Re: recent changes to the CRA address FLOSS community concerns?


Jonas Smedegaard
Dec 9, 2023, 4:00:04 AM

Quoting Paul Wise (2023-12-09 04:07:45)
> On IRC it was mentioned that there are updates to the CRA that may
> address the concerns of the FLOSS community.
>
> These blogs have updates at the top:
>
> https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/
>
> 🥳
> update, december 2023: The concerns expressed in this blog have been
> heard and are being addressed in the final text. If you read on, do
> so because you are interested in historical context, not because
> you seek an understanding of how the CRA will apply in practice.
>
> https://berthub.eu/articles/posts/eu-cra-best-open-source-security/
>
> UPDATE: On December 1st the EU agreed on a version of the Cyber
> Resilience Act that appears to have substantially addressed the
> concerns in the post below. Further analysis awaits, but do know
> that the text that follows is now mostly of historical interest!
>
> Does anyone have any more info about the changes?

As I understand it, a good source for this is EDRi, but apparently they
have no news yet about the December 1st decision - I would expect news
about that to appear here:
https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-digitally-resilient/

Jonas Smedegaard
Dec 9, 2023, 4:00:04 AM

Quoting Jonas Smedegaard (2023-12-09 09:53:37)
> Quoting Paul Wise (2023-12-09 04:07:45)
> > On IRC it was mentioned that there are updates to the CRA that may
> > address the concerns of the FLOSS community.
> >
> > These blogs have updates at the top:
> >
> > https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/
> >
> > 🥳
> > update, december 2023: The concerns expressed in this blog have been
> > heard and are being addressed in the final text. If you read on, do
> > so because you are interested in historical context, not because
> > you seek an understanding of how the CRA will apply in practice.
> >
> > https://berthub.eu/articles/posts/eu-cra-best-open-source-security/
> >
> > UPDATE: On December 1st the EU agreed on a version of the Cyber
> > Resilience Act that appears to have substantially addressed the
> > concerns in the post below. Further analysis awaits, but do know
> > that the text that follows is now mostly of historical interest!
> >
> > Does anyone have any more info about the changes?
>
> As I understand it, a good source for this is EDRi, but apparently they
> have no news yet about the December 1st decision - I would expect news
> about that to appear here:
> https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-digitally-resilient/

...or here: https://edri.org/our-work/


- Jonas

--
* Jonas Smedegaard - idealist & Internet architect
* Phone: +45 40843136 Website: http://dr.jones.dk/
* Sponsorship: https://ko-fi.com/drjones

[x] quote me freely [ ] ask before reusing [ ] keep private

Ilu
Dec 9, 2023, 5:50:05 AM

On 09.12.23 at 04:07, Paul Wise wrote:
>
> Does anyone have any more info about the changes?
>
Yes, I've seen the leaked document. I (and not only I) think NL-labs'
outlook is too optimistic. It's also necessary to understand that these
kinds of statements (the "update, december 2023") are also part of the
political game of give and take.

The leaked rumor says there have been some improvements, mainly to
address concerns from big platforms and foundations. Only point 3 from
vote A has been addressed. Small projects (point 4) and commercial
endeavours (point 1), like for example Freexian, are still out in the
rain. The reporting obligations for exploited vulnerabilities (point 2)
were doubled and so even became worse. PLD hasn't even been touched yet.
And all this is still only a proposal which needs to be voted on by
parliament (planned for March 2024).
After the parliamentary decision the executive authorities will have to
decide on the provisions for implementation and enforcement. Upcoming
new standards will play a big role. Lobbying will have to go on and
support from Debian will still be needed.

There is also no way and no necessity to adapt the GA text based on
unofficial rumors since ...

> ... the answer from the EU legislative body will not be to read and
> consider each bullet point we make --- ... the European legislative
> bodies will just see "oh, a biggish project opposes CRA".
(Gunnar Wolf on 25.11.23 at 16:59)

And that's all that's necessary.


Bill Allombert
Dec 9, 2023, 3:40:04 PM

On Sat, Dec 09, 2023 at 11:41:08AM +0100, Ilu wrote:
> There is also no way and no necessity to adapt the GA text based on
> unofficial rumors since ...
>
> > ... the answer from the EU legislative body will not be to read and
> > consider each bullet point we make --- ... the European legislative
> > bodies will just see "oh, a biggish project opposes CRA".
> (Gunnar Wolf on 25.11.23 at 16:59)

This is just Gunnar's opinion, not a fact.
It does not quite make sense for Debian to bet that the EU will not read the
position statement. This denatures the purpose of this GR.
If the statement is not meant to be read by the EU, who are the actual
recipients? This should have been clearly stated in the ballot.

Cheers,
--
Bill. <ball...@debian.org>

Florian Weimer
Dec 30, 2023, 2:30:04 PM

* Paul Wise:

> Does anyone have any more info about the changes?

Isn't that the crux of the matter?

It appears that everyone in the EU political process is withholding
details, like the concrete text as it exists today. Selective leaks
are likely manipulative to some extent, perhaps trying to undermine
the credibility of the legislative process itself, without actually
caring much about FOSS.

An objective analysis would need the complete consolidated text,
including translations. The German version tends to be clearer about what
commercial activity is supposed to mean, for example.

Luca Boccassi
Dec 30, 2023, 2:40:03 PM