Seconded.

On 20/11/23 at 17:54 +0100, Chris Hofstaedtler wrote:
> I second adding this version.
>
> * Luca Boccassi <bluca@debian.org> [231119 23:22]:
> > Second version, taking into account feedback. Looking for seconds at
> > this point:
> >
> > ----- GENERAL RESOLUTION STARTS -----
> >
> > Debian Public Statement about the EU Cyber Resilience Act and the
> > Product Liability Directive
> >
> > The European Union is currently preparing a regulation "on horizontal
> > cybersecurity requirements for products with digital elements" known as
> > the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
> > phase of the legislative process. The act includes a set of essential
> > cybersecurity and vulnerability handling requirements for manufacturers.
> > It will require products to be accompanied by information and
> > instructions to the user. Manufacturers will need to perform risk
> > assessments and produce technical documentation and, for critical
> > components, have third-party audits conducted. Security issues under
> > active exploitation will have to be reported to European authorities
> > within 24 hours (1). The CRA will be followed up by an update to the
> > existing Product Liability Directive (PLD) which, among other things,
> > will introduce the requirement for products on the market using software
> > to be able to receive updates to address security vulnerabilities.
> >
> > Given the current state of the electronics and computing devices market,
> > constellated with too many irresponsible vendors not taking
> > enough precautions to ensure and maintain the security of their products,
> > resulting in grave issues such as the plague of ransomware (that, among
> > other things, has often caused public services to be severely hampered or
> > shut down entirely, across the European Union and beyond, to the
> > detriment of its citizens), the Debian project welcomes this initiative
> > and supports its spirit and intent.
> >
> > The Debian project believes Free and Open Source Software Projects to be
> > very well positioned to respond to modern challenges around security and
> > accountability that these regulations aim to improve for products
> > commercialized on the Single Market. Debian is well known for its
> > security track record through practices of responsible disclosure and
> > coordination with upstream developers and other Free and Open Source
> > Software projects. The project aims to live up to the commitment made in
> > the Debian Social Contract: "We will not hide problems." (2)
> >
> > The Debian project welcomes the attempt of the legislators to ensure
> > that the development of Free and Open Source Software is not negatively
> > affected by these regulations, as clearly expressed by the European
> > Commission in response to stakeholders' requests (1) and as stated in
> > Recital 10 of the preamble to the CRA:
> >
> > 'In order not to hamper innovation or research, free and open-source
> > software developed or supplied outside the course of a commercial
> > activity should not be covered by this Regulation.'
> >
> > The Debian project however notes that not enough emphasis has been
> > employed in all parts of these regulations to clearly exonerate Free
> > and Open Source Software developers and maintainers from being subject
> > to the same liabilities as commercial vendors, which has caused
> > uncertainty and worry among such stakeholders.
> >
> > Therefore, the Debian project asks the legislators to enhance the
> > text of these regulations to clarify beyond any reasonable doubt that
> > Free and Open Source Software developers and contributors are not going
> > to be treated as commercial vendors in the exercise of their duties when
> > merely developing and publishing Free and Open Source Software, with
> > special emphasis on clarifying grey areas, such as donations,
> > contributions from commercial companies and developing Free and Open
> > Source Software that may be later commercialised by a commercial vendor.
> > It is fundamental for the interests of the European Union itself that
> > Free and Open Source Software development can continue to thrive and
> > produce high quality software components, applications and operating
> > systems, and this can only happen if Free and Open Source Software
> > developers and contributors can continue to work on these projects as
> > they have been doing before these new regulations, especially but not
> > exclusively in the context of nonprofit organizations, without being
> > encumbered by legal requirements that are only appropriate for
> > commercial companies and enterprises.
> >
> > ==========================================================================
> >
> > Sources:
> >
> > (1) CRA proposals and links:
> > https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
> > PLD proposals and links:
> > https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
> > Response from the European Commission to a question from the European Parliament on FOSS awareness:
> > https://www.europarl.europa.eu/doceo/document/E-9-2023-002473-ASW_EN.html
> >
> > (2) Debian Social Contract No. 2, 3 and 4
> > https://www.debian.org/social_contract
> >
> > ----- GENERAL RESOLUTION ENDS -----
> >
> > --
> > Kind regards,
> > Luca Boccassi