diligence of said component,
## The CPAN Ecosystem Steward

…A custom-made Steward concept

- …taking into account the economic and cultural sustainability of its projects,
- …including the cultural and historical context and ways of working of these projects, services and communities,
- …in a way that ensures all revenues generated by the sale of attestations, and other support coming from this venture, are directed towards non-profit activities, where it is needed (and welcome) _in any member, affected or related communities_

Note:
# Thanks!

Salve J. Nilsen

🐘 Mastodon — @sjn\@chaos.social

🦆🦆