author | Kurt Roeckx <kurt@roeckx.be> | 2023-11-19 20:51:48 +0100 |
---|---|---|
committer | Kurt Roeckx <kurt@roeckx.be> | 2023-11-19 20:52:25 +0100 |
commit | 06967027cc15e2c2ed368f527d305e8f7901bc44 (patch) | |
tree | fc09622c92d1ec943bd51eb35debc724849d2528 /english/vote | |
parent | 0c4623eb04d2873fd02a9b059d48bcee50bbbcf0 (diff) |
Start vote about EU CRA
Diffstat (limited to 'english/vote')
-rw-r--r-- | english/vote/2023/vote_002.wml | 234 |
1 files changed, 234 insertions, 0 deletions
diff --git a/english/vote/2023/vote_002.wml b/english/vote/2023/vote_002.wml new file mode 100644 index 00000000000..32a6bbcf3ee --- /dev/null +++ b/english/vote/2023/vote_002.wml 
@@ -0,0 +1,234 @@ +<define-tag pagetitle>General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"</define-tag> +<define-tag status>P</define-tag> +# meanings of the <status> tag: +# P: proposed +# D: discussed +# V: voted on +# F: finished +# O: other (or just write anything else) + +<style> +ol.a {list-style-type: lower-alpha;} +</style> + +#use wml::debian::template title="<pagetitle>" BARETITLE="true" NOHEADER="true" +#use wml::debian::toc +#use wml::debian::votebar + + + <h1><pagetitle></h1> + <toc-display /> + +# The Tags beginning with v are will become H3 headings and are defined in +# english/template/debian/votebar.wml +# all possible Tags: + +# vdate, vtimeline, vnominations, vdebate, vplatforms, +# Proposers +# vproposer, vproposera, vproposerb, vproposerc, vproposerd, +# vproposere, vproposerf +# Seconds +# vseconds, vsecondsa, vsecondsb, vsecondsc, vsecondsd, vsecondse, +# vsecondsf, vopposition +# vtext, vtextb, vtextc, vtextd, vtexte, vtextf +# vchoices +# vamendments, vamendmentproposer, vamendmentseconds, vamendmenttext +# vproceedings, vmajorityreq, vstatistics, vquorum, vmindiscuss, +# vballot, vforum, voutcome + + + <vtimeline /> + <table class="vote"> + <tr> + <th>Discussion Period:</th> + <td>2023-11-12</td> + <td>2023-11-25</td> + </tr> +# <tr> +# <th>Voting period:</th> +# <td>Sunday 2022-09-18 00:00:00 UTC</td> +# <td>Saturday 2022-10-01 23:59:59 UTC</td> +# </tr> + </table> + + <vproposera /> + <p>Santiago Ruano Rincón [<email santiago@debian.org>] + [<a href='https://lists.debian.org/debian-vote/2023/11/msg00000.html'>text of proposal</a>] + </p> + <vsecondsa /> + <ol> + <li>Gunnar Wolf [<email gwolf@debian.org>] [<a href='https://lists.debian.org/debian-vote/2023/11/msg00001.html'>mail</a>]</li> + <li>Mattia Rizzolo [<email mattia@debian.org>] [<a href='https://lists.debian.org/debian-vote/2023/11/msg00002.html'>mail</a>]</li> + <li>Lisandro Damián Nicanor Pérez Meyer [<email 
lisandro@debian.org>] [<a href='https://lists.debian.org/debian-vote/2023/11/msg00003.html'>mail</a>]</li> + <li>Nicolas Dandrimont [<email olasd@debian.org>] [<a href='https://lists.debian.org/debian-vote/2023/11/msg00004.html'>mail</a>]</li> + <li>Simon Quigley [<email tsimonq2@debian.org>] [<a href='https://lists.debian.org/debian-vote/2023/11/msg00016.html'>mail</a>]</li> + <li>Pierre-Elliott Bécue [<email peb@debian.org>] [<a href='https://lists.debian.org/debian-vote/2023/11/msg00019.html'>mail</a>]</li> + <li>Emmanuel Arias [<email eamanu@debian.org>] [<a href='https://lists.debian.org/debian-vote/2023/11/msg00062.html'>mail</a>]</li> + </ol> + <vtexta /> +<h3>Choice 1</h3> + + <h4>Debian Public Statement about the EU Cyber Resilience Act and the + Product Liability Directive</h4> + + <p>The European Union is currently preparing a regulation "on horizontal + cybersecurity requirements for products with digital elements" known as + the Cyber Resilience Act (CRA). It's currently in the final "trilogue" + phase of the legislative process. The act includes a set of essential + cybersecurity and vulnerability handling requirements for manufacturers. + It will require products to be accompanied by information and + instructions to the user. Manufacturers will need to perform risk + assessments and produce technical documentation and for critical + components, have third-party audits conducted. Discoverded security + issues will have to be reported to European authorities within 24 hours + (1). The CRA will be followed up by the Product Liability Directive + (PLD) which will introduce compulsory liability for software. More + information about the proposed legislation and its consequences in (2).</p> + + <p>While a lot of these regulations seem reasonable, the Debian project + believes that there are grave problems for Free Software projects + attached to them. 
Therefore, the Debian project issues the following + statement:</p> + + <ol> + <li> Free Software has always been a gift, freely given to society, to + take and to use as seen fit, for whatever purpose. Free Software has + proven to be an asset in our digital age and the proposed EU Cyber + Resilience Act is going to be detrimental to it. + <ol class="a"> + <li> It is Debian's goal to "make the best system we can, so that + free works will be widely distributed and used." Imposing requirements + such as those proposed in the act makes it legally perilous for others + to redistribute our works and endangers our commitment to "provide an + integrated system of high-quality materials _with no legal restrictions_ + that would prevent such uses of the system". (3)</li> + + <li> Knowing whether software is commercial or not isn't feasible, + neither in Debian nor in most free software projects - we don't track + people's employment status or history, nor do we check who finances + upstream projects.</li> + + <li> If upstream projects stop developing for fear of being in the + scope of CRA and its financial consequences, system security will + actually get worse instead of better.</li> + + <li> Having to get legal advice before giving a present to society + will discourage many developers, especially those without a company or + other organisation supporting them.</li> + </ol> + </li> + + <li> Debian is well known for its security track record through practices + of responsible disclosure and coordination with upstream developers and + other Free Software projects. We aim to live up to the commitment made + in the Social Contract: "We will not hide problems." (3) + <ol class="a"> + <li>The Free Software community has developed a fine-tuned, well + working system of responsible disclosure in case of security issues + which will be overturned by the mandatory reporting to European + authorities within 24 hours (Art. 
11 CRA).</li> + + <li>Debian spends a lot of volunteering time on security issues, + provides quick security updates and works closely together with upstream + projects, in coordination with other vendors. To protect its users, + Debian regularly participates in limited embargos to coordinate fixes to + security issues so that all other major Linux distributions can also + have a complete fix when the vulnerability is disclosed.</li> + + <li>Security issue tracking and remediation is intentionally + decentralized and distributed. The reporting of security issues to + ENISA and the intended propagation to other authorities and national + administrations would collect all software vulnerabilities in one place, + greatly increasing the risk of leaking information about vulnerabilities + to threat actors, representing a threat for all the users around the + world, including European citizens.</li> + + <li>Activists use Debian (e.g. through derivatives such as Tails), + among other reasons, to protect themselves from authoritarian + governments; handing threat actors exploits they can use for oppression + is against what Debian stands for.</li> + + <li>Developers and companies will downplay security issues because + a "security" issue now comes with legal implications. Less clarity on + what is truly a security issue will hurt users by leaving them vulnerable.</li> + </ol> + </li> + + <li>While proprietary software is developed behind closed doors, Free + Software development is done in the open, transparent for everyone. To + keep even with proprietary software the open development process needs + to be entirely exempt from CRA requirements, just as the development of + software in private is. 
A "making available on the market" can only be + considered after development is finished and the software is released.</li> + + <li>Even if only "commercial activities" are in the scope of CRA, the + Free Software community - and as a consequence, everybody - will lose a + lot of small projects. CRA will force many small enterprises and most + probably all self employed developers out of business because they + simply cannot fullfill the requirements imposed by CRA. Debian and other + Linux distributions depend on their work. It is not understandable why + the EU aims to cripple not only an established community but also a + thriving market. CRA needs an exemption for small businesses and, at the + very least, solo-entrepreneurs.</li> + </ol> + + <hrline /> + + <p>Sources:</p> + + <p>(1)<br /> + <a href='https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation'>CRA proposals and links</a><br /> + <a href='https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive'>PLD proposals and links</a></p> + </p> + + (2) Background information:<br /> + <a href='https://blog.documentfoundation.org/blog/2023/01/24/tdf-position-on-eus-proposed-cyber-resilience-act/'>https://blog.documentfoundation.org/blog/2023/01/24/tdf-position-on-eus-proposed-cyber-resilience-act/</a><br /> + <a href='https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation'>https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation</a><br /> + <a href='https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/'>https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/</a><br /> + <a 
href='https://blog.opensource.org/author/webmink/'>https://blog.opensource.org/author/webmink/</a><br /> + <a href='https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en'>Detailed analysis</a> + </p> + + <p>(3) <a href='https://www.debian.org/social_contract'>Debian Social Contract No. 2, 3 and 4</a></p> + + +# <vquorum /> + +# <p> +# With the current list of <a href="vote_003_quorum.log">voting +# developers</a>, we have: +# </p> +# <pre> +##include 'vote_003_quorum.txt' +# </pre> +##include 'vote_003_quorum.src' +# +# +# <vstatistics /> +# <p> +# For this GR, like always, +## <a href="https://vote.debian.org/~secretary/gr_non_free_firmware/">statistics</a> +# <a href="suppl_003_stats">statistics</a> +# will be gathered about ballots received and +# acknowledgements sent periodically during the voting +# period. +# Additionally, the list of <a +# href="vote_003_voters.txt">voters</a> will be +# recorded. Also, the <a href="vote_003_tally.txt">tally +# sheet</a> will also be made available to be viewed. +# </p> +# +# <vmajorityreq /> +# <p> +# Proposal 5 and 6 need a 3:1 super majority +# </p> +##include 'vote_003_majority.src' +# +# <voutcome /> +##include 'vote_003_results.src' + + <hrline /> + <address> + <a href="mailto:secretary@debian.org">Debian Project Secretary</a> + </address> + |
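Review bot: the Sources block near the end of the new english/vote/2023/vote_002.wml has unbalanced paragraph tags: the `<p>(1)<br /> ... PLD proposals and links</a></p>` paragraph is followed by a stray `</p>`, and the `(2) Background information:<br />` block closes with `</p>` without ever opening a `<p>`, so the generated HTML is not well-formed. Suggest turning the stray `</p>` into `<p>(2) Background information:<br />` so each of (1), (2) and (3) is its own paragraph. Two further points in the same hunk: the commented-out `<vquorum />`, `<vstatistics />`, `<vmajorityreq />` and `<voutcome />` blocks still reference `vote_003_quorum.log`, `vote_003_quorum.txt`, `suppl_003_stats`, `vote_003_voters.txt`, `vote_003_tally.txt`, `vote_003_majority.src` and `vote_003_results.src`, carry a 2022 voting period and the placeholder "Proposal 5 and 6 need a 3:1 super majority", all inherited from an earlier GR page; these should be changed to the vote_002 names and the majority text corrected before they are uncommented for the voting phase. Lastly, the ballot text contains "Discoverded" and "fullfill"; since the page must reproduce the proposer's wording, check these against the linked text of proposal (msg00000) and either fix them there too or leave them as proposed.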