"It is important that whatever is done in the name of Open Source attestations motivates the manufacturers to do their part. If attestations for OSS should have a possibility to work, there needs to be motivations and incentives for OSS projects to submit such attestations and contribute to the process. Good Will is not going to be a strong enough driving factor."
Me, providing feedback on the idea.
If you too want to give feedback on the idea of Open Source CRA attestations (basically projects officially saying that they are "good projects" in a CRA sense), here's the survey
@bagder I think you broke their survey ...
while you wait on the survey to come back to life, here's the relevant associated FOSDEM 2026 talk:
https://fosdem.org/2026/schedule/event/QEZ3LB-cra_-_role_of_free_software_and_q_a/
@bagder i need to watch this but my deep feeling has been that this is based on a world that doesn't exist
@Di4na the attestation thing seems to so far mostly be an idea or ambition they ask a lot of questions about. But I've been around for a while, I don't have any illusions that this will fundamentally change anything.
I just try to feedback reality-check kind of stuff. Based on how open source actually works according to me.
@bagder What's the incentive for OSS projects to do CRA attestations?
I get some odd requests similar to this from large companies but I've always said go read the license, that's what you've got.
@smallsees I propose: money
@smallsees @giacomo no warranty and no money is where we start, where we are now. I can't see any open source project doing attestations unless given motivation and I can't figure out a motivation that would work better than the plain old money
Money from? To? Through?
Also, let's assume I'm the xz-utils or the log4j maintainer who in full good faith believes the distributed binaries are perfectly safe.
I attest this and get the money.
What should happen when the attack gets discovered?
Nothing?
More money to the maintainer?
Maintainer refunds?
"go read the license, that's what you've got"
That is "NO WARRANTY".
It's funny that someone wants to require warranties over something explicitly shared without them.
I guess that without moving to new licenses with warranties, CRA will just harm users.
@smallsees@social.dropbear.xyz
@giacomo @bagder The survey had a few questions about that. To me the only way it could impact the maintainer is if they made a statement you knew was false and even then I'm a bit iffy about that.
For another question, I said that I'll return the $0 for the software. Also what is a contract with no consideration?
I'd be happy if vendors (think software appliances) didn't ship software that is several versions behind and 10+ years old
@giacomo @smallsees I sell curl support as a business already today. No one needs to take anything away from any license.
@bagder Thanks, I gave my feedback.
Among other things I pointed out that under the terms of your typical FLOSS license, the software is provided without warranty of any kind.
When push comes to shove, it might pit attestations against FLOSS licenses, unless they're de-fanged to the point of being cosmetic.
If you ask me, this feels like a warmed up anti-FLOSS campaign in the guise of trying to make it seem more respectable.
How much money would you ask to strip lines 12 to 18 from #curl's license?
@smallsees@social.dropbear.xyz
Thanks, I gave feedback.
Basically the whole idea is stupid to me. I pointed out that nothing should happen without contracts being signed between attester and manufacturer, that if things end up being wrong that should be handled in the contract, and that you can't force unpaid volunteers to do anything because they can always choose to walk away from volunteering anyway.
@wouter How does a contract between attesters and manufacturers help involve/channel resources towards the upstream projects (maintainers)?
It doesn't. But then, none of this does. This whole law is about trying to force volunteers into doing things without being paid for that. I call BS.
If you want guarantees, pay someone for that. What happens next is between you and whomever you end up paying.
@bagder @smallsees @giacomo I'm nowhere near as famous or influential as curl and Daniel. My rule is that if you want me to do something that I have no particular interest in doing, you need to pay me. Giving me other incentives like "your software is more secure" (OpenSSF) or "we'll let you distribute it via our system" (PyPI) or "we won't use your software" (numerous big companies) doesn't work. If I don't want to do it for other reasons, I'll just find something entirely different to do.