Community

The CRA isn't coming for your open source community

UB5.230
Tobie Langel
<p>Many open source contributors, maintainers, and communities are anxious about the Cyber Resilience Act (CRA) and its potential impact on open source. It’s easy to feel that these obligations aimed at commercial vendors will somehow end up falling on volunteer maintainers, community projects, and the broader open source ecosystem. But that's not the whole story.</p>
<p>Thanks to strong, coordinated advocacy from the community, the European Commission actually understands the open source ecosystem far better than many believe. The CRA not only clarifies where responsibility lies—squarely on the vendors who profit from open source components, as it should—but also introduces meaningful tools to improve sustainability, including the new attestation program, which has real potential to channel support back into the ecosystem.</p>
<p>A well-designed law, however, doesn’t mean there will be no impact.</p>
<p>Drawing on direct involvement in the CRA implementation process through the ORC WG and the CRA Expert Group, Tobie will walk through how these changes will affect open source communities in practice, why the underlying structure of the CRA makes sense, and how open source communities can position themselves to benefit from it, if they so wish, to deliver more secure software more sustainably.</p>

Additional information

Live Stream: https://live.fosdem.org/watch/ub5230
Type: devroom
Language: English
