Dear DPL candidates,

As you may be aware, the EU has adopted a new cybersecurity regulation [CRA], and other countries are following the example. You may also be aware that Debian issued a public statement about it (based on a previous draft version of the regulation) last year.

CRA will have an impact on commercial Debian downstreams, specifically on all of those who are placing a Debian-inside product in the EU single market. Part of the requirements rely on data that should be found in every single package integrated by the commercial downstream. And, as of today, part of that data is non-existent. E.g.: include (meta)data about the support status upstream (supported, non-supported version, EOS date, ..., required for Article 13 (11)). Also, manufacturers are required to "apply effective and regular tests and reviews of the security of the product with digital elements" (Annex I pII (3)).

Non-commercial FLOSS products/projects do not have to comply with CRA. However, I think there could be an impact in the industry regarding the adoption and use of Debian.

What are your thoughts on the subject? Should Debian help those commercial downstreams to fulfill the requirements?

[CRA] https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html

Thanks for running for DPL to both of you!

--
Santiago