Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Mon, Nov 20, 2023 at 12:40:58AM +0100, Aigars Mahinovs wrote: > I second adding this version to the vote I'm getting a bad signature on this. > On Mon, 20 Nov 2023 at 00:22, Luca Boccassi wrote: > Second version, taking into account feedback. Looking for seconds at > this point: Maybe Santiago wants to adopt this text, rather than having 2 options? Kurt
Re: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Hello everybody, thank you for preparing this! Quick comments form somebody who does not have the time to follow debian-vote: "make the best system we can": Maybe this is a good opportunity to point at our social contract, to show to the readers who have no idea what Debian is how important that the statement is for us, and that it predates the discussions on the CRA. The word "upstream" appears for the first time in point 1b. I am unsure with people with superficial knowledge of what we are doing know what "upstream" means. "The social contract": maybe "Our social contract" is clearer? 2d as it is written feels anti-government, and why would governments listen the needs of an anti-government organisation? The point on centralisation is already made in 2c. It may be remindwd there that threat actors include unlawful governments (and that in EU there as as many governments as members). Then, I would suggest to center 2d on the protection of activists. Maybe it could be said that Debian accept anonymous contributions for that reason, and that (to my knowledge) the CRA does not take that kind of situation into account. "the EU aims to cripple": this is a strong statement that will annoy all readers who believe that the EU aims to make a better world and possibly reduce the support for and impact of the GR. Maybe "If accepted as it is, CRA will cripple" I hope you find my comments helpful. Even if the GR text does not change, I will vote for it anyway. Finally, the conclusion calls for exemptions for small businesses, but why not explicitely call for a clear excemption for large free software projects such as Debian, given all the uncertainty that the CRA would create. After all, we compete with commercial products, we aim to have users beyond our community, and we do send strong signals to our users that they can put a lot of trust on us. In that sense, it may be argued one day by others that we are doing some kind of commerce. Have a nice day, Charles
Re: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On 2023-11-19 22:45 +0100, Debian Project Secretary - Kurt Roeckx wrote: > > More information can be found at: > https://www.debian.org/vote/2023/vote_002 This is generally good, but can we fix the typos and English-as-2nd-language issues before voting? Or is it too late already? I don't feel we should be putting out an official project statement with mistakes/English like this. And (assuming we are going to fix this) it feels wrong to vote on a text before it is finalised. Things I noticed: 1) Discoverded -> Discovered 2) "a fine-tuned, well working system " This is very peculiar, not really correct, english. At the very least 'well-working' needs hyphenating. "well-functioning"? "tried-and-tested"? Maybe just re-arrange the sentence. 3) "to keep even with" -> "to retain parity with" 4) "It is not understandable why" -> "It is not comprehensible why" or probably better: "It is not understandable why the EU aims to" -> "It makes no sense for the EU to aim to" HTH (did none of the seconders notice this stuff?). I guess I should join -project or -vote some day... Wookey -- Principal hats: Debian, Wookware, ARM http://wookware.org/ signature.asc Description: PGP signature
Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I second adding this version to the vote On Mon, 20 Nov 2023 at 00:22, Luca Boccassi wrote: Second version, taking into account feedback. Looking for seconds at this point: - GENERAL RESOLUTION STARTS - Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Security issues under active exploitation will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by an update to the existing Product Liability Directive (PLD) which, among other things, will introduce the requirement for products on the market using software to be able to receive updates to address security vulnerabilities. Given the current state of the electronics and computing devices market, constellated with too many irresponsible vendors not taking taking enough precautions to ensure and maintain the security of their products, resulting in grave issues such as the plague of ransomware (that, among other things, has often caused public services to be severely hampered or shut down entirely, across the European Union and beyond, to the detriment of its citizens), the Debian project welcomes this initiative and supports its spirit and intent. The Debian project believes Free and Open Source Software Projects to be very well positioned to respond to modern challenges around security and accountability that these regulations aim to improve for products commercialized on the Single Market. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free and Open Source Software projects. The project aims to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (2) The Debian project welcomes the attempt of the legislators to ensure that the development of Free and Open Source Software is not negatively affected by these regulations, as clearly expressed by the European Commission in response to stakeholders' requests (1) and as stated in Recital 10 of the preamble to the CRA: 'In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation.' The Debian project however notes that not enough emphasis has been employed in all parts of these regulations to clearly exonerate Free and Open Source Software developers and maintainers from being subject to the same liabilities as commercial vendors, which has caused uncertainty and worry among such stakeholders. Therefore, the Debian project asks the legislators to enhance the text of these regulations to clarify beyond any reasonable doubt that Free and Open Source Software developers and contributors are not going to be treated as commercial vendors in the exercise of their duties when merely developing and publishing Free and Open Source Software, with special emphasis on clarifying grey areas, such as donations, contributions from commercial companies and developing Free and Open Source Software that may be later commercialised by a commercial vendor. It is fundamental for the interests of the European Union itself that Free and Open Source Software development can continue to thrive and produce high quality software components, applications and operating systems, and this can only happen if Free and Open Source Software developers and contributors can continue to work on these projects as they have been doing before these new regulations, especially but not exclusively in the context of nonprofit organizations, without being encumbered by legal requirements that are only appropriate for commercial companies and enterprises. == Sources: (1) CRA proposals and links: https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation PLD proposals and links: https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-di
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Sun, 19 Nov 2023 at 00:21, Sam Hartman wrote: > > > "Bart" == Bart Martens writes: > >> > >> * A commercial company writes free-software that for all > >> practical purposes can be used only for access to their > >> proprietary web service. I'd rather not allow arguments about > >> whether a flaw is on the web service side or the client API side > >> to be used to help the company get out of liability to their > >> customers/users. > > Bart> I guess "awscli" is an example of this situation. > > Sure, let's say it is. > One could quibble about whether there are alternate implementations of > AWS's API, but for most uses, I'd agree with awscli being an example of > what I'm talking about. > > Bart> https://packages.debian.org/sid/awscli > Bart> > https://metadata.ftp-master.debian.org/changelogs//main/a/awscli/awscli_2.12.0-1_copyright > Bart> So the EU would hold Amazon liable for damages caused by using > Bart> "awscli", overruling the "without warranties" clause in the > Bart> license. Well, then next time Amazon might choose to only > Bart> provide documentation of the API, without publishing an open > Bart> source example implementation like "awscli". That's a loss for > Bart> foss. It illustrates the value of DFSG 6. > > Ah, because the regulations specifically exclude SAAS and so Amazon > doesn't have liability for the API unless they publish software to use > the API? > > If that's your point, I certainly understand you better. > > If in practice we end up with less open-source software because of > things like that, I agree it would be a negative. The software license makes no difference, if there's a commercial activity involved then the vendor is responsible to its customers. Amazon didn't build awscli because it's a hobby activity or as a favor to the open source ecosystem, they built it because their cloud customers demand it and use it (same for Microsoft for azcli, and for Google for the gcloud cli). So it would not make any difference one way or the other, these softwares will still exist, and will still be open source because there's nothing to gain from doing otherwise. It's a good thing that cloud vendors are held accountable for the security of the software they ship on users' machines, even if their services fall under different regulatory regimes. A certain vendor that I won't name regularly bundles an outdated set of python interpreter, standard library, ancillary modules _and_ OpenSSL as cherry on top with their CLI tool - maybe once these regulations are in place, they'll finally get their act together and start doing proper security maintenance of said product.
Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Second version, taking into account feedback. Looking for seconds at this point: - GENERAL RESOLUTION STARTS - Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Security issues under active exploitation will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by an update to the existing Product Liability Directive (PLD) which, among other things, will introduce the requirement for products on the market using software to be able to receive updates to address security vulnerabilities. Given the current state of the electronics and computing devices market, constellated with too many irresponsible vendors not taking taking enough precautions to ensure and maintain the security of their products, resulting in grave issues such as the plague of ransomware (that, among other things, has often caused public services to be severely hampered or shut down entirely, across the European Union and beyond, to the detriment of its citizens), the Debian project welcomes this initiative and supports its spirit and intent. The Debian project believes Free and Open Source Software Projects to be very well positioned to respond to modern challenges around security and accountability that these regulations aim to improve for products commercialized on the Single Market. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free and Open Source Software projects. The project aims to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (2) The Debian project welcomes the attempt of the legislators to ensure that the development of Free and Open Source Software is not negatively affected by these regulations, as clearly expressed by the European Commission in response to stakeholders' requests (1) and as stated in Recital 10 of the preamble to the CRA: 'In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation.' The Debian project however notes that not enough emphasis has been employed in all parts of these regulations to clearly exonerate Free and Open Source Software developers and maintainers from being subject to the same liabilities as commercial vendors, which has caused uncertainty and worry among such stakeholders. Therefore, the Debian project asks the legislators to enhance the text of these regulations to clarify beyond any reasonable doubt that Free and Open Source Software developers and contributors are not going to be treated as commercial vendors in the exercise of their duties when merely developing and publishing Free and Open Source Software, with special emphasis on clarifying grey areas, such as donations, contributions from commercial companies and developing Free and Open Source Software that may be later commercialised by a commercial vendor. It is fundamental for the interests of the European Union itself that Free and Open Source Software development can continue to thrive and produce high quality software components, applications and operating systems, and this can only happen if Free and Open Source Software developers and contributors can continue to work on these projects as they have been doing before these new regulations, especially but not exclusively in the context of nonprofit organizations, without being encumbered by legal requirements that are only appropriate for commercial companies and enterprises. == Sources: (1) CRA proposals and links: https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation PLD proposals and links: https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive Response from the European Commission to a question from the European Parliament
