On Mon, Aug 11, 2025 at 10:34:13AM +0000, KATARE, SAURABH [EMR/MSOL/PUNE] wrote:
Hello,
I hope this message finds you well.
As part of our ongoing efforts to comply with the EU Cyber Resilience Act (CRA), we are currently conducting a cybersecurity risk assessment of third-party software vendors whose products or components are integrated into our systems.
To support this initiative, we kindly request your input on the following questions related to your software product "Advanced Linux Sound Architecture (ALSA)" with version v1.2.1.2. Please provide your responses directly in the table below and do reply to all added in this email,
Note, you do realize who you are asking for this information from, right? "ALSA" is NOT considered a manufacturer under the rules of the CRA, and as such does NOT have to provide any of this information.
YOU are considered a manufacturer under the CRA, so YOU have to follow the manufacturer rules of the CRA, not "ALSA". That's how the CRA works when you incorporate open source software into your product.
So please go and work on your auditing and processes, they need a lot of work. I can't wait to see what you are going to do when you run across the "Linux" package :)
If you have further questions, please let me know. As I am on the CRA Expert panel as a representitive for Linux and some other projects, I am pretty familiar with this process.
thanks,
greg k-h