Hi,

This is the second call for votes.

 Voting period starts 2023-12-09 00:00:00 UTC
 Votes must be received by 2023-12-22 23:59:59 UTC

This vote is being conducted as required by the Debian Constitution. You may see the constitution at https://www.debian.org/devel/constitution. For voting questions or problems contact secretary@debian.org.

The details of the general resolution can be found at: https://www.debian.org/vote/2023/vote_002

Also, note that you can get a fresh ballot any time before the end of the vote by sending a signed mail to ballot@vote.debian.org with the subject "gr_cra_pld".

To vote you need to be a Debian Developer.

HOW TO VOTE

First, read the full text of the options. You might also want to read discussions at https://lists.debian.org/debian-vote/

To cast a vote, it is necessary to send this ballot filled out to a dedicated e-mail address, in a signed message, as described below. The dedicated email address this ballot should be sent to is:

 gr_cra_pld@vote.debian.org

The form you need to fill out is contained below in this message, marked with two lines containing the characters '-=-=-=-=-=-'. Do not erase anything between those lines, and do not change the choice names.

There are 4 choices in the form, which you may rank with numbers between 1 and 4. In the brackets next to your preferred choice, place a 1. Place a 2 in the brackets next to your next choice. Continue until you reach your last choice. Do not enter a number smaller than 1 or larger than 4.

You may skip numbers, leave some choices unranked, and rank options equally. Unranked choices are considered equally the least desired choices, and ranked below all ranked choices.

To vote "no, no matter what", rank "None of the above" as more desirable than the unacceptable choices, or you may rank the "None of the above" choice and leave choices you consider unacceptable blank.
(Note: if the "None of the above" choice is unranked, then it is equal to all other unranked choices, if any -- no special consideration is given to the "None of the above" choice by the voting software).

Finally, mail the filled out ballot to: gr_cra_pld@vote.debian.org.

Don't worry about spacing of the columns or any quote characters (">") that your reply inserts.

NOTE: The vote must be GPG signed (or PGP signed) with your key that is in the Debian keyring. You may, if you wish, choose to send a signed, encrypted ballot: use the vote key appended below for encryption.

The voting software (Devotee) accepts mail that either contains only an unmangled OpenPGP message (RFC 2440 compliant), or a PGP/MIME mail (RFC 3156 compliant). To avoid problems I suggest you use PGP/MIME.

VOTING SECRECY

This is a secret vote. After the voting period there will be a record of all the votes without the name of the voter. It will instead contain a cryptographic hash. You will receive a secret after you have voted that can be used to calculate that hash. This allows you to verify that your vote is in the list. This secret is sent in an encrypted mail.

VOTING FORM

- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
52bbd34b-1e8e-45ad-bd32-e517dbf2958c
[ ] Choice 1: CRA and PLD proposals include regulations detrimental to FOSS
[ ] Choice 2: CRA and PLD proposals should only apply to commercial ventures
[ ] Choice 3: The EU should not overrule DFSG 6 and FOSS licenses
[ ] Choice 4: None Of The Above
- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-

----------------------------------------------------------------------

The responses to a valid vote shall be signed by the vote key created for this vote. The public key for the vote, signed by the Project secretary, is appended below.

BALLOT OPTIONS

Choice 1: CRA and PLD proposals include regulations detrimental to FOSS
=======================================================================

Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive

The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It is currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and, for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software.

While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement:

1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it.

   a. As the Debian Social Contract states, our goal is "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our work and endangers our commitment to "provide an integrated system of high-quality materials with no legal restrictions that would prevent such uses of the system". (2)

   b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects (the original projects that we integrate in our operating system).

   c. If upstream projects stop making available their code for fear of being in the scope of CRA and its financial consequences, system security will actually get worse rather than better.

   d. Having to get legal advice before giving a gift to society will discourage many developers, especially those without a company or other organisation supporting them.

2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (3)

   a. The Free Software community has developed a fine-tuned, tried-and-tested system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA).

   b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects and in coordination with other vendors. To protect its users, Debian regularly participates in limited embargos to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed.

   c. Security issue tracking and remediation is intentionally decentralized and distributed. The reporting of security issues to ENISA and the intended propagation to other authorities and national administrations would collect all software vulnerabilities in one place. This greatly increases the risk of leaking information about vulnerabilities to threat actors, representing a threat for all the users around the world, including European citizens.

   d. Activists use Debian (e.g. through derivatives such as Tails), among other reasons, to protect themselves from authoritarian governments; handing threat actors exploits they can use for oppression is against what Debian stands for.

   e. Developers and companies will downplay security issues because a "security" issue now comes with legal implications. Less clarity on what is truly a security issue will hurt users by leaving them vulnerable.

3. While proprietary software is developed behind closed doors, Free Software development is done in the open, transparent for everyone. To retain parity with proprietary software the open development process needs to be entirely exempt from CRA requirements, just as the development of software in private is. A "making available on the market" can only be considered after development is finished and the software is released.

4. Even if only "commercial activities" are in the scope of CRA, the Free Software community - and as a consequence, everybody - will lose a lot of small projects. CRA will force many small enterprises and most probably all self employed developers out of business because they simply cannot fulfill the requirements imposed by CRA. Debian and other Linux distributions depend on their work. If accepted as it is, CRA will undermine not only an established community but also a thriving market. CRA needs an exemption for small businesses and, at the very least, solo-entrepreneurs.

=========

Sources:

(1) CRA proposals and links:
    https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-european-cyber-resilience-act
    PLD proposals and links:
    https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive

(2) Debian Social Contract No. 2, 3 and 4
    https://www.debian.org/social_contract

Choice 2: CRA and PLD proposals should only apply to commercial ventures
========================================================================

Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive

The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Security issues under active exploitation will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by an update to the existing Product Liability Directive (PLD) which, among other things, will introduce the requirement for products on the market using software to be able to receive updates to address security vulnerabilities.

Given the current state of the electronics and computing devices market, constellated with too many irresponsible vendors not taking enough precautions to ensure and maintain the security of their products, resulting in grave issues such as the plague of ransomware (that, among other things, has often caused public services to be severely hampered or shut down entirely, across the European Union and beyond, to the detriment of its citizens), the Debian project welcomes this initiative and supports its spirit and intent.

The Debian project believes Free and Open Source Software Projects to be very well positioned to respond to modern challenges around security and accountability that these regulations aim to improve for products commercialized on the Single Market. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free and Open Source Software projects. The project aims to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (2)

The Debian project welcomes the attempt of the legislators to ensure that the development of Free and Open Source Software is not negatively affected by these regulations, as clearly expressed by the European Commission in response to stakeholders' requests (1) and as stated in Recital 10 of the preamble to the CRA:

 'In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation.'

The Debian project however notes that not enough emphasis has been employed in all parts of these regulations to clearly exonerate Free and Open Source Software developers and maintainers from being subject to the same liabilities as commercial vendors, which has caused uncertainty and worry among such stakeholders.

Therefore, the Debian project asks the legislators to enhance the text of these regulations to clarify beyond any reasonable doubt that Free and Open Source Software developers and contributors are not going to be treated as commercial vendors in the exercise of their duties when merely developing and publishing Free and Open Source Software, with special emphasis on clarifying grey areas, such as donations, contributions from commercial companies and developing Free and Open Source Software that may be later commercialised by a commercial vendor.

It is fundamental for the interests of the European Union itself that Free and Open Source Software development can continue to thrive and produce high quality software components, applications and operating systems, and this can only happen if Free and Open Source Software developers and contributors can continue to work on these projects as they have been doing before these new regulations, especially but not exclusively in the context of nonprofit organizations, without being encumbered by legal requirements that are only appropriate for commercial companies and enterprises.

=========

Sources:

(1) CRA proposals and links:
    https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
    PLD proposals and links:
    https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
    Response from the European Commission to a question from the European Parliament on FOSS awareness:
    https://www.europarl.europa.eu/doceo/document/E-9-2023-002473-ASW_EN.html

(2) Debian Social Contract No. 2, 3 and 4
    https://www.debian.org/social_contract

Choice 3: The EU should not overrule DFSG 6 and FOSS licenses
=============================================================

Debian Public Statement about the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD)

The CRA includes requirements for manufacturers of software, followed up by the PLD with compulsory liability for software. The Debian project has concerns on the impact on Free and Open-Source Software (FOSS).

The CRA makes the use of FOSS in commercial context more difficult. This goes against the philosophy of the Debian project. The Debian Free Software Guidelines (DFSG) include "6. No Discrimination Against Fields of Endeavor - The license must not restrict anyone from making use of the program in a specific field of endeavor."
A significant part of the success of FOSS is its use in commercial context. It should remain possible for anyone to produce, publish and use FOSS, without making it harder for commercial entities or for any group of FOSS users.

The compulsory liability as meant in the PLD overrules the usual liability disclaimers in FOSS licenses. This makes sharing FOSS with the public more legally risky. The compulsory liability makes sense for closed-source software, where the users fully depend on the manufacturers. With FOSS the users have the option of helping themselves with the source code, and/or hiring any consultant on the market. The usual liability disclaimers in FOSS licenses should remain valid without the risk of being overruled by the PLD.

The Debian project asks the EU to not draw a line between commercial and non-commercial use of FOSS. Such line should instead be between closed-source software and FOSS. FOSS should be entirely exempt from the CRA and the PLD.