Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Hi,

On 11/13/23 02:47, Lisandro Damián Nicanor Pérez Meyer wrote:
> Similarly, where the main contributors to free and open-source projects are developers employed by commercial entities and when such developers or the employer can exercise control as to which modifications are accepted in the code base, the project should generally be considered to be of a commercial nature.
>
> So basically this means Qt will be considered a commercial product _even_ if it's totally open source (at least in the way we ship it in Debian). Even more, it can even be argued that if we ship it _and_ I get to patch it (we do), then I might be responsible for it, which to me makes no sense at all.

It likely applies to systemd.

Simon
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Sun, Nov 12, 2023 at 01:03:38PM -0600, Simon Quigley wrote:
> Just for good measure, seconded.

This is the 5th second.

Kurt
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Just for good measure, seconded.

If this does go through, I am curious about the wider impact this has on the free software and open source community, outside the EU. As a United States citizen, I fear fragmentation in software availability and licenses that could potentially "wall off" the EU further from the rest of the world.

Deeply concerning to see.

On 11/12/23 09:10 AM, Santiago Ruano Rincón wrote:
> Dear Debian Fellows,
>
> Following the email sent by Ilu to debian-project (Message-ID: <4b93ed08-f148-4c7f-b172-f967f7de7...@gmx.net>), and as we have discussed during the MiniDebConf UY 2023 with other Debian Members, I would like to call for a vote about issuing a Debian public statement regarding the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD). The CRA is in the final stage in the legislative process in the EU Parliament, and we think it will impact negatively the Debian Project, users, developers, companies that rely on Debian, and the FLOSS community as a whole. Even if the CRA will probably be adopted before the time the vote ends (if it takes place), we think it is important to take a public stand about it.
>
> - GENERAL RESOLUTION STARTS -
>
> Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive
>
> The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. More information about the proposed legislation and its consequences in (2).
>
> While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement:
>
> 1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it.
>
> a. It is Debian's goal to "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our works and endangers our commitment to "provide an integrated system of high-quality materials _with no legal restrictions_ that would prevent such uses of the system". (3)
>
> b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects.
>
> c. If upstream projects stop developing for fear of being in the scope of CRA and its financial consequences, system security will actually get worse instead of better.
>
> d. Having to get legal advice before giving a present to society will discourage many developers, especially those without a company or other organisation supporting them.
>
> 2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Social Contract: "We will not hide problems." (3)
>
> a. The Free Software community has developed a fine-tuned, well working system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA).
>
> b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects, in coordination with other vendors. To protect its users, Debian regularly participates in limited embargos to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed.
>
> c. Security issue tracking and remediation is intentionally decentralized and distributed. The reporting of security issues to
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
"Art. 3 (1) ‘product with digital elements’ means any software or hardware product ... (18) ‘manufacturer’ means any natural or legal person who develops or manufactures products with digital elements ... and markets them under his or her name or trademark, whether for payment or free of charge; (23) ‘making available on the market’ means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity ..." Am 12.11.23 um 19:19 schrieb Luca Boccassi: > I don't see how the fact that Github is > not responsible for software hosted on its platform goes to imply that > ever such software is a product. Whether something is or is not a > product on the market is already quite clear, and the sources cited in > the original mail themselves say that the CRA does not change this > aspect. Because everybody agrees that software is a product. And if you can download the product on github or elsewhere, it's made available. There is an explicit exemption only for the platform, not for the uploader. It's fine if you think your software is not a product, but be aware that european market authorities will not agree with you. > Are you responsible for the warranty for > software you push to Github if someone git clones it? Of course not. Not yet, but this will change, depending on whether the activity is considered commercial or not. Of course the details are still unclear. In your example, pushing to your repo might not count as "making available" (thanks to a lot of lobbying), but tagging a release probably does. What about CI artifacts? Nobody knows. > Because repositories on Github are not products on the single market. Obviously repositories are not products. Software is. I'm not spreading fud. I've read the stuff, I'm working on this since FOSDEM, I have the necessary background and I participate in weekly meetings with several big FOSS organisations/foundations. 
This workgroup had frequent consultations with EU representatives. We are not spending considerable time on non-issues. Ilu
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Sun, 12 Nov 2023 at 18:11, Ilulu wrote:
> On 12.11.23 at 19:01, Luca Boccassi wrote:
> > Yes - if it's "made available on the market", which is in the first bit that was snipped. Pushing a repository on Gitlab is not "making available on the market".
>
> You are wrong. It is. That's why the proposal has:
>
> "(10d) The sole act of hosting free and open-source software on open repositories does not in itself constitute making available on the market of a product with digital elements. As such, most package managers, code hosting and collaboration platforms should not be considered as distributors under the meaning of this Regulation."
>
> ... which means that GITHUB is not responsible for the repo you pushed.

Sure, it would be very strange if it was.

> But you are. You are the manufacturer of that software product, you make it available, and whether this is "on the market" = commercial depends on a lot of things: how many donations you get and from whom, who your employer is, or who else is working on that repo ... and so on, depending on how the wording of CRA-Recital 10 will turn out in the end. You better ask your lawyer.

But this is a non-sequitur. I don't see how the fact that Github is not responsible for software hosted on its platform goes to imply that every such software is a product. Whether something is or is not a product on the market is already quite clear, and the sources cited in the original mail themselves say that the CRA does not change this aspect. There are many, many, many regulations affecting products put on the single market - I've already cited one that should be familiar to everyone, warranties. Are you responsible for the warranty for software you push to Github if someone git clones it? Of course not. Because repositories on Github are not products on the single market.
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On 12.11.23 at 19:01, Luca Boccassi wrote:
> Yes - if it's "made available on the market", which is in the first bit that was snipped. Pushing a repository on Gitlab is not "making available on the market".

You are wrong. It is. That's why the proposal has:

"(10d) The sole act of hosting free and open-source software on open repositories does not in itself constitute making available on the market of a product with digital elements. As such, most package managers, code hosting and collaboration platforms should not be considered as distributors under the meaning of this Regulation."

... which means that GITHUB is not responsible for the repo you pushed. But you are. You are the manufacturer of that software product, you make it available, and whether this is "on the market" = commercial depends on a lot of things: how many donations you get and from whom, who your employer is, or who else is working on that repo ... and so on, depending on how the wording of CRA-Recital 10 will turn out in the end. You better ask your lawyer.
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Sun, 12 Nov 2023 at 17:47, Lisandro Damián Nicanor Pérez Meyer wrote:
> Hi,
>
> On Sun, 12 Nov 2023 at 14:35, Ilulu wrote:
> > [snip]
> > (10a) For example, a fully decentralised development model, where no single commercial entity exercises control over what is accepted into the project’s code base, should be taken as an indication that the product has been developed in a non-commercial setting. On the other hand, where free and open source software is developed by a single organisation or an asymmetric community, where a single organisation is generating revenues from related use in business relationships, this should be considered to be a commercial activity. Similarly, where the main contributors to free and open-source projects are developers employed by commercial entities and when such developers or the employer can exercise control as to which modifications are accepted in the code base, the project should generally be considered to be of a commercial nature.
>
> So basically this means Qt will be considered a commercial product _even_ if it's totally open source (at least in the way we ship it in Debian). Even more, it can even be argued that if we ship it _and_ I get to patch it (we do), then I might be responsible for it, which to me makes no sense at all.

Yes - if it's "made available on the market", which is in the first bit that was snipped. Pushing a repository on Gitlab is not "making available on the market". Selling QT as a supported toolkit to third parties that then integrate it in their products or services or use it internally, is. If you do the former, nothing changes for you. If you do the latter, then you are affected - and that's a _good_ thing!
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Sun, 12 Nov 2023 at 17:35, Ilulu wrote:
> On 12.11.23 at 18:09, Luca Boccassi wrote:
> > We do know whether something is commercial or not though ...
>
> I sincerely doubt that. Just to illustrate this I'm citing a part (only a part) of one of the regulation drafts which are presently considered in trilogue.
>
> "(10) Only free and open-source made available on the market in the course of a commercial activity should be covered by this Regulation. Whether a free and open-source product has been made available as part of a commercial activity should be assessed on a product-by-product basis, looking at both the development model and the supply phase of the free and open-source product with digital elements.
>
> (10a) For example, a fully decentralised development model, where no single commercial entity exercises control over what is accepted into the project’s code base, should be taken as an indication that the product has been developed in a non-commercial setting. On the other hand, where free and open source software is developed by a single organisation or an asymmetric community, where a single organisation is generating revenues from related use in business relationships, this should be considered to be a commercial activity. Similarly, where the main contributors to free and open-source projects are developers employed by commercial entities and when such developers or the employer can exercise control as to which modifications are accepted in the code base, the project should generally be considered to be of a commercial nature.
>
> (10b) With regards to the supply phase, in the context of free and open-source software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, when this does not serve only the recuperation of actual costs, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. Accepting donations without the intention of making a profit should not count as a commercial activity, unless such donations are made by commercial entities and are recurring in nature."

That all looks exceedingly clear to me: if you are selling a product or a service, then just because the software is free software doesn't exempt you from being liable for its security. That's good! Great, even. If a for-profit private company, say, sells a phone running Debian, just because Debian is open source doesn't mean it should get away with not providing security support to its customers. Just as it doesn't discount it from the minimum warranty period - if you buy the phone and it doesn't work, they can't just say "sorry it's the open source software's fault, no refund/exchange", and so on. It seems clear to me what the intent of the legislators is here: avoid loopholes.

Another ad-absurdum: if Microsoft were to push all the code behind Azure to Github, it shouldn't mean that it should be exempt from providing security support to its customers according to this legislation, just because it's open source. That sounds like a good thing to me!

As far as I can see, the key thing here is always that there's a product put on the single market. Pushing a repository to Github is not putting a product on the market. Publishing Debian images on debian.org is not putting a product on the market. Selling a service that uses a Debian image is - and then the service provider is the party responsible.
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Hi,

On Sun, 12 Nov 2023 at 14:35, Ilulu wrote:
> [snip]
> (10a) For example, a fully decentralised development model, where no single commercial entity exercises control over what is accepted into the project’s code base, should be taken as an indication that the product has been developed in a non-commercial setting. On the other hand, where free and open source software is developed by a single organisation or an asymmetric community, where a single organisation is generating revenues from related use in business relationships, this should be considered to be a commercial activity. Similarly, where the main contributors to free and open-source projects are developers employed by commercial entities and when such developers or the employer can exercise control as to which modifications are accepted in the code base, the project should generally be considered to be of a commercial nature.

So basically this means Qt will be considered a commercial product _even_ if it's totally open source (at least in the way we ship it in Debian). Even more, it can even be argued that if we ship it _and_ I get to patch it (we do), then I might be responsible for it, which to me makes no sense at all.
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On 12.11.23 at 18:38, Luca Boccassi wrote:
> Which definitions does the proposal use? Could you please quote them? The first two links do not provide any, as far as I can see. The third link (a blog post, not a piece of legislation) explicitly says: "the Cyber Resilience Act does not define commercial activity".

The first two links are aggregated pages from the European Parliament's website. They link to the relevant legal documents under the sections "References" and "Further reading". Have fun :-)
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Sun, 12 Nov 2023 at 17:29, Scott Kitterman wrote:
> On November 12, 2023 5:09:26 PM UTC, Luca Boccassi wrote:
> > On Sun, 12 Nov 2023 at 15:10, Santiago Ruano Rincón wrote:
> > > Dear Debian Fellows,
> > >
> > > Following the email sent by Ilu to debian-project (Message-ID: <4b93ed08-f148-4c7f-b172-f967f7de7...@gmx.net>), and as we have discussed during the MiniDebConf UY 2023 with other Debian Members, I would like to call for a vote about issuing a Debian public statement regarding the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD). The CRA is in the final stage in the legislative process in the EU Parliament, and we think it will impact negatively the Debian Project, users, developers, companies that rely on Debian, and the FLOSS community as a whole. Even if the CRA will probably be adopted before the time the vote ends (if it takes place), we think it is important to take a public stand about it.
> > >
> > > - GENERAL RESOLUTION STARTS -
> > >
> > > Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive
> > >
> > > The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. More information about the proposed legislation and its consequences in (2).
> >
> > These all seem like good things to me. For too long private corporations have been allowed to put profit before accountability and user safety, which often results in long lasting damage for citizens, monetary or worse. It's about time the wild-west was reined in.
> >
> > > While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement:
> > >
> > > 1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it.
> > >
> > > a. It is Debian's goal to "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our works and endangers our commitment to "provide an integrated system of high-quality materials _with no legal restrictions_ that would prevent such uses of the system". (3)
> >
> > Debian does not sell products in the single market. Why would any requirement be imposed, how, and on whom? SPI? Debian France?
> >
> > > b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects.
> >
> > We do know whether something is commercial or not though - for example, we don't have to provide Debian with warranty to our users, because we know publishing images on debian.org is not a commercial activity.
> > The second statement I find hard to follow, what would employment status have to do with this?
> >
> > > c. If upstream projects stop developing for fear of being in the scope of CRA and its financial consequences, system security will actually get worse instead of better.
> >
> > Why would projects stop developing? If it's a product sold on the single market, then it's right that it is subject to these rules. If it's not a product, then these rules don't affect it, just like rules on warranties.
> >
> > > d. Having to get legal advice before giving a present to society will discourage many developers, especially those without a company or other organisation supporting them.
> >
> > Same as above. If you are not selling anything, why would you need legal advice, any more than you already do?
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On 12.11.23 at 18:09, Luca Boccassi wrote:
> We do know whether something is commercial or not though ...

I sincerely doubt that. Just to illustrate this I'm citing a part (only a part) of one of the regulation drafts which are presently considered in trilogue.

"(10) Only free and open-source made available on the market in the course of a commercial activity should be covered by this Regulation. Whether a free and open-source product has been made available as part of a commercial activity should be assessed on a product-by-product basis, looking at both the development model and the supply phase of the free and open-source product with digital elements.

(10a) For example, a fully decentralised development model, where no single commercial entity exercises control over what is accepted into the project’s code base, should be taken as an indication that the product has been developed in a non-commercial setting. On the other hand, where free and open source software is developed by a single organisation or an asymmetric community, where a single organisation is generating revenues from related use in business relationships, this should be considered to be a commercial activity. Similarly, where the main contributors to free and open-source projects are developers employed by commercial entities and when such developers or the employer can exercise control as to which modifications are accepted in the code base, the project should generally be considered to be of a commercial nature.

(10b) With regards to the supply phase, in the context of free and open-source software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, when this does not serve only the recuperation of actual costs, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. Accepting donations without the intention of making a profit should not count as a commercial activity, unless such donations are made by commercial entities and are recurring in nature."

On 12.11.23 at 18:17, Scott Kitterman wrote:
> Then I would encourage you to do a bit of research on the topic. Given the definitions being used in the proposal, Debian and most, if not all, of its upstreams are squarely within the realm of affected software. If this is passed, I am seriously considering ceasing all free software work, because it's not at all clear it's possible to avoid legal liability for things that I can't reasonably control as a single developer.

Exactly.

Ilu

On 12.11.23 at 18:09, Luca Boccassi wrote:
> On Sun, 12 Nov 2023 at 15:10, Santiago Ruano Rincón wrote:
> > Dear Debian Fellows,
> >
> > Following the email sent by Ilu to debian-project (Message-ID: <4b93ed08-f148-4c7f-b172-f967f7de7...@gmx.net>), and as we have discussed during the MiniDebConf UY 2023 with other Debian Members, I would like to call for a vote about issuing a Debian public statement regarding the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD). The CRA is in the final stage in the legislative process in the EU Parliament, and we think it will impact negatively the Debian Project, users, developers, companies that rely on Debian, and the FLOSS community as a whole. Even if the CRA will probably be adopted before the time the vote ends (if it takes place), we think it is important to take a public stand about it.
> >
> > - GENERAL RESOLUTION STARTS -
> >
> > Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive
> >
> > The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. More information about the proposed legislation and its consequences in (2).
>
> These all seem like good things to me. For too long private corporations have been allowed to put profit before accountability and user safety, which often results in long lasting damage for citizens, monetary or worse. It's about time the wild-west was reined in.
>
> > While a lot of these
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On November 12, 2023 5:09:26 PM UTC, Luca Boccassi wrote:
> On Sun, 12 Nov 2023 at 15:10, Santiago Ruano Rincón wrote:
> > Dear Debian Fellows,
> >
> > Following the email sent by Ilu to debian-project (Message-ID: <4b93ed08-f148-4c7f-b172-f967f7de7...@gmx.net>), and as we have discussed during the MiniDebConf UY 2023 with other Debian Members, I would like to call for a vote about issuing a Debian public statement regarding the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD). The CRA is in the final stage in the legislative process in the EU Parliament, and we think it will impact negatively the Debian Project, users, developers, companies that rely on Debian, and the FLOSS community as a whole. Even if the CRA will probably be adopted before the time the vote ends (if it takes place), we think it is important to take a public stand about it.
> >
> > - GENERAL RESOLUTION STARTS -
> >
> > Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive
> >
> > The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. More information about the proposed legislation and its consequences in (2).
>
> These all seem like good things to me. For too long private corporations have been allowed to put profit before accountability and user safety, which often results in long lasting damage for citizens, monetary or worse. It's about time the wild-west was reined in.
>
> > While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement:
> >
> > 1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it.
> >
> > a. It is Debian's goal to "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our works and endangers our commitment to "provide an integrated system of high-quality materials _with no legal restrictions_ that would prevent such uses of the system". (3)
>
> Debian does not sell products in the single market. Why would any requirement be imposed, how, and on whom? SPI? Debian France?
>
> > b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects.
>
> We do know whether something is commercial or not though - for example, we don't have to provide Debian with warranty to our users, because we know publishing images on debian.org is not a commercial activity.
> The second statement I find hard to follow, what would employment status have to do with this?
>
> > c. If upstream projects stop developing for fear of being in the scope of CRA and its financial consequences, system security will actually get worse instead of better.
>
> Why would projects stop developing? If it's a product sold on the single market, then it's right that it is subject to these rules. If it's not a product, then these rules don't affect it, just like rules on warranties.
>
> > d. Having to get legal advice before giving a present to society will discourage many developers, especially those without a company or other organisation supporting them.
>
> Same as above. If you are not selling anything, why would you need legal advice, any more than you already do? The EU Single Market has many, many rules, this is not the first and won't be the last.
>
> > 2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Sun, 12 Nov 2023 at 15:10, Santiago Ruano Rincón wrote:
>
> Dear Debian Fellows,
>
> Following the email sent by Ilu to debian-project (Message-ID: <4b93ed08-f148-4c7f-b172-f967f7de7...@gmx.net>), and as we have discussed during the MiniDebConf UY 2023 with other Debian Members, I would like to call for a vote about issuing a Debian public statement regarding the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD). The CRA is in the final stage in the legislative process in the EU Parliament, and we think it will impact negatively the Debian Project, users, developers, companies that rely on Debian, and the FLOSS community as a whole. Even if the CRA will be probably adopted before the time the vote ends (if it takes place), we think it is important to take a public stand about it.
>
> - GENERAL RESOLUTION STARTS -
>
> Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive
>
> The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. More information about the proposed legislation and its consequences in (2).

These all seem like good things to me. For too long private corporations have been allowed to put profit before accountability and user safety, which often results in long lasting damage for citizens, monetary or worse. It's about time the wild-west was reined in.

> While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement:
>
> 1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it.
> a. It is Debian's goal to "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our works and endangers our commitment to "provide an integrated system of high-quality materials _with no legal restrictions_ that would prevent such uses of the system". (3)

Debian does not sell products in the single market. Why would any requirement be imposed, how, and on whom? SPI? Debian France?

> b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects.

We do know whether something is commercial or not though - for example, we don't have to provide Debian with warranty to our users, because we know publishing images on debian.org is not a commercial activity.
The second statement I find hard to follow, what would employment status have to do with this?

> c. If upstream projects stop developing for fear of being in the scope of CRA and its financial consequences, system security will actually get worse instead of better.

Why would projects stop developing? If it's a product sold on the single market, then it's right that it is subject to these rules. If it's not a product, then these rules don't affect it, just like rules on warranties.

> d. Having to get legal advice before giving a present to society will discourage many developers, especially those without a company or other organisation supporting them.

Same as above. If you are not selling anything, why would you need legal advice, any more than you already do? The EU Single Market has many, many rules, this is not the first and won't be the last.

> 2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Social Contract: "We will not hide problems." (3)
>
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Hi,

Thanks for pushing this forward. Seconded.

Cheers,
Nicolas

On Sun, Nov 12, 2023 at 12:10:21PM -0300, Santiago Ruano Rincón wrote:
> Dear Debian Fellows,
>
> Following the email sent by Ilu to debian-project (Message-ID: <4b93ed08-f148-4c7f-b172-f967f7de7...@gmx.net>), and as we have discussed during the MiniDebConf UY 2023 with other Debian Members, I would like to call for a vote about issuing a Debian public statement regarding the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD). The CRA is in the final stage in the legislative process in the EU Parliament, and we think it will impact negatively the Debian Project, users, developers, companies that rely on Debian, and the FLOSS community as a whole. Even if the CRA will be probably adopted before the time the vote ends (if it takes place), we think it is important to take a public stand about it.
>
> - GENERAL RESOLUTION STARTS -
>
> Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive
>
> The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. More information about the proposed legislation and its consequences in (2).
>
> While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement:
>
> 1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it.
> a. It is Debian's goal to "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our works and endangers our commitment to "provide an integrated system of high-quality materials _with no legal restrictions_ that would prevent such uses of the system". (3)
>
> b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects.
>
> c. If upstream projects stop developing for fear of being in the scope of CRA and its financial consequences, system security will actually get worse instead of better.
>
> d. Having to get legal advice before giving a present to society will discourage many developers, especially those without a company or other organisation supporting them.
>
> 2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Social Contract: "We will not hide problems." (3)
> a. The Free Software community has developed a fine-tuned, well working system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA).
>
> b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects, in coordination with other vendors. To protect its users, Debian regularly participates in limited embargoes to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed.
>
> c. Security issue tracking and remediation is intentionally decentralized and distributed. The reporting of security issues to ENISA and the intended propagation to other authorities and national administrations would collect all software vulnerabilities in one place, greatly
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
I have also been part of the discussion on the Mini DebConf and I second this.

On 12/11/23 12:10, Santiago Ruano Rincón wrote:
> Dear Debian Fellows,
>
> Following the email sent by Ilu to debian-project (Message-ID: <4b93ed08-f148-4c7f-b172-f967f7de7...@gmx.net>), and as we have discussed during the MiniDebConf UY 2023 with other Debian Members, I would like to call for a vote about issuing a Debian public statement regarding the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD). The CRA is in the final stage in the legislative process in the EU Parliament, and we think it will impact negatively the Debian Project, users, developers, companies that rely on Debian, and the FLOSS community as a whole. Even if the CRA will be probably adopted before the time the vote ends (if it takes place), we think it is important to take a public stand about it.
>
> - GENERAL RESOLUTION STARTS -
>
> Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive
>
> The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. More information about the proposed legislation and its consequences in (2).
>
> While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement:
>
> 1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it.
> a. It is Debian's goal to "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our works and endangers our commitment to "provide an integrated system of high-quality materials _with no legal restrictions_ that would prevent such uses of the system". (3)
>
> b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects.
>
> c. If upstream projects stop developing for fear of being in the scope of CRA and its financial consequences, system security will actually get worse instead of better.
>
> d. Having to get legal advice before giving a present to society will discourage many developers, especially those without a company or other organisation supporting them.
>
> 2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Social Contract: "We will not hide problems." (3)
> a. The Free Software community has developed a fine-tuned, well working system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA).
>
> b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects, in coordination with other vendors. To protect its users, Debian regularly participates in limited embargoes to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed.
>
> c. Security issue tracking and remediation is intentionally decentralized and distributed. The reporting of security issues to ENISA and the intended propagation to other authorities and national administrations would collect all software vulnerabilities in one place, greatly increasing the risk of leaking information about vulnerabilities to threat actors, representing a threat for all the
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Sun, Nov 12, 2023 at 12:10:21PM -0300, Santiago Ruano Rincón wrote:
> I would like to call for a vote about issuing a Debian public statement regarding the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD).

I also second this vote, reported verbatim hereafter.

> - GENERAL RESOLUTION STARTS -
>
> Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive
>
> The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. More information about the proposed legislation and its consequences in (2).
>
> While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement:
>
> 1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it.
> a. It is Debian's goal to "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our works and endangers our commitment to "provide an integrated system of high-quality materials _with no legal restrictions_ that would prevent such uses of the system". (3)
>
> b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects.
>
> c. If upstream projects stop developing for fear of being in the scope of CRA and its financial consequences, system security will actually get worse instead of better.
>
> d. Having to get legal advice before giving a present to society will discourage many developers, especially those without a company or other organisation supporting them.
>
> 2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Social Contract: "We will not hide problems." (3)
> a. The Free Software community has developed a fine-tuned, well working system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA).
>
> b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects, in coordination with other vendors. To protect its users, Debian regularly participates in limited embargoes to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed.
>
> c. Security issue tracking and remediation is intentionally decentralized and distributed. The reporting of security issues to ENISA and the intended propagation to other authorities and national administrations would collect all software vulnerabilities in one place, greatly increasing the risk of leaking information about vulnerabilities to threat actors, representing a threat for all the users around the world, including European citizens.
>
> d. Activists use Debian (e.g. through derivatives such as Tails), among other reasons, to protect themselves from authoritarian governments; handing threat actors exploits they can use for oppression is against what Debian stands for.
>
> e. Developers and companies will downplay security issues because a "security" issue now comes with legal implications. Less clarity on what is truly a
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
We discussed the text quoted below (that is, the full text that Santiago just sent), and I find its wide discussion and, at least, understanding of utmost importance to the free software community as a whole. I wholeheartedly second the call for votes with this text.

Santiago Ruano Rincón wrote [Sun, Nov 12, 2023 at 12:10:21PM -0300]:
> Dear Debian Fellows,
>
> Following the email sent by Ilu to debian-project (Message-ID: <4b93ed08-f148-4c7f-b172-f967f7de7...@gmx.net>), and as we have discussed during the MiniDebConf UY 2023 with other Debian Members, I would like to call for a vote about issuing a Debian public statement regarding the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD). The CRA is in the final stage in the legislative process in the EU Parliament, and we think it will impact negatively the Debian Project, users, developers, companies that rely on Debian, and the FLOSS community as a whole. Even if the CRA will be probably adopted before the time the vote ends (if it takes place), we think it is important to take a public stand about it.
>
> - GENERAL RESOLUTION STARTS -
>
> Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive
>
> The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. More information about the proposed legislation and its consequences in (2).
>
> While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement:
>
> 1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it.
> a. It is Debian's goal to "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our works and endangers our commitment to "provide an integrated system of high-quality materials _with no legal restrictions_ that would prevent such uses of the system". (3)
>
> b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects.
>
> c. If upstream projects stop developing for fear of being in the scope of CRA and its financial consequences, system security will actually get worse instead of better.
>
> d. Having to get legal advice before giving a present to society will discourage many developers, especially those without a company or other organisation supporting them.
>
> 2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Social Contract: "We will not hide problems." (3)
> a. The Free Software community has developed a fine-tuned, well working system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA).
>
> b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects, in coordination with other vendors. To protect its users, Debian regularly participates in limited embargoes to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed.
>
> c. Security issue tracking and remediation is intentionally decentralized and distributed. The
Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Dear Debian Fellows,

Following the email sent by Ilu to debian-project (Message-ID: <4b93ed08-f148-4c7f-b172-f967f7de7...@gmx.net>), and as we have discussed during the MiniDebConf UY 2023 with other Debian Members, I would like to call for a vote about issuing a Debian public statement regarding the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD). The CRA is in the final stage in the legislative process in the EU Parliament, and we think it will impact negatively the Debian Project, users, developers, companies that rely on Debian, and the FLOSS community as a whole. Even if the CRA will be probably adopted before the time the vote ends (if it takes place), we think it is important to take a public stand about it.

- GENERAL RESOLUTION STARTS -

Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive

The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. More information about the proposed legislation and its consequences in (2).

While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement:

1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it.
a. It is Debian's goal to "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our works and endangers our commitment to "provide an integrated system of high-quality materials _with no legal restrictions_ that would prevent such uses of the system". (3)

b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects.

c. If upstream projects stop developing for fear of being in the scope of CRA and its financial consequences, system security will actually get worse instead of better.

d. Having to get legal advice before giving a present to society will discourage many developers, especially those without a company or other organisation supporting them.

2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Social Contract: "We will not hide problems." (3)
a. The Free Software community has developed a fine-tuned, well working system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA).

b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects, in coordination with other vendors. To protect its users, Debian regularly participates in limited embargoes to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed.

c. Security issue tracking and remediation is intentionally decentralized and distributed. The reporting of security issues to ENISA and the intended propagation to other authorities and national administrations would collect all software vulnerabilities in one place, greatly increasing the risk of leaking information about vulnerabilities to threat actors, representing a threat for all the users around the world, including European citizens.

d. Activists use Debian (e.g. through derivatives such as Tails), among other reasons, to protect themselves from