Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Sun, Nov 19, 2023 at 11:21:47PM +, Luca Boccassi wrote: > Second version, taking into account feedback. Looking for seconds at > this point: > > - GENERAL RESOLUTION STARTS - > > Debian Public Statement about the EU Cyber Resilience Act and the > Product Liability Directive > > The European Union is currently preparing a regulation "on horizontal > cybersecurity requirements for products with digital elements" known as > the Cyber Resilience Act (CRA). It's currently in the final "trilogue" > phase of the legislative process. The act includes a set of essential > cybersecurity and vulnerability handling requirements for manufacturers. > It will require products to be accompanied by information and > instructions to the user. Manufacturers will need to perform risk > assessments and produce technical documentation and for critical > components, have third-party audits conducted. Security issues under > active exploitation will have to be reported to European authorities > within 24 hours (1). The CRA will be followed up by an update to the > existing Product Liability Directive (PLD) which, among other things, > will introduce the requirement for products on the market using software > to be able to receive updates to address security vulnerabilities. > > Given the current state of the electronics and computing devices market, > constellated with too many irresponsible vendors not taking taking > enough precautions to ensure and maintain the security of their products, > resulting in grave issues such as the plague of ransomware (that, among > other things, has often caused public services to be severely hampered or > shut down entirely, across the European Union and beyond, to the > detriment of its citizens), the Debian project welcomes this initiative > and supports its spirit and intent. > > The Debian project believes Free and Open Source Software Projects to be > very well positioned to respond to modern challenges around security and > accountability that these regulations aim to improve for products > commercialized on the Single Market. Debian is well known for its > security track record through practices of responsible disclosure and > coordination with upstream developers and other Free and Open Source > Software projects. The project aims to live up to the commitment made in > the Debian Social Contract: "We will not hide problems." (2) > > The Debian project welcomes the attempt of the legislators to ensure > that the development of Free and Open Source Software is not negatively > affected by these regulations, as clearly expressed by the European > Commission in response to stakeholders' requests (1) and as stated in > Recital 10 of the preamble to the CRA: > > 'In order not to hamper innovation or research, free and open-source > software developed or supplied outside the course of a commercial > activity should not be covered by this Regulation.' > > The Debian project however notes that not enough emphasis has been > employed in all parts of these regulations to clearly exonerate Free > and Open Source Software developers and maintainers from being subject > to the same liabilities as commercial vendors, which has caused > uncertainty and worry among such stakeholders. > > Therefore, the Debian project asks the legislators to enhance the > text of these regulations to clarify beyond any reasonable doubt that > Free and Open Source Software developers and contributors are not going > to be treated as commercial vendors in the exercise of their duties when > merely developing and publishing Free and Open Source Software, with > special emphasis on clarifying grey areas, such as donations, > contributions from commercial companies and developing Free and Open > Source Software that may be later commercialised by a commercial vendor. > It is fundamental for the interests of the European Union itself that > Free and Open Source Software development can continue to thrive and > produce high quality software components, applications and operating > systems, and this can only happen if Free and Open Source Software > developers and contributors can continue to work on these projects as > they have been doing before these new regulations, especially but not > exclusively in the context of nonprofit organizations, without being > encumbered by legal requirements that are only appropriate for > commercial companies and enterprises. > > == > > Sources: > > (1) CRA proposals and links: > > https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation > PLD proposa
Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Sun, Nov 19, 2023 at 11:21:47PM +, Luca Boccassi wrote: > Second version, taking into account feedback. Looking for seconds at > this point: So I'm still only counting 4 seconds at this point. Kurt
Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Sun, 2023-11-19 at 23:21 +, Luca Boccassi wrote: > Second version, taking into account feedback. Looking for seconds at > this point: Elbrus spotted a typo, fixed below - that's the only change, "taking taking" -> "taking" in the second paragraph - GENERAL RESOLUTION STARTS - Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Security issues under active exploitation will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by an update to the existing Product Liability Directive (PLD) which, among other things, will introduce the requirement for products on the market using software to be able to receive updates to address security vulnerabilities. Given the current state of the electronics and computing devices market, constellated with too many irresponsible vendors not taking enough precautions to ensure and maintain the security of their products, resulting in grave issues such as the plague of ransomware (that, among other things, has often caused public services to be severely hampered or shut down entirely, across the European Union and beyond, to the detriment of its citizens), the Debian project welcomes this initiative and supports its spirit and intent. The Debian project believes Free and Open Source Software Projects to be very well positioned to respond to modern challenges around security and accountability that these regulations aim to improve for products commercialized on the Single Market. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free and Open Source Software projects. The project aims to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (2) The Debian project welcomes the attempt of the legislators to ensure that the development of Free and Open Source Software is not negatively affected by these regulations, as clearly expressed by the European Commission in response to stakeholders' requests (1) and as stated in Recital 10 of the preamble to the CRA: 'In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation.' The Debian project however notes that not enough emphasis has been employed in all parts of these regulations to clearly exonerate Free and Open Source Software developers and maintainers from being subject to the same liabilities as commercial vendors, which has caused uncertainty and worry among such stakeholders. Therefore, the Debian project asks the legislators to enhance the text of these regulations to clarify beyond any reasonable doubt that Free and Open Source Software developers and contributors are not going to be treated as commercial vendors in the exercise of their duties when merely developing and publishing Free and Open Source Software, with special emphasis on clarifying grey areas, such as donations, contributions from commercial companies and developing Free and Open Source Software that may be later commercialised by a commercial vendor. It is fundamental for the interests of the European Union itself that Free and Open Source Software development can continue to thrive and produce high quality software components, applications and operating systems, and this can only happen if Free and Open Source Software developers and contributors can continue to work on these projects as they have been doing before these new regulations, especially but not exclusively in the context of nonprofit organizations, without being encumbered by legal requirements that are only appropriate for commercial companies and enterprises. == Sources: (1) CRA proposals and links: https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation PLD proposals and links: https://www.europarl.europa.eu/legislative
Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Santiago Ruano Rincón dijo [Tue, Nov 21, 2023 at 01:15:40PM -0300]: > > > I second adding this version to the vote > > > > I'm getting a bad signature on this. > > > > > On Mon, 20 Nov 2023 at 00:22, Luca Boccassi wrote: > > > Second version, taking into account feedback. Looking for seconds at > > > this point: > > > > Maybe Santiago wants to adopt this text, rather than having 2 options? > > The initial proposal was made collectively, and now I realise I should > have signed with a "On behalf of the Debian fellows in Montevideo". So > it is not only me to decide. > > Anyway, IMHO, it is good to have more than one option. As one of the seconders --- I know it's up to Santiago to formally adopt or reject the modification to the text he submitted, but yes, this text was the result of –at least– a couple of hours of us working collectively over a text drafted by Ilu. It will surely have some English non-native weirdnesses, as highlighted by Wookey; I'm willing to adopt Wookey's suggestions, as they don't change tone or meaning. As for Luca's proposed version, it _is_ a worthy proposal, and I'll surely vote it above "Further Discussion". But it strongly changes the tone used. I'm happier with the original version. I believe this highlights the strength of Condorcet-based voting systems. If Santiago were to adopt the new text, we might get a situation –as happened in vote 2016-002 leading to 2016-004– where the "softer" version does not get the traction, where the original, "raw" version does. Thanks! - Gunnar. signature.asc Description: PGP signature
Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
El 20/11/23 a las 08:53, Kurt Roeckx escribió: > On Mon, Nov 20, 2023 at 12:40:58AM +0100, Aigars Mahinovs wrote: > > I second adding this version to the vote > > I'm getting a bad signature on this. > > > On Mon, 20 Nov 2023 at 00:22, Luca Boccassi wrote: > > Second version, taking into account feedback. Looking for seconds at > > this point: > > Maybe Santiago wants to adopt this text, rather than having 2 options? The initial proposal was made collectively, and now I realise I should have signed with a "On behalf of the Debian fellows in Montevideo". So it is not only me to decide. Anyway, IMHO, it is good to have more than one option. Cheers, -- Santiago signature.asc Description: PGP signature
Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
I'll just attach the signed version, it seems like GMail plain text mode is still a bit broken. On Mon, 20 Nov 2023 at 08:53, Kurt Roeckx wrote: > > On Mon, Nov 20, 2023 at 12:40:58AM +0100, Aigars Mahinovs wrote: > > I second adding this version to the vote > > I'm getting a bad signature on this. > > > On Mon, 20 Nov 2023 at 00:22, Luca Boccassi wrote: > > Second version, taking into account feedback. Looking for seconds at > > this point: > > Maybe Santiago wants to adopt this text, rather than having 2 options? > > > Kurt > -- Best regards, Aigars Mahinovs -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I second adding this version to the vote On Mon, 20 Nov 2023 at 00:22, Luca Boccassi wrote: Second version, taking into account feedback. Looking for seconds at this point: - GENERAL RESOLUTION STARTS - Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Security issues under active exploitation will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by an update to the existing Product Liability Directive (PLD) which, among other things, will introduce the requirement for products on the market using software to be able to receive updates to address security vulnerabilities. Given the current state of the electronics and computing devices market, constellated with too many irresponsible vendors not taking taking enough precautions to ensure and maintain the security of their products, resulting in grave issues such as the plague of ransomware (that, among other things, has often caused public services to be severely hampered or shut down entirely, across the European Union and beyond, to the detriment of its citizens), the Debian project welcomes this initiative and supports its spirit and intent. The Debian project believes Free and Open Source Software Projects to be very well positioned to respond to modern challenges around security and accountability that these regulations aim to improve for products commercialized on the Single Market. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free and Open Source Software projects. The project aims to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (2) The Debian project welcomes the attempt of the legislators to ensure that the development of Free and Open Source Software is not negatively affected by these regulations, as clearly expressed by the European Commission in response to stakeholders' requests (1) and as stated in Recital 10 of the preamble to the CRA: 'In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation.' The Debian project however notes that not enough emphasis has been employed in all parts of these regulations to clearly exonerate Free and Open Source Software developers and maintainers from being subject to the same liabilities as commercial vendors, which has caused uncertainty and worry among such stakeholders. Therefore, the Debian project asks the legislators to enhance the text of these regulations to clarify beyond any reasonable doubt that Free and Open Source Software developers and contributors are not going to be treated as commercial vendors in the exercise of their duties when merely developing and publishing Free and Open Source Software, with special emphasis on clarifying grey areas, such as donations, contributions from commercial companies and developing Free and Open Source Software that may be later commercialised by a commercial vendor. It is fundamental for the interests of the European Union itself that Free and Open Source Software development can continue to thrive and produce high quality software components, applications and operating systems, and this can only happen if Free and Open Source Software developers and contributors can continue to work on these projects as they have been doing before these new re
Re: Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
> > Second version, taking into account feedback. Looking for seconds > at > > this point: > > Maybe Santiago wants to adopt this text, rather than having 2 > options? Already attempted that last week: https://lists.debian.org/debian-vote/2023/11/msg00051.html Unfortunately time available is limited by the GR process. -- Kind regards, Luca Boccassi signature.asc Description: This is a digitally signed message part
Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
On Mon, Nov 20, 2023 at 12:40:58AM +0100, Aigars Mahinovs wrote: > I second adding this version to the vote I'm getting a bad signature on this. > On Mon, 20 Nov 2023 at 00:22, Luca Boccassi wrote: > Second version, taking into account feedback. Looking for seconds at > this point: Maybe Santiago wants to adopt this text, rather than having 2 options? Kurt
Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 I second adding this version to the vote On Mon, 20 Nov 2023 at 00:22, Luca Boccassi wrote: Second version, taking into account feedback. Looking for seconds at this point: - GENERAL RESOLUTION STARTS - Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Security issues under active exploitation will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by an update to the existing Product Liability Directive (PLD) which, among other things, will introduce the requirement for products on the market using software to be able to receive updates to address security vulnerabilities. Given the current state of the electronics and computing devices market, constellated with too many irresponsible vendors not taking taking enough precautions to ensure and maintain the security of their products, resulting in grave issues such as the plague of ransomware (that, among other things, has often caused public services to be severely hampered or shut down entirely, across the European Union and beyond, to the detriment of its citizens), the Debian project welcomes this initiative and supports its spirit and intent. The Debian project believes Free and Open Source Software Projects to be very well positioned to respond to modern challenges around security and accountability that these regulations aim to improve for products commercialized on the Single Market. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free and Open Source Software projects. The project aims to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (2) The Debian project welcomes the attempt of the legislators to ensure that the development of Free and Open Source Software is not negatively affected by these regulations, as clearly expressed by the European Commission in response to stakeholders' requests (1) and as stated in Recital 10 of the preamble to the CRA: 'In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation.' The Debian project however notes that not enough emphasis has been employed in all parts of these regulations to clearly exonerate Free and Open Source Software developers and maintainers from being subject to the same liabilities as commercial vendors, which has caused uncertainty and worry among such stakeholders. Therefore, the Debian project asks the legislators to enhance the text of these regulations to clarify beyond any reasonable doubt that Free and Open Source Software developers and contributors are not going to be treated as commercial vendors in the exercise of their duties when merely developing and publishing Free and Open Source Software, with special emphasis on clarifying grey areas, such as donations, contributions from commercial companies and developing Free and Open Source Software that may be later commercialised by a commercial vendor. It is fundamental for the interests of the European Union itself that Free and Open Source Software development can continue to thrive and produce high quality software components, applications and operating systems, and this can only happen if Free and Open Source Software developers and contributors can continue to work on these projects as they have been doing before these new regulations, especially but not exclusively in the context of nonprofit organizations, without being encumbered by legal requirements that are only appropriate for commercial companies and enterprises. == Sources: (1) CRA proposals and links: https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation PLD proposals and links: https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-di
Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Second version, taking into account feedback. Looking for seconds at this point: - GENERAL RESOLUTION STARTS - Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Security issues under active exploitation will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by an update to the existing Product Liability Directive (PLD) which, among other things, will introduce the requirement for products on the market using software to be able to receive updates to address security vulnerabilities. Given the current state of the electronics and computing devices market, constellated with too many irresponsible vendors not taking taking enough precautions to ensure and maintain the security of their products, resulting in grave issues such as the plague of ransomware (that, among other things, has often caused public services to be severely hampered or shut down entirely, across the European Union and beyond, to the detriment of its citizens), the Debian project welcomes this initiative and supports its spirit and intent. The Debian project believes Free and Open Source Software Projects to be very well positioned to respond to modern challenges around security and accountability that these regulations aim to improve for products commercialized on the Single Market. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free and Open Source Software projects. The project aims to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (2) The Debian project welcomes the attempt of the legislators to ensure that the development of Free and Open Source Software is not negatively affected by these regulations, as clearly expressed by the European Commission in response to stakeholders' requests (1) and as stated in Recital 10 of the preamble to the CRA: 'In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation.' The Debian project however notes that not enough emphasis has been employed in all parts of these regulations to clearly exonerate Free and Open Source Software developers and maintainers from being subject to the same liabilities as commercial vendors, which has caused uncertainty and worry among such stakeholders. Therefore, the Debian project asks the legislators to enhance the text of these regulations to clarify beyond any reasonable doubt that Free and Open Source Software developers and contributors are not going to be treated as commercial vendors in the exercise of their duties when merely developing and publishing Free and Open Source Software, with special emphasis on clarifying grey areas, such as donations, contributions from commercial companies and developing Free and Open Source Software that may be later commercialised by a commercial vendor. It is fundamental for the interests of the European Union itself that Free and Open Source Software development can continue to thrive and produce high quality software components, applications and operating systems, and this can only happen if Free and Open Source Software developers and contributors can continue to work on these projects as they have been doing before these new regulations, especially but not exclusively in the context of nonprofit organizations, without being encumbered by legal requirements that are only appropriate for commercial companies and enterprises. == Sources: (1) CRA proposals and links: https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation PLD proposals and links: https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive Response from the European Commission to a question from the European Parliament