
Re: recent changes to the CRA address FLOSS community concerns?



On 09.12.23 at 04:07, Paul Wise wrote:
>
> Does anyone have any more info about the changes?
>
Yes, I've seen the leaked document. I (and not only I) think NL-labs'
outlook is too optimistic. It's also necessary to understand that these
kinds of statements (the "update, december 2023") are also part of the
political game of give and take.

The leaked rumor says there have been some improvements, mainly to
address concerns from big platforms and foundations. Only point 3 from
vote A has been addressed. Small projects (point 4) and commercial
endeavours (point 1), like for example Freexian, are still out in the
rain. The reporting obligations for exploited vulnerabilities (point 2)
were doubled and so even became worse. PLD hasn't even been touched yet.
And all this is still only a proposal which needs to be voted on by
parliament (planned for March 2024).
After the parliamentary decision the executive authorities will have to
decide on the provisions for implementation and enforcement. Upcoming
new standards will play a big role. Lobbying will have to go on and
support from Debian will still be needed.

There is also no way and no necessity to adapt the GA text based on
unofficial rumors since ...

> ... the answer from the EU legislative body will not be to read and
> consider each bullet point we make --- ... the European legislative
> bodies will just see "oh, a biggish project opposes CRA".
(Gunnar Wolf on 25.11.23 at 16:59)

And that's all that's necessary.


On 09.12.23 at 04:07, Paul Wise wrote:
Hi all,

On IRC it was mentioned that there are updates to the CRA that may
address the concerns of the FLOSS community.

These blogs have updates at the top:

https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/

    🥳
    update, december 2023: The concerns expressed in this blog have been
    heard and are being addressed in the final text. If you read on, do
    so because you are interested in historical context, not because
    you seek an understanding of how the CRA will apply in practice.

https://berthub.eu/articles/posts/eu-cra-best-open-source-security/

    UPDATE: On December 1st the EU agreed on a version of the Cyber
    Resilience Act that appears to have substantially addressed the
    concerns in the post below. Further analysis awaits, but do know
    that the text that follows is now mostly of historical interest!

Does anyone have any more info about the changes?


