Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"

[Russ Allbery]

Seconded.

Luca Boccassi  writes:

> Second version, taking into account feedback. Looking for seconds at
> this point:

> - GENERAL RESOLUTION STARTS -

> Debian Public Statement about the EU Cyber Resilience Act and the
> Product Liability Directive

> The European Union is currently preparing a regulation "on horizontal
> cybersecurity requirements for products with digital elements" known as
> the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
> phase of the legislative process. The act includes a set of essential
> cybersecurity and vulnerability handling requirements for manufacturers.
> It will require products to be accompanied by information and
> instructions to the user. Manufacturers will need to perform risk
> assessments and produce technical documentation and for critical
> components, have third-party audits conducted. Security issues under
> active exploitation will have to be reported to European authorities
> within 24 hours (1). The CRA will be followed up by an update to the
> existing Product Liability Directive (PLD) which, among other things,
> will introduce the requirement for products on the market using software
> to be able to receive updates to address security vulnerabilities.

> Given the current state of the electronics and computing devices market,
> constellated with too many irresponsible vendors not taking taking
> enough precautions to ensure and maintain the security of their products,
> resulting in grave issues such as the plague of ransomware (that, among
> other things, has often caused public services to be severely hampered or
> shut down entirely, across the European Union and beyond, to the
> detriment of its citizens), the Debian project welcomes this initiative
> and supports its spirit and intent.

> The Debian project believes Free and Open Source Software Projects to be
> very well positioned to respond to modern challenges around security and
> accountability that these regulations aim to improve for products
> commercialized on the Single Market. Debian is well known for its
> security track record through practices of responsible disclosure and
> coordination with upstream developers and other Free and Open Source
> Software projects. The project aims to live up to the commitment made in
> the Debian Social Contract: "We will not hide problems." (2)

> The Debian project welcomes the attempt of the legislators to ensure
> that the development of Free and Open Source Software is not negatively
> affected by these regulations, as clearly expressed by the European
> Commission in response to stakeholders' requests (1) and as stated in
> Recital 10 of the preamble to the CRA:

>  'In order not to hamper innovation or research, free and open-source
>   software developed or supplied outside the course of a commercial
>   activity should not be covered by this Regulation.'

> The Debian project however notes that not enough emphasis has been
> employed in all parts of these regulations to clearly exonerate Free
> and Open Source Software developers and maintainers from being subject
> to the same liabilities as commercial vendors, which has caused
> uncertainty and worry among such stakeholders.

> Therefore, the Debian project asks the legislators to enhance the
> text of these regulations to clarify beyond any reasonable doubt that
> Free and Open Source Software developers and contributors are not going
> to be treated as commercial vendors in the exercise of their duties when
> merely developing and publishing Free and Open Source Software, with
> special emphasis on clarifying grey areas, such as donations,
> contributions from commercial companies and developing Free and Open
> Source Software that may be later commercialised by a commercial vendor.
> It is fundamental for the interests of the European Union itself that
> Free and Open Source Software development can continue to thrive and
> produce high quality software components, applications and operating
> systems, and this can only happen if Free and Open Source Software
> developers and contributors can continue to work on these projects as
> they have been doing before these new regulations, especially but not
> exclusively in the context of nonprofit organizations, without being
> encumbered by legal requirements that are only appropriate for
> commercial companies and enterprises.

> ==

> Sources:

> (1) CRA proposals and links:
> 
> https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
> PLD proposals and links:
> 
> 

Re: Amendment to the original proposal

[Russ Allbery]

Gunnar Wolf  writes:

> Thank you very much Santiago!

> I am not sure whether your seconders must also second the amended
> version, but I reviewed it, and agree with the proposed changes (none of
> which seem to alter IMO the intent of the document).

3. The proposer of a ballot option may amend that option provided that
   none of the sponsors of that ballot option at the time the amendment is
   proposed disagree with that change within 24 hours. If any of them do
   disagree, the ballot option is left unchanged.

So no one needs to second the amended version.

-- 
Russ Allbery (r...@debian.org)  

Re: call for seconds - separate proposal text for 2023/vote_002

[Bart Martens]

On Fri, Nov 24, 2023 at 07:55:01AM -0600, Gunnar Wolf wrote:
> Hello Bart,

Hi Gunnar!

> 
> Bart Martens dijo [Wed, Nov 22, 2023 at 07:16:48PM +0100]:
> > Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> > as a separate proposal.
> 
> Thanks for your contribution to this discussion!

And thank you for your feedback.

> As I said in another
> thread, I believe that in a voting system such as the one we use in
> Debian, more versions is unambiguously better, and options should only
> be merged together in the case they are semantically equivalent.
> 
> > Debian Public Statement about the EU Cyber Resilience Act (CRA) and the
> > Product Liability Directive (PLD)
> > 
> > The CRA includes requirements for manufacturers of software, followed
> > up by the PLD with compulsory liability for software. The Debian
> > project has concerns on the impact on Free and Open-Source Software
> > (FOSS).
> > 
> > The CRA makes the use of FOSS in commercial context more difficult.
> > This goes against the philosophy of the Debian project. The Debian Free
> > Software Guidelines (DFSG) include "6. No Discrimination Against Fields
> > of Endeavor - The license must not restrict anyone from making use of
> > the program in a specific field of endeavor." A significant part of the
> > success of FOSS is its use in commercial context. It should remain
> > possible for anyone to produce, publish and use FOSS, without making it
> > harder for commercial entities or for any group of FOSS users.
> > 
> > The compulsory liability as meant in the PLD overrules the usual
> > liability disclaimers in FOSS licenses. This makes sharing FOSS with
> > the public more legally risky. The compulsory liability makes sense for
> > closed-source software, where the users fully depend on the
> > manufacturers. With FOSS the users have the option of helping
> > themselves with the source code, and/or hiring any consultant on the
> > market. The usual liability disclaimers in FOSS licenses should remain
> > valid without the risk of being overruled by the PLD.
> > 
> > The Debian project asks the EU to not draw a line between commercial
> > and non-commercial use of FOSS. Such line should instead be between
> > closed-source software and FOSS. FOSS should be entirely exempt from
> > the CRA and the PLD.
> 
> My issue with your text is that I read it –bluntly over-abridged– as
> «The CRA+PLD will make it harder to meaningfully develop Debian,
> because we are compelled by our own foundation documents not to
> distringuish between free and commercial. Many people use Debian in
> commercial settings. If you enact this legislation, some of our users
> be at risk of getting in trouble for using our fine intentions for
> their economic benefit, as they will be covered by your
> regulation. Please formally except us fully from your rules!»
> 
> That is, it basically means: "European Parliament/Council: Our
> foundation documents are at unease with the CRA and PLD".

That is praphrasing my proposal rather roughly, but let's focus on the point
you want to make.

> That is
> true, but a fair answer from them (if we warrant it!) could be "We
> represent more people and wider interests than yours. Your SC is over
> a quarter of a century old. Update your SC to comply with the changing
> times". Which could even make sense! (although it would make Debian
> stop being Debian!)
> 
> This reading is the main reason I'm not endorsing it, and still prefer
> our original proposal instead.

How would such hypothetical answer from the EU matter for preferring one
proposal over the other? I'm trying to understand your motive.

Allow me to point out some weak points in proposal A, motivating me to write my
separate proposal.

- 1.a. The phrase "with no legal restrictions" is incorrect in the sense that
  FOSS uses legal restrictions for keeping it FOSS.

- 1.b. I read "Knowing whether software is commercial or not". It is, in my
  understanding, about commercial use or non-commercial use.

- 1.b. Arguing that knowing what's commercial or not isn't feasible implies
  accepting such distinction when the EU can give a practical legal definition.

- 1.c. Stopping development would not exempt the author from CRA. Stopping the
  commercial use would.

- 1.d. This somewhat implies accepting CRA requirements for big companies.

- 2.a. Explaining that the 24h window would disrupt FOSS' well working system
  of responsible disclosures of security issues, implies accepting that the
  FOSS community would be legally required to provide security support.

- 2.b. Mentioning the efforts Debian is doing on security support in this
  context implies accepting that Debian is required to do so.

- 2.d. I don't feel comfortable with mentioning that Debian supports activists
  living under oppressive regimes.

- 2.e. Commercial companies can currently hide security issues in proprietary
  software. One could argue that this is worse than downplaying when reporting.

- 

Re: Call for seconds: Delegate to the DPL

[Jonathan Carter]

Hi Bill

On 2023/11/24 19:14, Bill Allombert wrote:

I offer the following ballot option for your consideration.

 - GENERAL RESOLUTION STARTS -

The Debian developers delegate to the Debian Project Leader the task of issuing
a Public Statement about the 'EU Cyber Resilience Act and the Product Liability
Directive' that addresses Debian interests in the matter.

 - GENERAL RESOLUTION ENDS -


I follow your logic in proposing this, although my interpretation of 
¶5.1.4[0] in our constitution leads me to believe that the DPL does not 
need any delegation for this, so perhaps the intention becomes more of 
"Let the DPL decide".


In February I posted[1] about the CRA to debian-project[1]. My intention 
was to get a few good people to spend some time to focus on this, since 
my available bandwidth for this was low (and continued to be since then).


I'm not sure that it's a good idea to leave it as a DPL task, it might 
delay an actual public statement by a month or even more. That said, I'm 
not completely against the idea, if this ends up happening I would 
likely combine the best current ideas in an etherpad and invite everyone 
to list and hammer out any remaining issues.


-Jonathan

[0] https://www.debian.org/devel/constitution
[1] 
https://lists.debian.org/msgid-search/1b2aee43-cea0-2fa8-ba93-cbee1b965...@debian.org

Call for seconds: Delegate to the DPL

[Bill Allombert]

Dear Developers,

I offer the following ballot option for your consideration.

- GENERAL RESOLUTION STARTS -

The Debian developers delegate to the Debian Project Leader the task of issuing
a Public Statement about the 'EU Cyber Resilience Act and the Product Liability
Directive' that addresses Debian interests in the matter.

- GENERAL RESOLUTION ENDS -

Respectfully submitted,
Bill.


signature.asc
Description: PGP signature

Re: Amendment to the original proposal (was: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive")

[Gunnar Wolf]

Thank you very much Santiago!

I am not sure whether your seconders must also second the amended
version, but I reviewed it, and agree with the proposed changes (none
of which seem to alter IMO the intent of the document).

Thus, re-seconded.

Santiago Ruano Rincón dijo [Fri, Nov 24, 2023 at 04:24:56PM +]:
> Hello there,
> 
> Here you can find a modified version that takes into account most of the
> reviews. It doesn't change the meaning of the original proposal, and
> hopefully improves it. Thanks again for all the comments.
> 
> A diff between both version is found below.
> 
> - GENERAL RESOLUTION STARTS -
> 
> Debian Public Statement about the EU Cyber Resilience Act and the
> Product Liability Directive
> 
> The European Union is currently preparing a regulation "on horizontal
> cybersecurity requirements for products with digital elements" known as
> the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
> phase of the legislative process. The act includes a set of essential
> cybersecurity and vulnerability handling requirements for manufacturers.
> It will require products to be accompanied by information and
> instructions to the user. Manufacturers will need to perform risk
> assessments and produce technical documentation and for critical
> components, have third-party audits conducted. Discovered security
> issues will have to be reported to European authorities within 24 hours
> (1). The CRA will be followed up by the Product Liability Directive
> (PLD) which will introduce compulsory liability for software. More
> information about the proposed legislation and its consequences in (2).
> 
> While a lot of these regulations seem reasonable, the Debian project
> believes that there are grave problems for Free Software projects
> attached to them. Therefore, the Debian project issues the following
> statement:
> 
> 1.  Free Software has always been a gift, freely given to society, to
> take and to use as seen fit, for whatever purpose. Free Software has
> proven to be an asset in our digital age and the proposed EU Cyber
> Resilience Act is going to be detrimental to it.
> a.  As the Debian Social Contract states, our goal is "make the best
> system we can, so that free works will be widely distributed and used."
> Imposing requirements such as those proposed in the act makes it legally
> perilous for others to redistribute our work and endangers our commitment
> to "provide an integrated system of high-quality materials with no legal
> restrictions that would prevent such uses of the system". (3)
> 
> b.  Knowing whether software is commercial or not isn't feasible,
> neither in Debian nor in most free software projects - we don't track
> people's employment status or history, nor do we check who finances
> upstream projects (the original projects that we integrate in our
> operating system).
> 
> c.  If upstream projects stop developing for fear of being in the
> scope of CRA and its financial consequences, system security will
> actually get worse instead of better.
> 
> d.  Having to get legal advice before giving a present to society
> will discourage many developers, especially those without a company or
> other organisation supporting them.
> 
> 2.  Debian is well known for its security track record through practices
> of responsible disclosure and coordination with upstream developers and
> other Free Software projects. We aim to live up to the commitment made
> in the Debian Social Contract: "We will not hide problems." (3)
> 
> a.  The Free Software community has developed a fine-tuned,
> tried-and-tested system of responsible disclosure in case of security
> issues which will be overturned by the mandatory reporting to European
> authorities within 24 hours (Art. 11 CRA).
> 
> b.  Debian spends a lot of volunteering time on security issues,
> provides quick security updates and works closely together with upstream
> projects, in coordination with other vendors. To protect its users,
> Debian regularly participates in limited embargos to coordinate fixes to
> security issues so that all other major Linux distributions can also have
> a complete fix when the vulnerability is disclosed.
> 
> c.  Security issue tracking and remediation is intentionally
> decentralized and distributed. The reporting of security issues to
> ENISA and the intended propagation to other authorities and national
> administrations would collect all software vulnerabilities in one place,
> greatly increasing the risk of leaking information about vulnerabilities
> to threat actors, representing a threat for all the users around the
> world, including European citizens.
> 
> d.  Activists use Debian (e.g. 

Amendment to the original proposal (was: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive")

[Santiago Ruano Rincón]

Hello there,

Here you can find a modified version that takes into account most of the
reviews. It doesn't change the meaning of the original proposal, and
hopefully improves it. Thanks again for all the comments.

A diff between both version is found below.

- GENERAL RESOLUTION STARTS -

Debian Public Statement about the EU Cyber Resilience Act and the
Product Liability Directive

The European Union is currently preparing a regulation "on horizontal
cybersecurity requirements for products with digital elements" known as
the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
phase of the legislative process. The act includes a set of essential
cybersecurity and vulnerability handling requirements for manufacturers.
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
assessments and produce technical documentation and for critical
components, have third-party audits conducted. Discovered security
issues will have to be reported to European authorities within 24 hours
(1). The CRA will be followed up by the Product Liability Directive
(PLD) which will introduce compulsory liability for software. More
information about the proposed legislation and its consequences in (2).

While a lot of these regulations seem reasonable, the Debian project
believes that there are grave problems for Free Software projects
attached to them. Therefore, the Debian project issues the following
statement:

1.  Free Software has always been a gift, freely given to society, to
take and to use as seen fit, for whatever purpose. Free Software has
proven to be an asset in our digital age and the proposed EU Cyber
Resilience Act is going to be detrimental to it.
a.  As the Debian Social Contract states, our goal is "make the best
system we can, so that free works will be widely distributed and used."
Imposing requirements such as those proposed in the act makes it legally
perilous for others to redistribute our work and endangers our commitment
to "provide an integrated system of high-quality materials with no legal
restrictions that would prevent such uses of the system". (3)

b.  Knowing whether software is commercial or not isn't feasible,
neither in Debian nor in most free software projects - we don't track
people's employment status or history, nor do we check who finances
upstream projects (the original projects that we integrate in our
operating system).

c.  If upstream projects stop developing for fear of being in the
scope of CRA and its financial consequences, system security will
actually get worse instead of better.

d.  Having to get legal advice before giving a present to society
will discourage many developers, especially those without a company or
other organisation supporting them.

2.  Debian is well known for its security track record through practices
of responsible disclosure and coordination with upstream developers and
other Free Software projects. We aim to live up to the commitment made
in the Debian Social Contract: "We will not hide problems." (3)

a.  The Free Software community has developed a fine-tuned,
tried-and-tested system of responsible disclosure in case of security
issues which will be overturned by the mandatory reporting to European
authorities within 24 hours (Art. 11 CRA).

b.  Debian spends a lot of volunteering time on security issues,
provides quick security updates and works closely together with upstream
projects, in coordination with other vendors. To protect its users,
Debian regularly participates in limited embargos to coordinate fixes to
security issues so that all other major Linux distributions can also have
a complete fix when the vulnerability is disclosed.

c.  Security issue tracking and remediation is intentionally
decentralized and distributed. The reporting of security issues to
ENISA and the intended propagation to other authorities and national
administrations would collect all software vulnerabilities in one place,
greatly increasing the risk of leaking information about vulnerabilities
to threat actors, representing a threat for all the users around the
world, including European citizens.

d.  Activists use Debian (e.g. through derivatives such as Tails),
among other reasons, to protect themselves from authoritarian
governments; handing threat actors exploits they can use for oppression
is against what Debian stands for.

e.  Developers and companies will downplay security issues because
a "security" issue now comes with legal implications. Less clarity on
what is truly a security issue will hurt users by leaving them vulnerable.

3.  While proprietary software 

Re: call for seconds - separate proposal text for 2023/vote_002

[Gunnar Wolf]

Hello Bart,

Bart Martens dijo [Wed, Nov 22, 2023 at 07:16:48PM +0100]:
> Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> as a separate proposal.

Thanks for your contribution to this discussion! As I said in another
thread, I believe that in a voting system such as the one we use in
Debian, more versions is unambiguously better, and options should only
be merged together in the case they are semantically equivalent.

> Debian Public Statement about the EU Cyber Resilience Act (CRA) and the
> Product Liability Directive (PLD)
> 
> The CRA includes requirements for manufacturers of software, followed
> up by the PLD with compulsory liability for software. The Debian
> project has concerns on the impact on Free and Open-Source Software
> (FOSS).
> 
> The CRA makes the use of FOSS in commercial context more difficult.
> This goes against the philosophy of the Debian project. The Debian Free
> Software Guidelines (DFSG) include "6. No Discrimination Against Fields
> of Endeavor - The license must not restrict anyone from making use of
> the program in a specific field of endeavor." A significant part of the
> success of FOSS is its use in commercial context. It should remain
> possible for anyone to produce, publish and use FOSS, without making it
> harder for commercial entities or for any group of FOSS users.
> 
> The compulsory liability as meant in the PLD overrules the usual
> liability disclaimers in FOSS licenses. This makes sharing FOSS with
> the public more legally risky. The compulsory liability makes sense for
> closed-source software, where the users fully depend on the
> manufacturers. With FOSS the users have the option of helping
> themselves with the source code, and/or hiring any consultant on the
> market. The usual liability disclaimers in FOSS licenses should remain
> valid without the risk of being overruled by the PLD.
> 
> The Debian project asks the EU to not draw a line between commercial
> and non-commercial use of FOSS. Such line should instead be between
> closed-source software and FOSS. FOSS should be entirely exempt from
> the CRA and the PLD.

My issue with your text is that I read it –bluntly over-abridged– as
«The CRA+PLD will make it harder to meaningfully develop Debian,
because we are compelled by our own foundation documents not to
distringuish between free and commercial. Many people use Debian in
commercial settings. If you enact this legislation, some of our users
be at risk of getting in trouble for using our fine intentions for
their economic benefit, as they will be covered by your
regulation. Please formally except us fully from your rules!»

That is, it basically means: "European Parliament/Council: Our
foundation documents are at unease with the CRA and PLD". That is
true, but a fair answer from them (if we warrant it!) could be "We
represent more people and wider interests than yours. Your SC is over
a quarter of a century old. Update your SC to comply with the changing
times". Which could even make sense! (although it would make Debian
stop being Debian!)

This reading is the main reason I'm not endorsing it, and still prefer
our original proposal instead.

Greetings,

   - Gunnar.


signature.asc
Description: PGP signature

Re: call for seconds - separate proposal text for 2023/vote_002

[Kurt Roeckx]

On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
> Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> as a separate proposal.

I'm currently counting 3 seconds for this.


Kurt

Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"

[Kurt Roeckx]

On Sun, Nov 19, 2023 at 11:21:47PM +, Luca Boccassi wrote:
> Second version, taking into account feedback. Looking for seconds at
> this point:

So I'm still only counting 4 seconds at this point.


Kurt