
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"



Seconded.

On 20/11/23 at 17:54 +0100, Chris Hofstaedtler wrote:
> I second adding this version.
> 
> * Luca Boccassi <bluca@debian.org> [231119 23:22]:
> > Second version, taking into account feedback. Looking for seconds at
> > this point:
> > 
> >     ----- GENERAL RESOLUTION STARTS -----
> > 
> >     Debian Public Statement about the EU Cyber Resilience Act and the
> >     Product Liability Directive
> > 
> >     The European Union is currently preparing a regulation "on horizontal
> >     cybersecurity requirements for products with digital elements" known as
> >     the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
> >     phase of the legislative process. The act includes a set of essential
> >     cybersecurity and vulnerability handling requirements for manufacturers.
> >     It will require products to be accompanied by information and
> >     instructions to the user. Manufacturers will need to perform risk
> >     assessments and produce technical documentation and for critical
> >     components, have third-party audits conducted. Security issues under
> >     active exploitation will have to be reported to European authorities
> >     within 24 hours (1). The CRA will be followed up by an update to the
> >     existing Product Liability Directive (PLD) which, among other things,
> >     will introduce the requirement for products on the market using software
> >     to be able to receive updates to address security vulnerabilities.
> > 
> >     Given the current state of the electronics and computing devices market,
> >     constellated with too many irresponsible vendors not taking
> >     enough precautions to ensure and maintain the security of their products,
> >     resulting in grave issues such as the plague of ransomware (that, among
> >     other things, has often caused public services to be severely hampered or
> >     shut down entirely, across the European Union and beyond, to the
> >     detriment of its citizens), the Debian project welcomes this initiative
> >     and supports its spirit and intent.
> > 
> >     The Debian project believes Free and Open Source Software Projects to be
> >     very well positioned to respond to modern challenges around security and
> >     accountability that these regulations aim to improve for products
> >     commercialized on the Single Market. Debian is well known for its
> >     security track record through practices of responsible disclosure and
> >     coordination with upstream developers and other Free and Open Source
> >     Software projects. The project aims to live up to the commitment made in
> >     the Debian Social Contract: "We will not hide problems." (2)
> > 
> >     The Debian project welcomes the attempt of the legislators to ensure
> >     that the development of Free and Open Source Software is not negatively
> >     affected by these regulations, as clearly expressed by the European
> >     Commission in response to stakeholders' requests (1) and as stated in
> >     Recital 10 of the preamble to the CRA:
> > 
> >      'In order not to hamper innovation or research, free and open-source
> >       software developed or supplied outside the course of a commercial
> >       activity should not be covered by this Regulation.'
> > 
> >     The Debian project however notes that not enough emphasis has been
> >     employed in all parts of these regulations to clearly exonerate Free
> >     and Open Source Software developers and maintainers from being subject
> >     to the same liabilities as commercial vendors, which has caused
> >     uncertainty and worry among such stakeholders.
> > 
> >     Therefore, the Debian project asks the legislators to enhance the
> >     text of these regulations to clarify beyond any reasonable doubt that
> >     Free and Open Source Software developers and contributors are not going
> >     to be treated as commercial vendors in the exercise of their duties when
> >     merely developing and publishing Free and Open Source Software, with
> >     special emphasis on clarifying grey areas, such as donations,
> >     contributions from commercial companies and developing Free and Open
> >     Source Software that may be later commercialised by a commercial vendor.
> >     It is fundamental for the interests of the European Union itself that
> >     Free and Open Source Software development can continue to thrive and
> >     produce high quality software components, applications and operating
> >     systems, and this can only happen if Free and Open Source Software
> >     developers and contributors can continue to work on these projects as
> >     they have been doing before these new regulations, especially but not
> >     exclusively in the context of nonprofit organizations, without being
> >     encumbered by legal requirements that are only appropriate for
> >     commercial companies and enterprises.
> > 
> >     ==========================================================================
> > 
> >     Sources:
> > 
> >     (1) CRA proposals and links:
> >     https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
> >     PLD proposals and links:
> >     https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
> >     Response from the European Commission to a question from the European Parliament on FOSS awareness:
> >     https://www.europarl.europa.eu/doceo/document/E-9-2023-002473-ASW_EN.html
> > 
> >     (2) Debian Social Contract No. 2, 3 and 4
> >     https://www.debian.org/social_contract
> > 
> >     ----- GENERAL RESOLUTION ENDS -----
> > 
> > -- 
> > Kind regards,
> > Luca Boccassi
> 
> 

