On Sun, 12 Nov 2023 at 17:29, Scott Kitterman <deb...@kitterman.com> wrote: > On November 12, 2023 5:09:26 PM UTC, Luca Boccassi <bl...@debian.org> wrote: > >On Sun, 12 Nov 2023 at 15:10, Santiago Ruano Rincón > ><santiag...@riseup.net> wrote: > >> > >> Dear Debian Fellows, > >> > >> Following the email sent by Ilu to debian-project (Message-ID: > >> <4b93ed08-f148-4c7f-b172-f967f7de7...@gmx.net>), and as we have > >> discussed during the MiniDebConf UY 2023 with other Debian Members, I > >> would like to call for a vote about issuing a Debian public statement > >> regarding > >> the EU Cyber Resilience Act (CRA) and the Product Liability Directive > >> (PLD). The CRA is in the final stage in the legislative process in the > >> EU Parliament, and we think it will impact negatively the Debian > >> Project, users, developers, companies that rely on Debian, and the FLOSS > >> community as a whole. Even if the CRA will be probably adopted before > >> the time the vote ends (if it takes place), we think it is important to > >> take a public stand about it. > >> > >> ----- GENERAL RESOLUTION STARTS ----- > >> > >> Debian Public Statement about the EU Cyber Resilience Act and the > >> Product Liability Directive > >> > >> The European Union is currently preparing a regulation "on horizontal > >> cybersecurity requirements for products with digital elements" known as > >> the Cyber Resilience Act (CRA). It's currently in the final "trilogue" > >> phase of the legislative process. The act includes a set of essential > >> cybersecurity and vulnerability handling requirements for > >> manufacturers. > >> It will require products to be accompanied by information and > >> instructions to the user. Manufacturers will need to perform risk > >> assessments and produce technical documentation and for critical > >> components, have third-party audits conducted. Discoverded security > >> issues will have to be reported to European authorities within 24 hours > >> (1). The CRA will be followed up by the Product Liability Directive > >> (PLD) which will introduce compulsory liability for software. More > >> information about the proposed legislation and its consequences in (2). > > > >These all seem like good things to me. For too long private > >corporations have been allowed to put profit before accountability and > >user safety, which often results in long lasting damage for citizens, > >monetary or worse. It's about time the wild-west was reined in. > > > >> While a lot of these regulations seem reasonable, the Debian project > >> believes that there are grave problems for Free Software projects > >> attached to them. Therefore, the Debian project issues the following > >> statement: > >> > >> 1. Free Software has always been a gift, freely given to society, to > >> take and to use as seen fit, for whatever purpose. Free Software has > >> proven to be an asset in our digital age and the proposed EU Cyber > >> Resilience Act is going to be detrimental to it. > >> a. It is Debian's goal to "make the best system we can, so that > >> free works will be widely distributed and used." Imposing requirements > >> such as those proposed in the act makes it legally perilous for others > >> to redistribute our works and endangers our commitment to "provide an > >> integrated system of high-quality materials _with no legal > >> restrictions_ > >> that would prevent such uses of the system". (3) > > > >Debian does not sell products in the single market. Why would any > >requirement be imposed, how, and on whom? SPI? Debian France? > > > >> b. Knowing whether software is commercial or not isn't feasible, > >> neither in Debian nor in most free software projects - we don't track > >> people's employment status or history, nor do we check who finances > >> upstream projects. > > > >We do know whether something is commercial or not though - for > >example, we don't have to provide Debian with warranty to our users, > >because we know publishing images on debian.org is not a commercial > >activity. > >The second statement I find hard to follow, what would employment > >status have to do with this? > > > >> c. If upstream projects stop developing for fear of being in the > >> scope of CRA and its financial consequences, system security will > >> actually get worse instead of better. > > > >Why would projects stop developing? If it's a product sold on the > >single market, then it's right that it is subject to these rules. If > >it's not a product, then these rules don't affect it, just like rules > >on warranties. > > > >> d. Having to get legal advice before giving a present to society > >> will discourage many developers, especially those without a company or > >> other organisation supporting them. > > > >Same as above. If you are not selling anything, why would you need > >legal advice, any more than you already do? The EU Single Market has > >many, many rules, this is not the first and won't be the last. > > > >> 2. Debian is well known for its security track record through > >> practices > >> of responsible disclosure and coordination with upstream developers and > >> other Free Software projects. We aim to live up to the commitment made > >> in the Social Contract: "We will not hide problems." (3) > >> a. The Free Software community has developed a fine-tuned, well > >> working system of responsible disclosure in case of security issues > >> which will be overturned by the mandatory reporting to European > >> authorities within 24 hours (Art. 11 CRA). > > > >Well, actually the CVE system has a lot of critics - see recent LWN > >articles for some examples. So a public authority taking over from > >Mitre and other private companies doesn't sound so horrible to me, in > >principle - devil's in the details of course. > > > >> b. Debian spends a lot of volunteering time on security issues, > >> provides quick security updates and works closely together with > >> upstream > >> projects, in coordination with other vendors. To protect its users, > >> Debian regularly participates in limited embargos to coordinate fixes > >> to > >> security issues so that all other major Linux distributions can also > >> have a complete fix when the vulnerability is disclosed. > >> > >> c. Security issue tracking and remediation is intentionally > >> decentralized and distributed. The reporting of security issues to > >> ENISA and the intended propagation to other authorities and national > >> administrations would collect all software vulnerabilities in one > >> place, > >> greatly increasing the risk of leaking information about > >> vulnerabilities > >> to threat actors, representing a threat for all the users around the > >> world, including European citizens. > > > >This already happens with CVEs though? By a private, unaccountable, > >for profit corporation. > > > >> d. Activists use Debian (e.g. through derivatives such as Tails), > >> among other reasons, to protect themselves from authoritarian > >> governments; handing threat actors exploits they can use for oppression > >> is against what Debian stands for. > > > >Again, I don't see how this is any different than the status quo. > > > >> e. Developers and companies will downplay security issues because > >> a "security" issue now comes with legal implications. Less clarity on > >> what is truly a security issue will hurt users by leaving them > >> vulnerable. > > > >Companies already routinely downplay or outright neglect security > >issues in their products. It seems the intent of the legislation is to > >try and fix precisely that. One might be skeptical on the ability of > >the proposed legislation to improve the situation, of course, but > >that's a different story. > > > >> 3. While proprietary software is developed behind closed doors, Free > >> Software development is done in the open, transparent for everyone. To > >> keep even with proprietary software the open development process needs > >> to be entirely exempt from CRA requirements, just as the development of > >> software in private is. A "making available on the market" can only be > >> considered after development is finished and the software is released. > >> > >> 4. Even if only "commercial activities" are in the scope of CRA, the > >> Free Software community - and as a consequence, everybody - will lose a > >> lot of small projects. CRA will force many small enterprises and most > >> probably all self employed developers out of business because they > >> simply cannot fullfill the requirements imposed by CRA. Debian and > >> other > >> Linux distributions depend on their work. It is not understandable why > >> the EU aims to cripple not only an established community but also a > >> thriving market. CRA needs an exemption for small businesses and, at > >> the > >> very least, solo-entrepreneurs. > > > >To be brutally honest, if some private corporations' viability depends > >on being able to ignore glaring security issues that can harm their > >users, then I for one am all for them going out of business. Just like > >if a company's existence relies on the ability to breach privacy with > >impunity and is hampered by the GDPR, and so on. > > > >To do a reductio ad absurdum to illustrate my point, if a free > >software project's existence depended exclusively on an oil&gas > >corporation being able to pollute the environment and worsen climate > >change with impunity because the author is employed there, would it be > >worth it? The answer for me is categorically no. Especially given it's > >free software! The whole point of it is that someone else can maintain > >it, or the author can find a different source of income, and the > >project can continue - it's free, it's by definition not locked in one > >corporation. > > > >All in all, given how the situation is explained here, I do not > >understand where the issue is, for us as a project or as free software > >developers. I do not see any convincing argument at all as to why this > >is detrimental to Debian or free software, and the only link that is > >made is tenuous at best: maybe some free software developer is also > >employed by a company who is negatively affected by this. There are > >many, many things that can negatively affect anyone's employer, I do > >not see why, by itself, this should warrant a project statement. > > Then I would encourage you to do a bit of research on the topic. Given the > definitions being used in the proposal, Debian and most, if not all, of it's > upstreams are squarely within the realm of affected software. If this is > passed, I am seriously considering ceasing all free software work, because > it's not at all clear it's possible to avoid legal liability for things that > I can't reasonably control as a single developer. > > This is true even though I don't live in the EU.
Which definitions does the proposal use? Could you please quote them? The first two links do not provide any, as far as I can see. The third link (a blog post, not a piece of legislation) explicitly says: "the Cyber Resilience Act does not define commercial activity".