Re: Call for seconds: Delegate to the DPL
Bill Allombert said [Sat, Nov 25, 2023 at 10:33:34AM +]:
> > > I offer the following ballot option for your consideration.
> > >
> > > - GENERAL RESOLUTION STARTS -
> > >
> > > The Debian developers delegate to the Debian Project Leader the task of
> > > issuing a Public Statement about the 'EU Cyber Resilience Act and the
> > > Product Liability Directive' that addresses Debian interests in the matter.
> > >
> > > - GENERAL RESOLUTION ENDS -
> >
> > I follow your logic in proposing this, although my interpretation of
> > ¶5.1.4[0] in our constitution leads me to believe that the DPL does not need
> > any delegation for this, so perhaps the intention becomes more of "Let the
> > DPL decide".
>
> I agree with you on that point, but note that what matters
> constitutionally is that the DDs via the GR process have authority to do
> it, and so have also the authority to delegate it, even to someone who
> would otherwise have this authority.
>
> The point of this ballot option is to differentiate from 'NOTA' which
> can be interpreted as precluding from issuing a statement.

I understand your reasoning here, and to an extent, it makes sense. But I guess the right verb (for the Debian project to...) would not be "delegate", but rather "request" or something in that line (might be harder, as in "demand", or softer, as in "ask"...?)

> > In February I posted[1] about the CRA to debian-project[1]. My intention was
> > to get a few good people to spend some time to focus on this, since my
> > available bandwidth for this was low (and continued to be since then).
> >
> > I'm not sure that it's a good idea to leave it as a DPL task, it might delay
> > an actual public statement by a month or even more. That said, I'm not
> > completely against the idea, if this ends up happening I would likely
> > combine the best current ideas in an etherpad and invite everyone to list
> > and hammer out any remaining issues.
>
> My view is that when drafting such a statement, we should always keep in
> mind what is its purpose. If it is to be read by the EU regulators, it
> should be written by someone knowing their legal languages.

Right. This ball was already in our DPL's court, but the DPL has to dance many dances. And we have only one DPL, who decided to spend his energy in a different way.

The current GR followed some antecedents that (surprise, surprise, we are Debian!) were not time-bound. As I understand, the EU legislative process is quite advanced now, and I doubt we have the time to build "the perfect response". And the answer from the EU legislative body will not be to read and consider each bullet point we make --- While they are all important mostly *for people quoting and making press releases* in the technical community, the European legislative bodies will just see "oh, a biggish project opposes CRA".

We want to communicate the reasoning as clearly as possible to our peers and to journalists. But we want *something* to be issued while we are still in the due time for the legislative process.

More additional changes (was: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive")
Hello again,

Sorry for this, but I would like to take into account some (minor) additional changes. Some of them are indeed important. As the last time, a diff can be found at the bottom of the mail.

- GENERAL RESOLUTION STARTS -

Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive

The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It is currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and, for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software.

While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement:

1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it.

   a. As the Debian Social Contract states, our goal is "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our work and endangers our commitment to "provide an integrated system of high-quality materials with no legal restrictions that would prevent such uses of the system". (2)

   b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects (the original projects that we integrate in our operating system).

   c. If upstream projects stop making available their code for fear of being in the scope of CRA and its financial consequences, system security will actually get worse rather than better.

   d. Having to get legal advice before giving a gift to society will discourage many developers, especially those without a company or other organisation supporting them.

2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (3)

   a. The Free Software community has developed a fine-tuned, tried-and-tested system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA).

   b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects and in coordination with other vendors. To protect its users, Debian regularly participates in limited embargos to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed.

   c. Security issue tracking and remediation is intentionally decentralized and distributed. The reporting of security issues to ENISA and the intended propagation to other authorities and national administrations would collect all software vulnerabilities in one place. This greatly increases the risk of leaking information about vulnerabilities to threat actors, representing a threat for all the users around the world, including European citizens.

   d. Activists use Debian (e.g. through derivatives such as Tails), among other reasons, to protect themselves from authoritarian governments; handing threat actors exploits they can use for oppression is against what Debian stands for.

   e. Developers and companies will downplay security issues because a "security" issue now comes with legal implications. Less clarity on what is truly a security issue will hurt users by leaving them vulnerable.

3. While proprietary software is developed behind closed doors, Free Software development is done in the open, transparent for everyone.

Re: Call for seconds: Delegate to the DPL
On Fri, Nov 24, 2023 at 07:38:40PM +0200, Jonathan Carter wrote:
> Hi Bill
>
> On 2023/11/24 19:14, Bill Allombert wrote:
> > I offer the following ballot option for your consideration.
> >
> > - GENERAL RESOLUTION STARTS -
> >
> > The Debian developers delegate to the Debian Project Leader the task of
> > issuing a Public Statement about the 'EU Cyber Resilience Act and the
> > Product Liability Directive' that addresses Debian interests in the matter.
> >
> > - GENERAL RESOLUTION ENDS -
>
> I follow your logic in proposing this, although my interpretation of
> ¶5.1.4[0] in our constitution leads me to believe that the DPL does not need
> any delegation for this, so perhaps the intention becomes more of "Let the
> DPL decide".

I agree with you on that point, but note that what matters constitutionally is that the DDs via the GR process have authority to do it, and so have also the authority to delegate it, even to someone who would otherwise have this authority.

The point of this ballot option is to differentiate from 'NOTA' which can be interpreted as precluding from issuing a statement.

> In February I posted[1] about the CRA to debian-project[1]. My intention was
> to get a few good people to spend some time to focus on this, since my
> available bandwidth for this was low (and continued to be since then).
>
> I'm not sure that it's a good idea to leave it as a DPL task, it might delay
> an actual public statement by a month or even more. That said, I'm not
> completely against the idea, if this ends up happening I would likely
> combine the best current ideas in an etherpad and invite everyone to list
> and hammer out any remaining issues.

My view is that when drafting such a statement, we should always keep in mind what is its purpose. If it is to be read by the EU regulators, it should be written by someone knowing their legal languages.

Cheers,
--
Bill.

Imagine a large red swirl here.