Discussion
Æva
@aeva@infosec.exchange  ·  activity timestamp 8 hours ago

Another year has gone by in #opensource, marked by the start of the annual ritual of #FOSDEM...

The Cyber Resilience Act implementation is ongoing. While I've been involved in the development of the Vertical standard for Operating Systems for the past several months, I have also been contributing to CEN's Horizontal standard for vulnerability management -- a better use of my skills, perhaps, though a more frustrating experience overall.

Working within the strictures of CEN/CENELEC to develop a vulnerability handling standard that accurately reflects the modern realities of open source software's integral role in commercial products and the essential collaboration that must exist between corporations and communities, has been, frankly, very challenging. Many established participants seem to hold on to views of open source that are out of sync with the realities of the last decade. I've done what I could -- a speech to the ETSI SECURITY conference and several presentations inside ETSI and CEN meetings. For this iteration of #FOSDEM, I won't be talking about those standards ...

Instead of talking about standards, I will present on the topic of Voluntary Security Attestations -- CRA's little-discussed Article 25 -- which have the potential to fundamentally alter, for the better, the relationship between OSS maintainers and the companies that rely on OSS.

https://fosdem.org/2026/schedule/event/PTHENV-sustaining-foss-with-attestations/

Find me Sunday afternoon, 15:20 - 16:20 in the EU Policy track... Or at one of the many other events around BXL over the long weekend -- I'll be here Thursday-Tuesday!

FOSDEM 2026 - Could Compliance Costs Sustain FOSS? A Theory of Voluntary Attestations

Risotto Bias
@risottobias@toot.risottobias.org replied  ·  activity timestamp 3 hours ago

@aeva have an awesome time!
