Dear Debianites
The European Commission Open Source Programme Office (EC OSPO) is open
to hearing our thoughts on the upcoming Cyber Resilience Act (CRA),
which aims to ensure that hardware and software products sold in Europe
have fewer security vulnerabilities and are appropriately addressed when
discovered. The EC OSPO is considering an audience with us, and possibly
even with the European Commision itself.
Although the legislation includes an exclusion for non-commercial Open
Source software, its impact on commercial products and services based on
Open Source software is not entirely clear. This issue has a direct
impact on our larger community (especially commercial users) and those
who fund Debian work, making it important for us to consider our
official position on the matter.
A longer description, along with the current proposal of legal text and
annexes are available on the EC website:
https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
Last weekend at FOSDEM, there were a few short presentations on the
topic, along with a panel discussion which dives a bit deeper into the
topic:
https://fosdem.org/2023/schedule/event/cyber_resilience/
The OSI is maintaining a list of public responses to the CRA from Open
Source projects:
https://blog.opensource.org/the-ultimate-list-of-reactions-to-the-cyber-resilience-act/
As the Debian Project Leader, I would like to form a team to assist with
evaluating this and creating a formal response, if necessary. If you are
interested in being part of this team, please reach out to me off-list.
Other than that, feel free to share your thoughts or discuss it further
on this thread.
-Jonathan
