Re: call for seconds - separate proposal text for 2023/vote_002
On Wed 2023-11-22 19:31:34 +, Bill Allombert wrote:
> On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
>>
>> The Debian project asks the EU to not draw a line between commercial
>> and non-commercial use of FOSS.
>
> But the EU already does, all the time, really. This is simply not
> realistic.

Are you saying that the EU draws the line between commercial and non-commercial uses of *any* software, generally? Or any business process, which happens to sometimes include software? Liability rules that apply only for commercial business, whether the business deals with software or not, are not at issue here, right?

If you're saying that there are EU software liability policies, that apply strictly to F/LOSS software (not software generally), and which discriminate against fields of endeavor like commercial vs. non-commercial, could you point to some examples? I'm quite ignorant of EU law, so feel free to point me to obvious examples that everyone already knows.

--dkg
Re: call for seconds - separate proposal text for 2023/vote_002
On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
> Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> as a separate proposal.
>
> START OF PROPOSAL TEXT
>
> Debian Public Statement about the EU Cyber Resilience Act (CRA) and the
> Product Liability Directive (PLD)
>
> The CRA includes requirements for manufacturers of software, followed
> up by the PLD with compulsory liability for software. The Debian
> project has concerns on the impact on Free and Open-Source Software
> (FOSS).
>
> The CRA makes the use of FOSS in commercial context more difficult.
> This goes against the philosophy of the Debian project. The Debian Free
> Software Guidelines (DFSG) include "6. No Discrimination Against Fields
> of Endeavor - The license must not restrict anyone from making use of
> the program in a specific field of endeavor." A significant part of the
> success of FOSS is its use in commercial context. It should remain
> possible for anyone to produce, publish and use FOSS, without making it
> harder for commercial entities or for any group of FOSS users.
>
> The compulsory liability as meant in the PLD overrules the usual
> liability disclaimers in FOSS licenses. This makes sharing FOSS with
> the public more legally risky. The compulsory liability makes sense for
> closed-source software, where the users fully depend on the
> manufacturers. With FOSS the users have the option of helping
> themselves with the source code, and/or hiring any consultant on the
> market. The usual liability disclaimers in FOSS licenses should remain
> valid without the risk of being overruled by the PLD.
>
> The Debian project asks the EU to not draw a line between commercial
> and non-commercial use of FOSS. Such line should instead be between
> closed-source software and FOSS. FOSS should be entirely exempt from
> the CRA and the PLD.
>
> END OF PROPOSAL TEXT

seconded, thank you.

--
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The upcoming clima apocalypse is the big elephant in every room now.
Re: call for seconds - separate proposal text for 2023/vote_002
On Fri, Nov 24, 2023 at 07:55:01AM -0600, Gunnar Wolf wrote:
> Hello Bart,

Hi Gunnar!

>
> Bart Martens said [Wed, Nov 22, 2023 at 07:16:48PM +0100]:
> > Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> > as a separate proposal.
>
> Thanks for your contribution to this discussion!

And thank you for your feedback.

> As I said in another
> thread, I believe that in a voting system such as the one we use in
> Debian, more versions is unambiguously better, and options should only
> be merged together in the case they are semantically equivalent.
>
> > Debian Public Statement about the EU Cyber Resilience Act (CRA) and the
> > Product Liability Directive (PLD)
> >
> > The CRA includes requirements for manufacturers of software, followed
> > up by the PLD with compulsory liability for software. The Debian
> > project has concerns on the impact on Free and Open-Source Software
> > (FOSS).
> >
> > The CRA makes the use of FOSS in commercial context more difficult.
> > This goes against the philosophy of the Debian project. The Debian Free
> > Software Guidelines (DFSG) include "6. No Discrimination Against Fields
> > of Endeavor - The license must not restrict anyone from making use of
> > the program in a specific field of endeavor." A significant part of the
> > success of FOSS is its use in commercial context. It should remain
> > possible for anyone to produce, publish and use FOSS, without making it
> > harder for commercial entities or for any group of FOSS users.
> >
> > The compulsory liability as meant in the PLD overrules the usual
> > liability disclaimers in FOSS licenses. This makes sharing FOSS with
> > the public more legally risky. The compulsory liability makes sense for
> > closed-source software, where the users fully depend on the
> > manufacturers. With FOSS the users have the option of helping
> > themselves with the source code, and/or hiring any consultant on the
> > market. The usual liability disclaimers in FOSS licenses should remain
> > valid without the risk of being overruled by the PLD.
> >
> > The Debian project asks the EU to not draw a line between commercial
> > and non-commercial use of FOSS. Such line should instead be between
> > closed-source software and FOSS. FOSS should be entirely exempt from
> > the CRA and the PLD.
>
> My issue with your text is that I read it –bluntly over-abridged– as
> «The CRA+PLD will make it harder to meaningfully develop Debian,
> because we are compelled by our own foundation documents not to
> distinguish between free and commercial. Many people use Debian in
> commercial settings. If you enact this legislation, some of our users
> will be at risk of getting in trouble for using our fine intentions for
> their economic benefit, as they will be covered by your
> regulation. Please formally except us fully from your rules!»
>
> That is, it basically means: "European Parliament/Council: Our
> foundation documents are at unease with the CRA and PLD".

That is paraphrasing my proposal rather roughly, but let's focus on the point you want to make.

> That is
> true, but a fair answer from them (if we warrant it!) could be "We
> represent more people and wider interests than yours. Your SC is over
> a quarter of a century old. Update your SC to comply with the changing
> times". Which could even make sense! (although it would make Debian
> stop being Debian!)
>
> This reading is the main reason I'm not endorsing it, and still prefer
> our original proposal instead.

How would such hypothetical answer from the EU matter for preferring one proposal over the other? I'm trying to understand your motive.

Allow me to point out some weak points in proposal A, motivating me to write my separate proposal.

- 1.a. The phrase "with no legal restrictions" is incorrect in the sense that FOSS uses legal restrictions for keeping it FOSS.
- 1.b. I read "Knowing whether software is commercial or not". It is, in my understanding, about commercial use or non-commercial use.
- 1.b. Arguing that knowing what's commercial or not isn't feasible implies accepting such distinction when the EU can give a practical legal definition.
- 1.c. Stopping development would not exempt the author from CRA. Stopping the commercial use would.
- 1.d. This somewhat implies accepting CRA requirements for big companies.
- 2.a. Explaining that the 24h window would disrupt FOSS' well working system of responsible disclosures of security issues, implies accepting that the FOSS community would be legally required to provide security support.
- 2.b. Mentioning the efforts Debian is doing on security support in this context implies accepting that Debian is required to do so.
- 2.d. I don't feel comfortable with mentioning that Debian supports activists living under oppressive regimes.
- 2.e. Commercial companies can currently hide security issues in proprietary software. One could argue that this is worse than downplaying when reporting.
-
Re: call for seconds - separate proposal text for 2023/vote_002
Hello Bart,

Bart Martens said [Wed, Nov 22, 2023 at 07:16:48PM +0100]:
> Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> as a separate proposal.

Thanks for your contribution to this discussion! As I said in another thread, I believe that in a voting system such as the one we use in Debian, more versions is unambiguously better, and options should only be merged together in the case they are semantically equivalent.

> Debian Public Statement about the EU Cyber Resilience Act (CRA) and the
> Product Liability Directive (PLD)
>
> The CRA includes requirements for manufacturers of software, followed
> up by the PLD with compulsory liability for software. The Debian
> project has concerns on the impact on Free and Open-Source Software
> (FOSS).
>
> The CRA makes the use of FOSS in commercial context more difficult.
> This goes against the philosophy of the Debian project. The Debian Free
> Software Guidelines (DFSG) include "6. No Discrimination Against Fields
> of Endeavor - The license must not restrict anyone from making use of
> the program in a specific field of endeavor." A significant part of the
> success of FOSS is its use in commercial context. It should remain
> possible for anyone to produce, publish and use FOSS, without making it
> harder for commercial entities or for any group of FOSS users.
>
> The compulsory liability as meant in the PLD overrules the usual
> liability disclaimers in FOSS licenses. This makes sharing FOSS with
> the public more legally risky. The compulsory liability makes sense for
> closed-source software, where the users fully depend on the
> manufacturers. With FOSS the users have the option of helping
> themselves with the source code, and/or hiring any consultant on the
> market. The usual liability disclaimers in FOSS licenses should remain
> valid without the risk of being overruled by the PLD.
>
> The Debian project asks the EU to not draw a line between commercial
> and non-commercial use of FOSS. Such line should instead be between
> closed-source software and FOSS. FOSS should be entirely exempt from
> the CRA and the PLD.

My issue with your text is that I read it –bluntly over-abridged– as «The CRA+PLD will make it harder to meaningfully develop Debian, because we are compelled by our own foundation documents not to distinguish between free and commercial. Many people use Debian in commercial settings. If you enact this legislation, some of our users will be at risk of getting in trouble for using our fine intentions for their economic benefit, as they will be covered by your regulation. Please formally except us fully from your rules!»

That is, it basically means: "European Parliament/Council: Our foundation documents are at unease with the CRA and PLD". That is true, but a fair answer from them (if we warrant it!) could be "We represent more people and wider interests than yours. Your SC is over a quarter of a century old. Update your SC to comply with the changing times". Which could even make sense! (although it would make Debian stop being Debian!)

This reading is the main reason I'm not endorsing it, and still prefer our original proposal instead.

Greetings,

- Gunnar.
Re: call for seconds - separate proposal text for 2023/vote_002
On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
> Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> as a separate proposal.

I'm currently counting 3 seconds for this.

Kurt
Re: call for seconds - separate proposal text for 2023/vote_002
Hello all,

On Wed, 22 Nov 2023 19:16:48 +0100 Bart Martens wrote:
> Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> as a separate proposal.
>
> START OF PROPOSAL TEXT
>
> Debian Public Statement about the EU Cyber Resilience Act (CRA) and
> the Product Liability Directive (PLD)
>
> The CRA includes requirements for manufacturers of software, followed
> up by the PLD with compulsory liability for software. The Debian
> project has concerns on the impact on Free and Open-Source Software
> (FOSS).
>
> The CRA makes the use of FOSS in commercial context more difficult.
> This goes against the philosophy of the Debian project. The Debian
> Free Software Guidelines (DFSG) include "6. No Discrimination Against
> Fields of Endeavor - The license must not restrict anyone from making
> use of the program in a specific field of endeavor." A significant
> part of the success of FOSS is its use in commercial context. It
> should remain possible for anyone to produce, publish and use FOSS,
> without making it harder for commercial entities or for any group of
> FOSS users.
>
> The compulsory liability as meant in the PLD overrules the usual
> liability disclaimers in FOSS licenses. This makes sharing FOSS with
> the public more legally risky. The compulsory liability makes sense
> for closed-source software, where the users fully depend on the
> manufacturers. With FOSS the users have the option of helping
> themselves with the source code, and/or hiring any consultant on the
> market. The usual liability disclaimers in FOSS licenses should remain
> valid without the risk of being overruled by the PLD.
>
> The Debian project asks the EU to not draw a line between commercial
> and non-commercial use of FOSS. Such line should instead be between
> closed-source software and FOSS. FOSS should be entirely exempt from
> the CRA and the PLD.
>
> END OF PROPOSAL TEXT
>

Seconded.
Kind regards,
Laura Arjona Reina
https://wiki.debian.org/LauraArjona
Re: call for seconds - separate proposal text for 2023/vote_002
Hi,

Since my signature got lost on the way, retrying:

> START OF PROPOSAL TEXT
>
> Debian Public Statement about the EU Cyber Resilience Act (CRA) and the
> Product Liability Directive (PLD)
>
> The CRA includes requirements for manufacturers of software, followed
> up by the PLD with compulsory liability for software. The Debian
> project has concerns on the impact on Free and Open-Source Software
> (FOSS).
>
> The CRA makes the use of FOSS in commercial context more difficult.
> This goes against the philosophy of the Debian project. The Debian Free
> Software Guidelines (DFSG) include "6. No Discrimination Against Fields
> of Endeavor - The license must not restrict anyone from making use of
> the program in a specific field of endeavor." A significant part of the
> success of FOSS is its use in commercial context. It should remain
> possible for anyone to produce, publish and use FOSS, without making it
> harder for commercial entities or for any group of FOSS users.
>
> The compulsory liability as meant in the PLD overrules the usual
> liability disclaimers in FOSS licenses. This makes sharing FOSS with
> the public more legally risky. The compulsory liability makes sense for
> closed-source software, where the users fully depend on the
> manufacturers. With FOSS the users have the option of helping
> themselves with the source code, and/or hiring any consultant on the
> market. The usual liability disclaimers in FOSS licenses should remain
> valid without the risk of being overruled by the PLD.
>
> The Debian project asks the EU to not draw a line between commercial
> and non-commercial use of FOSS. Such line should instead be between
> closed-source software and FOSS. FOSS should be entirely exempt from
> the CRA and the PLD.
>
> END OF PROPOSAL TEXT

Seconded.
Simon
Re: call for seconds - separate proposal text for 2023/vote_002
Hi,

On 23.11.23 03:16, Bart Martens wrote:

START OF PROPOSAL TEXT

Debian Public Statement about the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD)

The CRA includes requirements for manufacturers of software, followed up by the PLD with compulsory liability for software. The Debian project has concerns on the impact on Free and Open-Source Software (FOSS).

The CRA makes the use of FOSS in commercial context more difficult. This goes against the philosophy of the Debian project. The Debian Free Software Guidelines (DFSG) include "6. No Discrimination Against Fields of Endeavor - The license must not restrict anyone from making use of the program in a specific field of endeavor." A significant part of the success of FOSS is its use in commercial context. It should remain possible for anyone to produce, publish and use FOSS, without making it harder for commercial entities or for any group of FOSS users.

The compulsory liability as meant in the PLD overrules the usual liability disclaimers in FOSS licenses. This makes sharing FOSS with the public more legally risky. The compulsory liability makes sense for closed-source software, where the users fully depend on the manufacturers. With FOSS the users have the option of helping themselves with the source code, and/or hiring any consultant on the market. The usual liability disclaimers in FOSS licenses should remain valid without the risk of being overruled by the PLD.

The Debian project asks the EU to not draw a line between commercial and non-commercial use of FOSS. Such line should instead be between closed-source software and FOSS. FOSS should be entirely exempt from the CRA and the PLD.

END OF PROPOSAL TEXT

Seconded.

Simon
Re: call for seconds - separate proposal text for 2023/vote_002
On Wed, 2023-11-22 at 19:16 +0100, Bart Martens wrote:
> Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> as a separate proposal.

Seconded.

> START OF PROPOSAL TEXT
>
> Debian Public Statement about the EU Cyber Resilience Act (CRA) and the
> Product Liability Directive (PLD)
>
> The CRA includes requirements for manufacturers of software, followed
> up by the PLD with compulsory liability for software. The Debian
> project has concerns on the impact on Free and Open-Source Software
> (FOSS).
>
> The CRA makes the use of FOSS in commercial context more difficult.
> This goes against the philosophy of the Debian project. The Debian Free
> Software Guidelines (DFSG) include "6. No Discrimination Against Fields
> of Endeavor - The license must not restrict anyone from making use of
> the program in a specific field of endeavor." A significant part of the
> success of FOSS is its use in commercial context. It should remain
> possible for anyone to produce, publish and use FOSS, without making it
> harder for commercial entities or for any group of FOSS users.
>
> The compulsory liability as meant in the PLD overrules the usual
> liability disclaimers in FOSS licenses. This makes sharing FOSS with
> the public more legally risky. The compulsory liability makes sense for
> closed-source software, where the users fully depend on the
> manufacturers. With FOSS the users have the option of helping
> themselves with the source code, and/or hiring any consultant on the
> market. The usual liability disclaimers in FOSS licenses should remain
> valid without the risk of being overruled by the PLD.
>
> The Debian project asks the EU to not draw a line between commercial
> and non-commercial use of FOSS. Such line should instead be between
> closed-source software and FOSS. FOSS should be entirely exempt from
> the CRA and the PLD.
>
> END OF PROPOSAL TEXT

--
bye,
pabs

https://wiki.debian.org/PaulWise
Re: call for seconds - separate proposal text for 2023/vote_002
On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
>
> The Debian project asks the EU to not draw a line between commercial
> and non-commercial use of FOSS.

But the EU already does, all the time, really. This is simply not realistic.

Cheers,
--
Bill.

Imagine a large red swirl here.
Re: call for seconds - separate proposal text for 2023/vote_002
On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
> Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> as a separate proposal.

seconded

>
> START OF PROPOSAL TEXT
>
> Debian Public Statement about the EU Cyber Resilience Act (CRA) and the
> Product Liability Directive (PLD)
>
> The CRA includes requirements for manufacturers of software, followed
> up by the PLD with compulsory liability for software. The Debian
> project has concerns on the impact on Free and Open-Source Software
> (FOSS).
>
> The CRA makes the use of FOSS in commercial context more difficult.
> This goes against the philosophy of the Debian project. The Debian Free
> Software Guidelines (DFSG) include "6. No Discrimination Against Fields
> of Endeavor - The license must not restrict anyone from making use of
> the program in a specific field of endeavor." A significant part of the
> success of FOSS is its use in commercial context. It should remain
> possible for anyone to produce, publish and use FOSS, without making it
> harder for commercial entities or for any group of FOSS users.
>
> The compulsory liability as meant in the PLD overrules the usual
> liability disclaimers in FOSS licenses. This makes sharing FOSS with
> the public more legally risky. The compulsory liability makes sense for
> closed-source software, where the users fully depend on the
> manufacturers. With FOSS the users have the option of helping
> themselves with the source code, and/or hiring any consultant on the
> market. The usual liability disclaimers in FOSS licenses should remain
> valid without the risk of being overruled by the PLD.
>
> The Debian project asks the EU to not draw a line between commercial
> and non-commercial use of FOSS. Such line should instead be between
> closed-source software and FOSS. FOSS should be entirely exempt from
> the CRA and the PLD.
>
> END OF PROPOSAL TEXT
>

--
ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
Re: call for seconds - separate proposal text for 2023/vote_002
On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
> Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> as a separate proposal.

seconded

--
ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B
call for seconds - separate proposal text for 2023/vote_002
Hello, I hereby welcome seconds for adding this text to 2023/vote_002 as a separate proposal.

START OF PROPOSAL TEXT

Debian Public Statement about the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD)

The CRA includes requirements for manufacturers of software, followed up by the PLD with compulsory liability for software. The Debian project has concerns on the impact on Free and Open-Source Software (FOSS).

The CRA makes the use of FOSS in commercial context more difficult. This goes against the philosophy of the Debian project. The Debian Free Software Guidelines (DFSG) include "6. No Discrimination Against Fields of Endeavor - The license must not restrict anyone from making use of the program in a specific field of endeavor." A significant part of the success of FOSS is its use in commercial context. It should remain possible for anyone to produce, publish and use FOSS, without making it harder for commercial entities or for any group of FOSS users.

The compulsory liability as meant in the PLD overrules the usual liability disclaimers in FOSS licenses. This makes sharing FOSS with the public more legally risky. The compulsory liability makes sense for closed-source software, where the users fully depend on the manufacturers. With FOSS the users have the option of helping themselves with the source code, and/or hiring any consultant on the market. The usual liability disclaimers in FOSS licenses should remain valid without the risk of being overruled by the PLD.

The Debian project asks the EU to not draw a line between commercial and non-commercial use of FOSS. Such line should instead be between closed-source software and FOSS. FOSS should be entirely exempt from the CRA and the PLD.

END OF PROPOSAL TEXT