[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"



On Sun, 2023-11-12 at 12:10 -0300, Santiago Ruano Rincón wrote:
> Dear Debian Fellows,
> 
> Following the email sent by Ilu to debian-project (Message-ID:
> <4b93ed08-f148-4c7f-b172-f967f7de7e4d@gmx.net>), and as we have
> discussed during the MiniDebConf UY 2023 with other Debian Members, I
> would like to call for a vote about issuing a Debian public statement regarding
> the EU Cyber Resilience Act (CRA) and the Product Liability Directive
> (PLD). The CRA is in the final stage in the legislative process in the
> EU Parliament, and we think it will impact negatively the Debian
> Project, users, developers, companies that rely on Debian, and the FLOSS
> community as a whole. Even if the CRA will be probably adopted before
> the time the vote ends (if it takes place), we think it is important to
> take a public stand about it.

Hi Santiago,

It seems clear that there is a lot of interest in the project to
express a position on this matter. But as mentioned in the thread by
myself and others, I find some of the specifics of the text a bit
problematic - and some of the responses it elicited even more so.

So, I'd like to propose an alternative text, that uses a very similar
preamble and still expresses a strong request to the legislators to
protect the interests of FOSS and its contributors and clarify any
issue, grey area or confusion that might be present in the current
texts, and put it beyond any reasonable doubt that FOSS projects can
continue working as they have, while at the same time supporting the
spirit of the law and its goal to improve the abysmal landscape of
software security in commercial products.

What do you think? Here's what I came up with:

    ----- GENERAL RESOLUTION STARTS -----

    Debian Public Statement about the EU Cyber Resilience Act and the
    Product Liability Directive

    The European Union is currently preparing a regulation "on horizontal
    cybersecurity requirements for products with digital elements" known as
    the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
    phase of the legislative process. The act includes a set of essential
    cybersecurity and vulnerability handling requirements for manufacturers.
    It will require products to be accompanied by information and
    instructions to the user. Manufacturers will need to perform risk
    assessments and produce technical documentation and for critical
    components, have third-party audits conducted. Security issues under
    active exploitation will have to be reported to European authorities
    within 24 hours (1). The CRA will be followed up by an update to the
    existing Product Liability Directive (PLD) which, among other things,
    will introduce the requirement for products on the market using software
    to be able to receive updates to address security vulnerabilities.

    Given the current state of the electronics and computing devices market,
    constellated with too many irresponsible vendors (largely employing
    proprietary software) not taking taking enough precautions to ensure and
    maintain the security of their products, resulting in grave issues such
    as the plague of ransomware (that, among other things, has often caused
    public services to be severely hampered or shut down entirely, across
    the European Union and beyond, to the detriment of its citizens), the
    Debian project welcomes this initiative and supports its spirit and
    intent.

    The Debian project believes Free and Open Source Software Projects to be
    very well positioned to respond to modern challenges around security and
    accountability that these regulations aim to improve for products
    commercialized on the Single Market. Debian is well known for its
    security track record through practices of responsible disclosure and
    coordination with upstream developers and other Free and Open Source
    Software projects. The project aims to live up to the commitment made in
    the Debian Social Contract: "We will not hide problems." (2)

    The Debian project welcomes the attempt of the legislators to ensure
    that the development of Free and Open Source Software is not negatively
    affected by these regulations, as clearly expressed by the European
    Commission in response to stakeholders' requests (1) and as stated in
    Recital 10 of the preamble to the CRA:

     'In order not to hamper innovation or research, free and open-source
      software developed or supplied outside the course of a commercial
      activity should not be covered by this Regulation.'

    The Debian project however notes that not enough emphasis has been
    employed in all parts of these regulations to clearly exonerate Free
    and Open Source Software Projects from being subject to the same
    liabilities as commercial products, which has caused uncertainty and
    worry among Free and Open Source Software developers and stakeholders.

    Therefore, the Debian project requests the legislators to enhance the
    text of these regulations to clarify beyond any reasonable doubt that
    Free and Open Source Software developers and contributors are not going
    to be treated as commercial vendors, with special emphasis on
    clarifying grey areas such as donations and contributions from
    commercial companies. It is fundamental for the interests of the
    European Union itself that Free and Open Source Software development
    can continue to thrive and produce high quality software components,
    applications and operating systems, and this can only happen if Free
    and Open Source Software developers and contributors can continue to
    work on these projects as they have been doing before these new
    regulations, without being encumbered by legal requirements that are
    only appropriate for commercial companies and enterprises.

    ==========================================================================

    Sources:

    (1) CRA proposals and links:
    https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
    PLD proposals and links:
    https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
    Response from the European Commission to a question from the European Parliament on FOSS awareness:
    https://www.europarl.europa.eu/doceo/document/E-9-2023-002473-ASW_EN.html

    (2) Debian Social Contract No. 2, 3 and 4
    https://www.debian.org/social_contract

    ----- GENERAL RESOLUTION ENDS -----

-- 
Kind regards,
Luca Boccassi

Attachment: signature.asc
Description: This is a digitally signed message part


Reply to: