Risks of misinformation

Possibly. What would you like the answer to this question to be and why? This is the sort of discussion we as a community should be having. Does it matter that the precise source code they're shipping is not available to non-customers?

Should Firefox/Chrome be held to a higher standard than OpenOffice or Gimp? How and why?

> By providing *services* associated with the software I also provide, I became a "manufacturer"

Sorry, I don't see this supported by any text, and it doesn't make any sense either. A manufacturer is someone that amongst other things, markets a product under a trademark they own. Whether you provide services associated with it is not relevant. What's really relevant here: the manufacturer is the person that can fix any problems.

> And the CRA is intended to cover far more than "safety issues"

Sure, this is confusing two things: when it comes to liability with respect to some (security) event, that's only relevant when talking about safety issues. The CRA covers many more things, but then you're only talking about non-conformity which is something else.

I guess the thing that surprises me most about this whole discussion is that I thought one of the big things about open-source is that people publishing/distributing code did so with a sense of "I made an effort to produce good code, as free of (security) bugs as I could manage". It seems that a sizable portion of the community doesn't feel this, or at least isn't willing to state it publically. That makes me sad, but I guess explains the dismal state of the software industry.

It's basically the "This is fine" meme, while the building burns down around you.