@smallsees @giacomo no warranty and no money is where we start, where we are now. I can't see any open source project doing attestations unless given motivation and I can't figure out a motivation that would work better than the plain old money
@bagder What's the incentive for OSS projects to do CRA attestations?
I get some odd requests similar to this from large companies but I've always said go read the license, that's what you've got.
@smallsees I propose: money
go read the license, that's what you've got
That is "NO WARRANTY".
@giacomo @smallsees I sell curl support as a business already today. No one needs to take anything away from any license.
If you too want to feedback on the idea of Open Source CRA attestations (basically projects officially saying that they are "good projects" in a CRA sense), here's the survey
@bagder
As usual, you make an excellent point. Also, thanks for sharing the survey!
In case anybody else can use some inspiration for how (not?) to phrase things, here's what I wrote:
Q: Do you have views, ideas, or questions about how this should work?
A: »It cannot work at all unless EU bodies, governments or manufacturers establish some kind of incentive for FOSS maintainers to even take part in this scheme (for example, by answering questions or providing information to auditors, manufacturers etc).
Here's the rationale:
All FOSS licenses explicitly exclude warranties. Consequently, maintainers like myself have no obligation to perform any work, much less for free. This would only change when, separate from the license, there's some contractual relationship with somebody who sponsors that work. Note: it does not matter whether that work is coding, triaging, bugfixing, researching or attesting something.
…«
1/2
@bagder Thanks, I gave my feedback.
Among other things I pointed out that under the terms of your typical FLOSS license, the software is provided without warranty of any kind.
When push comes to shove, it might pitch attestations against FLOSS licenses, unless they're de-fanged to the point of being cosmetic.
If you ask me, this feels like a warmed up anti-FLOSS campaign in the guise of trying to make it seem more respectable.
While you wait on the survey to come back to life, here's the relevant associated FOSDEM 2026 talk:
https://fosdem.org/2026/schedule/event/QEZ3LB-cra_-_role_of_free_software_and_q_a/
@bagder I need to watch this but my deep feeling has been that this is based on a world that doesn't exist
@Di4na the attestation thing seems to so far mostly be an idea or ambition they ask a lot of questions about. But I've been around for a while, I don't make any illusions that this will fundamentally change anything.
I just try to feedback reality-check kind of stuff. Based on how open source actually works according to me.
@bagder I think you broke their survey ...