General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Hi,
This is the first call for votes about: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Voting period starts 2023-12-09 00:00:00 UTC
Votes must be received by 2023-12-22 23:59:59 UTC
This vote is being conducted as required by the Debian Constitution. You may see the constitution at https://www.debian.org/devel/constitution. For voting questions or problems contact secret...@debian.org.
The details of the general resolution can be found at: https://www.debian.org/vote/2023/vote_002
Also, note that you can get a fresh ballot any time before the end of the vote by sending a signed mail to bal...@vote.debian.org with the subject "gr_non_free_firmware".
To vote you need to be a Debian Developer.
HOW TO VOTE
First, read the full text of the options. You might also want to read discussions at https://lists.debian.org/debian-vote/
To cast a vote, it is necessary to send this ballot filled out to a dedicated e-mail address, in a signed message, as described below. The dedicated email address this ballot should be sent to is: gr_non_free_firmw...@vote.debian.org
The form you need to fill out is contained below in this message, marked with two lines containing the characters '-=-=-=-=-=-'. Do not erase anything between those lines, and do not change the choice names.
There are 4 choices in the form, which you may rank with numbers between 1 and 4. In the brackets next to your preferred choice, place a 1. Place a 2 in the brackets next to your next choice. Continue until you reach your last choice. Do not enter a number smaller than 1 or larger than 4. You may skip numbers, leave some choices unranked, and rank options equally. Unranked choices are considered equally the least desired choices, and ranked below all ranked choices.
To vote "no, no matter what", rank "None of the above" as more desirable than the unacceptable choices, or you may rank the "None of the above" choice and leave choices you consider unacceptable blank.
(Note: if the "None of the above" choice is unranked, then it is equal to all other unranked choices, if any -- no special consideration is given to the "None of the above" choice by the voting software).
Finally, mail the filled out ballot to: gr_cra_...@vote.debian.org. Don't worry about spacing of the columns or any quote characters (">") that your reply inserts.
NOTE: The vote must be GPG signed (or PGP signed) with your key that is in the Debian keyring. You may, if you wish, choose to send a signed, encrypted ballot: use the vote key appended below for encryption.
The voting software (Devotee) accepts mail that either contains only an unmangled OpenPGP message (RFC 2440 compliant), or a PGP/MIME mail (RFC 3156 compliant). To avoid problems I suggest you use PGP/MIME.
VOTING SECRECY
This is a secret vote. After the voting period there will be a record of all the votes without the name of the voter. It will instead contain a cryptographic hash. You will receive a secret after you have voted that can be used to calculate that hash. This allows you to verify that your vote is in the list. This secret is sent in an encrypted mail.
VOTING FORM
- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
52bbd34b-1e8e-45ad-bd32-e517dbf2958c
[ ] Choice 1: CRA and PLD proposals include regulations detrimental to FOSS
[ ] Choice 2: CRA and PLD proposals should only apply to commercial ventures
[ ] Choice 3: The EU should not overrule DFSG 6 and FOSS licenses
[ ] Choice 4: None Of The Above
- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
--
The responses to a valid vote shall be signed by the vote key created for this vote. The public key for the vote, signed by the Project secretary, is appended below.
BALLOT OPTIONS Choice 1: CRA and PLD proposals include regulations detrimental to FOSS === Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It is currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and, for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory
More additional changes (was: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive")
Hello again, Sorry for this, but I would like to take into account some (minor) additional changes. Some of them are indeed important. As the last time, a diff can be found at the bottom of the mail. - GENERAL RESOLUTION STARTS - Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It is currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and, for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement: 1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it. a. As the Debian Social Contract states, our goal is "make the best system we can, so that free works will be widely distributed and used." 
Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our work and endangers our commitment to "provide an integrated system of high-quality materials with no legal restrictions that would prevent such uses of the system". (2) b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects (the original projects that we integrate in our operating system). c. If upstream projects stop making available their code for fear of being in the scope of CRA and its financial consequences, system security will actually get worse rather than better. d. Having to get legal advice before giving a gift to society will discourage many developers, especially those without a company or other organisation supporting them. 2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (3) a. The Free Software community has developed a fine-tuned, tried-and-tested system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA). b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects and in coordination with other vendors. To protect its users, Debian regularly participates in limited embargos to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed. c. Security issue tracking and remediation is intentionally decentralized and distributed. 
The reporting of security issues to ENISA and the intended propagation to other authorities and national administrations would collect all software vulnerabilities in one place. This greatly increases the risk of leaking information about vulnerabilities to threat actors, representing a threat for all the users around the world, including European citizens. d. Activists use Debian (e.g. through derivatives such as Tails), among other reasons, to protect themselves from authoritarian governments; handing threat actors exploits they can use for oppression is against what Debian stands for. e. Developers and companies will downplay security issues because a "security" issue now comes with legal implications. Less clarity on what is truly a security issue will hurt users by leaving them vulnerable. 3. While proprietary software is developed behind closed doors, Free Software development is done in the open, transparent for everyone.
Re: Amendment to the original proposal (was: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive")
Thank you very much Santiago! I am not sure whether your seconders must also second the amended version, but I reviewed it, and agree with the proposed changes (none of which seem to alter IMO the intent of the document). Thus, re-seconded.
Santiago Ruano Rincón wrote [Fri, Nov 24, 2023 at 04:24:56PM +]:
> Hello there,
>
> Here you can find a modified version that takes into account most of the reviews. It doesn't change the meaning of the original proposal, and hopefully improves it. Thanks again for all the comments.
>
> A diff between both version is found below.
>
> - GENERAL RESOLUTION STARTS -
>
> Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive
>
> The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. More information about the proposed legislation and its consequences in (2).
>
> While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement:
>
> 1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it.
> a. As the Debian Social Contract states, our goal is "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our work and endangers our commitment to "provide an integrated system of high-quality materials with no legal restrictions that would prevent such uses of the system". (3)
>
> b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects (the original projects that we integrate in our operating system).
>
> c. If upstream projects stop developing for fear of being in the scope of CRA and its financial consequences, system security will actually get worse instead of better.
>
> d. Having to get legal advice before giving a present to society will discourage many developers, especially those without a company or other organisation supporting them.
>
> 2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (3)
>
> a. The Free Software community has developed a fine-tuned, tried-and-tested system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA).
>
> b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects, in coordination with other vendors. To protect its users, Debian regularly participates in limited embargos to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed.
>
> c. Security issue tracking and remediation is intentionally decentralized and distributed. The reporting of security issues to ENISA and the intended propagation to other authorities and national administrations would collect all software vulnerabilities in one place, greatly increasing the risk of leaking information about vulnerabilities to threat actors, representing a threat for all the users around the world, including European citizens.
>
> d. Activists use Debian (e.g.
Amendment to the original proposal (was: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive")
Hello there, Here you can find a modified version that takes into account most of the reviews. It doesn't change the meaning of the original proposal, and hopefully improves it. Thanks again for all the comments. A diff between both version is found below. - GENERAL RESOLUTION STARTS - Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. More information about the proposed legislation and its consequences in (2). While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement: 1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it. a. As the Debian Social Contract states, our goal is "make the best system we can, so that free works will be widely distributed and used." 
Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our work and endangers our commitment to "provide an integrated system of high-quality materials with no legal restrictions that would prevent such uses of the system". (3) b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects (the original projects that we integrate in our operating system). c. If upstream projects stop developing for fear of being in the scope of CRA and its financial consequences, system security will actually get worse instead of better. d. Having to get legal advice before giving a present to society will discourage many developers, especially those without a company or other organisation supporting them. 2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (3) a. The Free Software community has developed a fine-tuned, tried-and-tested system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA). b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects, in coordination with other vendors. To protect its users, Debian regularly participates in limited embargos to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed. c. Security issue tracking and remediation is intentionally decentralized and distributed. 
The reporting of security issues to ENISA and the intended propagation to other authorities and national administrations would collect all software vulnerabilities in one place, greatly increasing the risk of leaking information about vulnerabilities to threat actors, representing a threat for all the users around the world, including European citizens. d. Activists use Debian (e.g. through derivatives such as Tails), among other reasons, to protect themselves from authoritarian governments; handing threat actors exploits they can use for oppression is against what Debian stands for. e. Developers and companies will downplay security issues because a "security" issue now comes with legal implications. Less clarity on what is truly a security issue will hurt users by leaving them vulnerable. 3. While proprietary software
Re: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Thanks to those who have spotted errors and have proposed fixes! I am collecting more patches, and I will send an updated proposal as soon as possible. But I won't be able to do it earlier than tomorrow Wednesday, when I will be in the Northern hemisphere.
On 21/11/23 at 12:01, Miriam Ruiz wrote:
> s/Discoverded/Discovered/
> s/fullfill/fulfill/
>
> On Sun, 19 Nov 2023 at 22:53, Debian Project Secretary - Kurt Roeckx () wrote:
> >
> > A General Resolution has been started about a statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
> >
> > More information can be found at:
> > https://www.debian.org/vote/2023/vote_002
> >
> > Kurt Roeckx
> > Debian Project Secretary
Re: Re: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
> "the EU aims to cripple": this is a strong statement that will annoy all readers who believe that the EU aims to make a better world and possibly reduce the support for and impact of the GR. Maybe "If accepted as it is, CRA will cripple"
There are many such problems with the proposed text. An alternative text that aims to solve them is currently looking for seconds: https://lists.debian.org/debian-vote/2023/11/msg00065.html
--
Kind regards,
Luca Boccassi
Re: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Hello everybody,
thank you for preparing this! Quick comments from somebody who does not have the time to follow debian-vote:
"make the best system we can": Maybe this is a good opportunity to point at our social contract, to show to the readers who have no idea what Debian is how important that statement is for us, and that it predates the discussions on the CRA.
The word "upstream" appears for the first time in point 1b. I am unsure whether people with superficial knowledge of what we are doing know what "upstream" means.
"The social contract": maybe "Our social contract" is clearer?
2d as it is written feels anti-government, and why would governments listen to the needs of an anti-government organisation? The point on centralisation is already made in 2c. It may be reminded there that threat actors include unlawful governments (and that in the EU there are as many governments as members). Then, I would suggest to center 2d on the protection of activists. Maybe it could be said that Debian accepts anonymous contributions for that reason, and that (to my knowledge) the CRA does not take that kind of situation into account.
"the EU aims to cripple": this is a strong statement that will annoy all readers who believe that the EU aims to make a better world and possibly reduce the support for and impact of the GR. Maybe "If accepted as it is, CRA will cripple"
I hope you find my comments helpful. Even if the GR text does not change, I will vote for it anyway.
Finally, the conclusion calls for exemptions for small businesses, but why not explicitly call for a clear exemption for large free software projects such as Debian, given all the uncertainty that the CRA would create? After all, we compete with commercial products, we aim to have users beyond our community, and we do send strong signals to our users that they can put a lot of trust in us. In that sense, it may be argued one day by others that we are doing some kind of commerce.
Have a nice day,
Charles
Re: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On 2023-11-19 22:45 +0100, Debian Project Secretary - Kurt Roeckx wrote:
>
> More information can be found at:
> https://www.debian.org/vote/2023/vote_002
This is generally good, but can we fix the typos and English-as-2nd-language issues before voting? Or is it too late already? I don't feel we should be putting out an official project statement with mistakes/English like this. And (assuming we are going to fix this) it feels wrong to vote on a text before it is finalised.
Things I noticed:
1) Discoverded -> Discovered
2) "a fine-tuned, well working system " This is very peculiar, not really correct, English. At the very least 'well-working' needs hyphenating. "well-functioning"? "tried-and-tested"? Maybe just re-arrange the sentence.
3) "to keep even with" -> "to retain parity with"
4) "It is not understandable why" -> "It is not comprehensible why" or probably better: "It is not understandable why the EU aims to" -> "It makes no sense for the EU to aim to"
HTH (did none of the seconders notice this stuff?). I guess I should join -project or -vote some day...
Wookey
--
Principal hats: Debian, Wookware, ARM
http://wookware.org/