Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Re: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
3 views
Skip to first unread message
Wookey
Nov 19, 2023, 10:00:06 PM11/19/23
to
On 2023-11-19 22:45 +0100, Debian Project Secretary - Kurt Roeckx wrote:
>
> More information can be found at:
> https://www.debian.org/vote/2023/vote_002
This is generally good, but can we fix the typos and English-as-2nd-language issues before voting?
Or is it too late already? I don't feel we should be putting out an
official project statement with mistakes/English like this. And
(assuming we are going to fix this) it feels wrong to vote on a text
before it is finalised.
Things I noticed:
1) Discoverded -> Discovered
2) "a fine-tuned, well working system "
This is very peculiar, not really correct, english. At the very least 'well-working' needs hyphenating. "well-functioning"? "tried-and-tested"? Maybe just re-arrange the sentence.
3) "to keep even with" -> "to retain parity with"
4) "It is not understandable why" -> "It is not comprehensible why"
or probably better:
"It is not understandable why the EU aims to" -> "It makes no sense for the EU to aim to"
HTH (did none of the seconders notice this stuff?). I guess I should
join -project or -vote some day...
Wookey
--
Principal hats: Debian, Wookware, ARM
http://wookware.org/
>
> More information can be found at:
> https://www.debian.org/vote/2023/vote_002
This is generally good, but can we fix the typos and English-as-2nd-language issues before voting?
Or is it too late already? I don't feel we should be putting out an
official project statement with mistakes/English like this. And
(assuming we are going to fix this) it feels wrong to vote on a text
before it is finalised.
Things I noticed:
1) Discoverded -> Discovered
2) "a fine-tuned, well working system "
This is very peculiar, not really correct, english. At the very least 'well-working' needs hyphenating. "well-functioning"? "tried-and-tested"? Maybe just re-arrange the sentence.
3) "to keep even with" -> "to retain parity with"
4) "It is not understandable why" -> "It is not comprehensible why"
or probably better:
"It is not understandable why the EU aims to" -> "It makes no sense for the EU to aim to"
HTH (did none of the seconders notice this stuff?). I guess I should
join -project or -vote some day...
Wookey
--
Principal hats: Debian, Wookware, ARM
http://wookware.org/
Charles Plessy
Nov 19, 2023, 10:20:04 PM11/19/23
to
Hello everybody,
thank you for preparing this!
Quick comments form somebody who does not have the time to follow
debian-vote:
"make the best system we can": Maybe this is a good opportunity to point
at our social contract, to show to the readers who have no idea what
Debian is how important that the statement is for us, and that it
predates the discussions on the CRA.
The word "upstream" appears for the first time in point 1b. I am unsure
with people with superficial knowledge of what we are doing know what
"upstream" means.
"The social contract": maybe "Our social contract" is clearer?
2d as it is written feels anti-government, and why would governments
listen the needs of an anti-government organisation? The point on
centralisation is already made in 2c. It may be remindwd there that
threat actors include unlawful governments (and that in EU there as as
many governments as members).
Then, I would suggest to center 2d on the protection of activists.
Maybe it could be said that Debian accept anonymous contributions for
that reason, and that (to my knowledge) the CRA does not take that kind
of situation into account.
"the EU aims to cripple": this is a strong statement that will annoy all
readers who believe that the EU aims to make a better world and possibly
reduce the support for and impact of the GR. Maybe "If accepted as it
is, CRA will cripple"
I hope you find my comments helpful. Even if the GR text does not
change, I will vote for it anyway.
Finally, the conclusion calls for exemptions for small businesses, but
why not explicitely call for a clear excemption for large free software
projects such as Debian, given all the uncertainty that the CRA would
create. After all, we compete with commercial products, we aim to have
users beyond our community, and we do send strong signals to our users
that they can put a lot of trust on us. In that sense, it may be argued
one day by others that we are doing some kind of commerce.
Have a nice day,
Charles
thank you for preparing this!
Quick comments form somebody who does not have the time to follow
debian-vote:
"make the best system we can": Maybe this is a good opportunity to point
at our social contract, to show to the readers who have no idea what
Debian is how important that the statement is for us, and that it
predates the discussions on the CRA.
The word "upstream" appears for the first time in point 1b. I am unsure
with people with superficial knowledge of what we are doing know what
"upstream" means.
"The social contract": maybe "Our social contract" is clearer?
2d as it is written feels anti-government, and why would governments
listen the needs of an anti-government organisation? The point on
centralisation is already made in 2c. It may be remindwd there that
threat actors include unlawful governments (and that in EU there as as
many governments as members).
Then, I would suggest to center 2d on the protection of activists.
Maybe it could be said that Debian accept anonymous contributions for
that reason, and that (to my knowledge) the CRA does not take that kind
of situation into account.
"the EU aims to cripple": this is a strong statement that will annoy all
readers who believe that the EU aims to make a better world and possibly
reduce the support for and impact of the GR. Maybe "If accepted as it
is, CRA will cripple"
I hope you find my comments helpful. Even if the GR text does not
change, I will vote for it anyway.
Finally, the conclusion calls for exemptions for small businesses, but
why not explicitely call for a clear excemption for large free software
projects such as Debian, given all the uncertainty that the CRA would
create. After all, we compete with commercial products, we aim to have
users beyond our community, and we do send strong signals to our users
that they can put a lot of trust on us. In that sense, it may be argued
one day by others that we are doing some kind of commerce.
Have a nice day,
Charles
Luca Boccassi
Nov 20, 2023, 5:20:05 AM11/20/23
to
> "the EU aims to cripple": this is a strong statement that will annoy
> all
> readers who believe that the EU aims to make a better world and
> possibly
> reduce the support for and impact of the GR. Maybe "If accepted as
> it
> is, CRA will cripple"
There are many such problems with the proposed text. An alternative
> all
> readers who believe that the EU aims to make a better world and
> possibly
> reduce the support for and impact of the GR. Maybe "If accepted as
> it
> is, CRA will cripple"
text that aims to solve them is currently looking for seconds:
https://lists.debian.org/debian-vote/2023/11/msg00065.html
--
Kind regards,
Luca Boccassi
Santiago Ruano Rincón
Nov 21, 2023, 11:30:04 AM11/21/23
to
Thanks to those who have spotted errors and have proposed fixes!
I am collecting more patches, and I will send an updated proposal as
soon as possible. But I won't be able to do it earlier than tomorrow
Wednesday, when I will be in the Northern hemisphere.
El 21/11/23 a las 12:01, Miriam Ruiz escribió:
> s/Discoverded/Discovered/
> s/fullfill/fulfill/
>
> El dom, 19 nov 2023 a las 22:53, Debian Project Secretary - Kurt
> Roeckx (<secr...@debian.org>) escribió:
> >
> > A General Resolution has been started about a statement
> > about the EU Legislation "Cyber Resilience Act and Product Liability
> > Directive"
> > Kurt Roeckx
> > Debian Project Secretary
> >
I am collecting more patches, and I will send an updated proposal as
soon as possible. But I won't be able to do it earlier than tomorrow
Wednesday, when I will be in the Northern hemisphere.
El 21/11/23 a las 12:01, Miriam Ruiz escribió:
> s/Discoverded/Discovered/
> s/fullfill/fulfill/
>
> El dom, 19 nov 2023 a las 22:53, Debian Project Secretary - Kurt
> Roeckx (<secr...@debian.org>) escribió:
> >
> > A General Resolution has been started about a statement
> > about the EU Legislation "Cyber Resilience Act and Product Liability
> > Directive"
> > Kurt Roeckx
> > Debian Project Secretary
> >
Santiago Ruano Rincón
Nov 24, 2023, 11:30:04 AM11/24/23
to
Hello there,
Here you can find a modified version that takes into account most of the
reviews. It doesn't change the meaning of the original proposal, and
hopefully improves it. Thanks again for all the comments.
A diff between both version is found below.
----- GENERAL RESOLUTION STARTS -----
Debian Public Statement about the EU Cyber Resilience Act and the
Product Liability Directive
The European Union is currently preparing a regulation "on horizontal
cybersecurity requirements for products with digital elements" known as
the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
phase of the legislative process. The act includes a set of essential
cybersecurity and vulnerability handling requirements for manufacturers.
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
assessments and produce technical documentation and for critical
components, have third-party audits conducted. Discovered security
issues will have to be reported to European authorities within 24 hours
(1). The CRA will be followed up by the Product Liability Directive
(PLD) which will introduce compulsory liability for software. More
information about the proposed legislation and its consequences in (2).
While a lot of these regulations seem reasonable, the Debian project
believes that there are grave problems for Free Software projects
attached to them. Therefore, the Debian project issues the following
statement:
1. Free Software has always been a gift, freely given to society, to
take and to use as seen fit, for whatever purpose. Free Software has
proven to be an asset in our digital age and the proposed EU Cyber
Resilience Act is going to be detrimental to it.
a. As the Debian Social Contract states, our goal is "make the best
system we can, so that free works will be widely distributed and used."
Imposing requirements such as those proposed in the act makes it legally
perilous for others to redistribute our work and endangers our commitment
to "provide an integrated system of high-quality materials with no legal
restrictions that would prevent such uses of the system". (3)
b. Knowing whether software is commercial or not isn't feasible,
neither in Debian nor in most free software projects - we don't track
people's employment status or history, nor do we check who finances
upstream projects (the original projects that we integrate in our
operating system).
c. If upstream projects stop developing for fear of being in the
scope of CRA and its financial consequences, system security will
actually get worse instead of better.
d. Having to get legal advice before giving a present to society
will discourage many developers, especially those without a company or
other organisation supporting them.
2. Debian is well known for its security track record through practices
of responsible disclosure and coordination with upstream developers and
other Free Software projects. We aim to live up to the commitment made
in the Debian Social Contract: "We will not hide problems." (3)
a. The Free Software community has developed a fine-tuned,
tried-and-tested system of responsible disclosure in case of security
issues which will be overturned by the mandatory reporting to European
authorities within 24 hours (Art. 11 CRA).
b. Debian spends a lot of volunteering time on security issues,
provides quick security updates and works closely together with upstream
projects, in coordination with other vendors. To protect its users,
Debian regularly participates in limited embargos to coordinate fixes to
security issues so that all other major Linux distributions can also have
a complete fix when the vulnerability is disclosed.
c. Security issue tracking and remediation is intentionally
decentralized and distributed. The reporting of security issues to
ENISA and the intended propagation to other authorities and national
administrations would collect all software vulnerabilities in one place,
greatly increasing the risk of leaking information about vulnerabilities
to threat actors, representing a threat for all the users around the
world, including European citizens.
d. Activists use Debian (e.g. through derivatives such as Tails),
among other reasons, to protect themselves from authoritarian
governments; handing threat actors exploits they can use for oppression
is against what Debian stands for.
e. Developers and companies will downplay security issues because
a "security" issue now comes with legal implications. Less clarity on
what is truly a security issue will hurt users by leaving them vulnerable.
3. While proprietary software is developed behind closed doors, Free
Software development is done in the open, transparent for everyone. To
retain parity with proprietary software the open development process needs
to be entirely exempt from CRA requirements, just as the development of
software in private is. A "making available on the market" can only be
considered after development is finished and the software is released.
4. Even if only "commercial activities" are in the scope of CRA, the
Free Software community - and as a consequence, everybody - will lose a
lot of small projects. CRA will force many small enterprises and most
probably all self employed developers out of business because they
simply cannot fulfill the requirements imposed by CRA. Debian and other
Linux distributions depend on their work. If accepted as it is,
CRA will undermine not only an established community but also a
thriving market. CRA needs an exemption for small businesses and, at the
very least, solo-entrepreneurs.
==========================================================================
Sources:
(1) CRA proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-european-cyber-resilience-act
PLD proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
(2) Background information:
https://blog.documentfoundation.org/blog/2023/01/24/tdf-position-on-eus-proposed-cyber-resilience-act/
https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation
https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
https://blog.opensource.org/author/webmink/
Detailed analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
(3) Debian Social Contract No. 2, 3 and 4
https://www.debian.org/social_contract
----- GENERAL RESOLUTION ENDS -----
--- vote.original 2023-11-23 23:06:59.323036166 +0000
+++ vote.new 2023-11-23 23:24:20.434942609 +0000
@@ -9,7 +9,7 @@
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
assessments and produce technical documentation and for critical
-components, have third-party audits conducted. Discoverded security
+components, have third-party audits conducted. Discovered security
issues will have to be reported to European authorities within 24 hours
(1). The CRA will be followed up by the Product Liability Directive
(PLD) which will introduce compulsory liability for software. More
@@ -24,17 +24,18 @@
take and to use as seen fit, for whatever purpose. Free Software has
proven to be an asset in our digital age and the proposed EU Cyber
Resilience Act is going to be detrimental to it.
- a. It is Debian's goal to "make the best system we can, so that
-free works will be widely distributed and used." Imposing requirements
-such as those proposed in the act makes it legally perilous for others
-to redistribute our works and endangers our commitment to "provide an
-integrated system of high-quality materials _with no legal restrictions_
-that would prevent such uses of the system". (3)
+ a. As the Debian Social Contract states, our goal is "make the best
+system we can, so that free works will be widely distributed and used."
+Imposing requirements such as those proposed in the act makes it legally
+perilous for others to redistribute our work and endangers our commitment
+to "provide an integrated system of high-quality materials with no legal
+restrictions that would prevent such uses of the system". (3)
b. Knowing whether software is commercial or not isn't feasible,
neither in Debian nor in most free software projects - we don't track
people's employment status or history, nor do we check who finances
-upstream projects.
+upstream projects (the original projects that we integrate in our
+operating system).
c. If upstream projects stop developing for fear of being in the
scope of CRA and its financial consequences, system security will
@@ -47,11 +48,11 @@
2. Debian is well known for its security track record through practices
of responsible disclosure and coordination with upstream developers and
other Free Software projects. We aim to live up to the commitment made
-in the Social Contract: "We will not hide problems." (3)
+in the Debian Social Contract: "We will not hide problems." (3)
- a. The Free Software community has developed a fine-tuned, well
-working system of responsible disclosure in case of security issues
-which will be overturned by the mandatory reporting to European
+ a. The Free Software community has developed a fine-tuned,
+tried-and-tested system of responsible disclosure in case of security
+issues which will be overturned by the mandatory reporting to European
authorities within 24 hours (Art. 11 CRA).
b. Debian spends a lot of volunteering time on security issues,
@@ -80,7 +81,7 @@
3. While proprietary software is developed behind closed doors, Free
Software development is done in the open, transparent for everyone. To
-keep even with proprietary software the open development process needs
+retain parity with proprietary software the open development process needs
to be entirely exempt from CRA requirements, just as the development of
software in private is. A "making available on the market" can only be
considered after development is finished and the software is released.
@@ -89,9 +90,9 @@
Free Software community - and as a consequence, everybody - will lose a
lot of small projects. CRA will force many small enterprises and most
probably all self employed developers out of business because they
-simply cannot fullfill the requirements imposed by CRA. Debian and other
-Linux distributions depend on their work. It is not understandable why
-the EU aims to cripple not only an established community but also a
+simply cannot fulfill the requirements imposed by CRA. Debian and other
+Linux distributions depend on their work. If accepted as it is,
+CRA will undermine not only an established community but also a
thriving market. CRA needs an exemption for small businesses and, at the
very least, solo-entrepreneurs.
@@ -101,7 +102,7 @@
Sources:
(1) CRA proposals and links:
-https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
+https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-european-cyber-resilience-act
PLD proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
@@ -110,8 +111,7 @@
https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation
https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
https://blog.opensource.org/author/webmink/
-Detailed
-analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
+Detailed analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
(3) Debian Social Contract No. 2, 3 and 4
https://www.debian.org/social_contract
Cheers,
-- Santiago
Here you can find a modified version that takes into account most of the
reviews. It doesn't change the meaning of the original proposal, and
hopefully improves it. Thanks again for all the comments.
A diff between both version is found below.
----- GENERAL RESOLUTION STARTS -----
Debian Public Statement about the EU Cyber Resilience Act and the
Product Liability Directive
The European Union is currently preparing a regulation "on horizontal
cybersecurity requirements for products with digital elements" known as
the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
phase of the legislative process. The act includes a set of essential
cybersecurity and vulnerability handling requirements for manufacturers.
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
assessments and produce technical documentation and for critical
components, have third-party audits conducted. Discovered security
issues will have to be reported to European authorities within 24 hours
(1). The CRA will be followed up by the Product Liability Directive
(PLD) which will introduce compulsory liability for software. More
information about the proposed legislation and its consequences in (2).
While a lot of these regulations seem reasonable, the Debian project
believes that there are grave problems for Free Software projects
attached to them. Therefore, the Debian project issues the following
statement:
1. Free Software has always been a gift, freely given to society, to
take and to use as seen fit, for whatever purpose. Free Software has
proven to be an asset in our digital age and the proposed EU Cyber
Resilience Act is going to be detrimental to it.
a. As the Debian Social Contract states, our goal is "make the best
system we can, so that free works will be widely distributed and used."
Imposing requirements such as those proposed in the act makes it legally
perilous for others to redistribute our work and endangers our commitment
to "provide an integrated system of high-quality materials with no legal
restrictions that would prevent such uses of the system". (3)
b. Knowing whether software is commercial or not isn't feasible,
neither in Debian nor in most free software projects - we don't track
people's employment status or history, nor do we check who finances
upstream projects (the original projects that we integrate in our
operating system).
c. If upstream projects stop developing for fear of being in the
scope of CRA and its financial consequences, system security will
actually get worse instead of better.
d. Having to get legal advice before giving a present to society
will discourage many developers, especially those without a company or
other organisation supporting them.
2. Debian is well known for its security track record through practices
of responsible disclosure and coordination with upstream developers and
other Free Software projects. We aim to live up to the commitment made
in the Debian Social Contract: "We will not hide problems." (3)
a. The Free Software community has developed a fine-tuned,
tried-and-tested system of responsible disclosure in case of security
issues which will be overturned by the mandatory reporting to European
authorities within 24 hours (Art. 11 CRA).
b. Debian spends a lot of volunteering time on security issues,
provides quick security updates and works closely together with upstream
projects, in coordination with other vendors. To protect its users,
Debian regularly participates in limited embargos to coordinate fixes to
security issues so that all other major Linux distributions can also have
a complete fix when the vulnerability is disclosed.
c. Security issue tracking and remediation is intentionally
decentralized and distributed. The reporting of security issues to
ENISA and the intended propagation to other authorities and national
administrations would collect all software vulnerabilities in one place,
greatly increasing the risk of leaking information about vulnerabilities
to threat actors, representing a threat for all the users around the
world, including European citizens.
d. Activists use Debian (e.g. through derivatives such as Tails),
among other reasons, to protect themselves from authoritarian
governments; handing threat actors exploits they can use for oppression
is against what Debian stands for.
e. Developers and companies will downplay security issues because
a "security" issue now comes with legal implications. Less clarity on
what is truly a security issue will hurt users by leaving them vulnerable.
3. While proprietary software is developed behind closed doors, Free
Software development is done in the open, transparent for everyone. To
retain parity with proprietary software the open development process needs
to be entirely exempt from CRA requirements, just as the development of
software in private is. A "making available on the market" can only be
considered after development is finished and the software is released.
4. Even if only "commercial activities" are in the scope of CRA, the
Free Software community - and as a consequence, everybody - will lose a
lot of small projects. CRA will force many small enterprises and most
probably all self employed developers out of business because they
simply cannot fulfill the requirements imposed by CRA. Debian and other
Linux distributions depend on their work. If accepted as it is,
CRA will undermine not only an established community but also a
thriving market. CRA needs an exemption for small businesses and, at the
very least, solo-entrepreneurs.
==========================================================================
Sources:
(1) CRA proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-european-cyber-resilience-act
PLD proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
(2) Background information:
https://blog.documentfoundation.org/blog/2023/01/24/tdf-position-on-eus-proposed-cyber-resilience-act/
https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation
https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
https://blog.opensource.org/author/webmink/
Detailed analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
(3) Debian Social Contract No. 2, 3 and 4
https://www.debian.org/social_contract
----- GENERAL RESOLUTION ENDS -----
--- vote.original 2023-11-23 23:06:59.323036166 +0000
+++ vote.new 2023-11-23 23:24:20.434942609 +0000
@@ -9,7 +9,7 @@
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
assessments and produce technical documentation and for critical
-components, have third-party audits conducted. Discoverded security
+components, have third-party audits conducted. Discovered security
issues will have to be reported to European authorities within 24 hours
(1). The CRA will be followed up by the Product Liability Directive
(PLD) which will introduce compulsory liability for software. More
@@ -24,17 +24,18 @@
take and to use as seen fit, for whatever purpose. Free Software has
proven to be an asset in our digital age and the proposed EU Cyber
Resilience Act is going to be detrimental to it.
- a. It is Debian's goal to "make the best system we can, so that
-free works will be widely distributed and used." Imposing requirements
-such as those proposed in the act makes it legally perilous for others
-to redistribute our works and endangers our commitment to "provide an
-integrated system of high-quality materials _with no legal restrictions_
-that would prevent such uses of the system". (3)
+ a. As the Debian Social Contract states, our goal is "make the best
+system we can, so that free works will be widely distributed and used."
+Imposing requirements such as those proposed in the act makes it legally
+perilous for others to redistribute our work and endangers our commitment
+to "provide an integrated system of high-quality materials with no legal
+restrictions that would prevent such uses of the system". (3)
b. Knowing whether software is commercial or not isn't feasible,
neither in Debian nor in most free software projects - we don't track
people's employment status or history, nor do we check who finances
-upstream projects.
+upstream projects (the original projects that we integrate in our
+operating system).
c. If upstream projects stop developing for fear of being in the
scope of CRA and its financial consequences, system security will
@@ -47,11 +48,11 @@
2. Debian is well known for its security track record through practices
of responsible disclosure and coordination with upstream developers and
other Free Software projects. We aim to live up to the commitment made
-in the Social Contract: "We will not hide problems." (3)
+in the Debian Social Contract: "We will not hide problems." (3)
- a. The Free Software community has developed a fine-tuned, well
-working system of responsible disclosure in case of security issues
-which will be overturned by the mandatory reporting to European
+ a. The Free Software community has developed a fine-tuned,
+tried-and-tested system of responsible disclosure in case of security
+issues which will be overturned by the mandatory reporting to European
authorities within 24 hours (Art. 11 CRA).
b. Debian spends a lot of volunteering time on security issues,
@@ -80,7 +81,7 @@
3. While proprietary software is developed behind closed doors, Free
Software development is done in the open, transparent for everyone. To
-keep even with proprietary software the open development process needs
+retain parity with proprietary software the open development process needs
to be entirely exempt from CRA requirements, just as the development of
software in private is. A "making available on the market" can only be
considered after development is finished and the software is released.
@@ -89,9 +90,9 @@
Free Software community - and as a consequence, everybody - will lose a
lot of small projects. CRA will force many small enterprises and most
probably all self employed developers out of business because they
-simply cannot fullfill the requirements imposed by CRA. Debian and other
-Linux distributions depend on their work. It is not understandable why
-the EU aims to cripple not only an established community but also a
+simply cannot fulfill the requirements imposed by CRA. Debian and other
+Linux distributions depend on their work. If accepted as it is,
+CRA will undermine not only an established community but also a
thriving market. CRA needs an exemption for small businesses and, at the
very least, solo-entrepreneurs.
@@ -101,7 +102,7 @@
Sources:
(1) CRA proposals and links:
-https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
+https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-european-cyber-resilience-act
PLD proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
@@ -110,8 +111,7 @@
https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation
https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
https://blog.opensource.org/author/webmink/
-Detailed
-analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
+Detailed analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
(3) Debian Social Contract No. 2, 3 and 4
https://www.debian.org/social_contract
Cheers,
-- Santiago
Gunnar Wolf
Nov 24, 2023, 11:40:04 AM11/24/23
to
Thank you very much Santiago!
I am not sure whether your seconders must also second the amended
version, but I reviewed it, and agree with the proposed changes (none
of which seem to alter IMO the intent of the document).
Thus, re-seconded.
Santiago Ruano Rincón dijo [Fri, Nov 24, 2023 at 04:24:56PM +0000]:
--
I am not sure whether your seconders must also second the amended
version, but I reviewed it, and agree with the proposed changes (none
of which seem to alter IMO the intent of the document).
Thus, re-seconded.
Santiago Ruano Rincón dijo [Fri, Nov 24, 2023 at 04:24:56PM +0000]:
Russ Allbery
Nov 24, 2023, 6:30:03 PM11/24/23
to
Gunnar Wolf <gw...@debian.org> writes:
> Thank you very much Santiago!
> I am not sure whether your seconders must also second the amended
> version, but I reviewed it, and agree with the proposed changes (none of
> which seem to alter IMO the intent of the document).
3. The proposer of a ballot option may amend that option provided that
> Thank you very much Santiago!
> I am not sure whether your seconders must also second the amended
> version, but I reviewed it, and agree with the proposed changes (none of
> which seem to alter IMO the intent of the document).
none of the sponsors of that ballot option at the time the amendment is
proposed disagree with that change within 24 hours. If any of them do
disagree, the ballot option is left unchanged.
So no one needs to second the amended version.
--
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
Santiago Ruano Rincón
Nov 25, 2023, 9:10:04 AM11/25/23
to
Hello again,
Sorry for this, but I would like to take into account some (minor)
additional changes. Some of them are indeed important. As the last time,
a diff can be found at the bottom of the mail.
----- GENERAL RESOLUTION STARTS -----
Debian Public Statement about the EU Cyber Resilience Act and the
Product Liability Directive
The European Union is currently preparing a regulation "on horizontal
cybersecurity requirements for products with digital elements" known as
the Cyber Resilience Act (CRA). It is currently in the final "trilogue"
b. Knowing whether software is commercial or not isn't feasible,
neither in Debian nor in most free software projects - we don't track
people's employment status or history, nor do we check who finances
upstream projects (the original projects that we integrate in our
operating system).
c. If upstream projects stop making available their code
d. Having to get legal advice before giving a gift to society
This greatly increases the risk of leaking information about vulnerabilities
(2) Debian Social Contract No. 2, 3 and 4
--- vote.new 2023-11-23 23:24:20.434942609 +0000
+++ vote.new.new 2023-11-25 13:38:26.425208433 +0000
@@ -3,17 +3,16 @@
The European Union is currently preparing a regulation "on horizontal
cybersecurity requirements for products with digital elements" known as
-the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
+the Cyber Resilience Act (CRA). It is currently in the final "trilogue"
+assessments and produce technical documentation and, for critical
-information about the proposed legislation and its consequences in (2).
+(PLD) which will introduce compulsory liability for software.
While a lot of these regulations seem reasonable, the Debian project
believes that there are grave problems for Free Software projects
@@ -29,7 +28,7 @@
+restrictions that would prevent such uses of the system". (2)
b. Knowing whether software is commercial or not isn't feasible,
neither in Debian nor in most free software projects - we don't track
@@ -37,11 +36,12 @@
+ c. If upstream projects stop making available their code
+for fear of being in the
+actually get worse rather than better.
- d. Having to get legal advice before giving a present to society
+ d. Having to get legal advice before giving a gift to society
b. Debian spends a lot of volunteering time on security issues,
provides quick security updates and works closely together with upstream
-projects, in coordination with other vendors. To protect its users,
+projects and in coordination with other vendors. To protect its users,
-greatly increasing the risk of leaking information about vulnerabilities
+administrations would collect all software vulnerabilities in one place.
+This greatly increases the risk of leaking information about vulnerabilities
-https://blog.documentfoundation.org/blog/2023/01/24/tdf-position-on-eus-proposed-cyber-resilience-act/
-https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation
-https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
-https://blog.opensource.org/author/webmink/
-Detailed analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
-
-(3) Debian Social Contract No. 2, 3 and 4
+(2) Debian Social Contract No. 2, 3 and 4
https://www.debian.org/social_contract
Thank you all,
-- Santiago
Sorry for this, but I would like to take into account some (minor)
additional changes. Some of them are indeed important. As the last time,
a diff can be found at the bottom of the mail.
----- GENERAL RESOLUTION STARTS -----
Debian Public Statement about the EU Cyber Resilience Act and the
Product Liability Directive
The European Union is currently preparing a regulation "on horizontal
cybersecurity requirements for products with digital elements" known as
phase of the legislative process. The act includes a set of essential
cybersecurity and vulnerability handling requirements for manufacturers.
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
assessments and produce technical documentation and, for critical
cybersecurity and vulnerability handling requirements for manufacturers.
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
components, have third-party audits conducted. Discovered security
issues will have to be reported to European authorities within 24 hours
(1). The CRA will be followed up by the Product Liability Directive
(PLD) which will introduce compulsory liability for software.
issues will have to be reported to European authorities within 24 hours
(1). The CRA will be followed up by the Product Liability Directive
(PLD) which will introduce compulsory liability for software.
While a lot of these regulations seem reasonable, the Debian project
believes that there are grave problems for Free Software projects
attached to them. Therefore, the Debian project issues the following
statement:
1. Free Software has always been a gift, freely given to society, to
take and to use as seen fit, for whatever purpose. Free Software has
proven to be an asset in our digital age and the proposed EU Cyber
Resilience Act is going to be detrimental to it.
a. As the Debian Social Contract states, our goal is "make the best
system we can, so that free works will be widely distributed and used."
Imposing requirements such as those proposed in the act makes it legally
perilous for others to redistribute our work and endangers our commitment
to "provide an integrated system of high-quality materials with no legal
restrictions that would prevent such uses of the system". (2)
believes that there are grave problems for Free Software projects
attached to them. Therefore, the Debian project issues the following
statement:
1. Free Software has always been a gift, freely given to society, to
take and to use as seen fit, for whatever purpose. Free Software has
proven to be an asset in our digital age and the proposed EU Cyber
Resilience Act is going to be detrimental to it.
a. As the Debian Social Contract states, our goal is "make the best
system we can, so that free works will be widely distributed and used."
Imposing requirements such as those proposed in the act makes it legally
perilous for others to redistribute our work and endangers our commitment
to "provide an integrated system of high-quality materials with no legal
b. Knowing whether software is commercial or not isn't feasible,
neither in Debian nor in most free software projects - we don't track
people's employment status or history, nor do we check who finances
upstream projects (the original projects that we integrate in our
operating system).
for fear of being in the
scope of CRA and its financial consequences, system security will
actually get worse rather than better.
scope of CRA and its financial consequences, system security will
d. Having to get legal advice before giving a gift to society
will discourage many developers, especially those without a company or
other organisation supporting them.
2. Debian is well known for its security track record through practices
of responsible disclosure and coordination with upstream developers and
other Free Software projects. We aim to live up to the commitment made
in the Debian Social Contract: "We will not hide problems." (3)
a. The Free Software community has developed a fine-tuned,
tried-and-tested system of responsible disclosure in case of security
issues which will be overturned by the mandatory reporting to European
authorities within 24 hours (Art. 11 CRA).
b. Debian spends a lot of volunteering time on security issues,
provides quick security updates and works closely together with upstream
projects and in coordination with other vendors. To protect its users,
other organisation supporting them.
2. Debian is well known for its security track record through practices
of responsible disclosure and coordination with upstream developers and
other Free Software projects. We aim to live up to the commitment made
in the Debian Social Contract: "We will not hide problems." (3)
a. The Free Software community has developed a fine-tuned,
tried-and-tested system of responsible disclosure in case of security
issues which will be overturned by the mandatory reporting to European
authorities within 24 hours (Art. 11 CRA).
b. Debian spends a lot of volunteering time on security issues,
provides quick security updates and works closely together with upstream
Debian regularly participates in limited embargos to coordinate fixes to
security issues so that all other major Linux distributions can also have
a complete fix when the vulnerability is disclosed.
c. Security issue tracking and remediation is intentionally
decentralized and distributed. The reporting of security issues to
ENISA and the intended propagation to other authorities and national
administrations would collect all software vulnerabilities in one place.
security issues so that all other major Linux distributions can also have
a complete fix when the vulnerability is disclosed.
c. Security issue tracking and remediation is intentionally
decentralized and distributed. The reporting of security issues to
ENISA and the intended propagation to other authorities and national
This greatly increases the risk of leaking information about vulnerabilities
--- vote.new 2023-11-23 23:24:20.434942609 +0000
+++ vote.new.new 2023-11-25 13:38:26.425208433 +0000
@@ -3,17 +3,16 @@
The European Union is currently preparing a regulation "on horizontal
cybersecurity requirements for products with digital elements" known as
+the Cyber Resilience Act (CRA). It is currently in the final "trilogue"
phase of the legislative process. The act includes a set of essential
cybersecurity and vulnerability handling requirements for manufacturers.
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
-assessments and produce technical documentation and for critical
cybersecurity and vulnerability handling requirements for manufacturers.
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
+assessments and produce technical documentation and, for critical
components, have third-party audits conducted. Discovered security
issues will have to be reported to European authorities within 24 hours
(1). The CRA will be followed up by the Product Liability Directive
-(PLD) which will introduce compulsory liability for software. More
issues will have to be reported to European authorities within 24 hours
(1). The CRA will be followed up by the Product Liability Directive
-information about the proposed legislation and its consequences in (2).
+(PLD) which will introduce compulsory liability for software.
While a lot of these regulations seem reasonable, the Debian project
believes that there are grave problems for Free Software projects
Imposing requirements such as those proposed in the act makes it legally
perilous for others to redistribute our work and endangers our commitment
to "provide an integrated system of high-quality materials with no legal
-restrictions that would prevent such uses of the system". (3)
perilous for others to redistribute our work and endangers our commitment
to "provide an integrated system of high-quality materials with no legal
+restrictions that would prevent such uses of the system". (2)
b. Knowing whether software is commercial or not isn't feasible,
neither in Debian nor in most free software projects - we don't track
upstream projects (the original projects that we integrate in our
operating system).
- c. If upstream projects stop developing for fear of being in the
operating system).
+ c. If upstream projects stop making available their code
+for fear of being in the
scope of CRA and its financial consequences, system security will
-actually get worse instead of better.
+actually get worse rather than better.
- d. Having to get legal advice before giving a present to society
+ d. Having to get legal advice before giving a gift to society
will discourage many developers, especially those without a company or
other organisation supporting them.
@@ -57,7 +57,7 @@
other organisation supporting them.
b. Debian spends a lot of volunteering time on security issues,
provides quick security updates and works closely together with upstream
+projects and in coordination with other vendors. To protect its users,
Debian regularly participates in limited embargos to coordinate fixes to
security issues so that all other major Linux distributions can also have
a complete fix when the vulnerability is disclosed.
@@ -65,8 +65,8 @@
security issues so that all other major Linux distributions can also have
a complete fix when the vulnerability is disclosed.
c. Security issue tracking and remediation is intentionally
decentralized and distributed. The reporting of security issues to
ENISA and the intended propagation to other authorities and national
-administrations would collect all software vulnerabilities in one place,
decentralized and distributed. The reporting of security issues to
ENISA and the intended propagation to other authorities and national
-greatly increasing the risk of leaking information about vulnerabilities
+administrations would collect all software vulnerabilities in one place.
+This greatly increases the risk of leaking information about vulnerabilities
to threat actors, representing a threat for all the users around the
world, including European citizens.
@@ -106,12 +106,5 @@
world, including European citizens.
PLD proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
-(2) Background information:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
-https://blog.documentfoundation.org/blog/2023/01/24/tdf-position-on-eus-proposed-cyber-resilience-act/
-https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation
-https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
-https://blog.opensource.org/author/webmink/
-Detailed analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
-
-(3) Debian Social Contract No. 2, 3 and 4
+(2) Debian Social Contract No. 2, 3 and 4
https://www.debian.org/social_contract
Thank you all,
-- Santiago
0 new messages