I second adding this version. * Luca Boccassi <bluca@debian.org> [231119 23:22]: > Second version, taking into account feedback. Looking for seconds at > this point: > > ----- GENERAL RESOLUTION STARTS ----- > > Debian Public Statement about the EU Cyber Resilience Act and the > Product Liability Directive > > The European Union is currently preparing a regulation "on horizontal > cybersecurity requirements for products with digital elements" known as > the Cyber Resilience Act (CRA). It's currently in the final "trilogue" > phase of the legislative process. The act includes a set of essential > cybersecurity and vulnerability handling requirements for manufacturers. > It will require products to be accompanied by information and > instructions to the user. Manufacturers will need to perform risk > assessments and produce technical documentation and for critical > components, have third-party audits conducted. Security issues under > active exploitation will have to be reported to European authorities > within 24 hours (1). The CRA will be followed up by an update to the > existing Product Liability Directive (PLD) which, among other things, > will introduce the requirement for products on the market using software > to be able to receive updates to address security vulnerabilities. > > Given the current state of the electronics and computing devices market, > constellated with too many irresponsible vendors not taking taking > enough precautions to ensure and maintain the security of their products, > resulting in grave issues such as the plague of ransomware (that, among > other things, has often caused public services to be severely hampered or > shut down entirely, across the European Union and beyond, to the > detriment of its citizens), the Debian project welcomes this initiative > and supports its spirit and intent. > > The Debian project believes Free and Open Source Software Projects to be > very well positioned to respond to modern challenges around security and > accountability that these regulations aim to improve for products > commercialized on the Single Market. Debian is well known for its > security track record through practices of responsible disclosure and > coordination with upstream developers and other Free and Open Source > Software projects. The project aims to live up to the commitment made in > the Debian Social Contract: "We will not hide problems." (2) > > The Debian project welcomes the attempt of the legislators to ensure > that the development of Free and Open Source Software is not negatively > affected by these regulations, as clearly expressed by the European > Commission in response to stakeholders' requests (1) and as stated in > Recital 10 of the preamble to the CRA: > > 'In order not to hamper innovation or research, free and open-source > software developed or supplied outside the course of a commercial > activity should not be covered by this Regulation.' > > The Debian project however notes that not enough emphasis has been > employed in all parts of these regulations to clearly exonerate Free > and Open Source Software developers and maintainers from being subject > to the same liabilities as commercial vendors, which has caused > uncertainty and worry among such stakeholders. > > Therefore, the Debian project asks the legislators to enhance the > text of these regulations to clarify beyond any reasonable doubt that > Free and Open Source Software developers and contributors are not going > to be treated as commercial vendors in the exercise of their duties when > merely developing and publishing Free and Open Source Software, with > special emphasis on clarifying grey areas, such as donations, > contributions from commercial companies and developing Free and Open > Source Software that may be later commercialised by a commercial vendor. > It is fundamental for the interests of the European Union itself that > Free and Open Source Software development can continue to thrive and > produce high quality software components, applications and operating > systems, and this can only happen if Free and Open Source Software > developers and contributors can continue to work on these projects as > they have been doing before these new regulations, especially but not > exclusively in the context of nonprofit organizations, without being > encumbered by legal requirements that are only appropriate for > commercial companies and enterprises. > > ========================================================================== > > Sources: > > (1) CRA proposals and links: > https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation > PLD proposals and links: > https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive > Response from the European Commission to a question from the European Parliament on FOSS awareness: > https://www.europarl.europa.eu/doceo/document/E-9-2023-002473-ASW_EN.html > > (2) Debian Social Contract No. 2, 3 and 4 > https://www.debian.org/social_contract > > ----- GENERAL RESOLUTION ENDS ----- > > -- > Kind regards, > Luca Boccassi
Attachment:
signature.asc
Description: PGP signature