[{"data":1,"prerenderedAt":540},["ShallowReactive",2],{"content-en-\u002Frfc\u002F0001-oss-as-is-posture":3},{"id":4,"title":5,"author":6,"body":7,"date":62,"description":524,"extension":525,"meta":526,"navigation":527,"path":528,"robots":529,"seo":530,"stem":531,"tags":532,"__hash__":539},"content_en\u002Frfc\u002F0001-oss-as-is-posture.md","RFC-0001 — xiboplayer OSS AS-IS redistribution posture","Pau Aliagas",{"type":8,"value":9,"toc":500},"minimark",[10,14,114,119,138,142,145,148,151,161,165,170,196,200,203,230,233,237,240,291,294,298,302,305,319,322,326,329,333,336,340,344,347,350,367,370,374,377,381,384,388,391,447,451,488,491],[11,12,5],"h1",{"id":13},"rfc-0001-xiboplayer-oss-as-is-redistribution-posture",[15,16,17,30],"table",{},[18,19,20],"thead",{},[21,22,23,27],"tr",{},[24,25,26],"th",{},"Field",[24,28,29],{},"Value",[31,32,33,42,55,63,71,86,94],"tbody",{},[21,34,35,39],{},[36,37,38],"td",{},"Status",[36,40,41],{},"Published (pending external legal review)",[21,43,44,47],{},[36,45,46],{},"Author",[36,48,49,50],{},"Pau Aliagas ",[51,52,54],"a",{"href":53},"mailto:pau@xiboplayer.org","pau@xiboplayer.org",[21,56,57,60],{},[36,58,59],{},"Created",[36,61,62],{},"2026-04-14",[21,64,65,68],{},[36,66,67],{},"Published on site",[36,69,70],{},"2026-04-16",[21,72,73,76],{},[36,74,75],{},"Affected repos",[36,77,78,82,83],{},[79,80,81],"code",{},"xiboplayer",", all 11 player platforms, ",[79,84,85],{},"xiboplayer-www",[21,87,88,91],{},[36,89,90],{},"Supersedes",[36,92,93],{},"—",[21,95,96,99],{},[36,97,98],{},"Related",[36,100,101,105,106,105,110],{},[51,102,104],{"href":103},"\u002Frfc\u002F0002-cra-readiness","RFC-0002 CRA-readiness",", ",[51,107,109],{"href":108},"\u002Fsecurity","Security page",[51,111,113],{"href":112},"\u002Fsecurity\u002Fcode-signing","Code-signing policy",[115,116,118],"h2",{"id":117},"_1-summary","1. 
Summary",[120,121,122,123,127,128,131,132,134,135,137],"p",{},"The public xiboplayer project is distributed ",[124,125,126],"strong",{},"AS-IS under\nAGPL-3.0-or-later",", in the same posture as any other open-source\nproject (Linux, PostgreSQL, React). The xiboplayer project does ",[124,129,130],{},"not","\nmake CRA manufacturer claims, does ",[124,133,130],{}," register as a CRA\nopen-source steward, and does ",[124,136,130],{}," offer warranties, SLAs, or\ncompliance commitments of any kind on the public OSS binaries.",[115,139,141],{"id":140},"_2-motivation","2. Motivation",[120,143,144],{},"EU Regulation 2024\u002F2847 (Cyber Resilience Act, \"CRA\") places\nobligations on parties that \"place products with digital elements on\nthe market\" in the EU. The regulation explicitly excludes free and\nopen-source software that is not itself placed on the market in the\ncourse of a commercial activity (Recital 18, Article 2(5)).",[120,146,147],{},"xiboplayer is developed and published as free and open-source software\nunder AGPL-3.0-or-later. Maintainers do not sell the binaries, do not\noffer paid support for the OSS binaries, and do not promote them as a\ncommercial product. This places the project in the same legal category\nas the overwhelming majority of well-known OSS projects — which ship\nAS-IS, with license-provided disclaimers, and leave CRA compliance to\ndownstream commercial integrators.",[120,149,150],{},"The natural, lowest-friction posture is therefore:",[152,153,154],"ul",{},[155,156,157,160],"li",{},[124,158,159],{},"Public xiboplayer",": AS-IS OSS, no compliance claim, standard OSS\ndisclaimer.",[115,162,164],{"id":163},"_3-posture","3. 
Posture",[166,167,169],"h3",{"id":168},"_31-legal-posture-of-public-xiboplayer","3.1 Legal posture of public xiboplayer",[152,171,172,178,187,190,193],{},[155,173,174,175],{},"All public artefacts (source, RPM, DEB, APK, WGT, IPK, zip, container\nimages) are ",[124,176,177],{},"distributed AS-IS under AGPL-3.0-or-later",[155,179,180,181],{},"The standard AGPL disclaimer applies in full:\n",[182,183,184],"blockquote",{},[120,185,186],{},"THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\nNONINFRINGEMENT.",[155,188,189],{},"No CRA manufacturer claim, no steward registration, no Annex I\ncompliance statement, no CE marking, no Declaration of Conformity",[155,191,192],{},"No support commitment, no SLA, no security-patch timeline promise",[155,194,195],{},"Maintainers act as OSS contributors, not as any regulated party",[166,197,199],{"id":198},"_32-oss-hygiene-we-keep-not-a-cra-commitment","3.2 OSS hygiene we keep (not a CRA commitment)",[120,201,202],{},"These are standard OSS project practices unrelated to CRA, kept\nbecause they're cheap and downstream consumers expect them:",[152,204,205,211,221,224,227],{},[155,206,207,210],{},[79,208,209],{},"SECURITY.md"," in each repo — GitHub convention; invites bug reports",[155,212,213,216,217,220],{},[79,214,215],{},"\u002F.well-known\u002Fsecurity.txt"," on ",[79,218,219],{},"xiboplayer.org"," — RFC 9116 industry norm",[155,222,223],{},"GitHub Security Advisories — free GitHub feature",[155,225,226],{},"CycloneDX SBOM on every release — so downstream redistributors don't have to duplicate the work",[155,228,229],{},"GPG-signed releases",[120,231,232],{},"None of these are presented as legal commitments. 
They are what good\nOSS projects do.",[166,234,236],{"id":235},"_33-what-we-explicitly-do-not-do","3.3 What we explicitly DO NOT do",[120,238,239],{},"To prevent any ambiguity that could be read as an implicit commitment:",[152,241,242,249,255,261,267,273,279,285],{},[155,243,244,245,248],{},"No ",[124,246,247],{},"security response SLA"," published anywhere publicly",[155,250,244,251,254],{},[124,252,253],{},"support window"," or \"supported versions\" policy",[155,256,244,257,260],{},[124,258,259],{},"commitment"," to fix any specific class of vulnerability within\nany timeframe",[155,262,244,263,266],{},[124,264,265],{},"Annex I essential-requirements"," statement of compliance",[155,268,244,269,272],{},[124,270,271],{},"CE marking"," of any artefact",[155,274,244,275,278],{},[124,276,277],{},"EU Declaration of Conformity"," signed",[155,280,244,281,284],{},[124,282,283],{},"registration"," as a CRA steward with ENISA",[155,286,244,287,290],{},[124,288,289],{},"5-year support commitment"," (AGPL says \"as is, forever\" —\nlegally: no guarantee we'll patch anything)",[120,292,293],{},"This restraint is intentional. Every one of the above, once made,\ncreates a potential legal obligation. AS-IS OSS means no such\nobligations.",[115,295,297],{"id":296},"_4-alternatives-considered-and-rejected","4. Alternatives considered and rejected",[166,299,301],{"id":300},"_41-open-source-steward-art-24-registration","4.1 Open-source steward (Art. 24) registration",[120,303,304],{},"Rejected. 
The steward regime still requires:",[152,306,307,310,313,316],{},[155,308,309],{},"Documented cybersecurity policy (public)",[155,311,312],{},"Cooperation with EU market surveillance (ongoing obligation)",[155,314,315],{},"ENISA actively-exploited-vuln notification (24 h — a legal\ncommitment)",[155,317,318],{},"Coordinated disclosure facilitation (process obligation)",[120,320,321],{},"These are small individually but collectively create a named-entity\nobligation that has to be staffed and maintained. For a small team\nwithout dedicated compliance capacity, AS-IS OSS is materially\nsimpler and safer.",[166,323,325],{"id":324},"_42-full-manufacturer-compliance-on-oss","4.2 Full manufacturer compliance on OSS",[120,327,328],{},"Rejected. Heavy cost, material product-liability exposure, and no\nproportionate benefit for a non-commercial OSS project.",[166,330,332],{"id":331},"_43-silent-no-statement-at-all","4.3 Silent \u002F no statement at all",[120,334,335],{},"Rejected. Without an explicit AS-IS statement a court might interpret\ncommercial-looking channels (e.g. a paid-infrastructure-hosted release\ndomain) as implicit placing on the market. An explicit AS-IS\ndisclaimer forecloses that argument.",[115,337,339],{"id":338},"_5-risks-and-open-questions","5. Risks and open questions",[166,341,343],{"id":342},"_51-classification-is-distribution-of-the-oss-binaries-itself-a-commercial-activity","5.1 Classification: is distribution of the OSS binaries itself a \"commercial activity\"?",[120,345,346],{},"CRA Article 2(5) excludes OSS not placed on the market commercially.\nRecital 18 clarifies that \"in the context of free and open-source\nsoftware that is made available on the market in the course of a\ncommercial activity, and only in that context, this Regulation should\napply\".",[120,348,349],{},"Whether our distribution counts as \"commercial activity\" depends on\nfacts, not on what we say. 
Factors likely to weigh in our favour:",[152,351,352,355,358,364],{},[155,353,354],{},"Binaries are free",[155,356,357],{},"Source is fully open under AGPL",[155,359,360,361,363],{},"Distribution domain (",[79,362,219],{},") is project-focused, not\ncommercial",[155,365,366],{},"No paid features, tiers, or upsells on the OSS side",[120,368,369],{},"The explicit AS-IS language in §3.1 is the legal shield. AGPL's\ndisclaimer plus the explicit non-commercial positioning are the\nmechanisms by which we intend to remain outside CRA's \"commercial\nactivity\" test.",[166,371,373],{"id":372},"_52-competitor-triggered-complaint","5.2 Competitor-triggered complaint",[120,375,376],{},"A competitor could file a complaint with an EU market surveillance\nauthority asserting we are placing OSS on the market commercially.\nMitigation: the AS-IS posture documented here is the defence; having\nit written, signed, and consistently applied is what makes it\ncredible.",[166,378,380],{"id":379},"_53-downstream-commercial-redistributors","5.3 Downstream commercial redistributors",[120,382,383],{},"Anyone who redistributes xiboplayer in a commercial context becomes\ntheir own manufacturer for CRA purposes. That is their obligation,\nnot the OSS project's — and nothing in this RFC is intended to\ntransfer compliance from the redistributor to upstream.",[115,385,387],{"id":386},"_6-artefacts","6. 
Artefacts",[120,389,390],{},"This posture is backed by the following concrete files and URLs,\neach of which is the ground truth for a specific claim above:",[152,392,393,398,405,420,425,434],{},[155,394,395,397],{},[79,396,209],{}," in each xibo-players repo — disclosure channel",[155,399,400,404],{},[51,401,403],{"href":402},"mailto:security@xiboplayer.org","security@xiboplayer.org"," — monitored inbox",[155,406,407,408,411,412,415,416,419],{},"PGP key for the inbox: ",[79,409,410],{},"991E 74C3 A033 673F 4FCF 25B8 B7D2 5A81 02F6 3D6A","\n(published on ",[79,413,414],{},"keys.openpgp.org"," and ",[79,417,418],{},"keyserver.ubuntu.com",")",[155,421,422,424],{},[51,423,215],{"href":215}," — RFC 9116 descriptor",[155,426,427,428],{},"CycloneDX SBOM attached to every SDK release on\n",[51,429,433],{"href":430,"rel":431},"https:\u002F\u002Fgithub.com\u002Fxibo-players\u002Fxiboplayer\u002Freleases",[432],"nofollow","github.com\u002Fxibo-players\u002Fxiboplayer\u002Freleases",[155,435,436,437,440,441,444,445],{},"RPM and DEB packages signed with ",[79,438,439],{},"packages@xiboplayer.org","\n(",[79,442,443],{},"04A9 1796 92E8 6CF1 1D10 3CBF 5A30 EA2B B69D 32F2",") — see\n",[51,446,113],{"href":112},[115,448,450],{"id":449},"_7-references","7. 
References",[152,452,453,461,468,475,480,484],{},[155,454,455,460],{},[51,456,459],{"href":457,"rel":458},"https:\u002F\u002Feur-lex.europa.eu\u002Feli\u002Freg\u002F2024\u002F2847\u002Foj",[432],"EU Regulation 2024\u002F2847 — Cyber Resilience Act","\n(Article 2(5), Recitals 14–24 for OSS scope)",[155,462,463],{},[51,464,467],{"href":465,"rel":466},"https:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fagpl-3.0.en.html",[432],"AGPL-3.0 text",[155,469,470],{},[51,471,474],{"href":472,"rel":473},"https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Frfc9116\u002F",[432],"RFC 9116 — security.txt",[155,476,477],{},[51,478,479],{"href":103},"RFC-0002 CRA-readiness posture",[155,481,482],{},[51,483,109],{"href":108},[155,485,486],{},[51,487,113],{"href":112},[489,490],"hr",{},[120,492,493],{},[494,495,496,497,499],"em",{},"RFC-0001 is authored by Pau Aliagas ",[51,498,54],{"href":53}," on behalf\nof the xiboplayer open-source project, in Catalonia, European Union.\nIt is not legal advice. This RFC is published pending external\ncounsel review.",{"title":501,"searchDepth":502,"depth":502,"links":503},"",3,[504,506,507,512,517,522,523],{"id":117,"depth":505,"text":118},2,{"id":140,"depth":505,"text":141},{"id":163,"depth":505,"text":164,"children":508},[509,510,511],{"id":168,"depth":502,"text":169},{"id":198,"depth":502,"text":199},{"id":235,"depth":502,"text":236},{"id":296,"depth":505,"text":297,"children":513},[514,515,516],{"id":300,"depth":502,"text":301},{"id":324,"depth":502,"text":325},{"id":331,"depth":502,"text":332},{"id":338,"depth":505,"text":339,"children":518},[519,520,521],{"id":342,"depth":502,"text":343},{"id":372,"depth":502,"text":373},{"id":379,"depth":502,"text":380},{"id":386,"depth":505,"text":387},{"id":449,"depth":505,"text":450},"The public xiboplayer project is distributed AS-IS under AGPL-3.0-or-later, in the same posture as any other OSS project. No CRA manufacturer claim, no steward registration, no warranties, no SLAs. 
Published 2026-04-16.","md",{},true,"\u002Frfc\u002F0001-oss-as-is-posture",null,{"title":5,"description":524},"rfc\u002F0001-oss-as-is-posture",[533,534,535,536,537,538],"rfc","cra","compliance","oss","agpl","posture","Qv0EdWdDNSeTlRJVx__nwkccIAoVTIagTG5gPRVsuYo",1777112059906]