
Commit 3083c71

Be silent on being manufacturer + steward for same bits
Deal with a difference in interpretation by *not* stating a claim one way or the other. @maertsen believes that it's possible to be both a manufacturer and a steward for the same sequence of bits but in different contexts. Others don't agree with this interpretation. We don't have the authority to interpret the CRA. So let's resolve this by saying what *is* clearly known, citing authority (in this case the EC), and stay silent where it's not clear what the interpretation is. If there's a formal interpretation stated later, we can change this text to reflect that.

Signed-off-by: David A. Wheeler <[email protected]>
1 parent c3a1c6d commit 3083c71

File tree: 1 file changed (+1 / -1 lines changed)


docs/CRA-Brief-Guide-for-OSS-Developers.md

Lines changed: 1 addition & 1 deletion
@@ -34,7 +34,7 @@ If you’re putting a PDE on the market in the course of a commercial activity,
3434

3535
Manufacturers may integrate OSS components into their product that is put on the market. The CRA ***does*** apply to manufacturers, because they are putting PDEs on the market with commercial intent. The manufacturer is responsible for all parts of the product, including components from third parties. The manufacturer must [perform “due diligence”](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_13) to determine what components to use, and must also [report component vulnerabilities](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_13) to the component maintainer and upstream fixes if they have any. Using an OSS component in a product makes the manufacturer responsible for its use. As a result, it’s expected that some OSS will be more thoroughly assessed, and it’s likely that there will be a preference for more secure OSS. Manufacturers may sometimes [change how they interact with non-commercial OSS](https://eviltux.com/2025/04/25/what-open-source-developers-need-to-know-about-the-eu-cyber-resilience-act-cra/) due to the CRA. So even developers not directly subject to the CRA should learn more about the CRA and work to create more secure software. These Manufacturer requirements may generate more interest in your software and your practices, which may spawn requests to the project for documentation, patches, or other artifacts such as a Software Bill of Materials (SBOM).
3636

37-
Organizations that [systematically provide sustained support for developing OSS intended for commercial activities](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_3), but don’t fill another role like “manufacturer” for that software, may be considered an “Open Source Software Stewards” under the CRA. Stewards have fewer obligations than manufacturers, but they have a few [obligations](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_24) such as providing a coordinated vulnerability disclosure (CVD) policy, cooperating with market surveillance at their request, providing certain kinds of documentation, reporting known actively exploited vulnerabilities, notifying about severe incidents, informing impacted users, and providing mitigation. There is no requirement for an OSS project to have a steward. However, an OSS project may *choose* to be supported by a steward (who must then meet its obligations).
37+
Organizations that [systematically provide sustained support for developing OSS intended for commercial activities](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_3), but don’t fill another role like “manufacturer”, may be considered an “Open Source Software Stewards” under the CRA. It's known that an organization can be a steward for one program and also a manufacturer for a different program ([Benjamin Bögel, FOSDEM 2024, time 18:10](https://fosdem.org/2024/schedule/event/fosdem-2024-3683-the-regulators-are-coming-one-year-on/)). Stewards have fewer obligations than manufacturers, but they have a few [obligations](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_24) such as providing a coordinated vulnerability disclosure (CVD) policy, cooperating with market surveillance at their request, providing certain kinds of documentation, reporting known actively exploited vulnerabilities, notifying about severe incidents, informing impacted users, and providing mitigation. There is no requirement for an OSS project to have a steward. However, an OSS project may *choose* to be supported by a steward (who must then meet its obligations).
3838

3939
### CE marking compliance with the EU product legislation
4040
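Review bot: the new line 37 now reads as self-contradictory: the first sentence says stewards are organizations that "don't fill another role like 'manufacturer'" (with the qualifier "for that software" removed), and the very next sentence says an organization can be a steward for one program and a manufacturer for another. Consider wording the first sentence so it does not exclude organizations that are manufacturers of something else, for example "but aren't acting as a 'manufacturer' in that capacity", which keeps the deliberate silence on the same-bits question the commit message describes. Two smaller points in the same line: "may be considered an 'Open Source Software Stewards'" mixes singular article and plural noun (it was already wrong before this change) and should be "an 'Open Source Software Steward'"; and since the commit message says the point of the added citation is to cite the EC as the authority, the text should say who Benjamin Bögel is speaking for, as "[Benjamin Bögel, FOSDEM 2024, time 18:10]" alone does not tell the reader that this is an EC position rather than an individual opinion.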
