[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"



Just for good measure, seconded.

If this does go through, I am curious about the wider impact this has on the free software and open source community, outside the EU. As a United States citizen, I fear fragmentation in software availability and licenses that could potentially "wall off" the EU further from the rest of the world.

Deeply concerning to see.

On 11/12/23 09:10 AM, Santiago Ruano Rincón wrote:
Dear Debian Fellows,

Following the email sent by Ilu to debian-project (Message-ID:
<4b93ed08-f148-4c7f-b172-f967f7de7e4d@gmx.net>), and as we have
discussed during the MiniDebConf UY 2023 with other Debian Members, I
would like to call for a vote about issuing a Debian public statement regarding
the EU Cyber Resilience Act (CRA) and the Product Liability Directive
(PLD). The CRA is in the final stage in the legislative process in the
EU Parliament, and we think it will impact negatively the Debian
Project, users, developers, companies that rely on Debian, and the FLOSS
community as a whole. Even if the CRA will be probably adopted before
the time the vote ends (if it takes place), we think it is important to
take a public stand about it.

     ----- GENERAL RESOLUTION STARTS -----

     Debian Public Statement about the EU Cyber Resilience Act and the
     Product Liability Directive

     The European Union is currently preparing a regulation "on horizontal
     cybersecurity requirements for products with digital elements" known as
     the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
     phase of the legislative process. The act includes a set of essential
     cybersecurity and vulnerability handling requirements for manufacturers.
     It will require products to be accompanied by information and
     instructions to the user. Manufacturers will need to perform risk
     assessments and produce technical documentation and for critical
     components, have third-party audits conducted. Discoverded security
     issues will have to be reported to European authorities within 24 hours
     (1). The CRA will be followed up by the Product Liability Directive
     (PLD) which will introduce compulsory liability for software. More
     information about the proposed legislation and its consequences in (2).

     While a lot of these regulations seem reasonable, the Debian project
     believes that there are grave problems for Free Software projects
     attached to them. Therefore, the Debian project issues the following
     statement:

     1.  Free Software has always been a gift, freely given to society, to
     take and to use as seen fit, for whatever purpose. Free Software has
     proven to be an asset in our digital age and the proposed EU Cyber
     Resilience Act is going to be detrimental to it.
         a.  It is Debian's goal to "make the best system we can, so that
     free works will be widely distributed and used." Imposing requirements
     such as those proposed in the act makes it legally perilous for others
     to redistribute our works and endangers our commitment to "provide an
     integrated system of high-quality materials _with no legal restrictions_
     that would prevent such uses of the system". (3)

         b.  Knowing whether software is commercial or not isn't feasible,
     neither in Debian nor in most free software projects - we don't track
     people's employment status or history, nor do we check who finances
     upstream projects.

         c.  If upstream projects stop developing for fear of being in the
     scope of CRA and its financial consequences, system security will
     actually get worse instead of better.

         d.  Having to get legal advice before giving a present to society
     will discourage many developers, especially those without a company or
     other organisation supporting them.

     2.  Debian is well known for its security track record through practices
     of responsible disclosure and coordination with upstream developers and
     other Free Software projects. We aim to live up to the commitment made
     in the Social Contract: "We will not hide problems." (3)
         a.  The Free Software community has developed a fine-tuned, well
     working system of responsible disclosure in case of security issues
     which will be overturned by the mandatory reporting to European
     authorities within 24 hours (Art. 11 CRA).

         b.  Debian spends a lot of volunteering time on security issues,
     provides quick security updates and works closely together with upstream
     projects, in coordination with other vendors. To protect its users,
     Debian regularly participates in limited embargos to coordinate fixes to
     security issues so that all other major Linux distributions can also
     have a complete fix when the vulnerability is disclosed.

         c.  Security issue tracking and remediation is intentionally
     decentralized and distributed. The reporting of security issues to
     ENISA and the intended propagation to other authorities and national
     administrations would collect all software vulnerabilities in one place,
     greatly increasing the risk of leaking information about vulnerabilities
     to threat actors, representing a threat for all the users around the
     world, including European citizens.

         d.  Activists use Debian (e.g. through derivatives such as Tails),
     among other reasons, to protect themselves from authoritarian
     governments; handing threat actors exploits they can use for oppression
     is against what Debian stands for.

         e.  Developers and companies will downplay security issues because
     a "security" issue now comes with legal implications. Less clarity on
     what is truly a security issue will hurt users by leaving them vulnerable.

     3.  While proprietary software is developed behind closed doors, Free
     Software development is done in the open, transparent for everyone. To
     keep even with proprietary software the open development process needs
     to be entirely exempt from CRA requirements, just as the development of
     software in private is. A "making available on the market" can only be
     considered after development is finished and the software is released.

     4.  Even if only "commercial activities" are in the scope of CRA, the
     Free Software community - and as a consequence, everybody - will lose a
     lot of small projects. CRA will force many small enterprises and most
     probably all self employed developers out of business because they
     simply cannot fullfill the requirements imposed by CRA. Debian and other
     Linux distributions depend on their work. It is not understandable why
     the EU aims to cripple not only an established community but also a
     thriving market. CRA needs an exemption for small businesses and, at the
     very least, solo-entrepreneurs.

     ==========================================================================


     Sources:

     (1) CRA proposals and links:
     https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
     PLD proposals and links:
     https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive

     (2) Background information:
     https://blog.documentfoundation.org/blog/2023/01/24/tdf-position-on-eus-proposed-cyber-resilience-act/
     https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation
     https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
     https://blog.opensource.org/author/webmink/
     Detailed
     analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en

     (3) Debian Social Contract No. 2, 3 and 4
     https://www.debian.org/social_contract

     ----- GENERAL RESOLUTION ENDS -----

Cheers,

  -- Santiago

--
Simon Quigley
simon@tsimonq2.net
tsimonq2 on LiberaChat and OFTC
@tsimonq2:linuxdelta.com on Matrix
5C7A BEA2 0F86 3045 9CC8
C8B5 E27F 2CF8 458C 2FA4

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature


Reply to: