2026-03-16, Room Wintergarten
The Cyber Resilience Act (CRA) will require FOSS projects to step up their security and, following the logic of the FOSS ecosystem, produce attestation for their software.
This talk introduces fair-share cost tokens - a feature which supports financial flows along open source software supply chains. (No blockchain)
The goal of this talk is to provide an overview of the economic component of the CRA attestation project [1].
Fair-share cost tokens are cryptographically signed tokens which allow manufacturers to prove that they are making their "fair" contribution to the health of their FOSS ecosystem. Whenever a commercial software producer - a manufacturer in terms of the CRA - includes FOSS code maintained by a legal entity - an Open Source Software Steward in terms of the CRA - the token is used for attestation. Thus, the two parties can establish a communication channel in case of a security incident. The same mechanism should also allow resources to be brought deeper into the supply chain, since a software steward can use it to allocate resources towards the stewards whose codebases it is using.
Frameworks like SCITT [2] and OmniBOR [3] could provide the technical implementation. However, some policy work is required to make the situation of potential FOSS projects in the EU compatible with that of 501(c)(3)s in the US.
[1] https://github.com/orcwg/cra-attestations
[2] https://datatracker.ietf.org/wg/scitt/about/
[3] https://omnibor.io/project/
Gregor "Little Detritus" Bransky is a c-base member and German digital rights activist.
At the core of his activist work is the pursuit of public interest tech that empowers people instead of surveilling them; for the last five years he has been trying to find business models for public digital infrastructures.
He will guide you through the 700 square meters of c-base accessible to humans. He works on privacy-preserving digital platforms and infrastructures which empower users to make data-based decisions.
