Re: This does not have to be a GR
Hi Kurt

On 2023/11/22 01:37, Kurt Roeckx wrote:
> > While Debian has stakes in the CRA, and should issue a statement if
> > only to show we exist, I am quite sure that a GR is not necessary for Debian
> > to issue such statement, and I am quite unconvinced the GR process is the best
> > option for the purpose of drafting such statement.
> >
> > I note that this is not the first law proposal that impacts Debian and we never
> > did use the GR process for issuing a position statement.
> >
> > The DPL could delegate to a group of people knowledgeable in EU law to draft
> > a statement that is congruent with the interest of Debian.
>
> I'm not sure that the DPL has such authority, since it's a power given to
> the developers by way of GR.

I don't think that works, because then it could be argued that any delegation's decisions can be overridden by a GR and has thenceforth already been delegated. So, I believe it is possible to have such a delegation. Although, whether it would be a good idea is an entirely different issue.

I do think we should have a proper discussion about how we want to treat comments on legislation (although not during this GR), because we've refrained from doing so when it affects both free software and Debian in other regions of the world.

> I would also like to point out that, in the current state, on Saturday the
> discussion period is over and a vote is automatically called.

While I think this could use more discussion, I'm not currently planning on extending the discussion period for this vote unless there is sufficient demand for it. If there's more than one person who still wants to work on a proposal or if there's some aspect we need to explore further, then it can be extended.

-Jonathan

PS: While I didn't cite our constitution in this mail, I'm including a link here for convenience, since I often refer to it myself when I want to make sure whether I remember some detail correctly: https://www.debian.org/devel/constitution
Re: This does not have to be a GR
On Tue, Nov 21, 2023 at 10:26:09PM +0100, Bill Allombert wrote:
> Dear Debian voters,
>
> While Debian has stakes in the CRA, and should issue a statement if
> only to show we exist, I am quite sure that a GR is not necessary for Debian
> to issue such statement, and I am quite unconvinced the GR process is the best
> option for the purpose of drafting such statement.
>
> I note that this is not the first law proposal that impacts Debian and we never
> did use the GR process for issuing a position statement.
>
> The DPL could delegate to a group of people knowledgeable in EU law to draft
> a statement that is congruent with the interest of Debian.

I'm not sure that the DPL has such authority, since it's a power given to the developers by way of GR.

I would also like to point out that, in the current state, on Saturday the discussion period is over and a vote is automatically called.

Kurt
Re: This does not have to be a GR
Bill Allombert said [Tue, Nov 21, 2023 at 10:26:09PM +0100]:
> Dear Debian voters,
>
> While Debian has stakes in the CRA, and should issue a statement if
> only to show we exist, I am quite sure that a GR is not necessary for Debian
> to issue such statement, and I am quite unconvinced the GR process is the best
> option for the purpose of drafting such statement.
>
> I note that this is not the first law proposal that impacts Debian and we never
> did use the GR process for issuing a position statement.

We never did _successfully_ use it. We have _tried_ to use it (i.e. 2021_002).

I suggested we do a GR to give the proposal, in case it gets accepted, more legitimacy. We can, IMO, express the project opinion via:

① A personal initiative / delegation from the DPL (that can stem from a request made to them or can be initiated by the DPL themself),

② The Technical Committee, requested formally by project members, or speaking of its own initiative (at some point, I argued that one of the TC members could be the "Random DD" asking the TC for their opinion on a given matter), or

③ The GR process.

At this point, and in part given that GR 2021_003 introduced time limits, I think the GR process might produce the swiftest results, and it will yield the best legitimacy-wise (i.e. the whole project is invited to debate and improve the proposed text, and accept it above/below the approval threshold).

> The DPL could delegate to a group of people knowledgeable in EU law to draft
> a statement that is congruent with the interest of Debian.

This text was in fact drafted by a lawyer (I don't know if by a _set_ of lawyers) and discussed among DDs at several in-person meetings before reaching this stage. I strongly advocated using the GR process, as it has already been subjected to a long discussion, and the timeframe for it to be usefully considered is drawing to an end.

Please do note that I did not submit the text myself: I thought it would be better for Santiago, who was the only present DD with European nationality (French), to be the presenter (and me being "just" a seconder). But yes, I stand behind arguing for this document to be GR'ed.

> EU law is significantly different from US law and publishing a statement that
> either misrepresents the CRA or the current state of EU law is not likely to
> be taken seriously, so we need some care.
>
> We have legitimate reasons to feel concerned by the impact of this law, but
> all the more reasons to act cautiously.
>
> I advocated previously against using the GR process to issue statements
> related to non-technical issues outside of Debian and I reiterate it here.

I believe it is the right venue to process and discuss this kind of argument. I'm willing to have this discussion as well --- but do note that the GR proposal has already been submitted. Of course, seconders can "un-second" it, and the Secretary might decide to withdraw the process if it happens. But I believe there is no reason for this to continue its course, maybe in parallel to this discussion.
This does not have to be a GR
Dear Debian voters,

While Debian has stakes in the CRA, and should issue a statement if only to show we exist, I am quite sure that a GR is not necessary for Debian to issue such statement, and I am quite unconvinced the GR process is the best option for the purpose of drafting such statement.

I note that this is not the first law proposal that impacts Debian and we never did use the GR process for issuing a position statement.

The DPL could delegate to a group of people knowledgeable in EU law to draft a statement that is congruent with the interest of Debian.

EU law is significantly different from US law and publishing a statement that either misrepresents the CRA or the current state of EU law is not likely to be taken seriously, so we need some care.

We have legitimate reasons to feel concerned by the impact of this law, but all the more reasons to act cautiously.

I advocated previously against using the GR process to issue statements related to non-technical issues outside of Debian and I reiterate it here.

Cheers,
--
Bill. Imagine a large red swirl here.
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Tue, 21 Nov 2023 at 16:46, Salvo Tomaselli wrote:
>
> On Tuesday, 21 November 2023 16:13:32 CET, Luca Boccassi wrote:
>
> > Microsoft was not happy with having to unbundle Bing and Edge from
> > Windows.
>
> It is still impossible to uninstall edge...

https://arstechnica.com/gadgets/2023/11/europeans-can-soon-strip-bing-edge-other-microsoft-cruft-from-windows-11/
Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Santiago Ruano Rincón said [Tue, Nov 21, 2023 at 01:15:40PM -0300]:
> > > I second adding this version to the vote
> >
> > I'm getting a bad signature on this.
> >
> > > On Mon, 20 Nov 2023 at 00:22, Luca Boccassi wrote:
> > > Second version, taking into account feedback. Looking for seconds at
> > > this point:
> >
> > Maybe Santiago wants to adopt this text, rather than having 2 options?
>
> The initial proposal was made collectively, and now I realise I should
> have signed with a "On behalf of the Debian fellows in Montevideo". So
> it is not only me to decide.
>
> Anyway, IMHO, it is good to have more than one option.

As one of the seconders --- I know it's up to Santiago to formally adopt or reject the modification to the text he submitted, but yes, this text was the result of –at least– a couple of hours of us working collectively over a text drafted by Ilu. It will surely have some English non-native weirdnesses, as highlighted by Wookey; I'm willing to adopt Wookey's suggestions, as they don't change tone or meaning.

As for Luca's proposed version, it _is_ a worthy proposal, and I'll surely vote it above "Further Discussion". But it strongly changes the tone used. I'm happier with the original version.

I believe this highlights the strength of Condorcet-based voting systems. If Santiago were to adopt the new text, we might get a situation –as happened in vote 2016-002 leading to 2016-004– where the "softer" version does not get the traction, where the original, "raw" version does.

Thanks!

- Gunnar.
Re: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Thanks to those who have spotted errors and have proposed fixes! I am collecting more patches, and I will send an updated proposal as soon as possible. But I won't be able to do it earlier than tomorrow Wednesday, when I will be in the Northern hemisphere.

On 21/11/23 at 12:01, Miriam Ruiz wrote:
> s/Discoverded/Discovered/
> s/fullfill/fulfill/
>
> On Sun, 19 Nov 2023 at 22:53, Debian Project Secretary - Kurt
> Roeckx wrote:
> >
> > A General Resolution has been started about a statement
> > about the EU Legislation "Cyber Resilience Act and Product Liability
> > Directive"
> >
> > More information can be found at:
> > https://www.debian.org/vote/2023/vote_002
> >
> >
> > Kurt Roeckx
> > Debian Project Secretary
Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On 20/11/23 at 08:53, Kurt Roeckx wrote:
> On Mon, Nov 20, 2023 at 12:40:58AM +0100, Aigars Mahinovs wrote:
> > I second adding this version to the vote
>
> I'm getting a bad signature on this.
>
> > On Mon, 20 Nov 2023 at 00:22, Luca Boccassi wrote:
> > Second version, taking into account feedback. Looking for seconds at
> > this point:
>
> Maybe Santiago wants to adopt this text, rather than having 2 options?

The initial proposal was made collectively, and now I realise I should have signed with a "On behalf of the Debian fellows in Montevideo". So it is not only me to decide.

Anyway, IMHO, it is good to have more than one option.

Cheers,

-- Santiago
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Tue, 21 Nov 2023 at 08:14, Thomas Goirand wrote:
>
> On 11/20/23 00:21, Luca Boccassi wrote:
> > Second version, taking into account feedback. Looking for seconds at
> > this point:
> >
> > - GENERAL RESOLUTION STARTS -
> >
> > Debian Public Statement about the EU Cyber Resilience Act and the
> > Product Liability Directive
> >
> > The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Security issues under active exploitation will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by an update to the existing Product Liability Directive (PLD) which, among other things, will introduce the requirement for products on the market using software to be able to receive updates to address security vulnerabilities.
> >
> > Given the current state of the electronics and computing devices market, constellated with too many irresponsible vendors not taking enough precautions to ensure and maintain the security of their products, resulting in grave issues such as the plague of ransomware (that, among other things, has often caused public services to be severely hampered or shut down entirely, across the European Union and beyond, to the detriment of its citizens), the Debian project welcomes this initiative and supports its spirit and intent.
> >
> > The Debian project believes Free and Open Source Software Projects to be very well positioned to respond to modern challenges around security and accountability that these regulations aim to improve for products commercialized on the Single Market. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free and Open Source Software projects. The project aims to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (2)
> >
> > The Debian project welcomes the attempt of the legislators to ensure that the development of Free and Open Source Software is not negatively affected by these regulations, as clearly expressed by the European Commission in response to stakeholders' requests (1) and as stated in Recital 10 of the preamble to the CRA:
> >
> > 'In order not to hamper innovation or research, free and open-source
> > software developed or supplied outside the course of a commercial
> > activity should not be covered by this Regulation.'
> >
> > The Debian project however notes that not enough emphasis has been employed in all parts of these regulations to clearly exonerate Free and Open Source Software developers and maintainers from being subject to the same liabilities as commercial vendors, which has caused uncertainty and worry among such stakeholders.
> >
> > Therefore, the Debian project asks the legislators to enhance the text of these regulations to clarify beyond any reasonable doubt that Free and Open Source Software developers and contributors are not going to be treated as commercial vendors in the exercise of their duties when merely developing and publishing Free and Open Source Software, with special emphasis on clarifying grey areas, such as donations, contributions from commercial companies and developing Free and Open Source Software that may be later commercialised by a commercial vendor.
> >
> > It is fundamental for the interests of the European Union itself that Free and Open Source Software development can continue to thrive and produce high quality software components, applications and operating systems, and this can only happen if Free and Open Source Software developers and contributors can continue to work on these projects as they have been doing before these new regulations, especially but not exclusively in the context of nonprofit organizations, without being encumbered by legal requirements that are only appropriate for commercial companies and enterprises.
>
> Hi,
>
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On 11/20/23 00:21, Luca Boccassi wrote:
> Second version, taking into account feedback. Looking for seconds at
> this point:
>
> - GENERAL RESOLUTION STARTS -
>
> Debian Public Statement about the EU Cyber Resilience Act and the
> Product Liability Directive
>
> The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Security issues under active exploitation will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by an update to the existing Product Liability Directive (PLD) which, among other things, will introduce the requirement for products on the market using software to be able to receive updates to address security vulnerabilities.
>
> Given the current state of the electronics and computing devices market, constellated with too many irresponsible vendors not taking enough precautions to ensure and maintain the security of their products, resulting in grave issues such as the plague of ransomware (that, among other things, has often caused public services to be severely hampered or shut down entirely, across the European Union and beyond, to the detriment of its citizens), the Debian project welcomes this initiative and supports its spirit and intent.
>
> The Debian project believes Free and Open Source Software Projects to be very well positioned to respond to modern challenges around security and accountability that these regulations aim to improve for products commercialized on the Single Market. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free and Open Source Software projects. The project aims to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (2)
>
> The Debian project welcomes the attempt of the legislators to ensure that the development of Free and Open Source Software is not negatively affected by these regulations, as clearly expressed by the European Commission in response to stakeholders' requests (1) and as stated in Recital 10 of the preamble to the CRA:
>
> 'In order not to hamper innovation or research, free and open-source
> software developed or supplied outside the course of a commercial
> activity should not be covered by this Regulation.'
>
> The Debian project however notes that not enough emphasis has been employed in all parts of these regulations to clearly exonerate Free and Open Source Software developers and maintainers from being subject to the same liabilities as commercial vendors, which has caused uncertainty and worry among such stakeholders.
>
> Therefore, the Debian project asks the legislators to enhance the text of these regulations to clarify beyond any reasonable doubt that Free and Open Source Software developers and contributors are not going to be treated as commercial vendors in the exercise of their duties when merely developing and publishing Free and Open Source Software, with special emphasis on clarifying grey areas, such as donations, contributions from commercial companies and developing Free and Open Source Software that may be later commercialised by a commercial vendor.
>
> It is fundamental for the interests of the European Union itself that Free and Open Source Software development can continue to thrive and produce high quality software components, applications and operating systems, and this can only happen if Free and Open Source Software developers and contributors can continue to work on these projects as they have been doing before these new regulations, especially but not exclusively in the context of nonprofit organizations, without being encumbered by legal requirements that are only appropriate for commercial companies and enterprises.

Hi,

Thanks a lot for taking the time to word out things this way. However, I really think this text is being too nice with the EU. The feeling in short is reading:

- what you did was good
- what you did was good
- what you did was good
- oh, btw, there's room for improvement... it'd be nice if...

That's not at all my feeling about the CRA. I'm once more really unhappy about EU, I feel like