path: root/english/vote
authorKurt Roeckx <kurt@roeckx.be>2023-11-19 20:51:48 +0100
committerKurt Roeckx <kurt@roeckx.be>2023-11-19 20:52:25 +0100
commit06967027cc15e2c2ed368f527d305e8f7901bc44 (patch)
treefc09622c92d1ec943bd51eb35debc724849d2528 /english/vote
parent0c4623eb04d2873fd02a9b059d48bcee50bbbcf0 (diff)
Start vote about EU CRA
Diffstat (limited to 'english/vote')
-rw-r--r--english/vote/2023/vote_002.wml234
1 files changed, 234 insertions, 0 deletions
diff --git a/english/vote/2023/vote_002.wml b/english/vote/2023/vote_002.wml
new file mode 100644
index 00000000000..32a6bbcf3ee
--- /dev/null
+++ b/english/vote/2023/vote_002.wml
@@ -0,0 +1,234 @@
+<define-tag pagetitle>General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"</define-tag>
+<define-tag status>P</define-tag>
+# meanings of the <status> tag:
+# P: proposed
+# D: discussed
+# V: voted on
+# F: finished
+# O: other (or just write anything else)
+
+<style>
+ol.a {list-style-type: lower-alpha;}
+</style>
+
+#use wml::debian::template title="<pagetitle>" BARETITLE="true" NOHEADER="true"
+#use wml::debian::toc
+#use wml::debian::votebar
+
+
+ <h1><pagetitle></h1>
+ <toc-display />
+
+# The Tags beginning with v are will become H3 headings and are defined in
+# english/template/debian/votebar.wml
+# all possible Tags:
+
+# vdate, vtimeline, vnominations, vdebate, vplatforms,
+# Proposers
+# vproposer, vproposera, vproposerb, vproposerc, vproposerd,
+# vproposere, vproposerf
+# Seconds
+# vseconds, vsecondsa, vsecondsb, vsecondsc, vsecondsd, vsecondse,
+# vsecondsf, vopposition
+# vtext, vtextb, vtextc, vtextd, vtexte, vtextf
+# vchoices
+# vamendments, vamendmentproposer, vamendmentseconds, vamendmenttext
+# vproceedings, vmajorityreq, vstatistics, vquorum, vmindiscuss,
+# vballot, vforum, voutcome
+
+
+ <vtimeline />
+ <table class="vote">
+ <tr>
+ <th>Discussion Period:</th>
+ <td>2023-11-12</td>
+ <td>2023-11-25</td>
+ </tr>
+# <tr>
+# <th>Voting period:</th>
+# <td>Sunday 2022-09-18 00:00:00 UTC</td>
+# <td>Saturday 2022-10-01 23:59:59 UTC</td>
+# </tr>
+ </table>
+
+ <vproposera />
+ <p>Santiago Ruano Rincón [<email santiago@debian.org>]
+ [<a href='https://lists.debian.org/debian-vote/2023/11/msg00000.html'>text of proposal</a>]
+ </p>
+ <vsecondsa />
+ <ol>
+ <li>Gunnar Wolf [<email gwolf@debian.org>] [<a href='https://lists.debian.org/debian-vote/2023/11/msg00001.html'>mail</a>]</li>
+ <li>Mattia Rizzolo [<email mattia@debian.org>] [<a href='https://lists.debian.org/debian-vote/2023/11/msg00002.html'>mail</a>]</li>
+ <li>Lisandro Damián Nicanor Pérez Meyer [<email lisandro@debian.org>] [<a href='https://lists.debian.org/debian-vote/2023/11/msg00003.html'>mail</a>]</li>
+ <li>Nicolas Dandrimont [<email olasd@debian.org>] [<a href='https://lists.debian.org/debian-vote/2023/11/msg00004.html'>mail</a>]</li>
+ <li>Simon Quigley [<email tsimonq2@debian.org>] [<a href='https://lists.debian.org/debian-vote/2023/11/msg00016.html'>mail</a>]</li>
+ <li>Pierre-Elliott Bécue [<email peb@debian.org>] [<a href='https://lists.debian.org/debian-vote/2023/11/msg00019.html'>mail</a>]</li>
+ <li>Emmanuel Arias [<email eamanu@debian.org>] [<a href='https://lists.debian.org/debian-vote/2023/11/msg00062.html'>mail</a>]</li>
+ </ol>
+ <vtexta />
+<h3>Choice 1</h3>
+
+ <h4>Debian Public Statement about the EU Cyber Resilience Act and the
+ Product Liability Directive</h4>
+
+ <p>The European Union is currently preparing a regulation "on horizontal
+ cybersecurity requirements for products with digital elements" known as
+ the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
+ phase of the legislative process. The act includes a set of essential
+ cybersecurity and vulnerability handling requirements for manufacturers.
+ It will require products to be accompanied by information and
+ instructions to the user. Manufacturers will need to perform risk
+ assessments and produce technical documentation and for critical
+ components, have third-party audits conducted. Discoverded security
+ issues will have to be reported to European authorities within 24 hours
+ (1). The CRA will be followed up by the Product Liability Directive
+ (PLD) which will introduce compulsory liability for software. More
+ information about the proposed legislation and its consequences in (2).</p>
+
+ <p>While a lot of these regulations seem reasonable, the Debian project
+ believes that there are grave problems for Free Software projects
+ attached to them. Therefore, the Debian project issues the following
+ statement:</p>
+
+ <ol>
+ <li> Free Software has always been a gift, freely given to society, to
+ take and to use as seen fit, for whatever purpose. Free Software has
+ proven to be an asset in our digital age and the proposed EU Cyber
+ Resilience Act is going to be detrimental to it.
+ <ol class="a">
+ <li> It is Debian's goal to "make the best system we can, so that
+ free works will be widely distributed and used." Imposing requirements
+ such as those proposed in the act makes it legally perilous for others
+ to redistribute our works and endangers our commitment to "provide an
+ integrated system of high-quality materials _with no legal restrictions_
+ that would prevent such uses of the system". (3)</li>
+
+ <li> Knowing whether software is commercial or not isn't feasible,
+ neither in Debian nor in most free software projects - we don't track
+ people's employment status or history, nor do we check who finances
+ upstream projects.</li>
+
+ <li> If upstream projects stop developing for fear of being in the
+ scope of CRA and its financial consequences, system security will
+ actually get worse instead of better.</li>
+
+ <li> Having to get legal advice before giving a present to society
+ will discourage many developers, especially those without a company or
+ other organisation supporting them.</li>
+ </ol>
+ </li>
+
+ <li> Debian is well known for its security track record through practices
+ of responsible disclosure and coordination with upstream developers and
+ other Free Software projects. We aim to live up to the commitment made
+ in the Social Contract: "We will not hide problems." (3)
+ <ol class="a">
+ <li>The Free Software community has developed a fine-tuned, well
+ working system of responsible disclosure in case of security issues
+ which will be overturned by the mandatory reporting to European
+ authorities within 24 hours (Art. 11 CRA).</li>
+
+ <li>Debian spends a lot of volunteering time on security issues,
+ provides quick security updates and works closely together with upstream
+ projects, in coordination with other vendors. To protect its users,
+ Debian regularly participates in limited embargos to coordinate fixes to
+ security issues so that all other major Linux distributions can also
+ have a complete fix when the vulnerability is disclosed.</li>
+
+ <li>Security issue tracking and remediation is intentionally
+ decentralized and distributed. The reporting of security issues to
+ ENISA and the intended propagation to other authorities and national
+ administrations would collect all software vulnerabilities in one place,
+ greatly increasing the risk of leaking information about vulnerabilities
+ to threat actors, representing a threat for all the users around the
+ world, including European citizens.</li>
+
+ <li>Activists use Debian (e.g. through derivatives such as Tails),
+ among other reasons, to protect themselves from authoritarian
+ governments; handing threat actors exploits they can use for oppression
+ is against what Debian stands for.</li>
+
+ <li>Developers and companies will downplay security issues because
+ a "security" issue now comes with legal implications. Less clarity on
+ what is truly a security issue will hurt users by leaving them vulnerable.</li>
+ </ol>
+ </li>
+
+ <li>While proprietary software is developed behind closed doors, Free
+ Software development is done in the open, transparent for everyone. To
+ keep even with proprietary software the open development process needs
+ to be entirely exempt from CRA requirements, just as the development of
+ software in private is. A "making available on the market" can only be
+ considered after development is finished and the software is released.</li>
+
+ <li>Even if only "commercial activities" are in the scope of CRA, the
+ Free Software community - and as a consequence, everybody - will lose a
+ lot of small projects. CRA will force many small enterprises and most
+ probably all self employed developers out of business because they
+ simply cannot fullfill the requirements imposed by CRA. Debian and other
+ Linux distributions depend on their work. It is not understandable why
+ the EU aims to cripple not only an established community but also a
+ thriving market. CRA needs an exemption for small businesses and, at the
+ very least, solo-entrepreneurs.</li>
+ </ol>
+
+ <hrline />
+
+ <p>Sources:</p>
+
+ <p>(1)<br />
+ <a href='https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation'>CRA proposals and links</a><br />
+ <a href='https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive'>PLD proposals and links</a></p>
+ </p>
+
+ (2) Background information:<br />
+ <a href='https://blog.documentfoundation.org/blog/2023/01/24/tdf-position-on-eus-proposed-cyber-resilience-act/'>https://blog.documentfoundation.org/blog/2023/01/24/tdf-position-on-eus-proposed-cyber-resilience-act/</a><br />
+ <a href='https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation'>https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation</a><br />
+ <a href='https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/'>https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/</a><br />
+ <a href='https://blog.opensource.org/author/webmink/'>https://blog.opensource.org/author/webmink/</a><br />
+ <a href='https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en'>Detailed analysis</a>
+ </p>
+
+ <p>(3) <a href='https://www.debian.org/social_contract'>Debian Social Contract No. 2, 3 and 4</a></p>
+
+
+# <vquorum />
+
+# <p>
+# With the current list of <a href="vote_003_quorum.log">voting
+# developers</a>, we have:
+# </p>
+# <pre>
+##include 'vote_003_quorum.txt'
+# </pre>
+##include 'vote_003_quorum.src'
+#
+#
+# <vstatistics />
+# <p>
+# For this GR, like always,
+## <a href="https://vote.debian.org/~secretary/gr_non_free_firmware/">statistics</a>
+# <a href="suppl_003_stats">statistics</a>
+# will be gathered about ballots received and
+# acknowledgements sent periodically during the voting
+# period.
+# Additionally, the list of <a
+# href="vote_003_voters.txt">voters</a> will be
+# recorded. Also, the <a href="vote_003_tally.txt">tally
+# sheet</a> will also be made available to be viewed.
+# </p>
+#
+# <vmajorityreq />
+# <p>
+# Proposal 5 and 6 need a 3:1 super majority
+# </p>
+##include 'vote_003_majority.src'
+#
+# <voutcome />
+##include 'vote_003_results.src'
+
+ <hrline />
+ <address>
+ <a href="mailto:secretary@debian.org">Debian Project Secretary</a>
+ </address>
+
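Review bot: the sources block has unbalanced paragraph markup that will not validate: the "(1)" paragraph is closed with `</p>` at the end of the PLD link line and then closed again on the next line with a second stray `</p>`, while the "(2) Background information:" block has no opening `<p>` but ends with `</p>` after the "Detailed analysis" link. Move the stray `</p>` up to open the "(2)" block (i.e. `<p>(2) Background information:<br />`). Two typos in the statement text should also be fixed before the discussion period ends and the text freezes: "Discoverded security issues" should read "Discovered security issues", and "cannot fullfill the requirements" should read "cannot fulfill the requirements". Finally, the commented-out quorum, statistics, majority and outcome scaffolding still carries the `vote_003_*` file names and the "Proposal 5 and 6 need a 3:1 super majority" line copied from an earlier GR; this is vote_002 with a single choice, so those should be renamed to `vote_002_*` and the majority sentence dropped now, so that nothing stale is uncommented when the voting period opens.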