• Lazycog@sopuli.xyz
    ↑ 12 · 3 days ago

    Exactly. At the same time the same businesses are claiming record profits, and not contributing to that central piece of FOSS software at all in any way (like the car manufacturers mentioned in the post).

    • esa@discuss.tchncs.de (OP)
      ↑ 6 · 3 days ago

      Yep. I wonder if that CRA compliance stuff won’t change that. Industries with strict demands on safety should be putting in work and resources to ensure that those demands are actually met, but how the CRA deals with FOSS took a bit of work to not be a complete disaster, and I can’t imagine it’s easy for FOSS projects to work out the details there.

      As in:

      1. The automotive industry absolutely should be CRA compliant,
      2. it’d be nice for everyone if cURL was known to be CRA compliant,
      3. compliance doesn’t appear by magic, someone has to put in work,
      4. companies that should be CRA compliant should help with that work.

      In the case where they don’t want to pitch in, well, something cURL-equivalent but known CRA-compliant won’t just fall off the back of a wagon, which means the companies that need compliance have a problem.

      Then again, apparently the HPE Nonstop ecosystem has git available on their platform all through the spare-time efforts of all of one dude, which absolutely shows that critical systems are willing to rely on precarious software, so I’m not gonna hold my breath.

    • Lazycog@sopuli.xyz
        ↑ 3 · 3 days ago

        You put it well. Big companies that rely on these libraries should put in the work. They have the money and resources to help FOSS projects reach compliance.