
Upcoming EU Legislation (Cyber Resilience Act and Product Liability Directive)


Ilulu

Nov 11, 2023, 8:10:04 PM
Hi Debianites,

as a result of our discussions on DebConf23 and MiniDebConf Uruguay I
would like to alert a broader audience to some proposed legislation in
the European Union. I think Debian should take a public stand in this
debate. I would like Debian to discuss and decide about making a public
statement, as drafted here below.

Regards,
Ilu

==================================================================================


Draft - Debian Public Statement about the EU Cyber Resilience Act and
the Product Liability Directive

The European Union is currently preparing a regulation "on horizontal
cybersecurity requirements for products with digital elements" known as
the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
phase of the legislative process. The act includes a set of essential
cybersecurity and vulnerability handling requirements for manufacturers.
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
assessments and produce technical documentation and, for critical
components, have third-party audits conducted. Discovered security
issues will have to be reported to European authorities within 24 hours
(1). The CRA will be followed up by the Product Liability Directive
(PLD) which will introduce compulsory liability for software. More
information about the proposed legislation and its consequences in (2).

While a lot of these regulations seem reasonable, the Debian project
believes that there are grave problems for Free Software projects
attached to them. Therefore, the Debian project issues the following
statement:

1. Free Software has always been a gift, freely given to society, to
take and to use as seen fit, for whatever purpose. Free Software has
proven to be an asset in our digital age and the proposed EU Cyber
Resilience Act is going to be detrimental to it.
a. It is Debian's goal to "make the best system we can, so that
free works will be widely distributed and used." Imposing requirements
such as those proposed in the act makes it legally perilous for others
to redistribute our works and endangers our commitment to "provide an
integrated system of high-quality materials _with no legal restrictions_
that would prevent such uses of the system". (3)

b. Knowing whether software is commercial or not isn't feasible,
neither in Debian nor in most free software projects - we don't track
people's employment status or history, nor do we check who finances
upstream projects.

c. If upstream projects stop developing for fear of being in the
scope of CRA and its financial consequences, system security will
actually get worse instead of better.

d. Having to get legal advice before giving a present to society
will discourage many developers, especially those without a company or
other organisation supporting them.

2. Debian is well known for its security track record through practices
of responsible disclosure and coordination with upstream developers and
other Free Software projects. We aim to live up to the commitment made
in the Social Contract: "We will not hide problems." (3)
a. The Free Software community has developed a fine-tuned, well
working system of responsible disclosure in case of security issues
which will be overturned by the mandatory reporting to European
authorities within 24 hours (Art. 11 CRA).

b. Debian spends a lot of volunteering time on security issues,
provides quick security updates and works closely together with upstream
projects, in coordination with other vendors. To protect its users,
Debian regularly participates in limited embargos to coordinate fixes to
security issues so that all other major Linux distributions can also
have a complete fix when the vulnerability is disclosed.

c. Security issue tracking and remediation is intentionally
decentralized and distributed. The reporting of security issues to
ENISA and the intended propagation to other authorities and national
administrations would collect all software vulnerabilities in one place,
greatly increasing the risk of leaking information about vulnerabilities
to threat actors, representing a threat for all the users around the
world, including European citizens.

d. Activists use Debian (e.g. through derivatives such as Tails),
among other reasons, to protect themselves from authoritarian
governments; handing threat actors exploits they can use for oppression
is against what Debian stands for.

e. Developers and companies will downplay security issues because
a "security" issue now comes with legal implications. Less clarity on
what is truly a security issue will hurt users by leaving them vulnerable.

3. While proprietary software is developed behind closed doors, Free
Software development is done in the open, transparent for everyone. To
keep even with proprietary software the open development process needs
to be entirely exempt from CRA requirements, just as the development of
software in private is. A "making available on the market" can only be
considered after development is finished and the software is released.

4. Even if only "commercial activities" are in the scope of CRA, the
Free Software community - and as a consequence, everybody - will lose a
lot of small projects. CRA will force many small enterprises and most
probably all self-employed developers out of business because they
simply cannot fulfill the requirements imposed by CRA. Debian and other
Linux distributions depend on their work. It is not understandable why
the EU aims to cripple not only an established community but also a
thriving market. CRA needs an exemption for small businesses and, at the
very least, solo-entrepreneurs.

==================================================================================


Sources:

(1) CRA proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
PLD proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive

(2) Background information:
https://blog.documentfoundation.org/blog/2023/01/24/tdf-position-on-eus-proposed-cyber-resilience-act/
https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation
https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
https://blog.opensource.org/author/webmink/
Detailed analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en

(3) Debian Social Contract No. 2, 3 and 4
https://www.debian.org/social_contract

Gunnar Wolf

Nov 12, 2023, 10:50:04 AM
Ilulu said [Sun, Nov 12, 2023 at 01:58:42AM +0100]:
> Hi Debianites,
>
> as a result of our discussions on DebConf23 and MiniDebConf Uruguay I
> would like to alert a broader audience to some proposed legislation in
> the European Union. I think Debian should take a public stand in this
> debate. I would like Debian to discuss and decide about making a public
> statement, as drafted here below.
>
> Regards,
> Ilu

FWIW, in case you are not subscribed --- Santiago Ruano forwarded this
proposal to the debia...@lists.debian.org mailing list. Please
consider seconding it. Of course, I hope the Secretary agrees this
should constitute a call for votes and accepts our seconds, and starts
the GR process.

Jeremy Stanley

Nov 13, 2023, 11:13:03 AM
On 2023-11-12 01:58:42 +0100 (+0100), Ilulu wrote:
> as a result of our discussions on DebConf23 and MiniDebConf
> Uruguay I would like to alert a broader audience to some proposed
> legislation in the European Union. I think Debian should take a
> public stand in this debate.
[...]

On a related note, I've been talking informally with OSI leadership
about how SPI might get more involved in their efforts around this
problem on behalf of the projects we represent. I hadn't put much
time into it yet because (until now), I'd seen no clear evidence of
any SPI associated projects raising actual concerns about the CRA.

In July of this year, OSI and LF organized a series of
invitation-only meetings in Geneva they called the Open Source
Congress, primarily in order for non-profit foundations to discuss
the potential impact of in-progress legislation like the CRA on
free/libre open source software developer communities. I found out
after the fact, and when I asked a friend at OSI why SPI hadn't been
invited, I was told it was simply because *they forgot we exist*.

One of my goals is to make sure we have a seat at the table during
future such discussions, so anything we can do to coordinate
messaging between Debian and SPI would be great. What would help, I
think, is for representatives of Debian to officially state that
they'd like SPI to be involved in these and similar activities,
either along with or on behalf of the Debian community. As long as
there's clear public indication of that desire, it's much easier for
me to push related activities (through formal votes on resolutions)
from within the board of directors.
--
Jeremy Stanley

Ilu

Nov 13, 2023, 12:00:03 PM
I completely agree with Jeremy. This is absolutely important. EU
legislation is heavily influenced by lobbying and we should not shy away
from that. Lobbying for a good cause is good and also successful if it's
done unanimously and coordinated, see "chat control" (CSAMR) as a recent
example.

I talked to the DPL in May and kind of delegated myself into the
lobbying process (which includes OSI and LF by the way) because there is
no formal Debian way of doing this (and I represent a derivative
distribution which shares my views).

I think SPI has limited possibilities to engage in these things due to
their US non-profit status, but I don't know US law, so I'm not sure
about that. From my point of view it would be better to join in with one
of the European groups, like EDRI or OFE, but I don't know the internal
workings of Debian well enough.

Ilu

On 13.11.23 at 16:22, Jeremy Stanley wrote:

Jeremy Stanley

Nov 13, 2023, 12:20:05 PM
On 2023-11-13 17:49:11 +0100 (+0100), Ilu wrote:
[...]
> I think SPI has limited possibilities to engage in these things
> due to their US non-profit status, but I don't know US law, so I'm
> not sure about that. From my point of view it would be better to
> join in with one of the European groups, like EDRI or OFE, but I
> don't know the internal workings of Debian well enough.
[...]

While SPI as an organization may not be able to directly lobby EU
legislators (in fact, the USA imposes restrictions limiting the ways
charities can engage in political lobbying even within the USA), EU
countries are also not the only ones working on upcoming
cybersecurity and software product safety regulations. SPI does work
with organizations based all around the World however, and
organizations within the EU may still take input and advice from
SPI, as well as rely on our public statements to help strengthen
their voices.
--
Jeremy Stanley

Michael Lustfield

Nov 15, 2023, 10:30:04 AM
I'm sure it wasn't the intention, but the questions presented in that
survey feel more like they are phishing for specific
people/information than curious about regular activities. It includes
a number of open-ended questions with three text boxes for each,
expecting the user to provide identifiable information. The wording
also feels like there's a specific point that someone is trying to
make, especially when it gets to "predatory practices."

There is no chance you will get "useful" data (worth studying) from
this survey, especially not with those questions. You could just as
well be asking, "do you agree that predatory practices are bad? by the
way, this includes being an end user."

On Wed, Nov 15, 2023 at 2:09 AM Mathieu O'Neil <mathie...@anu.edu.au> wrote:
>
> Hi Debian :-)
>
>
>
> Thanks again to all the participants in the 2016 Debian Project survey. An astounding 1,479 people responded to this first edition. The 2016 survey results are available in an open-access report published in 2021: 2016 Debian Project survey: Work and volunteers.
>
>
> The follow-up 2023 Debian Project survey: Sustainability is now open!
>
> https://dcpc.limesurvey.net/382488?lang=en
>
>
> We (researchers Mathieu O’Neil, Sebastien Broca, Xiaolan Cai, Angela Daly, Molly de Blanc, Cecilia Rikap, Sebastien Shulz and Stefano Zacchiroli) created this new survey, for three reasons.
>
>
> 1-We want to track the project’s evolution since 2016: what has changed, what remains the same when it comes to roles, contributor characteristics and the presence of paid work in the project.
>
>
>
> 2-We want to focus on the economic sustainability of Debian and FOSS, in the context of threats to openness posed by new mechanisms such as Software as a Service and potential threats to sustainability such as ‘free riding’. What should happen so that FOSS projects continue to be maintained appropriately?
>
>
>
> 3-We are interested to find out what the community thinks about the environmental impacts of FOSS development, and possible ways to reduce these impacts.
>
>
>
> We want to hear from as many Debian contributors as possible—whether you've submitted a bug report, attended a DebConf, reviewed translations, maintained packages, participated in Debian teams, or are a Debian Developer. Completing the survey should take 10-20 minutes, depending on your current involvement with the project.
>
>
>
> About the survey:
>
> We are using LimeSurvey, an online survey platform developed with free and open source code.
>
> Survey responses are anonymous, IP and HTTP information are not logged, and all questions are optional. As it is still likely possible to determine who a respondent is based on their answers, results will only be distributed in aggregate form, in a way that does not allow de-anonymisation.
>
> The results of the survey will be analyzed as part of ongoing research work by the organizers. A report discussing the results will be published under a DFSG-free license and distributed to the Debian community as soon as it's ready.
>
> The raw, disaggregated answers will not be distributed and will be kept under the responsibility of the organizers.
>
>
> We hope you will fill out the Debian Contributor Survey. The deadline for participation is: December 15, 2023.
>
> https://dcpc.limesurvey.net/382488?lang=en
>
>
>
> If you have any questions, don't hesitate to contact us via email at:
>
> Mathieu O’Neil mathie...@canberra.edu.au

Jonathan Carter

Nov 16, 2023, 4:50:04 AM
On 2023/11/15 07:39, Mathieu O'Neil wrote:
> Hi Debian :-)

Hi Mathieu, I'm sure that was also not intentional, but in addition to
what Michael has said, please don't hijack threads on our lists.

-Jonathan