WEBVTT

00:00.000 --> 00:10.000
Please take your seats as quick as possible, we are starting.

00:10.000 --> 00:12.000
Can you take a seat please?

00:12.000 --> 00:13.000
Yeah.

00:13.000 --> 00:14.000
Good.

00:14.000 --> 00:15.000
Thanks very much.

00:15.000 --> 00:17.000
Guys, take your seats up there.

00:17.000 --> 00:19.000
All right.

00:27.000 --> 00:28.000
All right.

00:31.000 --> 00:33.000
All right, guys.

00:33.000 --> 00:34.000
Take your seat please.

00:34.000 --> 00:36.000
Thank you so much.

00:36.000 --> 00:38.000
And we are moving on.

00:38.000 --> 00:41.000
And that's going to be a lightning talk, but, you know, the last one.

00:41.000 --> 00:42.000
Of course.

00:42.000 --> 00:45.000
Next up are Cynthia and Casey,

00:45.000 --> 00:50.000
who'll talk about building CRA-ready open source communities:

00:50.000 --> 00:52.000
the critical role of community managers.

00:52.000 --> 00:53.000
So, an important one.

00:53.000 --> 00:55.000
Please give all the applause to the next speakers.

00:55.000 --> 01:06.000
Thank you.

01:06.000 --> 01:07.000
Thank you.

01:07.000 --> 01:09.000
Hello everybody.

01:09.000 --> 01:10.000
I am Cynthia.

01:10.000 --> 01:13.000
I'm a PM at GitHub, and joining me today

01:13.000 --> 01:16.000
in this super lightning-fast talk is Casey.

01:16.000 --> 01:17.000
Hi everyone.

01:17.000 --> 01:22.000
Casey, I come here as an independent person.

01:22.000 --> 01:27.000
Yeah, but I'm working with the World Health Organization,

01:27.000 --> 01:33.000
WHO, on open source related work, previously on health emergencies

01:33.000 --> 01:38.000
and now on medical records related things.

01:38.000 --> 01:41.000
So very happy to speak to people about that.

01:41.000 --> 01:44.000
But I'm here today in an independent capacity.

01:45.000 --> 01:47.000
Okay.

01:59.000 --> 02:02.000
Sorry about that slide.

02:02.000 --> 02:05.000
It seems like everything has gone wrong.

02:05.000 --> 02:08.000
But please excuse us.

02:08.000 --> 02:12.000
And also, excuse us if this has already been covered.

02:12.000 --> 02:15.000
But I thought, if everyone is a bit like me,

02:15.000 --> 02:18.000
and sometimes a bit confused about what the CRA actually means

02:18.000 --> 02:24.000
and what it covers, it might be helpful to start with a bit of very, very brief context.

02:24.000 --> 02:34.000
So the CRA does introduce what they call mandatory cybersecurity requirements for hardware and software products throughout their whole life cycle.

02:34.000 --> 02:38.000
And we'll talk about what that means in a second.

02:38.000 --> 02:46.000
And it is meant to complement European cybersecurity rules and strengthen the security of the whole, what they call, supply chain.

02:46.000 --> 02:52.000
So in the recital, which is, if you ever look at the actual legislation,

02:52.000 --> 02:58.000
if you ever go to the exact source on the European Commission site,

02:58.000 --> 03:01.000
if anyone has trouble navigating that,

03:01.000 --> 03:04.000
I'm very happy to support you on that.

03:04.000 --> 03:14.000
So the recital, which is the first line items that they give people before it goes into the act, which is the actual law, so to say.

03:14.000 --> 03:25.000
So it shifts cybersecurity from a post-market issue to a regulatory obligation that's embedded in product governance.

03:25.000 --> 03:33.000
And it's meant to treat cybersecurity as what they call a collective supply chain responsibility, not just the manufacturer's concern.

03:33.000 --> 03:43.000
I saw from the previous question that someone mentioned that their clients would be considered manufacturers under the

03:43.000 --> 03:46.000
Cyber Resilience Act and so on.

03:46.000 --> 03:54.000
And then very briefly we'll talk about the scope of application of the CRA.

03:54.000 --> 04:01.000
And for that, the most important thing, the bottom circle, is cut off, but that's meant to be open source stewards.

04:01.000 --> 04:05.000
Yeah, unfortunate, but that has happened.

04:05.000 --> 04:13.000
So how it applies is twofold: one is what they call covered product categories.

04:13.000 --> 04:22.000
So they specified, and it's basically connected hardware devices, with examples like IoT and network equipment.

04:22.000 --> 04:29.000
And then software that's embedded in connected devices; that's the wording they use in the legislation.

04:29.000 --> 04:41.000
And then also non-tangible digital products, basically software, where it's supplied as part of a product with digital elements.

04:41.000 --> 04:51.000
And then it does have some exemptions. One is basically if it's covered by other regulations that are often more strict,

04:51.000 --> 05:02.000
such as medical devices for human use and accessories for such devices; that's Regulation (EU) 2017/746.

05:02.000 --> 05:10.000
And then another is the IVDR, in vitro diagnostic medical devices for human use and accessories for such devices.

05:10.000 --> 05:16.000
They often have even stricter requirements than the CRA, so that's mentioned.

05:16.000 --> 05:25.000
Another is if there is already a comparable certification scheme.

05:25.000 --> 05:34.000
And then another is products developed exclusively for national security, defense or military purposes, or for processing classified information.

05:34.000 --> 05:45.000
And then the other ones I thought might be a bit more interesting: unfinished products, prototypes, but provided that you make it very clear that this is a prototype,

05:45.000 --> 05:49.000
and also mention that this does not comply with the CRA.

05:49.000 --> 05:57.000
And they're placed on the market solely for testing, and it says that's covered by other kinds of legislation.

05:57.000 --> 06:02.000
And then I will quickly, how much time?

06:02.000 --> 06:04.000
Yeah, okay.

06:04.000 --> 06:06.000
Oh, sorry.

06:06.000 --> 06:14.000
And then another bit of how it's applied is that they use a term called economic operators.

06:14.000 --> 06:21.000
So as in, a product is placed on the market, as in it has a commercial bit to it.

06:21.000 --> 06:24.000
So that's what they mean by economic operators.

06:24.000 --> 06:28.000
And then it does have three different categories of economic operator.

06:28.000 --> 06:33.000
One is the manufacturer, the ones that manufacture, and then another is the importer.

06:33.000 --> 06:35.000
And then another one is the distributor.

06:35.000 --> 06:42.000
And I'm sure it's like preaching to the converted to talk to people in this room.

06:42.000 --> 06:46.000
Like, where do the open source stewards or community fit?

06:46.000 --> 06:52.000
And that's the term that they have introduced here as well.

06:52.000 --> 07:01.000
And we wouldn't have time to go through the obligations that they have set out for the different categories of economic operators.

07:01.000 --> 07:05.000
But we'll quickly just talk about the obligations of manufacturers.

07:05.000 --> 07:10.000
So there's a general obligation and a reporting obligation.

07:10.000 --> 07:16.000
So the general one, points one through, I would say, two.

07:16.000 --> 07:22.000
It's like a normal, healthy software development lifecycle.

07:22.000 --> 07:30.000
It's like, yes, cybersecurity is taken into account in planning, designing, developing, that sort of thing.

07:30.000 --> 07:39.000
And then there is a quite heavy reporting obligation, which, if we have time, we will get to.

07:39.000 --> 07:52.000
But then other interesting things are for how long this should be ensured, basically how long the safety of the product should be ensured,

07:52.000 --> 07:59.000
and how long security updates should be made available once the product has been placed on the market.

07:59.000 --> 08:07.000
And then another bit, number five, which I thought interesting: very clear and understandable instructions for the users.

08:07.000 --> 08:11.000
And then the reporting bit is also interesting.

08:11.000 --> 08:21.000
It does have a quite stringent timeline: as soon as the manufacturer identifies an issue,

08:21.000 --> 08:31.000
within 24 hours they have to inform the CSIRT or ENISA about the vulnerabilities.

08:31.000 --> 08:39.000
And then as they mitigate, work on it, patch it, the final report is to be made available within 24 hours.

08:39.000 --> 08:47.000
And then we'll talk about the specifics with the FOSS community. Sorry.

08:47.000 --> 08:49.000
There we go.

08:49.000 --> 08:51.000
Yeah.

08:51.000 --> 09:01.000
So the proposal for the legislation was introduced in 2022 and the final version was introduced in November of 2024.

09:01.000 --> 09:16.000
There had been a lot of advocacy and work from the open source communities; if you were to actually read through and compare the two drafts of the legislation, they're quite different.

09:16.000 --> 09:27.000
And for the specifics on open source, the best place to look would be Article 24; that's the dedicated space for that.

09:27.000 --> 09:36.000
And then it is asking to establish and document a verifiable cybersecurity policy and ensure effective vulnerability handling.

09:36.000 --> 09:41.000
It does not specify how or what it should look like, but it does say that.

09:41.000 --> 09:45.000
And then, um, cooperate with market surveillance authorities.

09:45.000 --> 09:53.000
Um, I don't know if people have heard about this term; it's a term that was also introduced there.

09:53.000 --> 10:02.000
So market surveillance authorities are meant to be national ones, chosen by each member state of the European Union.

10:02.000 --> 10:06.000
And they are to ensure the implementation of the CRA.

10:06.000 --> 10:12.000
So each member state can choose one or more existing or new authorities and such.

10:12.000 --> 10:14.000
Um, okay.

10:14.000 --> 10:16.000
To me, oh my gosh, okay.

10:16.000 --> 10:18.000
I'm so sorry.

10:18.000 --> 10:19.000
Yeah.

10:19.000 --> 10:24.000
And, um, with that I just want to, I'll skip this slide,

10:24.000 --> 10:27.000
the concerns that have been raised.

10:27.000 --> 10:33.000
But I just want to end with the point that, for open source communities, what the CRA,

10:33.000 --> 10:39.000
at least from the law, actually values is the evidence of process, not necessarily perfection.

10:39.000 --> 10:42.000
And yeah, with that I'll turn it over to Cynthia.

10:42.000 --> 10:43.000
Awesome.

10:43.000 --> 10:44.000
Thank you.

10:44.000 --> 10:45.000
I don't know.

10:45.000 --> 10:46.000
All right.

10:46.000 --> 10:49.000
So I'm going to go through.

10:49.000 --> 10:52.000
So I want to highlight a little bit more on,

10:52.000 --> 10:55.000
thank you for going over the CRA,

10:55.000 --> 10:56.000
what it means.

10:56.000 --> 11:01.000
Um, and as you know, we have until December 2027 when it's in full effect.

11:01.000 --> 11:07.000
Um, but I want to highlight some of the concerns, if anybody here might be a community manager or a maintainer for a project.

11:07.000 --> 11:12.000
Here are some concerns that community managers have highlighted with the CRA.

11:12.000 --> 11:19.000
Of course, I want to highlight that the CRA really values the evidence of the process, and it just has to be completely perfect.

11:19.000 --> 11:23.000
There is time right now, but we definitely want to get started.

11:23.000 --> 11:28.000
And also there's some concern for community managers that might feel that downstream,

11:28.000 --> 11:32.000
so companies, manufacturers, might push questions upstream to the project.

11:32.000 --> 11:36.000
So you want to be able to reduce uncertainty,

11:36.000 --> 11:38.000
um, ahead of time, as soon as possible.

11:38.000 --> 11:45.000
Another thing to consider is, um, being able to really support the maintainers and support the community under the CRA.

11:45.000 --> 11:53.000
So these are the concerns that the community has, both the fear of burdens on open source software,

11:53.000 --> 11:57.000
and of course, the FOSS community really has done a lot of advocacy.

11:57.000 --> 11:59.000
So it's really great.

11:59.000 --> 12:02.000
Um, and there have been updates to the text.

12:02.000 --> 12:04.000
Um, it was mentioned earlier.

12:04.000 --> 12:08.000
Um, and to go through with the timing that we have here,

12:08.000 --> 12:09.000
I want to highlight.

12:09.000 --> 12:11.000
It's going slowly.

12:11.000 --> 12:13.000
There we go.

12:13.000 --> 12:20.000
Some things, um, to really be ready across the project as we're scaling CRA readiness.

12:20.000 --> 12:22.000
Of course, this is not legal advice.

12:22.000 --> 12:23.000
I'm not a lawyer.

12:23.000 --> 12:24.000
I'm not your lawyer.

12:24.000 --> 12:31.000
Uh, so I just want to highlight here some things that you may want to consider when you're preparing your project under the CRA.

12:31.000 --> 12:36.000
So of course, um, first figure out if your project does fall under the CRA.

12:36.000 --> 12:43.000
I believe there are a couple of really great assessment tools out there to see if your project would fall under that.

12:43.000 --> 12:45.000
Of course, think about also organizing,

12:45.000 --> 12:50.000
um, your repo, your projects, to have all CRA-related documents

12:50.000 --> 12:54.000
and your contributing file in your repo somewhere where new,

12:54.000 --> 13:00.000
um, uh, contributors can find them, somewhere with very clear documentation,

13:00.000 --> 13:03.000
to reduce any confusion in communication.

13:03.000 --> 13:06.000
For any CRA-related documentation, whether this is what happens,

13:06.000 --> 13:09.000
this is, um, the type of verbiage that you always use.

13:09.000 --> 13:13.000
So with that, also consider perhaps using issue templates.

13:13.000 --> 13:17.000
Whenever there is a security, um, vulnerability, any vulnerability,

13:17.000 --> 13:24.000
for vulnerability reporting, having templates that are the same across, um, your project makes it a little bit easier for new contributors to join.

13:24.000 --> 13:25.000
And I have zero minutes.

13:25.000 --> 13:29.000
The last thing I want to highlight is to clarify the roles between your technical writers and the community managers,

13:29.000 --> 13:34.000
so it's very clear who will do what when there's a new version that comes through, during onboarding.

13:34.000 --> 13:36.000
Uh, thank you so much.

13:36.000 --> 13:38.000
Uh, we ran out of time.

13:38.000 --> 13:41.000
And, um, it was all virtual.

13:41.000 --> 13:43.000
Thank you very much, ladies.

13:43.000 --> 13:44.000
That's fantastic.

13:45.000 --> 13:49.000
The best presentations are given when the technical things go wrong.

13:49.000 --> 13:52.000
I mean, that's, that's great that you overcame this.

13:52.000 --> 13:54.000
Please give it another round of applause.

13:54.000 --> 13:56.000
That's, that's just fantastic.

