On Sun, 12 Nov 2023 at 15:10, Santiago Ruano Rincón
<santiag...@riseup.net> wrote:
Dear Debian Fellows,
Following the email sent by Ilu to debian-project (Message-ID:
<4b93ed08-f148-4c7f-b172-f967f7de7...@gmx.net>), and as we have
discussed during the MiniDebConf UY 2023 with other Debian Members, I
would like to call for a vote about issuing a Debian public statement regarding
the EU Cyber Resilience Act (CRA) and the Product Liability Directive
(PLD). The CRA is in the final stage in the legislative process in the
EU Parliament, and we think it will impact negatively the Debian
Project, users, developers, companies that rely on Debian, and the FLOSS
community as a whole. Even if the CRA will be probably adopted before
the time the vote ends (if it takes place), we think it is important to
take a public stand about it.
----- GENERAL RESOLUTION STARTS -----
Debian Public Statement about the EU Cyber Resilience Act and the
Product Liability Directive
The European Union is currently preparing a regulation "on horizontal
cybersecurity requirements for products with digital elements" known as
the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
phase of the legislative process. The act includes a set of essential
cybersecurity and vulnerability handling requirements for manufacturers.
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
assessments and produce technical documentation and for critical
components, have third-party audits conducted. Discoverded security
issues will have to be reported to European authorities within 24 hours
(1). The CRA will be followed up by the Product Liability Directive
(PLD) which will introduce compulsory liability for software. More
information about the proposed legislation and its consequences in (2).
These all seem like good things to me. For too long private
corporations have been allowed to put profit before accountability and
user safety, which often results in long lasting damage for citizens,
monetary or worse. It's about time the wild-west was reined in.
While a lot of these regulations seem reasonable, the Debian project
believes that there are grave problems for Free Software projects
attached to them. Therefore, the Debian project issues the following
statement:
1. Free Software has always been a gift, freely given to society, to
take and to use as seen fit, for whatever purpose. Free Software has
proven to be an asset in our digital age and the proposed EU Cyber
Resilience Act is going to be detrimental to it.
a. It is Debian's goal to "make the best system we can, so that
free works will be widely distributed and used." Imposing requirements
such as those proposed in the act makes it legally perilous for others
to redistribute our works and endangers our commitment to "provide an
integrated system of high-quality materials _with no legal restrictions_
that would prevent such uses of the system". (3)
Debian does not sell products in the single market. Why would any
requirement be imposed, how, and on whom? SPI? Debian France?
b. Knowing whether software is commercial or not isn't feasible,
neither in Debian nor in most free software projects - we don't track
people's employment status or history, nor do we check who finances
upstream projects.
We do know whether something is commercial or not though - for
example, we don't have to provide Debian with warranty to our users,
because we know publishing images on debian.org is not a commercial
activity.
The second statement I find hard to follow, what would employment
status have to do with this?
c. If upstream projects stop developing for fear of being in the
scope of CRA and its financial consequences, system security will
actually get worse instead of better.
Why would projects stop developing? If it's a product sold on the
single market, then it's right that it is subject to these rules. If
it's not a product, then these rules don't affect it, just like rules
on warranties.
d. Having to get legal advice before giving a present to society
will discourage many developers, especially those without a company or
other organisation supporting them.
Same as above. If you are not selling anything, why would you need
legal advice, any more than you already do? The EU Single Market has
many, many rules, this is not the first and won't be the last.
2. Debian is well known for its security track record through practices
of responsible disclosure and coordination with upstream developers and
other Free Software projects. We aim to live up to the commitment made
in the Social Contract: "We will not hide problems." (3)
a. The Free Software community has developed a fine-tuned, well
working system of responsible disclosure in case of security issues
which will be overturned by the mandatory reporting to European
authorities within 24 hours (Art. 11 CRA).
Well, actually the CVE system has a lot of critics - see recent LWN
articles for some examples. So a public authority taking over from
Mitre and other private companies doesn't sound so horrible to me, in
principle - devil's in the details of course.
b. Debian spends a lot of volunteering time on security issues,
provides quick security updates and works closely together with upstream
projects, in coordination with other vendors. To protect its users,
Debian regularly participates in limited embargos to coordinate fixes to
security issues so that all other major Linux distributions can also
have a complete fix when the vulnerability is disclosed.
c. Security issue tracking and remediation is intentionally
decentralized and distributed. The reporting of security issues to
ENISA and the intended propagation to other authorities and national
administrations would collect all software vulnerabilities in one place,
greatly increasing the risk of leaking information about vulnerabilities
to threat actors, representing a threat for all the users around the
world, including European citizens.
This already happens with CVEs though? By a private, unaccountable,
for profit corporation.
d. Activists use Debian (e.g. through derivatives such as Tails),
among other reasons, to protect themselves from authoritarian
governments; handing threat actors exploits they can use for oppression
is against what Debian stands for.
Again, I don't see how this is any different than the status quo.
e. Developers and companies will downplay security issues because
a "security" issue now comes with legal implications. Less clarity on
what is truly a security issue will hurt users by leaving them vulnerable.
Companies already routinely downplay or outright neglect security
issues in their products. It seems the intent of the legislation is to
try and fix precisely that. One might be skeptical on the ability of
the proposed legislation to improve the situation, of course, but
that's a different story.
3. While proprietary software is developed behind closed doors, Free
Software development is done in the open, transparent for everyone. To
keep even with proprietary software the open development process needs
to be entirely exempt from CRA requirements, just as the development of
software in private is. A "making available on the market" can only be
considered after development is finished and the software is released.
4. Even if only "commercial activities" are in the scope of CRA, the
Free Software community - and as a consequence, everybody - will lose a
lot of small projects. CRA will force many small enterprises and most
probably all self employed developers out of business because they
simply cannot fullfill the requirements imposed by CRA. Debian and other
Linux distributions depend on their work. It is not understandable why
the EU aims to cripple not only an established community but also a
thriving market. CRA needs an exemption for small businesses and, at the
very least, solo-entrepreneurs.
To be brutally honest, if some private corporations' viability depends
on being able to ignore glaring security issues that can harm their
users, then I for one am all for them going out of business. Just like
if a company's existence relies on the ability to breach privacy with
impunity and is hampered by the GDPR, and so on.
To do a reductio ad absurdum to illustrate my point, if a free
software project's existence depended exclusively on an oil&gas
corporation being able to pollute the environment and worsen climate
change with impunity because the author is employed there, would it be
worth it? The answer for me is categorically no. Especially given it's
free software! The whole point of it is that someone else can maintain
it, or the author can find a different source of income, and the
project can continue - it's free, it's by definition not locked in one
corporation.
All in all, given how the situation is explained here, I do not
understand where the issue is, for us as a project or as free software
developers. I do not see any convincing argument at all as to why this
is detrimental to Debian or free software, and the only link that is
made is tenuous at best: maybe some free software developer is also
employed by a company who is negatively affected by this. There are
many, many things that can negatively affect anyone's employer, I do
not see why, by itself, this should warrant a project statement.
