On Wed, 15 Nov 2023 at 12:59, Santiago Ruano Rincón
<santiag...@riseup.net> wrote:
>
> El 15/11/23 a las 00:49, Luca Boccassi escribió:
> > On Sun, 2023-11-12 at 12:10 -0300, Santiago Ruano Rincón wrote:
> > > Dear Debian Fellows,
> > >
> > > Following the email sent by Ilu to debian-project (Message-ID:
> > > <4b93ed08-f148-4c7f-b172-f967f7de7...@gmx.net>), and as we have
> > > discussed during the MiniDebConf UY 2023 with other Debian Members, I
> > > would like to call for a vote about issuing a Debian public statement
> > > regarding
> > > the EU Cyber Resilience Act (CRA) and the Product Liability Directive
> > > (PLD). The CRA is in the final stage in the legislative process in the
> > > EU Parliament, and we think it will impact negatively the Debian
> > > Project, users, developers, companies that rely on Debian, and the FLOSS
> > > community as a whole. Even if the CRA will be probably adopted before
> > > the time the vote ends (if it takes place), we think it is important to
> > > take a public stand about it.
> >
> > Hi Santiago,
>
> Hello Luca
>
> >
> > It seems clear that there is a lot of interest in the project to
> > express a position on this matter. But as mentioned in the thread by
> > myself and others, I find some of the specifics of the text a bit
> > problematic - and some of the responses it elicited even more so.
> >
> > So, I'd like to propose an alternative text, that uses a very similar
> > preamble and still expresses a strong request to the legislators to
> > protect the interests of FOSS and its contributors and clarify any
> > issue, grey area or confusion that might be present in the current
> > texts, and put it beyond any reasonable doubt that FOSS projects can
> > continue working as they have, while at the same time supporting the
> > spirit of the law and its goal to improve the abysmal landscape of
> > software security in commercial products.
> >
> > What do you think? Here's what I came up with:
> >
> > ----- GENERAL RESOLUTION STARTS -----
> >
> > Debian Public Statement about the EU Cyber Resilience Act and the
> > Product Liability Directive
> >
> > The European Union is currently preparing a regulation "on horizontal
> > cybersecurity requirements for products with digital elements" known as
> > the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
> > phase of the legislative process. The act includes a set of essential
> > cybersecurity and vulnerability handling requirements for manufacturers.
> > It will require products to be accompanied by information and
> > instructions to the user. Manufacturers will need to perform risk
> > assessments and produce technical documentation and for critical
> > components, have third-party audits conducted. Security issues under
> > active exploitation will have to be reported to European authorities
> > within 24 hours (1). The CRA will be followed up by an update to the
> > existing Product Liability Directive (PLD) which, among other things,
> > will introduce the requirement for products on the market using software
> > to be able to receive updates to address security vulnerabilities.
> >
> > Given the current state of the electronics and computing devices market,
> > constellated with too many irresponsible vendors (largely employing
> > proprietary software) not taking taking enough precautions to ensure and
> > maintain the security of their products, resulting in grave issues such
> > as the plague of ransomware (that, among other things, has often caused
> > public services to be severely hampered or shut down entirely, across
> > the European Union and beyond, to the detriment of its citizens), the
> > Debian project welcomes this initiative and supports its spirit and
> > intent.
>
> I don't feel comfortable with most of the above paragraph. Where is the
> value in kind-of-finger-pointing proprietary software?
The intent was to reflect these parts of the original proposal:
While proprietary software is developed behind closed doors, Free
Software development is done in the open, transparent for everyone.
and highlight the difference between FOSS and proprietary software in
that regard. I can drop the explicit mention to proprietary software
between brackets, though, that's not a problem.
> > The Debian project believes Free and Open Source Software Projects to be
> > very well positioned to respond to modern challenges around security and
> > accountability that these regulations aim to improve for products
> > commercialized on the Single Market. Debian is well known for its
> > security track record through practices of responsible disclosure and
> > coordination with upstream developers and other Free and Open Source
> > Software projects. The project aims to live up to the commitment made in
> > the Debian Social Contract: "We will not hide problems." (2)
> >
> > The Debian project welcomes the attempt of the legislators to ensure
> > that the development of Free and Open Source Software is not negatively
> > affected by these regulations, as clearly expressed by the European
> > Commission in response to stakeholders' requests (1) and as stated in
> > Recital 10 of the preamble to the CRA:
> >
> > 'In order not to hamper innovation or research, free and open-source
> > software developed or supplied outside the course of a commercial
> > activity should not be covered by this Regulation.'
> >
> > The Debian project however notes that not enough emphasis has been
> > employed in all parts of these regulations to clearly exonerate Free
> > and Open Source Software Projects from being subject to the same
> > liabilities as commercial products, which has caused uncertainty and
> > worry among Free and Open Source Software developers and stakeholders.
> >
> > Therefore, the Debian project requests the legislators to enhance the
> > text of these regulations to clarify beyond any reasonable doubt that
> > Free and Open Source Software developers and contributors are not going
> > to be treated as commercial vendors, with special emphasis on
> > clarifying grey areas such as donations and contributions from
> > commercial companies. It is fundamental for the interests of the
> > European Union itself that Free and Open Source Software development
> > can continue to thrive and produce high quality software components,
> > applications and operating systems, and this can only happen if Free
> > and Open Source Software developers and contributors can continue to
> > work on these projects as they have been doing before these new
> > regulations, without being encumbered by legal requirements that are
> > only appropriate for commercial companies and enterprises.
> >
> >
> > ==========================================================================
> >
> > Sources:
> >
> > (1) CRA proposals and links:
> >
> > https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
> > PLD proposals and links:
> >
> > https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
> > Response from the European Commission to a question from the European
> > Parliament on FOSS awareness:
> >
> > https://www.europarl.europa.eu/doceo/document/E-9-2023-002473-ASW_EN.html
> >
> > (2) Debian Social Contract No. 2, 3 and 4
> > https://www.debian.org/social_contract
> >
> > ----- GENERAL RESOLUTION ENDS -----
>
> Just a quick comment:
>
> IMHO, this proposal doesn't take into account issues with article 11. I
> don't think the proposed article helps to increase the security of the
> users, whether the vulnerabilities to be reported are known to be
> actively exploited or not. And this is for developers/manufacturers
> under commercial or non-commercial activities.
Article 11 applies to actively exploited security vulnerabilities, and
keeping them hidden - as irresponsible vendors routinely do - is bad
for users and for the ecosystem as a whole. It is also directly
against our social contract, as the original text already pointed out.
It is an overwhelmingly positive step forward, and one that will have
little to no effect on FOSS given, as the original proposal already
highlighted, FOSS already follows best practices around responsible
disclosure and security maintenance, even if some implementation
details (e.g.: time windows) could be improved in the law. It will on
the other hand likely be very detrimental for many irresponsible
commercial actors that routinely hide or refuse to fix security issues
affecting products, but I don't see why the Debian project should take
the defence of such bad practices around commercial products, even if
individual members think they should be allowed to do so - it has
nothing to do with our work or our project, as far as I can tell.
> Spreading the information about unpatched vulnerabilities among the
> agencies of the members of the Union increases the risk of leaks to
> malicious actors.
> Other than that, given recent history, I would prefer if government
> agencies don't get even more data about vulnerabilities that they could
> exploit.
On the contrary, status quo is that FOSS projects already disclose
unpatched vulnerabilities, but to for-profit enterprises like MITRE,
which are not exactly doing a stellar job in maintaining vulnerability
databases. Also commercial vendors routinely disclose vulnerabilities
to privileged (== well paying) business partners, ignoring small
customers or users, and making them answer to public bodies,
themselves accountable to the public rather than shareholders
interested only in maximizing their own profits, is a good step
forward.
> I find the reporting time limit too short and hard to fulfill for
> small-size companies or single developers, and it would also impact the
> research on security issues as it is currently done.
I believe it was mentioned that the time window is still subject to
discussions, and surely it can be improved, while noting that this all
applies to _actively_ exploited problems, so the window needs to be
short out of practical necessities of damage control. I am happy to
add a paragraph to mention this detail, how about something like the
following as the last paragraph:
Finally, the Debian project recognizes the importance of responsible and
timely disclosure of actively exploited security vulnerabilities, and notes
that Free and Open Source Projects are already leading by example in this
regard, but notes that the current proposed 24 hours window is very short
and could be problematic for small projects and vendors to comply with,
and thus encourages the legislators to consider relaxing this requirement
to ensure that all involved parties are able to comply with it.
> Moreover, this regulation will likely inspire other countries to apply
> similar disclosure requirements to their own agencies, increasing even
> more the above mentioned risk.
It's already happening in various forms for large markets anyway (see
for example the US govt EO on bills of materials), which again is a
good thing.
> In any case, you are, of course, free to propose an alternative text :-)
I would very much prefer presenting a single proposal, if at all
possible - hence all these modifications that I am happy to do, and
keep the alternative proposal as a last resort. Is there anything else
you'd like me to change or mention that could make it more amenable?
