Re: Amendment to the original proposal (was: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive")



Thank you very much, Santiago!

I am not sure whether your seconders must also second the amended
version, but I reviewed it, and agree with the proposed changes (none
of which seem to alter IMO the intent of the document).

Thus, re-seconded.

Santiago Ruano Rincón said [Fri, Nov 24, 2023 at 04:24:56PM +0000]:
> Hello there,
> 
> Here you can find a modified version that takes into account most of the
> reviews. It doesn't change the meaning of the original proposal, and
> hopefully improves it. Thanks again for all the comments.
> 
> A diff between both versions is found below.
> 
>     ----- GENERAL RESOLUTION STARTS -----
> 
>     Debian Public Statement about the EU Cyber Resilience Act and the
>     Product Liability Directive
> 
>     The European Union is currently preparing a regulation "on horizontal
>     cybersecurity requirements for products with digital elements" known as
>     the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
>     phase of the legislative process. The act includes a set of essential
>     cybersecurity and vulnerability handling requirements for manufacturers.
>     It will require products to be accompanied by information and
>     instructions to the user. Manufacturers will need to perform risk
>     assessments and produce technical documentation and for critical
>     components, have third-party audits conducted. Discovered security
>     issues will have to be reported to European authorities within 24 hours
>     (1). The CRA will be followed up by the Product Liability Directive
>     (PLD) which will introduce compulsory liability for software. More
>     information about the proposed legislation and its consequences in (2).
> 
>     While a lot of these regulations seem reasonable, the Debian project
>     believes that there are grave problems for Free Software projects
>     attached to them. Therefore, the Debian project issues the following
>     statement:
> 
>     1.  Free Software has always been a gift, freely given to society, to
>     take and to use as seen fit, for whatever purpose. Free Software has
>     proven to be an asset in our digital age and the proposed EU Cyber
>     Resilience Act is going to be detrimental to it.
>         a.  As the Debian Social Contract states, our goal is "make the best
>     system we can, so that free works will be widely distributed and used."
>     Imposing requirements such as those proposed in the act makes it legally
>     perilous for others to redistribute our work and endangers our commitment
>     to "provide an integrated system of high-quality materials with no legal
>     restrictions that would prevent such uses of the system". (3)
> 
>         b.  Knowing whether software is commercial or not isn't feasible,
>     neither in Debian nor in most free software projects - we don't track
>     people's employment status or history, nor do we check who finances
>     upstream projects (the original projects that we integrate in our
>     operating system).
> 
>         c.  If upstream projects stop developing for fear of being in the
>     scope of CRA and its financial consequences, system security will
>     actually get worse instead of better.
> 
>         d.  Having to get legal advice before giving a present to society
>     will discourage many developers, especially those without a company or
>     other organisation supporting them.
> 
>     2.  Debian is well known for its security track record through practices
>     of responsible disclosure and coordination with upstream developers and
>     other Free Software projects. We aim to live up to the commitment made
>     in the Debian Social Contract: "We will not hide problems." (3)
> 
>         a.  The Free Software community has developed a fine-tuned,
>     tried-and-tested system of responsible disclosure in case of security
>     issues which will be overturned by the mandatory reporting to European
>     authorities within 24 hours (Art. 11 CRA).
> 
>         b.  Debian spends a lot of volunteering time on security issues,
>     provides quick security updates and works closely together with upstream
>     projects, in coordination with other vendors. To protect its users,
>     Debian regularly participates in limited embargos to coordinate fixes to
>     security issues so that all other major Linux distributions can also have
>     a complete fix when the vulnerability is disclosed.
> 
>         c.  Security issue tracking and remediation is intentionally
>     decentralized and distributed. The reporting of security issues to
>     ENISA and the intended propagation to other authorities and national
>     administrations would collect all software vulnerabilities in one place,
>     greatly increasing the risk of leaking information about vulnerabilities
>     to threat actors, representing a threat for all the users around the
>     world, including European citizens.
> 
>         d.  Activists use Debian (e.g. through derivatives such as Tails),
>     among other reasons, to protect themselves from authoritarian
>     governments; handing threat actors exploits they can use for oppression
>     is against what Debian stands for.
> 
>         e.  Developers and companies will downplay security issues because
>     a "security" issue now comes with legal implications. Less clarity on
>     what is truly a security issue will hurt users by leaving them vulnerable.
> 
>     3.  While proprietary software is developed behind closed doors, Free
>     Software development is done in the open, transparent for everyone. To
>     retain parity with proprietary software the open development process needs
>     to be entirely exempt from CRA requirements, just as the development of
>     software in private is. A "making available on the market" can only be
>     considered after development is finished and the software is released.
> 
>     4.  Even if only "commercial activities" are in the scope of CRA, the
>     Free Software community - and as a consequence, everybody - will lose a
>     lot of small projects. CRA will force many small enterprises and most
>     probably all self employed developers out of business because they
>     simply cannot fulfill the requirements imposed by CRA. Debian and other
>     Linux distributions depend on their work. If accepted as it is,
>     CRA will undermine not only an established community but also a
>     thriving market. CRA needs an exemption for small businesses and, at the
>     very least, solo-entrepreneurs.
> 
>     ==========================================================================
> 
> 
>     Sources:
> 
>     (1) CRA proposals and links:
>     https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-european-cyber-resilience-act
>     PLD proposals and links:
>     https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
> 
>     (2) Background information:
>     https://blog.documentfoundation.org/blog/2023/01/24/tdf-position-on-eus-proposed-cyber-resilience-act/
>     https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation
>     https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
>     https://blog.opensource.org/author/webmink/
>     Detailed analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
> 
>     (3) Debian Social Contract No. 2, 3 and 4
>     https://www.debian.org/social_contract
> 
>     ----- GENERAL RESOLUTION ENDS -----
> 
> 
> 
> --- vote.original	2023-11-23 23:06:59.323036166 +0000
> +++ vote.new	2023-11-23 23:24:20.434942609 +0000
> @@ -9,7 +9,7 @@
>  It will require products to be accompanied by information and
>  instructions to the user. Manufacturers will need to perform risk
>  assessments and produce technical documentation and for critical
> -components, have third-party audits conducted. Discoverded security
> +components, have third-party audits conducted. Discovered security
>  issues will have to be reported to European authorities within 24 hours
>  (1). The CRA will be followed up by the Product Liability Directive
>  (PLD) which will introduce compulsory liability for software. More
> @@ -24,17 +24,18 @@
>  take and to use as seen fit, for whatever purpose. Free Software has
>  proven to be an asset in our digital age and the proposed EU Cyber
>  Resilience Act is going to be detrimental to it.
> -    a.  It is Debian's goal to "make the best system we can, so that
> -free works will be widely distributed and used." Imposing requirements
> -such as those proposed in the act makes it legally perilous for others
> -to redistribute our works and endangers our commitment to "provide an
> -integrated system of high-quality materials _with no legal restrictions_
> -that would prevent such uses of the system". (3)
> +    a.  As the Debian Social Contract states, our goal is "make the best
> +system we can, so that free works will be widely distributed and used."
> +Imposing requirements such as those proposed in the act makes it legally
> +perilous for others to redistribute our work and endangers our commitment
> +to "provide an integrated system of high-quality materials with no legal
> +restrictions that would prevent such uses of the system". (3)
>  
>      b.  Knowing whether software is commercial or not isn't feasible,
>  neither in Debian nor in most free software projects - we don't track
>  people's employment status or history, nor do we check who finances
> -upstream projects.
> +upstream projects (the original projects that we integrate in our
> +operating system).
>  
>      c.  If upstream projects stop developing for fear of being in the
>  scope of CRA and its financial consequences, system security will
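Review bot: the rewritten item a. drops the underscore emphasis the original placed around "with no legal restrictions" (`_with no legal restrictions_`); if that emphasis was deliberate, consider carrying it into the new wording, e.g. `materials _with no legal restrictions_ that would prevent`. The "our works" to "our work" correction and the added gloss of "upstream projects" read well.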
> @@ -47,11 +48,11 @@
>  2.  Debian is well known for its security track record through practices
>  of responsible disclosure and coordination with upstream developers and
>  other Free Software projects. We aim to live up to the commitment made
> -in the Social Contract: "We will not hide problems." (3)
> +in the Debian Social Contract: "We will not hide problems." (3)
>  
> -    a.  The Free Software community has developed a fine-tuned, well
> -working system of responsible disclosure in case of security issues
> -which will be overturned by the mandatory reporting to European
> +    a.  The Free Software community has developed a fine-tuned,
> +tried-and-tested system of responsible disclosure in case of security
> +issues which will be overturned by the mandatory reporting to European
>  authorities within 24 hours (Art. 11 CRA).
>  
>      b.  Debian spends a lot of volunteering time on security issues,
> @@ -80,7 +81,7 @@
>  
>  3.  While proprietary software is developed behind closed doors, Free
>  Software development is done in the open, transparent for everyone. To
> -keep even with proprietary software the open development process needs
> +retain parity with proprietary software the open development process needs
>  to be entirely exempt from CRA requirements, just as the development of
>  software in private is. A "making available on the market" can only be
>  considered after development is finished and the software is released.
> @@ -89,9 +90,9 @@
>  Free Software community - and as a consequence, everybody - will lose a
>  lot of small projects. CRA will force many small enterprises and most
>  probably all self employed developers out of business because they
> -simply cannot fullfill the requirements imposed by CRA. Debian and other
> -Linux distributions depend on their work. It is not understandable why
> -the EU aims to cripple not only an established community but also a
> +simply cannot fulfill the requirements imposed by CRA. Debian and other
> +Linux distributions depend on their work. If accepted as it is,
> +CRA will undermine not only an established community but also a
>  thriving market. CRA needs an exemption for small businesses and, at the
>  very least, solo-entrepreneurs.
>  
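Review bot: the unchanged context line "most probably all self employed developers" should hyphenate the compound adjective as "self-employed", matching "solo-entrepreneurs" two lines below; since this hunk already rewrites the paragraph, it is the natural place to fix it. The "fullfill" to "fulfill" correction and the replacement of "It is not understandable why the EU aims to cripple" with the more neutral "If accepted as it is, CRA will undermine" are fine.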
> @@ -101,7 +102,7 @@
>  Sources:
>  
>  (1) CRA proposals and links:
> -https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
> +https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-european-cyber-resilience-act
>  PLD proposals and links:
>  https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
>  
> @@ -110,8 +111,7 @@
>  https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation
>  https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
>  https://blog.opensource.org/author/webmink/
> -Detailed
> -analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
> +Detailed analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
>  
>  (3) Debian Social Contract No. 2, 3 and 4
>  https://www.debian.org/social_contract
> 
> Cheers,
> 
>  -- Santiago


