[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Amendment to the original proposal (was: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive")



Hello there,

Here you can find a modified version that takes into account most of the
reviews. It doesn't change the meaning of the original proposal, and
hopefully improves it. Thanks again for all the comments.

A diff between both version is found below.

    ----- GENERAL RESOLUTION STARTS -----

    Debian Public Statement about the EU Cyber Resilience Act and the
    Product Liability Directive

    The European Union is currently preparing a regulation "on horizontal
    cybersecurity requirements for products with digital elements" known as
    the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
    phase of the legislative process. The act includes a set of essential
    cybersecurity and vulnerability handling requirements for manufacturers.
    It will require products to be accompanied by information and
    instructions to the user. Manufacturers will need to perform risk
    assessments and produce technical documentation and for critical
    components, have third-party audits conducted. Discovered security
    issues will have to be reported to European authorities within 24 hours
    (1). The CRA will be followed up by the Product Liability Directive
    (PLD) which will introduce compulsory liability for software. More
    information about the proposed legislation and its consequences in (2).

    While a lot of these regulations seem reasonable, the Debian project
    believes that there are grave problems for Free Software projects
    attached to them. Therefore, the Debian project issues the following
    statement:

    1.  Free Software has always been a gift, freely given to society, to
    take and to use as seen fit, for whatever purpose. Free Software has
    proven to be an asset in our digital age and the proposed EU Cyber
    Resilience Act is going to be detrimental to it.
        a.  As the Debian Social Contract states, our goal is "make the best
    system we can, so that free works will be widely distributed and used."
    Imposing requirements such as those proposed in the act makes it legally
    perilous for others to redistribute our work and endangers our commitment
    to "provide an integrated system of high-quality materials with no legal
    restrictions that would prevent such uses of the system". (3)

        b.  Knowing whether software is commercial or not isn't feasible,
    neither in Debian nor in most free software projects - we don't track
    people's employment status or history, nor do we check who finances
    upstream projects (the original projects that we integrate in our
    operating system).

        c.  If upstream projects stop developing for fear of being in the
    scope of CRA and its financial consequences, system security will
    actually get worse instead of better.

        d.  Having to get legal advice before giving a present to society
    will discourage many developers, especially those without a company or
    other organisation supporting them.

    2.  Debian is well known for its security track record through practices
    of responsible disclosure and coordination with upstream developers and
    other Free Software projects. We aim to live up to the commitment made
    in the Debian Social Contract: "We will not hide problems." (3)

        a.  The Free Software community has developed a fine-tuned,
    tried-and-tested system of responsible disclosure in case of security
    issues which will be overturned by the mandatory reporting to European
    authorities within 24 hours (Art. 11 CRA).

        b.  Debian spends a lot of volunteering time on security issues,
    provides quick security updates and works closely together with upstream
    projects, in coordination with other vendors. To protect its users,
    Debian regularly participates in limited embargos to coordinate fixes to
    security issues so that all other major Linux distributions can also have
    a complete fix when the vulnerability is disclosed.

        c.  Security issue tracking and remediation is intentionally
    decentralized and distributed. The reporting of security issues to
    ENISA and the intended propagation to other authorities and national
    administrations would collect all software vulnerabilities in one place,
    greatly increasing the risk of leaking information about vulnerabilities
    to threat actors, representing a threat for all the users around the
    world, including European citizens.

        d.  Activists use Debian (e.g. through derivatives such as Tails),
    among other reasons, to protect themselves from authoritarian
    governments; handing threat actors exploits they can use for oppression
    is against what Debian stands for.

        e.  Developers and companies will downplay security issues because
    a "security" issue now comes with legal implications. Less clarity on
    what is truly a security issue will hurt users by leaving them vulnerable.

    3.  While proprietary software is developed behind closed doors, Free
    Software development is done in the open, transparent for everyone. To
    retain parity with proprietary software the open development process needs
    to be entirely exempt from CRA requirements, just as the development of
    software in private is. A "making available on the market" can only be
    considered after development is finished and the software is released.

    4.  Even if only "commercial activities" are in the scope of CRA, the
    Free Software community - and as a consequence, everybody - will lose a
    lot of small projects. CRA will force many small enterprises and most
    probably all self employed developers out of business because they
    simply cannot fulfill the requirements imposed by CRA. Debian and other
    Linux distributions depend on their work. If accepted as it is,
    CRA will undermine not only an established community but also a
    thriving market. CRA needs an exemption for small businesses and, at the
    very least, solo-entrepreneurs.

    ==========================================================================


    Sources:

    (1) CRA proposals and links:
    https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-european-cyber-resilience-act
    PLD proposals and links:
    https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive

    (2) Background information:
    https://blog.documentfoundation.org/blog/2023/01/24/tdf-position-on-eus-proposed-cyber-resilience-act/
    https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation
    https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
    https://blog.opensource.org/author/webmink/
    Detailed analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en

    (3) Debian Social Contract No. 2, 3 and 4
    https://www.debian.org/social_contract

    ----- GENERAL RESOLUTION ENDS -----



--- vote.original	2023-11-23 23:06:59.323036166 +0000
+++ vote.new	2023-11-23 23:24:20.434942609 +0000
@@ -9,7 +9,7 @@
 It will require products to be accompanied by information and
 instructions to the user. Manufacturers will need to perform risk
 assessments and produce technical documentation and for critical
-components, have third-party audits conducted. Discoverded security
+components, have third-party audits conducted. Discovered security
 issues will have to be reported to European authorities within 24 hours
 (1). The CRA will be followed up by the Product Liability Directive
 (PLD) which will introduce compulsory liability for software. More
@@ -24,17 +24,18 @@
 take and to use as seen fit, for whatever purpose. Free Software has
 proven to be an asset in our digital age and the proposed EU Cyber
 Resilience Act is going to be detrimental to it.
-    a.  It is Debian's goal to "make the best system we can, so that
-free works will be widely distributed and used." Imposing requirements
-such as those proposed in the act makes it legally perilous for others
-to redistribute our works and endangers our commitment to "provide an
-integrated system of high-quality materials _with no legal restrictions_
-that would prevent such uses of the system". (3)
+    a.  As the Debian Social Contract states, our goal is "make the best
+system we can, so that free works will be widely distributed and used."
+Imposing requirements such as those proposed in the act makes it legally
+perilous for others to redistribute our work and endangers our commitment
+to "provide an integrated system of high-quality materials with no legal
+restrictions that would prevent such uses of the system". (3)
 
     b.  Knowing whether software is commercial or not isn't feasible,
 neither in Debian nor in most free software projects - we don't track
 people's employment status or history, nor do we check who finances
-upstream projects.
+upstream projects (the original projects that we integrate in our
+operating system).
 
     c.  If upstream projects stop developing for fear of being in the
 scope of CRA and its financial consequences, system security will
@@ -47,11 +48,11 @@
 2.  Debian is well known for its security track record through practices
 of responsible disclosure and coordination with upstream developers and
 other Free Software projects. We aim to live up to the commitment made
-in the Social Contract: "We will not hide problems." (3)
+in the Debian Social Contract: "We will not hide problems." (3)
 
-    a.  The Free Software community has developed a fine-tuned, well
-working system of responsible disclosure in case of security issues
-which will be overturned by the mandatory reporting to European
+    a.  The Free Software community has developed a fine-tuned,
+tried-and-tested system of responsible disclosure in case of security
+issues which will be overturned by the mandatory reporting to European
 authorities within 24 hours (Art. 11 CRA).
 
     b.  Debian spends a lot of volunteering time on security issues,
@@ -80,7 +81,7 @@
 
 3.  While proprietary software is developed behind closed doors, Free
 Software development is done in the open, transparent for everyone. To
-keep even with proprietary software the open development process needs
+retain parity with proprietary software the open development process needs
 to be entirely exempt from CRA requirements, just as the development of
 software in private is. A "making available on the market" can only be
 considered after development is finished and the software is released.
@@ -89,9 +90,9 @@
 Free Software community - and as a consequence, everybody - will lose a
 lot of small projects. CRA will force many small enterprises and most
 probably all self employed developers out of business because they
-simply cannot fullfill the requirements imposed by CRA. Debian and other
-Linux distributions depend on their work. It is not understandable why
-the EU aims to cripple not only an established community but also a
+simply cannot fulfill the requirements imposed by CRA. Debian and other
+Linux distributions depend on their work. If accepted as it is,
+CRA will undermine not only an established community but also a
 thriving market. CRA needs an exemption for small businesses and, at the
 very least, solo-entrepreneurs.
 
@@ -101,7 +102,7 @@
 Sources:
 
 (1) CRA proposals and links:
-https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
+https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-european-cyber-resilience-act
 PLD proposals and links:
 https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
 
@@ -110,8 +111,7 @@
 https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation
 https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
 https://blog.opensource.org/author/webmink/
-Detailed
-analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
+Detailed analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
 
 (3) Debian Social Contract No. 2, 3 and 4
 https://www.debian.org/social_contract

Cheers,

 -- Santiago

Attachment: signature.asc
Description: PGP signature


Reply to: