
Commit dae5f02

Minor tweaks
* Spell out title ("open source software"). This increases the likelihood that search engines will find this document, and is also helpful to readers who might not know the abbreviation.
* Clarify that steward is a per-software role (an organization can be a manufacturer for one program and a steward for another).

Signed-off-by: David A. Wheeler <[email protected]>
1 parent 7618599 commit dae5f02

1 file changed (+2 -2 lines changed)


docs/CRA-Brief-Guide-for-OSS-Developers.md

Lines changed: 2 additions & 2 deletions
@@ -1,4 +1,4 @@
1-
# CRA Brief Guide for OSS Developers
1+
# CRA Brief Guide for Open Source Software (OSS) Developers
22

33
The European Union (EU) Cyber Resilience Act (CRA) is a law that applies to software, hardware, products containing them, and their backend services, *if* they are [made available](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_1) on the European market. The law applies *regardless* of where its developer(s) are located. This brief document aims to provide a straightforward guide for those who develop open source software (OSS). Note that *this guide is not legal advice*, it’s just an overview to help you understand the situation.
44

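Review bot: renaming the H1 also changes the heading's auto-generated anchor (it is derived from the heading text), so any existing links that point at the old "CRA Brief Guide for OSS Developers" heading fragment will stop resolving; worth searching the repository and any pages that link here for references to the old title and updating them in the same commit. The new title also matches the body's own first use, "open source software (OSS)" in line 3, so the abbreviation is defined before it is used later in the document.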
@@ -34,7 +34,7 @@ If you’re putting a PDE on the market in the course of a commercial activity,
3434

3535
Manufacturers may integrate OSS components into their product that is put on the market. The CRA ***does*** apply to manufacturers, because they are putting PDEs on the market with commercial intent. The manufacturer is responsible for all parts of the product, including components from third parties. The manufacturer must [perform “due diligence”](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_13) to determine what components to use, and must also [report component vulnerabilities](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_13) to the component maintainer and upstream fixes if they have any. Using an OSS component in a product makes the manufacturer responsible for its use. As a result, it’s expected that some OSS will be more thoroughly assessed, and it’s likely that there will be a preference for more secure OSS. Manufacturers may sometimes [change how they interact with non-commercial OSS](https://eviltux.com/2025/04/25/what-open-source-developers-need-to-know-about-the-eu-cyber-resilience-act-cra/) due to the CRA. So even developers not directly subject to the CRA should learn more about the CRA and work to create more secure software. These Manufacturer requirements may generate more interest in your software and your practices, which may spawn requests to the project for documentation, patches, or other artifacts such as a Software Bill of Materials (SBOM).
3636

37-
Organizations that [systematically provide sustained support for developing one or more OSS projects intended for commercial activities](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_3), but don’t fill another role like “manufacturer”, may be considered “Open Source Software Stewards” under the CRA. Stewards have fewer obligations than manufacturers, but they have a few [obligations](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_24) such as providing a coordinated vulnerability disclosure (CVD) policy, cooperating with market surveillance at their request, providing certain kinds of documentation, reporting known actively exploited vulnerabilities, notifying about severe incidents, informing impacted users, and providing mitigation. There is no requirement for an OSS project to have a steward. However, an OSS project may *choose* to be supported by a steward (who must then meet its obligations).
37+
Organizations that [systematically provide sustained support for developing OSS intended for commercial activities](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_3), but don’t fill another role like “manufacturer” for that software, may be considered an “Open Source Software Stewards” under the CRA. Stewards have fewer obligations than manufacturers, but they have a few [obligations](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_24) such as providing a coordinated vulnerability disclosure (CVD) policy, cooperating with market surveillance at their request, providing certain kinds of documentation, reporting known actively exploited vulnerabilities, notifying about severe incidents, informing impacted users, and providing mitigation. There is no requirement for an OSS project to have a steward. However, an OSS project may *choose* to be supported by a steward (who must then meet its obligations).
3838

3939
### CE marking compliance with the EU product legislation
4040

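Review bot: the new line 37 introduces a number-agreement slip: "may be considered an “Open Source Software Stewards”" pairs the singular article with a plural noun (the removed line had the plural without an article). Suggest either `may be considered an “Open Source Software Steward” under the CRA` or `may be considered “Open Source Software Stewards” under the CRA`. The added qualifier "for that software" does carry the per-software point from the commit message, and the rest of the paragraph is unchanged, so no other wording needs to follow.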