call for seconds - separate proposal text for 2023/vote_002

Bart Martens
Nov 22, 2023, 1:30:05 PM
Hello, I hereby welcome seconds for adding this text to 2023/vote_002
as a separate proposal.

START OF PROPOSAL TEXT

Debian Public Statement about the EU Cyber Resilience Act (CRA) and the
Product Liability Directive (PLD)

The CRA includes requirements for manufacturers of software, followed
up by the PLD with compulsory liability for software. The Debian
project has concerns about the impact on Free and Open-Source Software
(FOSS).

The CRA makes the use of FOSS in commercial context more difficult.
This goes against the philosophy of the Debian project. The Debian Free
Software Guidelines (DFSG) include "6. No Discrimination Against Fields
of Endeavor - The license must not restrict anyone from making use of
the program in a specific field of endeavor." A significant part of the
success of FOSS is its use in commercial context. It should remain
possible for anyone to produce, publish and use FOSS, without making it
harder for commercial entities or for any group of FOSS users.

The compulsory liability as meant in the PLD overrules the usual
liability disclaimers in FOSS licenses. This makes sharing FOSS with
the public more legally risky. The compulsory liability makes sense for
closed-source software, where the users fully depend on the
manufacturers. With FOSS the users have the option of helping
themselves with the source code, and/or hiring any consultant on the
market. The usual liability disclaimers in FOSS licenses should remain
valid without the risk of being overruled by the PLD.

The Debian project asks the EU to not draw a line between commercial
and non-commercial use of FOSS. Such a line should instead be between
closed-source software and FOSS. FOSS should be entirely exempt from
the CRA and the PLD.

END OF PROPOSAL TEXT

ChangZhuo Chen (陳昌倬)
Nov 22, 2023, 1:40:05 PM
On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
> Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> as a separate proposal.

seconded

--
ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
ChangZhuo Chen (陳昌倬)
Nov 22, 2023, 2:20:05 PM
On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
> Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> as a separate proposal.

seconded
Bill Allombert
Nov 22, 2023, 2:40:05 PM

On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
>
> The Debian project asks the EU to not draw a line between commercial
> and non-commercial use of FOSS.

But the EU already does, all the time, really. This is simply not
realistic.

Cheers,
--
Bill. <ball...@debian.org>

Simon Richter
Nov 23, 2023, 2:40:05 AM
Hi,
Seconded.

Simon

Simon Richter
Nov 23, 2023, 4:10:05 AM
Hi,

Since my signature got lost on the way, retrying:

Seconded.

Simon

Laura Arjona Reina
Nov 23, 2023, 11:42:51 AM

Hello all,

On Wed, 22 Nov 2023 19:16:48 +0100
Bart Martens <ba...@debian.org> wrote:
Seconded.

Kind regards,
Laura Arjona Reina
https://wiki.debian.org/LauraArjona

Kurt Roeckx
Nov 24, 2023, 8:30:06 AM
On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
> Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> as a separate proposal.

I'm currently counting 3 seconds for this.


Kurt

Gunnar Wolf
Nov 24, 2023, 9:00:05 AM
Hello Bart,

Bart Martens wrote [Wed, Nov 22, 2023 at 07:16:48PM +0100]:
> Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> as a separate proposal.

Thanks for your contribution to this discussion! As I said in another
thread, I believe that in a voting system such as the one we use in
Debian, more versions is unambiguously better, and options should only
be merged together in the case they are semantically equivalent.
My issue with your text is that I read it –bluntly over-abridged– as
«The CRA+PLD will make it harder to meaningfully develop Debian,
because we are compelled by our own foundation documents not to
distinguish between free and commercial. Many people use Debian in
commercial settings. If you enact this legislation, some of our users
would be at risk of getting in trouble for using our fine intentions for
their economic benefit, as they will be covered by your
regulation. Please formally except us fully from your rules!»

That is, it basically means: "European Parliament/Council: Our
foundation documents are at unease with the CRA and PLD". That is
true, but a fair answer from them (if we warrant it!) could be "We
represent more people and wider interests than yours. Your SC is over
a quarter of a century old. Update your SC to comply with the changing
times". Which could even make sense! (although it would make Debian
stop being Debian!)

This reading is the main reason I'm not endorsing it, and still prefer
our original proposal instead.

Greetings,

- Gunnar.
Bart Martens
Nov 24, 2023, 4:30:04 PM
On Fri, Nov 24, 2023 at 07:55:01AM -0600, Gunnar Wolf wrote:
> Hello Bart,

Hi Gunnar!

>
> Bart Martens wrote [Wed, Nov 22, 2023 at 07:16:48PM +0100]:
> > Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> > as a separate proposal.
>
> Thanks for your contribution to this discussion!

And thank you for your feedback.
That is paraphrasing my proposal rather roughly, but let's focus on the point
you want to make.

> That is
> true, but a fair answer from them (if we warrant it!) could be "We
> represent more people and wider interests than yours. Your SC is over
> a quarter of a century old. Update your SC to comply with the changing
> times". Which could even make sense! (although it would make Debian
> stop being Debian!)
>
> This reading is the main reason I'm not endorsing it, and still prefer
> our original proposal instead.

How would such a hypothetical answer from the EU matter for preferring one
proposal over the other? I'm trying to understand your motive.

Allow me to point out some weak points in proposal A, motivating me to write my
separate proposal.

- 1.a. The phrase "with no legal restrictions" is incorrect in the sense that
FOSS uses legal restrictions for keeping it FOSS.

- 1.b. I read "Knowing whether software is commercial or not". It is, in my
understanding, about commercial use or non-commercial use.

- 1.b. Arguing that knowing what's commercial or not isn't feasible implies
accepting such distinction when the EU can give a practical legal definition.

- 1.c. Stopping development would not exempt the author from CRA. Stopping the
commercial use would.

- 1.d. This somewhat implies accepting CRA requirements for big companies.

- 2.a. Explaining that the 24h window would disrupt FOSS's well-working system
of responsible disclosure of security issues implies accepting that the
FOSS community would be legally required to provide security support.

- 2.b. Mentioning the efforts Debian is doing on security support in this
context implies accepting that Debian is required to do so.

- 2.d. I don't feel comfortable with mentioning that Debian supports activists
living under oppressive regimes.

- 2.e. Commercial companies can currently hide security issues in proprietary
software. One could argue that this is worse than downplaying when reporting.

- 3. Software development in the open is in fact making unfinished software
available on the market.

- 3. Asking to exempt unfinished software being developed in the open, implies
accepting that it becomes no longer exempt when it's ready for use.

- 4. This implies, almost states explicitly, accepting CRA requirements for big
companies.

I invite you to compare the two proposals on the points listed above. In short,
my proposal defends commercial use of FOSS and the usual liability disclaimers
in FOSS licenses.

To be clear, for avoiding misunderstandings, the EU regulation can be a good
thing, when it requires manufacturers of closed products to provide security
support for the pieces of FOSS they use in their products. Then we're talking
about compulsory liability for those closed products as a whole. My focus aims
at protecting the liberty of not providing support whenever the users can help
themselves with the available source code.

Has my proposal sufficient seconds by now? If not... you know what to do.

Cheers,

Bart


>
> Greetings,
>
> - Gunnar.

Holger Levsen
Nov 28, 2023, 8:03:04 AM
seconded, thank you.


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

The upcoming climate apocalypse is the big elephant in every room now.

Daniel Kahn Gillmor
Nov 29, 2023, 6:00:05 PM
On Wed 2023-11-22 19:31:34 +0000, Bill Allombert wrote:
> On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
>>
>> The Debian project asks the EU to not draw a line between commercial
>> and non-commercial use of FOSS.
>
> But the EU already does, all the time, really. This is simply not
> realistic.

Are you saying that the EU draws the line between commercial and
non-commercial uses of *any* software, generally? Or any business
process, which happens to sometimes include software?

Liability rules that apply only for commercial business, whether the
business deals with software or not, are not at issue here, right?

If you're saying that there are EU software liability policies, that
apply strictly to F/LOSS software (not software generally), and which
discriminate against fields of endeavor like commercial
vs. non-commercial, could you point to some examples? I'm quite
ignorant of EU law, so feel free to point me to obvious examples that
everyone already knows.

--dkg