Maintainers First: Re-centering Open Source Projects

by Alex Johnson

In discussions surrounding the Cyber Resilience Act (CRA) and security attestations, a critical debate has emerged: Should the focus be on stewards or maintainers of open source projects? This article argues for a fundamental shift in perspective, advocating for the prioritization of maintainers and the projects themselves, rather than placing stewards at the forefront. This re-centering is crucial for aligning with the realities of the open source ecosystem, the intent of the CRA, and the long-term sustainability of open source security.

The Imperative for a Maintainer-Centric Approach

The heart of the issue lies in the economic and security opportunity presented by attestations. Attestations, as envisioned by the CRA, offer a pathway for manufacturers to support the open source projects they rely on financially, thereby enhancing the cyber-resilience of the entire ecosystem. This creates a win-win-win scenario: manufacturers streamline their due diligence, end-users benefit from improved security, and maintainers gain the resources necessary to bolster their projects. However, a steward-centric model risks narrowing this opportunity, potentially favoring traditional membership-fee structures that have proven insufficient for the broader open source landscape.

To truly leverage the potential of attestations, we must treat them as a business-model design problem. This requires exploring innovative revenue streams that protect the non-manufacturer status of maintainers, build upon the inherent strengths of open source, and deliver the compliance value the market demands. Focusing solely on stewards limits the scope of possibilities and fails to address the diverse needs and structures within the open source world. Prioritizing maintainers allows for the development of more flexible and effective models that can adapt to the unique characteristics of individual projects and communities.

The Open Source Ecosystem: A Reality Check

One of the most compelling arguments for a maintainer-centric approach is the simple fact that most open source projects are not stewarded. Manufacturers heavily depend on these non-stewarded projects, and any attestation model that overlooks this reality is fundamentally flawed. Data from Black Duck's 2024 audit of commercial codebases provides a stark illustration: hundreds of thousands of unique JavaScript and Rust packages are used in commercial software, yet only a tiny fraction of these projects are stewarded by foundations. This demonstrates that the overwhelming majority of open source used by manufacturers is not and will never be stewarded.

Existing foundations, even if they desired to, could not possibly accommodate the vast number of open source projects currently in use. Furthermore, imposing a stewardship model on all projects is neither scalable nor reflective of how open source communities organically organize themselves. The diverse governance models that make open source work must be respected and supported, not shoehorned into a one-size-fits-all framework. The current framing, which suggests that non-stewarded projects should ultimately “become stewarded,” is not only unrealistic but also detrimental to the vibrant and decentralized nature of open source.

The CRA's Intent: Projects and Developers at the Forefront

The legal text of the Cyber Resilience Act itself reinforces the importance of focusing on projects and developers, not stewards. Article 25 and Recital 21 of the CRA explicitly refer to