[coreboot] 2025-08-06 - coreboot Leadership Meetings Minutes

[mina--- via coreboot]

# 2025-08-06 - coreboot Leadership Meetings Minutes



## Open Action Items
  * 2024-11-27
    * [Open] Send out poll with regards to  LLM usage (requested by SFC)
  * 2024-10-30
    * [Open] Add clarification to docs,“do not use gerrit change-id or CB: 
format in reference to already-merged patches.”
  * 2024-10-16
    * [Open] Matt: Set up a meeting to discuss board status alternatives and 
send out invites. 
      * Decouple data collection with uploading
      * Require gerrit credentials or other auth to push
      * Json format?
      * https://github.com/chrultrabook/linux-tools/blob/main/debugging.sh
  * 2024-09-18
    * [Open] Jon: Schedule a dedicated meeting to discuss the Coverity defects 
and action plan.
      * Werner: Send out an invite for the meeting. 
        Sent out a poll to find a time slot: 
https://rallly.co/invite/1c8J3azXAcje
  * 2024-05-01
    * [Open] Nick Van Der Harst volunteered for Dutch. "gogo gogo" would like 
to translate to Russian(?).
  * 2024-01-10
          * Nico: (https://review.coreboot.org/q/topic:enforce_region_api)
      *  [Open] Daniel: Look at how we want to localize (non-console) strings 
for coreboot. Long-term project.



## Announcements & Events
  * OSFC 2025 
    Dates: October 7–10, 2025



## coreboot Leadership Meeting - Late GMT


## Attendees

Martin Roth, Mina Asante, Jay Talbott, Carl Turner, Michal Kopec, Alicja 
Michalska, Ziang Wang, Karthik R, Julius Werner.


## Minutes


### [Subrata] Developing a self-test framework in coreboot
  * Mailing list:
(https://mail.coreboot.org/archives/list/coreboot@coreboot.org/thread/ZLHWZGWU2PMP5CIHQ7DBM3XSYTAXQPA/)
  * Spec: 
(https://drive.google.com/file/d/1TyOxw_acrextI-GVI2IE4omdg0f1evyn/view) 
    * [Subrata] Hold to present at the next leadership meeting. (Again)

### [Martin] Discuss the EU-CRA
  * Summary of the EU-CRA
  * (https://en.wikipedia.org/wiki/Cyber_Resilience_Act)
  
*(https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14449-Technical-description-of-important-and-criticalproducts-with-digital-elements_en)
  * (https://www.linuxfoundation.org/research/cra-readiness?hsLang=en)

```
The European Union's Cyber Resilience Act (EU-CRA) is a comprehensive 
regulation aimed at improving
the cybersecurity of "products with digital elements" -meaning both hardware 
and software -sold
within the EU. The CRA mandates that these products meet strict cybersecurity 
requirements
throughout their lifecycle, such as secure-by-default settings, incident 
reporting, vulnerability
management, and regular security updates. Products covered by the CRA range 
from everyday consumer
electronics to large-scale enterprise systems, though some categories like 
medical devices and cars
are governed separately.

Key Provisions & Timeline
The CRA officially entered into force on December 10, 2024.
Most obligations will become mandatory on September 11, 2026, with full 
application commencing on
December 11, 2027.

Impact on Open Source Projects
The initial drafts of the CRA raised substantial concern in the open source 
community, as its
requirements could have placed undue liability and compliance burdens on 
individual contributors
and small non-commercial projects. However, after extensive advocacy and 
negotiations, the final
text provides important clarifications and exemptions:
Non-commercial Open Source Exemption: If you maintain or contribute to open 
source software purely
in a non-commercial capacity (i.e., you do not sell or distribute it 
commercially), the CRA does
not apply to you. The regulation is designed to target commercial actors and 
companies that deploy
open source in products for profit.
Commercial Open Source: If an entity distributes open source software as part 
of a commercial
activity—including selling, offering paid support, or bundling in commercial 
hardware/software—they
must comply with the CRA as "manufacturers" or "distributors." This means they 
bear the primary
responsibility for security obligations.
Open Source Stewards: The final legislation introduces the "open source 
steward" concept,
recognizing organizations like the Linux Foundation or Eclipse Foundation. 
These entities play a
coordination or support role in fostering security practices in open source 
projects but are not
automatically liable unless involved in commercial distribution
```
* Werner and I had a meeting with the FSFE to discuss the EU-CRA.

```
No obligations for the project itself, only the manufacturer (user of the 
project) is responsible.

Clear for coreboot as such: It is used to enable/build commercial products. The 
only responsible
entity is the manufacturer of the final product.

It is expected very little from the project itself:

* provide a proper documentation of the project
* document the CVE-policy (mention how fast you can react, what the contact 
address is, when and where fixes are announced ...)
* be available for market surveillance authorities in cases of questions

coreboot does not have the obligation to fix vulnerabilities. If a fix is 
provided, make sure it is
documented and made available to all users. It is enough to have it merged on 
main and document it
properly. Putting in release notes can already be enough, too.

There seems to be an incentive to join forces with other users to form a single 
entity for all
CRA-related obligations.

Three bullet points when it comes to reporting obligations:

* report vulnerabilities
* report incidents
* volunteer reporting on other issues

Obligation to report is only for known and exploitable bugs/vulnerabilities. If 
a bug /vulnerability is under embargo/not public yet, this obligation does not 
apply. In case of doubt, reach out to market surveillance authorities and ask.

Voluntary security attestation → What does it mean in the context of OSS?
```


##  coreboot Leadership Meeting - Early GMT


##  Attendees

Ziang Wang, Mina Asante, Shuo Liu, Subrata Banik, Pravana, Avi Udey.


## Minutes

No minutes taken.



## Completed Action Items
   * Martin: Review the list of people with +2 rights and update it before the 
next release.



# Next Leadership Meetings Date
  * August 20, 2025.
  * [coreboot Calendar](https://coreboot.org/calendar.html).



# Notice
Decisions shown here are not necessarily final and are based
on the current information available. If there are questions or comments
about decisions made, or additional information to present, please put
it on the leadership meeting agenda and show up if possible to discuss
it.

Of course items may also be discussed on the mailing list, but as it's
difficult to interpret tone over email, controversial topics frequently
do not have good progress in those discussions. For particularly
difficult issues, it may be best to try to schedule another meeting.

We now host two leadership meetings, one in early GMT and one in late GMT, to 
better accommodate
participants from the Asian time zones. 
Kindly note that both sessions use the same meeting notes and Google Meet link.




# coreboot leadership meetings notes
https://docs.google.com/document/d/1NRXqXcLBp5pFkHiJbrLdv3Spqh1Hu086HYkKrgKjeDQ
_______________________________________________
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-le...@coreboot.org