# RFC-0002 — EU Cyber Resilience Act (CRA) readiness posture

| Field | Value |
| --- | --- |
| Status | Published |
| Author | Pau Aliagas [pau@xiboplayer.org](mailto:pau@xiboplayer.org) |
| Published | 2026-04-16 |
| Supersedes | — |
| Related | [RFC-0001 (AS-IS OSS posture)](/rfc/0001-oss-as-is-posture), [Security page](/security), [Code-signing policy](/security/code-signing), [Privacy policy](/legal/privacy) |
| Review trigger | Any of: (a) ENISA implementing act on Article 14 published, (b) Commission delegated act on the OSS scope, (c) 2027-12-11 CRA full applicability date |

## 1. Summary

This RFC documents the xiboplayer project's public posture on EU Regulation 2024/2847 — the **Cyber Resilience Act (CRA)** — as of **2026-04-16**, ahead of the regulation's main obligations taking effect on **2027-12-11** and the manufacturer reporting obligations on **2026-09-11**. The public xiboplayer binaries and source are distributed AS-IS under AGPL-3.0-or-later and rely on the free-and-open-source-software carve-out codified in Article 2(5) and Recital 18 of the Regulation. We ship this RFC publicly, dated, and signed so that customers, redistributors, and market-surveillance authorities have a written record of what we claim, what we decline, and what we have actually built on the ground by today.

## 2. Scope

### 2.1 In scope of this RFC

Every artefact the xiboplayer project **publishes or distributes from an `xiboplayer.org` / `xibo-players.github.io` surface**, including:

- Source code on `github.com/xibo-players/*` under AGPL-3.0-or-later
- Binary releases on `dl.xiboplayer.org` (RPM, DEB repos), GitHub Releases, and pre-built kiosk images on `images.xiboplayer.org`
- Hosted documentation on `xiboplayer.org`
- Every repo's `SECURITY.md` and the canonical [/.well-known/security.txt](/.well-known/security.txt)

### 2.2 Out of scope of this RFC

- **The Xibo CMS itself** — upstream project run by Xibo Signage Ltd; they speak for their own CRA posture
- **Downstream integrators** — anyone shipping xiboplayer inside a commercial product (integrator appliances, OEM signage packages, paid hosted services) becomes their own CRA "manufacturer" for their product; this RFC does not transfer that obligation to upstream
- **Third-party dependencies** (Electron, Chromium, Node, Android runtime, Tizen WRT, webOS runtime) — those are their vendors' problem and show up in our SBOM for traceability only

### 2.3 Maintainer status

The public project is **maintainer-led, single-developer-primary** (Pau Aliagas, Catalonia, European Union) with community contributions via GitHub. There is no legal entity that "places the binaries on the market" in the commercial sense — a fact material to §5.

## 3. What we do today (2026-04-16)

All items below are live, in-tree, and verifiable. This is a statement of fact, **not** a statement of future commitment.

### 3.1 Coordinated disclosure channel

- `security@xiboplayer.org` — monitored inbox; forwards to the maintainer
- PGP key for encrypted reports: `991E 74C3 A033 673F 4FCF 25B8 B7D2 5A81 02F6 3D6A` (UID `xiboplayer Security <security@xiboplayer.org>`), published on `keys.openpgp.org` and `keyserver.ubuntu.com` since 2026-04-14
- `SECURITY.md` present in the SDK repo and propagating to all player-repo templates
- [/.well-known/security.txt](/.well-known/security.txt) per [RFC 9116](https://datatracker.ietf.org/doc/rfc9116/)
- GitHub Security Advisories enabled on all `xibo-players/*` repos; private-advisory workflow available to researchers who prefer GitHub over email

### 3.2 Software Bill of Materials (SBOM)

- **CycloneDX JSON 1.5+ produced and attached to every release** of the `xiboplayer` SDK as of v0.7.x, via [.github/workflows/publish.yml](https://github.com/xibo-players/xiboplayer/blob/main/.github/workflows/publish.yml) using `anchore/sbom-action@v0`.
- We ship SBOMs for **downstream transparency**, not as a compliance attestation — see §5.2.

### 3.3 Signed commits and signed releases

- Release tags on `xibo-players/xiboplayer` from v0.7.0 onward are GPG-signed. A deep-sign audit on 2026-04-10 covered the full v0.7.0~1..HEAD range (509 commits, 18 tags); 96% signed cleanly at that checkpoint. The v0.7.0..HEAD range as of 2026-04-16 maintains 100% signing coverage.
- RPM and DEB packages published to `dl.xiboplayer.org` are signed with `packages@xiboplayer.org` (`04A9 1796 92E8 6CF1 1D10 3CBF 5A30 EA2B B69D 32F2`), live since 2026-03-30
- ISO images on `images.xiboplayer.org` are signed with `images@xiboplayer.org` (`0B21 BFF6 6C83 EB4B 0E05 CF54 5F90 8630 B780 45FF`), CI integration pending per the [Code-signing policy](/security/code-signing)

### 3.4 Vulnerability management in CI

- **Dependabot** enabled across all `xibo-players/*` repos for the dependency ecosystems in use (npm, pnpm, GitHub Actions, Cargo, gems)
- **CodeQL** runs on SDK PRs and weekly on main
- **`anchore/scan-action` / grype** runs against every built SBOM with `severity-cutoff: critical, fail-build: true` — a CRITICAL-severity CVE in a direct dependency blocks the release pipeline

### 3.5 Transparency artefacts already live

- [Privacy policy](/legal/privacy) — effective 2026-04-15. States plainly: the player software has no telemetry, no phone-home, no maintainer-side data collection
- [Code-signing policy](/security/code-signing) — documents every signing authority, the approval chain, and an independent-verification recipe

## 4. What we do not do yet (honest gaps)

We are deliberately explicit about what today's posture does **not** include, so downstream consumers do not infer obligations we have not assumed.

| Gap | Current state |
| --- | --- |
| Formal **CE marking** under CRA Annex I / III | None. No Declaration of Conformity signed for any xiboplayer artefact |
| **Third-party security audit** | None commissioned |
| **Formal ISO/IEC 29147 vulnerability-disclosure policy** | `SECURITY.md` + security.txt + RFC-0001 constitute a *de facto* policy but no formal conformance claim |
| **Mandatory auto-update enforcement** | We ship update paths (PWA service-worker swap, RPM repo refresh, APK OTA for Android) but never force them; the deployer controls the upgrade cadence |
| **Open-source steward** (Art. 24) registration | Declined — see [RFC-0001 §4.1](/rfc/0001-oss-as-is-posture) |
| **Conformity assessment module** (self-assessment vs notified body) | N/A — see CE marking row |

## 5. Legal interpretation (our read, not legal counsel)

This section is a good-faith interpretation of the regulation as published in the Official Journal on 2024-11-20 (<https://eur-lex.europa.eu/eli/reg/2024/2847/oj>). None of it is legal advice and it will be revised when authoritative guidance contradicts or refines it.

### 5.1 Why we lean on the OSS carve-out

**Article 2(5)**, read with **Recital 18**, exempts from the Regulation's scope free and open-source software that is not placed on the market in the course of a commercial activity.

Our posture leans on three facts:

1. **The public binaries are free.** There is no paid tier, paid support, paid SaaS, paid feature flag, commercial dual-license, or promotional funnel to a paid product on the OSS-branded surfaces.
2. **No regular-and-continuous revenue stream linked to the binaries.** The guidance in Recital 18 about "not characterised by a commercial activity" specifically calls out absence of revenue. Infrastructure is currently donated in-kind (Cloudflare R2 free tier, GitHub free public repos, self-hosted build host).
3. **The distribution surface is project-focused.** The `xiboplayer.org` domain, `dl.xiboplayer.org` package repos, and `github.com/xibo-players/*` sources exist to serve the open-source project itself, not to funnel users toward a paid product.

### 5.2 Why our SBOMs are not a compliance claim

CRA Annex I §2(1) requires manufacturers to "*identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials*". Because we do not claim manufacturer status, our SBOMs are not filed under this obligation; they are published under an **OSS-hygiene rationale** so that downstream commercial integrators can satisfy their own Annex I §2(1) obligation without duplicating our work.

### 5.3 Why we do not publish a response-time SLA

A published SLA — even one as narrow as "72 h acknowledgement / 30 d fix" — creates an enforceable commitment that a market-surveillance authority can read as evidence of *manufacturer-like* behaviour, which in turn weakens the Article 2(5) defence. [RFC-0001 §3.3](/rfc/0001-oss-as-is-posture) explicitly refuses such language on the OSS surface for this reason. This is a material departure from the most common "mature OSS project" template (which tends to publish 72 h / 90 d numbers). We believe the departure is the right call under current EU law and will revisit if authoritative guidance (ENISA implementing act; Commission delegated act) contradicts it.

## 6. Commitments

These are the hard commitments we make under this RFC. Each has an owner, a date, and a verifiable artefact. Missing a committed date triggers a written amendment within 30 days stating the slip and the new date.

| ID | Commitment | Artefact | Due |
| --- | --- | --- | --- |
| **C-1** | Publish a dated Vulnerability Disclosure Policy conforming in structure to [ISO/IEC 29147:2018](https://www.iso.org/standard/72311.html) on `xiboplayer.org/security/vulnerability-disclosure` | Public URL + changelog entry | **2026-12-31** |
| **C-2** | Ship CycloneDX SBOMs on every release of all primary player repos (SDK, Electron, Chromium, Android, webOS, Tizen, AI) | Release asset `*-sbom.cdx.json` attached on each GitHub Release | **2026-09-30** |
| **C-3** | Register on the EU single reporting platform under the role that applies (maintainer / steward / not-applicable) | Public acknowledgement on this page | Within 90 days of ENISA opening registration |
| **C-4** | Amend this RFC within 30 days of any EU-authoritative guidance (ENISA implementing act, Commission delegated act, court ruling) that contradicts §5 | RFC-0002 amendment changelog | Rolling |
| **C-5** | Deep-sign the entire `xibo-players/xiboplayer` commit history that feeds into any release consumed by downstream integrators, to the extent technically feasible given the git-subtree history | Audit note in the code-signing policy | **2026-07-31** |

## 7. First-mover signal

We publish this RFC on **2026-04-16** — **19 months** before the main CRA applicability date of 2027-12-11, and **five months** before the Art. 14 manufacturer reporting obligations kick in on 2026-09-11. We do so knowing that:

- The FOSS scope in Article 2(5) and Recital 18 will likely be refined by delegated acts whose text is not yet public
- ENISA implementing guidance on the reporting platform is still in consultation as of 2026-04-16 ([Commission CRA landing page](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act))
- The vast majority of small-to-medium OSS signage projects in the EU space have published nothing comparable on 2026-04-16. Shipping a dated, signed posture document ahead of that curve is itself the point: we would rather be visible, dated, and corrigible than silent and deniable

**If authoritative EU guidance published after 2026-04-16 contradicts any interpretation in §5, we commit (see C-4) to amending this RFC within 30 days of the contradicting authority's publication, with a full changelog entry — and, if the amendment materially changes downstream obligations, a blog post flagging the change.**

This is not a claim of compliance. It is a claim of **good-faith transparency at a date**.

## 8. References

- [EU Regulation 2024/2847 (Cyber Resilience Act), OJ L 2024/2847, 20 November 2024](https://eur-lex.europa.eu/eli/reg/2024/2847/oj)
- [European Commission — Cyber Resilience Act policy page](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act)
- [ENISA — Cyber Resilience Act publications](https://www.enisa.europa.eu/topics/cyber-resilience-act)
- [ISO/IEC 29147:2018 — Vulnerability disclosure](https://www.iso.org/standard/72311.html)
- [ISO/IEC 30111:2019 — Vulnerability handling processes](https://www.iso.org/standard/69725.html)
- [RFC 9116 — A File Format to Aid in Security Vulnerability Disclosure](https://datatracker.ietf.org/doc/rfc9116/)
- [AGPL-3.0 licence text](https://www.gnu.org/licenses/agpl-3.0.en.html)
- [Apache Software Foundation — CRA position, 2024](https://news.apache.org/foundation/entry/the-apache-software-foundation-position-on-the-cyber-resilience-act)
- [Linux Foundation Europe — CRA resource centre](https://linuxfoundation.eu/cyber-resilience-act)
- Internal: [RFC-0001 — OSS AS-IS posture](/rfc/0001-oss-as-is-posture), [Security page](/security), [Code-signing policy](/security/code-signing), [Privacy policy](/legal/privacy)

## 9. Changelog

- **2026-04-16** — Initial publication (Pau Aliagas).

---

*RFC-0002 is authored by Pau Aliagas [pau@xiboplayer.org](mailto:pau@xiboplayer.org) on behalf of the xiboplayer open-source project, in Catalonia, European Union. It is not legal advice.*