[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"



Santiago Ruano Rincón <santiagorr@riseup.net> wrote on 12/11/2023 at 16:10:21+0100:
> Dear Debian Fellows,
>
> Following the email sent by Ilu to debian-project (Message-ID:
> <4b93ed08-f148-4c7f-b172-f967f7de7e4d@gmx.net>), and as we have
> discussed during the MiniDebConf UY 2023 with other Debian Members, I
> would like to call for a vote about issuing a Debian public statement regarding
> the EU Cyber Resilience Act (CRA) and the Product Liability Directive
> (PLD). The CRA is in the final stage in the legislative process in the
> EU Parliament, and we think it will impact negatively the Debian
> Project, users, developers, companies that rely on Debian, and the FLOSS
> community as a whole. Even if the CRA will be probably adopted before
> the time the vote ends (if it takes place), we think it is important to
> take a public stand about it.
>
>     ----- GENERAL RESOLUTION STARTS -----
>
>     Debian Public Statement about the EU Cyber Resilience Act and the
>     Product Liability Directive
>
>     The European Union is currently preparing a regulation "on horizontal
>     cybersecurity requirements for products with digital elements" known as
>     the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
>     phase of the legislative process. The act includes a set of essential
>     cybersecurity and vulnerability handling requirements for manufacturers.
>     It will require products to be accompanied by information and
>     instructions to the user. Manufacturers will need to perform risk
>     assessments and produce technical documentation and for critical
>     components, have third-party audits conducted. Discoverded security
>     issues will have to be reported to European authorities within 24 hours
>     (1). The CRA will be followed up by the Product Liability Directive
>     (PLD) which will introduce compulsory liability for software. More
>     information about the proposed legislation and its consequences in (2).
>
>     While a lot of these regulations seem reasonable, the Debian project
>     believes that there are grave problems for Free Software projects
>     attached to them. Therefore, the Debian project issues the following
>     statement:
>
>     1.  Free Software has always been a gift, freely given to society, to
>     take and to use as seen fit, for whatever purpose. Free Software has
>     proven to be an asset in our digital age and the proposed EU Cyber
>     Resilience Act is going to be detrimental to it.
>         a.  It is Debian's goal to "make the best system we can, so that
>     free works will be widely distributed and used." Imposing requirements
>     such as those proposed in the act makes it legally perilous for others
>     to redistribute our works and endangers our commitment to "provide an
>     integrated system of high-quality materials _with no legal restrictions_
>     that would prevent such uses of the system". (3)
>
>         b.  Knowing whether software is commercial or not isn't feasible,
>     neither in Debian nor in most free software projects - we don't track
>     people's employment status or history, nor do we check who finances
>     upstream projects.
>
>         c.  If upstream projects stop developing for fear of being in the
>     scope of CRA and its financial consequences, system security will
>     actually get worse instead of better.
>
>         d.  Having to get legal advice before giving a present to society
>     will discourage many developers, especially those without a company or
>     other organisation supporting them.
>
>     2.  Debian is well known for its security track record through practices
>     of responsible disclosure and coordination with upstream developers and
>     other Free Software projects. We aim to live up to the commitment made
>     in the Social Contract: "We will not hide problems." (3)
>         a.  The Free Software community has developed a fine-tuned, well
>     working system of responsible disclosure in case of security issues
>     which will be overturned by the mandatory reporting to European
>     authorities within 24 hours (Art. 11 CRA).
>
>         b.  Debian spends a lot of volunteering time on security issues,
>     provides quick security updates and works closely together with upstream
>     projects, in coordination with other vendors. To protect its users,
>     Debian regularly participates in limited embargos to coordinate fixes to
>     security issues so that all other major Linux distributions can also
>     have a complete fix when the vulnerability is disclosed.
>
>         c.  Security issue tracking and remediation is intentionally
>     decentralized and distributed. The reporting of security issues to
>     ENISA and the intended propagation to other authorities and national
>     administrations would collect all software vulnerabilities in one place,
>     greatly increasing the risk of leaking information about vulnerabilities
>     to threat actors, representing a threat for all the users around the
>     world, including European citizens.
>
>         d.  Activists use Debian (e.g. through derivatives such as Tails),
>     among other reasons, to protect themselves from authoritarian
>     governments; handing threat actors exploits they can use for oppression
>     is against what Debian stands for.
>
>         e.  Developers and companies will downplay security issues because
>     a "security" issue now comes with legal implications. Less clarity on
>     what is truly a security issue will hurt users by leaving them vulnerable.
>
>     3.  While proprietary software is developed behind closed doors, Free
>     Software development is done in the open, transparent for everyone. To
>     keep even with proprietary software the open development process needs
>     to be entirely exempt from CRA requirements, just as the development of
>     software in private is. A "making available on the market" can only be
>     considered after development is finished and the software is released.
>
>     4.  Even if only "commercial activities" are in the scope of CRA, the
>     Free Software community - and as a consequence, everybody - will lose a
>     lot of small projects. CRA will force many small enterprises and most
>     probably all self employed developers out of business because they
>     simply cannot fullfill the requirements imposed by CRA. Debian and other
>     Linux distributions depend on their work. It is not understandable why
>     the EU aims to cripple not only an established community but also a
>     thriving market. CRA needs an exemption for small businesses and, at the
>     very least, solo-entrepreneurs.
>
>     ==========================================================================
>
>
>     Sources:
>
>     (1) CRA proposals and links:
>     https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
>     PLD proposals and links:
>     https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
>
>     (2) Background information:
>     https://blog.documentfoundation.org/blog/2023/01/24/tdf-position-on-eus-proposed-cyber-resilience-act/
>     https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation
>     https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
>     https://blog.opensource.org/author/webmink/
>     Detailed
>     analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
>
>     (3) Debian Social Contract No. 2, 3 and 4
>     https://www.debian.org/social_contract
>
>     ----- GENERAL RESOLUTION ENDS -----

Seconded.
-- 
PEB

Attachment: signature.asc
Description: PGP signature


Reply to: