Open Source Software Steward Security Policy fosters development of secure PwDE: what it applies to?

[mrybczyn]

In the discussion on the Stewards whitepaper, we have two possible interpretation of the phrase "Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product. "

It could apply to:

1. the FOSS project under the Steward (encouraging best development practices)
2. integration of the FOSS project in other Products (encouraging secure options etc)

Taking into account the definition of open source steward that used the term 'product with digital elements', I tend to understand it as (1), but both are possible. In an ideal case the policy should encourage both :)

The definition of the steward from article 3 is:
‘open-source software steward’ means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;

[tobie]

It's definitely (1). The product here is the the open source project itself, and the "developers of that product" are the open source maintainers and contributors. The requirements for the policy aren't about upstream integration, as this would put a burden on stewards to educate their users to improve their security posture in general, which is clearly outside of their remit.

In an ideal case the policy should encourage both :)

What's critical is to have clarity as to what the requirements are. For stewards, the requirements of Article 24 are about the open source projects they host.

Attestations, on the other hand, are all about facilitating manufacturer due diligence; i.e. making sure that the project can be integrated in a secure and resilient manner and that compliance with the legislation can be easily demonstrated. That's where things like safe defaults and good documentation comes in and helps with (2). But that's not a requirement for stewards, it is a voluntary activity that any project can provide as part of the attestation program and that every project should consider getting resourced for.