FAQ Does each open-source project have to have a Manufacturer identified necessarily?

[rozhukov]

The first obvious answer is "no". But the intention of CRA is to protect the user. In this case it sounds like "as is" principle applies.

Example - Microsoft is a clear Manufacturer of Visual Studio, because monetizes it. Microsoft is a major contributor to VSCode, which is open-source and Microsoft doesn't monetize it directly. So, if user consumes VSCode - can they appeal to Microsoft as a Manufacturer or no?

[pete2160]

I would think not as there are no repositories for assigning or maintaining any vendor identifications to date.

[oej]

Also interesting: If there's an open source package created by an entity who is seen as a "manufacturer" and RedHat packages it as part of the linux distro. Are there now a manufacturer and a distributor? If RedHat applies patches - will they also become a manufacturer? Can there be two manufacturers?

[bagder]

An open source project is typically a source for the, yeah, source code. If two different (commercial) entities build and ship that project as part of their products, aren't both manufacturers ? If not, which one "wins" ?

[pete2160]

If two different entities (both commercial and non-commercial / non-profit) ship the content of a release as part of their products, both should be manufacturers. Each now has that included in their manifest and should publish within their SBOMs. However the package ID is now changed with three distinct IDs [this is where scanners begin to have reporting challenges]. Each manufacturer is now the source for that package. If the upstream stops maintaining that package (let's assume they rev up a version) and one manufacturer incorporates that update and the other does not, then the non-updated manufacturer would likely need to 'support' that package for fixes. So the 'winner' is the one supporting the package with a fork.

…

On Tue, Feb 11, 2025 at 3:35 AM Daniel Stenberg ***@***.***> wrote: An open source project is typically a source for the, yeah, source code. If two different (commercial) entities build and ship that project as part of their products, aren't both manufacturers ? If not, which one "wins" ? — Reply to this email directly, view it on GitHub <#114 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AOLITHEK52AFPXJCUE7H3HD2PGY23AVCNFSM6AAAAABWFNI2TCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNJQGEZDENRZGU> . You are receiving this because you commented.Message ID: ***@***.***>

[maertsen]

The first obvious answer is "no".

That would be my understanding.

But the intention of CRA is to protect the user. In this case it sounds like "as is" principle applies.

I have no idea what this means.

Example - Microsoft is a clear Manufacturer of Visual Studio, because monetizes it. Microsoft is a major contributor to VSCode, which is open-source and Microsoft doesn't monetize it directly.

I think this is an unfortunate example, because ever since MS shipped copilot, the following in recital 15 may very well trigger:

by an intention to monetise, for instance by providing a software platform through which the manufacturer monetises other services

Anyhow, substituting to remain somewhat on topic:

So, if user consumes [FOSS projects with a contributing actor that is also a manufacturer for a different product] - can they appeal to [Manufacturer] as a Manufacturer or no?

No, I don't think that argumentation makes sense.

[oej]

Do we have a clear text already in the FAQ or do we need to clarify

• Not all Open Source projects have a manufacturer nor a steward
• A manufacturer that use an Open Source component and distributes to customers has no obligation to support that Open Source component for non-customers