Dear Debian Fellows,
Following the email sent by Ilu to debian-project (Message-ID: <4b93ed08-f148-4c7f-b172-f967f7de7e4d@gmx.net>), and as we have
discussed during the MiniDebConf UY 2023 with other Debian Members, I
would like to call for a vote about issuing a Debian public statement regarding
the EU Cyber Resilience Act (CRA) and the Product Liability Directive
(PLD). The CRA is in the final stage of the legislative process in the
EU Parliament, and we think it will negatively impact the Debian
Project, users, developers, companies that rely on Debian, and the FLOSS community as a whole. Even if the CRA will probably be adopted before
the time the vote ends (if it takes place), we think it is important to
take a public stand about it.
----- GENERAL RESOLUTION STARTS -----
Debian Public Statement about the EU Cyber Resilience Act and the
Product Liability Directive
The European Union is currently preparing a regulation "on horizontal
cybersecurity requirements for products with digital elements" known as
the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
phase of the legislative process. The act includes a set of essential
cybersecurity and vulnerability handling requirements for manufacturers.
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
assessments and produce technical documentation and for critical
components, have third-party audits conducted. Discovered security
issues will have to be reported to European authorities within 24 hours
(1). The CRA will be followed up by the Product Liability Directive
(PLD) which will introduce compulsory liability for software. More
information about the proposed legislation and its consequences in (2).
While a lot of these regulations seem reasonable, the Debian project
believes that there are grave problems for Free Software projects
attached to them. Therefore, the Debian project issues the following
statement:
1. Free Software has always been a gift, freely given to society, to
take and to use as seen fit, for whatever purpose. Free Software has
proven to be an asset in our digital age and the proposed EU Cyber
Resilience Act is going to be detrimental to it.
a. It is Debian's goal to "make the best system we can, so that
free works will be widely distributed and used." Imposing requirements
such as those proposed in the act makes it legally perilous for others
to redistribute our works and endangers our commitment to "provide an
integrated system of high-quality materials _with no legal restrictions_
that would prevent such uses of the system". (3)
b. Knowing whether software is commercial or not isn't feasible,
neither in Debian nor in most free software projects - we don't track
people's employment status or history, nor do we check who finances
upstream projects.
c. If upstream projects stop developing for fear of being in the
scope of CRA and its financial consequences, system security will
actually get worse instead of better.
d. Having to get legal advice before giving a present to society
will discourage many developers, especially those without a company or
other organisation supporting them.
2. Debian is well known for its security track record through practices
of responsible disclosure and coordination with upstream developers and
other Free Software projects. We aim to live up to the commitment made
in the Social Contract: "We will not hide problems." (3)
a. The Free Software community has developed a fine-tuned, well
working system of responsible disclosure in case of security issues
which will be overturned by the mandatory reporting to European
authorities within 24 hours (Art. 11 CRA).
b. Debian spends a lot of volunteering time on security issues,
provides quick security updates and works closely together with upstream
projects, in coordination with other vendors. To protect its users,
Debian regularly participates in limited embargoes to coordinate fixes to
security issues so that all other major Linux distributions can also
have a complete fix when the vulnerability is disclosed.
c. Security issue tracking and remediation is intentionally
decentralized and distributed. The reporting of security issues to
ENISA and the intended propagation to other authorities and national
administrations would collect all software vulnerabilities in one place,
greatly increasing the risk of leaking information about vulnerabilities
to threat actors, representing a threat for all the users around the
world, including European citizens.
d. Activists use Debian (e.g. through derivatives such as Tails),
among other reasons, to protect themselves from authoritarian
governments; handing threat actors exploits they can use for oppression
is against what Debian stands for.
e. Developers and companies will downplay security issues because
a "security" issue now comes with legal implications. Less clarity on
what is truly a security issue will hurt users by leaving them vulnerable.
3. While proprietary software is developed behind closed doors, Free
Software development is done in the open, transparent for everyone. To
keep even with proprietary software the open development process needs
to be entirely exempt from CRA requirements, just as the development of
software in private is. A "making available on the market" can only be
considered after development is finished and the software is released.
4. Even if only "commercial activities" are in the scope of CRA, the
Free Software community - and as a consequence, everybody - will lose a
lot of small projects. CRA will force many small enterprises and most
probably all self-employed developers out of business because they
simply cannot fulfill the requirements imposed by CRA. Debian and other
Linux distributions depend on their work. It is not understandable why
the EU aims to cripple not only an established community but also a
thriving market. CRA needs an exemption for small businesses and, at the
very least, solo-entrepreneurs.
==========================================================================
Sources:
(1) CRA proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
PLD proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
(2) Background information:
https://blog.documentfoundation.org/blog/2023/01/24/tdf-position-on-eus-proposed-cyber-resilience-act/
https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation
https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
https://blog.opensource.org/author/webmink/
Detailed analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
(3) Debian Social Contract No. 2, 3 and 4
https://www.debian.org/social_contract
----- GENERAL RESOLUTION ENDS -----
Cheers,
-- Santiago
> <santiagorr@riseup.net> wrote:
>> Dear Debian Fellows,
>> Following the email sent by Ilu to debian-project (Message-ID:
>> <4b93ed08-f148-4c7f-b172-f967f7de7e4d@gmx.net>), and as we have
>> discussed during the MiniDebConf UY 2023 with other Debian Members, I
>> would like to call for a vote about issuing a Debian public statement regarding
>> the EU Cyber Resilience Act (CRA) and the Product Liability Directive
>> (PLD). The CRA is in the final stage in the legislative process in the
>> EU Parliament, and we think it will impact negatively the Debian
>> Project, users, developers, companies that rely on Debian, and the FLOSS
>> community as a whole. Even if the CRA will be probably adopted before
>> the time the vote ends (if it takes place), we think it is important to
>> take a public stand about it.
>> ----- GENERAL RESOLUTION STARTS -----
>> Debian Public Statement about the EU Cyber Resilience Act and the
>> Product Liability Directive
>> The European Union is currently preparing a regulation "on horizontal
>> cybersecurity requirements for products with digital elements" known as
>> the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
>> phase of the legislative process. The act includes a set of essential
>> cybersecurity and vulnerability handling requirements for manufacturers.
>> It will require products to be accompanied by information and
>> instructions to the user. Manufacturers will need to perform risk
>> assessments and produce technical documentation and for critical
>> components, have third-party audits conducted. Discovered security
>> issues will have to be reported to European authorities within 24 hours
>> (1). The CRA will be followed up by the Product Liability Directive
>> (PLD) which will introduce compulsory liability for software. More
>> information about the proposed legislation and its consequences in (2).
>
> These all seem like good things to me. For too long private
> corporations have been allowed to put profit before accountability and
> user safety, which often results in long-lasting damage for citizens,
> monetary or worse. It's about time the wild west was reined in.
>
>> While a lot of these regulations seem reasonable, the Debian project
>> believes that there are grave problems for Free Software projects
>> attached to them. Therefore, the Debian project issues the following
>> statement:
>> 1. Free Software has always been a gift, freely given to society, to
>> take and to use as seen fit, for whatever purpose. Free Software has
>> proven to be an asset in our digital age and the proposed EU Cyber
>> Resilience Act is going to be detrimental to it.
>> a. It is Debian's goal to "make the best system we can, so that
>> free works will be widely distributed and used." Imposing requirements
>> such as those proposed in the act makes it legally perilous for others
>> to redistribute our works and endangers our commitment to "provide an
>> integrated system of high-quality materials _with no legal restrictions_
>> that would prevent such uses of the system". (3)
>
> Debian does not sell products in the single market. Why would any
> requirement be imposed, how, and on whom? SPI? Debian France?
>
>> b. Knowing whether software is commercial or not isn't feasible,
>> neither in Debian nor in most free software projects - we don't track
>> people's employment status or history, nor do we check who finances
>> upstream projects.
>
> We do know whether something is commercial or not though - for
> example, we don't have to provide Debian with warranty to our users,
> because we know publishing images on debian.org is not a commercial
> activity.
> The second statement I find hard to follow, what would employment
> status have to do with this?
>
>> c. If upstream projects stop developing for fear of being in the
>> scope of CRA and its financial consequences, system security will
>> actually get worse instead of better.
>
> Why would projects stop developing? If it's a product sold on the
> single market, then it's right that it is subject to these rules. If
> it's not a product, then these rules don't affect it, just like rules
> on warranties.
>
>> d. Having to get legal advice before giving a present to society
>> will discourage many developers, especially those without a company or
>> other organisation supporting them.
>
> Same as above. If you are not selling anything, why would you need
> legal advice, any more than you already do? The EU Single Market has
> many, many rules, this is not the first and won't be the last.
>
>> 2. Debian is well known for its security track record through practices
>> of responsible disclosure and coordination with upstream developers and
>> other Free Software projects. We aim to live up to the commitment made
>> in the Social Contract: "We will not hide problems." (3)
>> a. The Free Software community has developed a fine-tuned, well
>> working system of responsible disclosure in case of security issues
>> which will be overturned by the mandatory reporting to European
>> authorities within 24 hours (Art. 11 CRA).
>
> Well, actually the CVE system has a lot of critics - see recent LWN
> articles for some examples. So a public authority taking over from
> Mitre and other private companies doesn't sound so horrible to me, in
> principle - devil's in the details of course.
>
>> b. Debian spends a lot of volunteering time on security issues,
>> provides quick security updates and works closely together with upstream
>> projects, in coordination with other vendors. To protect its users,
>> Debian regularly participates in limited embargoes to coordinate fixes to
>> security issues so that all other major Linux distributions can also
>> have a complete fix when the vulnerability is disclosed.
>> c. Security issue tracking and remediation is intentionally
>> decentralized and distributed. The reporting of security issues to
>> ENISA and the intended propagation to other authorities and national
>> administrations would collect all software vulnerabilities in one place,
>> greatly increasing the risk of leaking information about vulnerabilities
>> to threat actors, representing a threat for all the users around the
>> world, including European citizens.
>
> This already happens with CVEs though? By a private, unaccountable,
> for-profit corporation.
>
>> d. Activists use Debian (e.g. through derivatives such as Tails),
>> among other reasons, to protect themselves from authoritarian
>> governments; handing threat actors exploits they can use for oppression
>> is against what Debian stands for.
>
> Again, I don't see how this is any different than the status quo.
>
>> e. Developers and companies will downplay security issues because
>> a "security" issue now comes with legal implications. Less clarity on
>> what is truly a security issue will hurt users by leaving them vulnerable.
>
> Companies already routinely downplay or outright neglect security
> issues in their products. It seems the intent of the legislation is to
> try and fix precisely that. One might be skeptical on the ability of
> the proposed legislation to improve the situation, of course, but
> that's a different story.
>
>> 3. While proprietary software is developed behind closed doors, Free
>> Software development is done in the open, transparent for everyone. To
>> keep even with proprietary software the open development process needs
>> to be entirely exempt from CRA requirements, just as the development of
>> software in private is. A "making available on the market" can only be
>> considered after development is finished and the software is released.
4. Even if only "commercial activities" are in the scope of CRA, the
Free Software community - and as a consequence, everybody - will lose a >> lot of small projects. CRA will force many small enterprises and most
probably all self employed developers out of business because they
simply cannot fullfill the requirements imposed by CRA. Debian and other >> Linux distributions depend on their work. It is not understandable why >> the EU aims to cripple not only an established community but also a
thriving market. CRA needs an exemption for small businesses and, at the >> very least, solo-entrepreneurs.
To be brutally honest, if some private corporations' viability depends
on being able to ignore glaring security issues that can harm their
users, then I for one am all for them going out of business. Just like
if a company's existence relies on the ability to breach privacy with >impunity and is hampered by the GDPR, and so on.
To do a reductio ad absurdum to illustrate my point, if a free
software project's existence depended exclusively on an oil&gas
corporation being able to pollute the environment and worsen climate
change with impunity because the author is employed there, would it be
worth it? The answer for me is categorically no. Especially given it's
free software! The whole point of it is that someone else can maintain
it, or the author can find a different source of income, and the
project can continue - it's free, it's by definition not locked in one >corporation.
All in all, given how the situation is explained here, I do not
understand where the issue is, for us as a project or as free software >developers. I do not see any convincing argument at all as to why this
is detrimental to Debian or free software, and the only link that is
made is tenuous at best: maybe some free software developer is also
employed by a company who is negatively affected by this. There are
many, many things that can negatively affect anyone's employer, I do
not see why, by itself, this should warrant a project statement.
On November 12, 2023 5:09:26 PM UTC, Luca Boccassi <bluca@debian.org> wrote:
> On Sun, 12 Nov 2023 at 15:10, Santiago Ruano Rincón
> <santiagorr@riseup.net> wrote:
[snip]
Then I would encourage you to do a bit of research on the topic. Given
the definitions being used in the proposal, Debian and most, if not
all, of its upstreams are squarely within the realm of affected
software. If this is passed, I am seriously considering ceasing all
free software work, because it's not at all clear it's possible to
avoid legal liability for things that I can't reasonably control as a
single developer.
This is true even though I don't live in the EU.
[snip]
Which definitions does the proposal use? Could you please quote them?
The first two links do not provide any, as far as I can see. The third
link (a blog post, not a piece of legislation) explicitly says: "the
Cyber Resilience Act does not define commercial activity".
Hi,
On Sun, 12 Nov 2023 at 14:35, Ilulu <ilulu@gmx.net> wrote:
[snip]
> (10a) For example, a fully decentralised development model, where no
> single commercial entity exercises control over what is accepted into
> the project’s code base, should be taken as an indication that the
> product has been developed in a non-commercial setting. On the other
> hand, where free and open source software is developed by a single
> organisation or an asymmetric community, where a single organisation is
> generating revenues from related use in business relationships, this
> should be considered to be a commercial activity. Similarly, where the
> main contributors to free and open-source projects are developers
> employed by commercial entities and when such developers or the employer
> can exercise control as to which modifications are accepted in the code
> base, the project should generally be considered to be of a commercial
> nature.
So basically this means Qt will be considered a commercial product
_even_ if it's totally open source (at least in the way we ship it in
Debian). Even more, it can even be argued that if we ship it _and_ I
get to patch it (we do), then I might be responsible for it, which to
me makes no sense at all.
On 12.11.23 at 18:09, Luca Boccassi wrote:
> We do know whether something is commercial or not though ...
I sincerely doubt that. Just to illustrate this I'm citing a part (only
a part) of one of the regulation drafts which are presently considered
in trilogue.
"(10) Only free and open-source made available on the market in the
course of a commercial activity should be covered by this Regulation.
Whether a free and open-source product has been made available as part
of a commercial activity should be assessed on a product-by-product
basis, looking at both the development model and the supply phase of the
free and open-source product with digital elements.
(10a) For example, a fully decentralised development model, where no
single commercial entity exercises control over what is accepted into
the project’s code base, should be taken as an indication that the
product has been developed in a non-commercial setting. On the other
hand, where free and open source software is developed by a single
organisation or an asymmetric community, where a single organisation is
generating revenues from related use in business relationships, this
should be considered to be a commercial activity. Similarly, where the
main contributors to free and open-source projects are developers
employed by commercial entities and when such developers or the employer
can exercise control as to which modifications are accepted in the code
base, the project should generally be considered to be of a commercial
nature.
(10b) With regards to the supply phase, in the context of free and
open-source software, a commercial activity might be characterized not
only by charging a price for a product, but also by charging a price for
technical support services, when this does not serve only the
recuperation of actual costs, by providing a software platform through
which the manufacturer monetises other services, or by the use of
personal data for reasons other than exclusively for improving the
security, compatibility or interoperability of the software. Accepting
donations without the intention of making a profit should not
count as a commercial activity, unless such donations are made by
commercial entities and are recurring in nature."
On 12.11.23 at 19:01, Luca Boccassi wrote:
> Yes - if it's "made available on the market", which is in the first
> bit that was snipped. Pushing a repository on Gitlab is not "making
> available on the market".
You are wrong. It is. That's why the proposal has:
"(10d) The sole act of hosting free and open-source software on open
repositories does not in itself constitute making available on the
market of a product with digital elements. As such, most package
managers, code hosting and collaboration platforms should not be
considered as distributors under the meaning of this Regulation."
... which means that GITHUB is not responsible for the repo you pushed.
But you are. You are the manufacturer of that software product, you make
it available, and whether this is "on the market" = commercial depends
on a lot of things: how many donations you get and from whom, who your
employer is, or who else is working on that repo ... and so on,
depending on how the wording of CRA-Recital 10 will turn out in the end.
You better ask your lawyer.
I don't see how the fact that Github is
not responsible for software hosted on its platform goes to imply that
every such software is a product. Whether something is or is not a
product on the market is already quite clear, and the sources cited in
the original mail themselves say that the CRA does not change this
aspect.
Are you responsible for the warranty for
software you push to Github if someone git clones it? Of course not.
Because repositories on Github are not products on the single market.
Just for good measure, seconded.
(10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case
for software, including its source code and modified versions, that is
openly shared and freely accessible, usable, modifiable and
redistributable. In the context of software, a commercial activity might
be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by
the use of personal data for reasons other than exclusively for improving
the security, compatibility or interoperability of the software.
(23) ‘making available on the market’ means any supply of a product with digital elements for distribution or use on the Union market in the
course of a commercial activity, whether in return for payment or free of charge;
"Art. 3
(1) ‘product with digital elements’ means any software or hardware product ...
(18) ‘manufacturer’ means any natural or legal person who develops or manufactures products with digital elements ... and markets them under
his or her name or trademark, whether for payment or free of charge;
(23) ‘making available on the market’ means any supply of a product with digital elements for distribution or use on the Union market in the
course of a commercial activity ..."
On 12.11.23 at 19:19, Luca Boccassi wrote:
I don't see how the fact that Github is
not responsible for software hosted on its platform goes to imply that every such software is a product. Whether something is or is not a
product on the market is already quite clear, and the sources cited in
the original mail themselves say that the CRA does not change this
aspect.
Because everybody agrees that software is a product. And if you can
download the product on github or elsewhere, it's made available. There
is an explicit exemption only for the platform, not for the uploader.
It's fine if you think your software is not a product, but be aware that european market authorities will not agree with you.
Are you responsible for the warranty for
software you push to Github if someone git clones it? Of course not.
Not yet, but this will change, depending on whether the activity is considered commercial or not. Of course the details are still unclear.
In your example, pushing to your repo might not count as "making
available" (thanks to a lot of lobbying), but tagging a release probably does. What about CI artifacts? Nobody knows.
Because repositories on Github are not products on the single market.
Obviously repositories are not products. Software is.
I'm not spreading fud. I've read the stuff, I'm working on this since
FOSDEM, I have the necessary background and I participate in weekly
meetings with several big FOSS organisations/foundations. This workgroup
had frequent consultations with EU representatives. We are not spending considerable time on non-issues.
Ilu
Let me pipe in here. I have been exposed quite a bit with EU legislation in the process of our fight against software patents back in 2012. The EU legislators are quite sensible when the underlying issues are clearly explained to them, but the legal language of the documents can be quite dense and also quite nuanced with one word sometimes completely changing the meaning of the entire document.
Looking at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52022PC0454
For example the intro clearly states the intent of *not* burdening the open source development process with the requirements of this directive:
(10) In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
For this purpose the following point exists:
(23)‘making available on the market’ means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;
Here the "in the course of a commercial activity" is the critical bit. All volunteer work no longer meets the "making available on the market" definition and thus all other provisions/definitions no longer apply, because they all use the "making available on the market" definition directly or indirectly (via "manufacturer" definition or "product with digital elements" definitions). Re-read the commercial activity mentioned in the point 10 above - it is quite explicit that the activity can only
Even regardless of the specific legal wording in the legislation itself, the point 10 of the preamble would be enough to fix any "bug" in the legislation in post-processing via courts. As in - if any interpretation of the wording of the directive is indeed found to be hampering open source development, then it is clearly in error and contrary to the stated intent of the legislation.
I am *not* objecting to Debian taking such a vote and expressing the stance intended. However, I expect that it will be seen by the EU legislators with mild amusement, because in their context and understanding the legislative proposal already contains all the necessary protections for open source and free software development processes. However, if a company (say Amazon or MySQL) takes an open source product and provides a commercial service based on that product, then they are expected to also provide security updates, vulnerability notifications and other relevant services to their customers. Which is also an intended consequence of the legislation.
The EU puts the interests of the consumers and of the community above commercial interests. Even commercial interests of small businesses. Allowing small businesses to "pollute" the digital environment with insecure or unmaintained software just because they are small businesses makes no sense from a European perspective.
Hi,
On 13.11.23 19:54, Aigars Mahinovs wrote:
So a commercial company releasing open source
software that is *not* part of their commercial activity (for example a router manufacturer releasing an in-house written Git UI) would be "supplied outside the course of a commercial activity" and thus not
subject to this regulation.
That's why I mentioned systemd in my other email, perhaps I should
elaborate on that.
The lead developer is employed by Microsoft (who have a certain history
with the EU) and pretty obviously working on it full time.
Even regardless of the specific legal wording in the legislation itself, the point 10
of the preamble would be enough to fix any "bug" in the legislation in post-processing via courts. As in - if any interpretation of the wording of the
directive is indeed found to be hampering open source development,
then it is clearly in error and contrary to the stated intent of the legislation.
On Mon, 13 Nov 2023 at 07:55, Aigars Mahinovs <aigarius@gmail.com> wrote:
[snip]
Even regardless of the specific legal wording in the legislation itself, the point 10
of the preamble would be enough to fix any "bug" in the legislation in post-processing via courts. As in - if any interpretation of the wording of the
directive is indeed found to be hampering open source development,
then it is clearly in error and contrary to the stated intent of the legislation.
According to the current wording if, for some reason, I am held to be responsible for $whatever, then I should go to court. Me, who lives in
south america (because yes, they are looking for culprits no matter
where they live). They already won.
So, why not try and get the wording correct from the start?
On Mon, 13 Nov 2023 at 12:20, Simon Richter <sjr@debian.org> wrote:
Hi,
On 13.11.23 19:54, Aigars Mahinovs wrote:
So a commercial company releasing open source
software that is *not* part of their commercial activity (for example a router manufacturer releasing an in-house written Git UI) would be "supplied outside the course of a commercial activity" and thus not subject to this regulation.
That's why I mentioned systemd in my other email, perhaps I should elaborate on that.
The lead developer is employed by Microsoft (who have a certain history with the EU) and pretty obviously working on it full time.
Employment statuses are irrelevant, as said development is not done as
part of any commercial product as per relevant legislation as
explained already by Aigars, so these points are moot. Mere employment
of a developer is not enough to make an open source software a
commercial product available on the market.
True, the employment status is irrelevant. However, in this example Microsoft will actually have the liability of
providing the security assurances and support for systemd and related systems, because they are providing
images of such systems as part of their commercial offering on the Azure cloud platforms. And that will be
true regardless of the employment status of a few developers.
A company that does not provide any Linux system services to EU customers, like some integrator operating
just in Canada, would not have such exposure and thus would not incur any such obligations.
Correct. And I agree with that effect:
The *one* negative impact I can see of this legislation is impact on small integrators that were used to being able to go to a
client company, install a bunch of Ubuntu Desktop workstations, set up a Ubuntu Server for SMB and also to serve the website
of the company, take one-time fee for their work and be gone. Now it would have to be made clear - who will be maintaining those
machines over time, ensuring they are patched with security updates in
time, upgraded to new OS releases when old ones are no
longer supported and so on.
Lots of interesting questions. But at no point does any responsibility get automatically assigned to, for example, Debian or individual
open source developers.
On Mon, 13 Nov 2023 at 12:57, Aigars Mahinovs <aigarius@gmail.com> wrote:
True, the employment status is irrelevant. However, in this example Microsoft will actually have the liability of
providing the security assurances and support for systemd and related systems, because they are providing
images of such systems as part of their commercial offering on the Azure cloud platforms. And that will be
true regardless of the employment status of a few developers.
A company that does not provide any Linux system services to EU customers, like some integrator operating
just in Canada, would not have such exposure and thus would not incur any such obligations.
Yes, but they have to do that *as part of that commercial product*,
which is not systemd, it's whatever product uses it, together with the
Linux kernel, glibc, gcc, etc. That's a good thing, and it applies to
any corporation that ships any open source software as part of their products. The corporation is responsible for security aspects of said
product and its part as shipped in that product, which is great.
It doesn't mean that the upstream open source project is now suddenly encumbered as a commercial product out of the blue - which is what the
person I was replying to concluded - because it's plainly and
obviously not developed solely and exclusively for that commercial
offering, given it's used everywhere on any Linux image from any
vendor that you can get your hands on by any means.
I am *not* objecting to Debian taking such a vote and expressing the stance intended. However, I expect that it will be seen by the EU
legislators with mild amusement, because in their context and
understanding the legislative proposal already contains all the necessary protections for open source and free software development processes.
However, if a company (say Amazon or MySQL) takes an open source product
and provides a commercial service based on that product, then they are expected to also provide security updates, vulnerability notifications and other relevant services to their customers. Which is also an intended consequence of the legislation.
The EU puts the interests of the consumers and of the community above commercial interests. Even commercial interests of small businesses.
Allowing small businesses to "pollute" the digital environment with
insecure or unmaintained software just because they are small businesses makes no sense from a European perspective.
Indeed. This is good legislation, and the parts you quoted make it exceedingly obvious that the legislators in fact do care about not
hampering open source development. It would be very, very strange and self-defeating for the project to come out against this, as the next
time around (because if this doesn't pass, something else will -
software security in commercial products is too important to leave the current far-west as-is) we might not be so lucky.
On Mon, 13 Nov 2023 at 13:29, Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com> wrote:
On Mon, 13 Nov 2023 at 07:55, Aigars Mahinovs <aigarius@gmail.com> wrote:
[snip]
Even regardless of the specific legal wording in the legislation itself, the point 10
of the preamble would be enough to fix any "bug" in the legislation in post-processing via courts. As in - if any interpretation of the wording of the
directive is indeed found to be hampering open source development,
then it is clearly in error and contrary to the stated intent of the legislation.
According to the current wording if, for some reason, I am held to be
responsible for $whatever, then I should go to court. Me, who lives in
south america (because yes, they are looking for culprits no matter
where they live). They already won.
So, why not try and get the wording correctly from starters?
IANAL, but to me the wording seems correct. As long as you are not explicitly conducting commercial activity in
direct relation to this product to a customer in the EU, none of this applies to you.
If you *are* engaged in commercial activity with customers in the EU, then the EU wants to protect its people and
also keep up the general hygiene of the computing environment in the EU to a certain level.
On Mon, 13 Nov 2023 at 11:50, Aigars Mahinovs <aigarius@gmail.com> wrote:
Whether accepting donations *in general* makes your activity in providing software a "commercial activity" in the context of
this directive proposal is not really a supported notion in the text. There are a few specific examples of what does make
a "commercial activity" in point 10, but none of those examples directly apply to general donations to a project or person.
I am not mixing, I think the current wording does not _exactly_ say
so, leaving a door open for abuse.
On Mon, Nov 13, 2023 at 02:19:38PM +0100, Aigars Mahinovs wrote:
Correct. And I agree with that effect:
same here.
The *one* negative impact I can see of this legislation is impact on small integrators that were used to being able to go to a
client company, install a bunch of Ubuntu Desktop workstations, set up a Ubuntu Server for SMB and also to serve the website
of the company, take one-time fee for their work and be gone. Now it would have to be made clear - who will be maintaining those
machines over time, ensuring they are patched with security updates in time, upgraded to new OS releases when old ones are no
longer supported and so on.
I don't see this a negative impact because this will in the long
term hopefully prevent the effect which is similar to a small
freelancer setting up a kitchen machine which will blow up
after some time. And no one wants that, whether it's been a small
or big company responsible for the exploding kitchen. And people
buying kitchen machines have understood they want safe machinery
in kitchens...
You are mixing up completely unrelated things. Commercial entities and software coming from it have nothing to do with commercial activity.
The commercial activity is what *you* are doing with the software. It is completely irrelevant where you got it from or if you wrote it.
If you are doing commercial activity and are getting QT as a commercial product from a commercial entity, then it is *easier* for
you - you can simply delegate the security responsibilities of that part of your software stack up to the QT commercial entity
and you just need to take care of the rest of the stack, which you are *selling* to your customers (commercial activity!).
Whether accepting donations *in general* makes your activity in providing software a "commercial activity" in the context of
this directive proposal is not really a supported notion in the text. There are a few specific examples of what does make
a "commercial activity" in point 10, but none of those examples directly apply to general donations to a project or person.
By now the EU is actually quite used to dealing with volunteer
projects and open source projects in general. So they would not be
surprised in the slightest. And I do not believe it would tarnish
the image of Debian.
A lot of the same comments *were* communicated to EU Commission and
EU Parliament by IT industry associations, which employ lawyers that
track such things and analyse possible impacts, including towards
open source software, because that is a solid backbone of the modern
digital economy (their words, not mine). And there were indeed many
bugs in earlier revisions of these texts that would have made a bad
impact if implemented as written.
The EU listens *very* well to national IT associations of the member
states for feedback on such matters and open source experts are very
well represented in those. Opinions of IT people from outside of the
EU are usually not considered to be relevant. As in not adding
anything new that the EU experts have not already considered.
Volunteer open source projects are seen as ... not being able to
invest sufficient legal understanding into the topics to be able to contribute to the discussion meaningfully *and* keep up with the
nuanced changes in the proposals over time.
But umbrella organisations, like EFF are better positioned for this.
See: https://www.eff.org/deeplinks/2023/10/eff-and-other-experts-join-pointing-out-pitfalls-proposed-eu-cyber-resilience-act
Note how the open source language has become very much softened and nuanced after changes in the
proposal removed most of the bugs that would have affected open source previously.
On Mon, 13 Nov 2023 at 07:55, Aigars Mahinovs <aigarius@gmail.com> wrote:
[snip]
Even regardless of the specific legal wording in the legislation itself, the point 10
of the preamble would be enough to fix any "bug" in the legislation in
post-processing via courts. As in - if any interpretation of the wording of the
directive is indeed found to be hampering open source development,
then it is clearly in error and contrary to the stated intent of the legislation.
According to the current wording if, for some reason, I am held to be
responsible for $whatever, then I should go to court. Me, who lives in
South America (because yes, they are looking for culprits no matter
where they live). They already won.
So, why not try and get the wording right from the start?
On Mon, 13 Nov 2023 at 12:31, Luca Boccassi <bluca@debian.org> wrote:
I am *not* objecting to Debian taking such a vote and expressing the
stance intended. However, I expect that it will be seen by the EU
legislators with mild amusement, because in their context and
understanding the legislative proposal already contains all the necessary
protections for open source and free software development processes.
However, if a company (say Amazon or MySQL) takes an open source product
and provides a commercial service based on that product, then they are
expected to also provide security updates, vulnerability notifications and
other relevant services to their customers. Which is also an intended
consequence of the legislation.
The EU puts the interests of the consumers and of the community above
commercial interests. Even commercial interests of small businesses.
Allowing small businesses to "pollute" the digital environment with
insecure or unmaintained software just because they are small businesses
makes no sense from a European perspective.
Indeed. This is good legislation, and the parts you quoted make it
exceedingly obvious that the legislators in fact do care about not
hampering open source development. It would be very, very strange and
self-defeating for the project to come out against this, as the next
time around (because if this doesn't pass, something else will -
software security in commercial products is too important to leave the
current far-west as-is) we might not be so lucky.
On 12.11.23 at 18:09 Luca Boccassi wrote:
We do know whether something is commercial or not though ...
I sincerely doubt that. Just to illustrate this I'm citing a part (only
a part) of one of the regulation drafts which are presently considered
in trilogue.
"(10) Only free and open-source made available on the market in the
course of a commercial activity should be covered by this Regulation.
Whether a free and open-source product has been made available as part
of a commercial activity should be assessed on a product-by-product
basis, looking at both the development model and the supply phase of the
free and open-source product with digital elements.
(10a) For example, a fully decentralised development model, where no
single commercial entity exercises control over what is accepted into
the project’s code base, should be taken as an indication that the
product has been developed in a non-commercial setting. On the other
hand, where free and open source software is developed by a single organisation or an asymmetric community, where a single organisation is generating revenues from related use in business relationships, this
should be considered to be a commercial activity. Similarly, where the
main contributors to free and open-source projects are developers
employed by commercial entities and when such developers or the employer
can exercise control as to which modifications are accepted in the code
base, the project should generally be considered to be of a commercial nature.
(10b) With regards to the supply phase, in the context of free and open-source software, a commercial activity might be characterized not
only by charging a price for a product, but also by charging a price for technical support services, when this does not serve only the
recuperation of actual costs, by providing a software platform through
which the manufacturer monetises other services, or by the use of
personal data for reasons other than exclusively for improving the
security, compatibility or interoperability of the software. Accepting donations without the intention of making a profit should not
count as a commercial activity, unless such donations are made by
commercial entities and are recurring in nature."
On 12.11.23 at 18:17 Scott Kitterman wrote:
Then I would encourage you to do a bit of research on the topic. Given the definitions being used in the proposal, Debian and most, if
not all, of its upstreams are squarely within the realm of affected software. If this is passed, I am seriously considering ceasing all
free software work, because it's not at all clear it's possible to avoid legal liability for things that I can't reasonably control as a single developer.
Exactly.
Ilu
On 12.11.23 at 18:09 Luca Boccassi wrote:
On Sun, 12 Nov 2023 at 15:10, Santiago Ruano Rincón
<santiagorr@riseup.net> wrote:
Dear Debian Fellows,
Following the email sent by Ilu to debian-project (Message-ID:
<4b93ed08-f148-4c7f-b172-f967f7de7e4d@gmx.net>), and as we have
discussed during the MiniDebConf UY 2023 with other Debian Members, I
would like to call for a vote about issuing a Debian public statement
regarding
the EU Cyber Resilience Act (CRA) and the Product Liability Directive
(PLD). The CRA is in the final stage in the legislative process in the
EU Parliament, and we think it will impact negatively the Debian
Project, users, developers, companies that rely on Debian, and the FLOSS
community as a whole. Even if the CRA will be probably adopted before
the time the vote ends (if it takes place), we think it is important to
take a public stand about it.
    ----- GENERAL RESOLUTION STARTS -----
    Debian Public Statement about the EU Cyber Resilience Act and the
    Product Liability Directive
    The European Union is currently preparing a regulation "on horizontal
    cybersecurity requirements for products with digital elements" known as
    the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
    phase of the legislative process. The act includes a set of essential
    cybersecurity and vulnerability handling requirements for manufacturers.
    It will require products to be accompanied by information and
    instructions to the user. Manufacturers will need to perform risk
    assessments and produce technical documentation and for critical
    components, have third-party audits conducted. Discovered security
    issues will have to be reported to European authorities within 24 hours
    (1). The CRA will be followed up by the Product Liability Directive
    (PLD) which will introduce compulsory liability for software. More
    information about the proposed legislation and its consequences in (2).
These all seem like good things to me. For too long private
corporations have been allowed to put profit before accountability and
user safety, which often results in long lasting damage for citizens,
monetary or worse. It's about time the wild-west was reined in.
    While a lot of these regulations seem reasonable, the Debian project
    believes that there are grave problems for Free Software projects
    attached to them. Therefore, the Debian project issues the following
    statement:
    1. Free Software has always been a gift, freely given to society, to
    take and to use as seen fit, for whatever purpose. Free Software has
    proven to be an asset in our digital age and the proposed EU Cyber
    Resilience Act is going to be detrimental to it.
        a. It is Debian's goal to "make the best system we can, so that
    free works will be widely distributed and used." Imposing requirements
    such as those proposed in the act makes it legally perilous for others
    to redistribute our works and endangers our commitment to "provide an
    integrated system of high-quality materials _with no legal restrictions_
    that would prevent such uses of the system". (3)
Debian does not sell products in the single market. Why would any
requirement be imposed, how, and on whom? SPI? Debian France?
        b. Knowing whether software is commercial or not isn't feasible,
    neither in Debian nor in most free software projects - we don't track
    people's employment status or history, nor do we check who finances
    upstream projects.
We do know whether something is commercial or not though - for
example, we don't have to provide Debian with warranty to our users,
because we know publishing images on debian.org is not a commercial
activity.
The second statement I find hard to follow, what would employment
status have to do with this?
        c. If upstream projects stop developing for fear of being in the
    scope of CRA and its financial consequences, system security will
    actually get worse instead of better.
Why would projects stop developing? If it's a product sold on the
single market, then it's right that it is subject to these rules. If
it's not a product, then these rules don't affect it, just like rules
on warranties.
        d. Having to get legal advice before giving a present to society
    will discourage many developers, especially those without a company or
    other organisation supporting them.
Same as above. If you are not selling anything, why would you need
legal advice, any more than you already do? The EU Single Market has
many, many rules, this is not the first and won't be the last.
    2. Debian is well known for its security track record through practices
    of responsible disclosure and coordination with upstream developers and
    other Free Software projects. We aim to live up to the commitment made
    in the Social Contract: "We will not hide problems." (3)
        a. The Free Software community has developed a fine-tuned, well
    working system of responsible disclosure in case of security issues
    which will be overturned by the mandatory reporting to European
    authorities within 24 hours (Art. 11 CRA).
Well, actually the CVE system has a lot of critics - see recent LWN
articles for some examples. So a public authority taking over from
Mitre and other private companies doesn't sound so horrible to me, in
principle - devil's in the details of course.
        b. Debian spends a lot of volunteering time on security issues,
    provides quick security updates and works closely together with upstream
    projects, in coordination with other vendors. To protect its users,
    Debian regularly participates in limited embargos to coordinate fixes to
    security issues so that all other major Linux distributions can also
    have a complete fix when the vulnerability is disclosed.
        c. Security issue tracking and remediation is intentionally
    decentralized and distributed. The reporting of security issues to
    ENISA and the intended propagation to other authorities and national
    administrations would collect all software vulnerabilities in one place,
    greatly increasing the risk of leaking information about vulnerabilities
    to threat actors, representing a threat for all the users around the
    world, including European citizens.
This already happens with CVEs though? By a private, unaccountable,
for profit corporation.
        d. Activists use Debian (e.g. through derivatives such as Tails),
    among other reasons, to protect themselves from authoritarian
    governments; handing threat actors exploits they can use for oppression
    is against what Debian stands for.
Again, I don't see how this is any different than the status quo.
        e. Developers and companies will downplay security issues because
    a "security" issue now comes with legal implications. Less clarity on
    what is truly a security issue will hurt users by leaving them
    vulnerable.
Companies already routinely downplay or outright neglect security
issues in their products. It seems the intent of the legislation is to
try and fix precisely that. One might be skeptical on the ability of
the proposed legislation to improve the situation, of course, but
that's a different story.
    3. While proprietary software is developed behind closed doors, Free
    Software development is done in the open, transparent for everyone. To
    keep even with proprietary software the open development process needs
    to be entirely exempt from CRA requirements, just as the development of
    software in private is. A "making available on the market" can only be
    considered after development is finished and the software is released.
    4. Even if only "commercial activities" are in the scope of CRA, the
    Free Software community - and as a consequence, everybody - will lose a
    lot of small projects. CRA will force many small enterprises and most
    probably all self-employed developers out of business because they
    simply cannot fulfill the requirements imposed by CRA. Debian and other
    Linux distributions depend on their work. It is not understandable why
    the EU aims to cripple not only an established community but also a
    thriving market. CRA needs an exemption for small businesses and, at the
    very least, solo-entrepreneurs.
To be brutally honest, if some private corporations' viability depends
on being able to ignore glaring security issues that can harm their
users, then I for one am all for them going out of business. Just like
if a company's existence relies on the ability to breach privacy with
impunity and is hampered by the GDPR, and so on.
To do a reductio ad absurdum to illustrate my point, if a free
software project's existence depended exclusively on an oil&gas
corporation being able to pollute the environment and worsen climate
change with impunity because the author is employed there, would it be
worth it? The answer for me is categorically no. Especially given it's
free software! The whole point of it is that someone else can maintain
it, or the author can find a different source of income, and the
project can continue - it's free, it's by definition not locked in one
corporation.
All in all, given how the situation is explained here, I do not
understand where the issue is, for us as a project or as free software
developers. I do not see any convincing argument at all as to why this
is detrimental to Debian or free software, and the only link that is
made is tenuous at best: maybe some free software developer is also
employed by a company who is negatively affected by this. There are
many, many things that can negatively affect anyone's employer, I do
not see why, by itself, this should warrant a project statement.
At the moment - as the official proposals are worded now - everything
depends on the meaning of the word "commercial". Please note that the proposals have some examples on this as I mentioned before - but each proposal is worded differently.
The software is deemed commercial if
- the developer is selling services for it
- developers are employed by a company and can exercise control (= can
merge)
- the project receives donations (depending on how much, how often and
from whom)
- developed by a single organisation or an asymmetric community
(whatever that is, ask your lawyer)
- a single organisation is generating revenues from related use in
business relationships (notice the vague word "related")
- ...
The 3 proposals differ on these examples but they show what lawmakers
have in mind. Their intent is to include every project where a company
is involved in any way. And we all know that without company sponsorship
a lot of projects could not exist. Luca might state that "Mere
employment of a developer is not enough to make an open source software
a commercial product available on the market" but the Parliament's
proposal explicitly says the opposite (if the developer has control,
i.e. merge permission). It doesn't help making blanket statements
without reading *all* proposals first.
There is even an unofficial 4th proposal circulating behind closed
doors, that tries to ditch the commercial/non-commercial differentiation
and goes off in a completely different direction (that will target every project that has a backing organisation - Debian has one). It is all
still in flow.
I cited the Parliament's proposal that says: "Accepting donations without
the intention of making a profit should not count as a commercial
activity, unless such donations are made by commercial entities and are recurring in nature." which clearly states that recurrent donations by companies make a software commercial. But Aigars still claims that
"accepting donations does not fall into any of those examples."
What Aigars writes is what we would like to have (and what we are
lobbying for) but not what the EU presently wants and not what's written
in all proposals.
It is not helpful to read legal texts with your own interpretation and
your own wishes in mind. Aigars and Luca are writing what they think is reasonable (and I mostly agree) and what they gather from one of the
texts (and my hope is that that will be the outcome) but at the moment
that is not the consensus among EU legislators. This is why I want
Debian to make a statement. We need to argue against the dangerous
proposals - which are there and I cited some of them. Ignoring the bad proposals by only reading the stuff that suits you does not help.
My intention with this resolution is not to damn CRA. A lot of things required by CRA are correct and are done anyway by almost all free
software projects (certainly by Debian). My intention is to give support
to those organisations that are trying to push CRA in the right
direction, notably EDRI and OFE (these are the ones I know of).
"Lobbying" is an integral part of EU law making and we should use it
like everybody else does.
Please also note that cloud services like Azure are not affected by CRA, that's NIS2. If you are familiar with European legislation you will know that.
Ilu
Thanks for the detailed explanation! It had quite a few details that I was not aware of. Expressing the desired position of Debian and of the community *is* useful, especially when there are multiple variants of the legislation that need reconciliation. I was looking at the specific version that I linked to and the language in that version.
But that position should not be a blanket opposition to the legislation or containing overbroad statements.
Specific highlights on what activities should not fall into the scope of
the directive would be helpful.
But beyond that, I have not researched this specific issue enough to recommend specifics.
Peculiarly I am also not against Debian passing the resolution as it stands because the negotiators in the loop of reconciliation *are* able to use Debian's position to argue for better open source conditions, even if the actual text in the Debian vote *were* far from perfect or accurate. (Which
I am not saying it is)
On Mon, 13 Nov 2023, 17:32 Ilu, <ilulu@gmx.net> wrote:
At the moment - as the official proposals are worded now - everything
depends on the meaning of the word "commercial". Please note that the
proposals have some examples on this as I mentioned before - but each
proposal is worded differently.
The software is deemed commercial if
- the developer is selling services for it
- developers are employed by a company and can exercise control (= can
merge)
- the project receives donations (depending on how much, how often and
from whom)
- developed by a single organisation or an asymmetric community
(whatever that is, ask your lawyer)
- a single organisation is generating revenues from related use in
business relationships (notice the vague word "related")
- ...
The 3 proposals differ on these examples but they show what lawmakers
have in mind. Their intent is to include every project where a company
is involved in any way. And we all know that without company sponsorship
a lot of projects could not exist. Luca might state that "Mere
employment of a developer is not enough to make an open source software
a commercial product available on the market" but the parliament's
proposal explicitly says the opposite (if the developer has control,
i.e. merge permission). It doesn't help making blanket statements
without reading *all* proposals first.
There is even an unofficial 4th proposal circulating behind closed
doors, that tries to ditch the commercial/non-commercial differentiation
and goes off in a completely different direction (that will target every
project that has a backing organisation - Debian has one). It is all
still in flow.
I cited the Parliaments proposal that says: "Accepting donations without
the intention of making a profit should not count as a commercial
activity, unless such donations are made by commercial entities and are
recurring in nature." which clearly states that recurrent donations by
companies make a software commercial. But Aigar still claims that
"accepting donations does not fall into any of those examples."
What Aigar writes is what we would like to have (and what we are
lobbying for) but not what the EU presently wants and not what's written
in all proposals.
It is not helpful to read legal texts with your own interpretation and
your own wishes in mind. Aigar and Luca are writing what they think is
reasonable (and I mostly agree) and what they gather from one of the
texts (and my hope is that that will be the outcome) but at the moment
that is not the consensus among EU legislators. This is why I want
Debian to make a statement. We need to argue against the dangerous
proposals - which are there and I cited some of them. Ignoring the bad
proposals by only reading the stuff that suits you does not help.
My intention with this resolution is not to damn CRA. A lot of things
required by CRA are correct and are done anyway by almost all free
software projects (certainly by Debian). My intention is to give support
to those organisations that are trying to push CRA in the right
direction, notably EDRI and OFE (these are the ones I know of).
"Lobbying" is an integral part of EU law making and we should use it
like everybody else does.
Please also note that cloud services like Azure are not affected by CRA,
that's NIS2. If you are familiar with European legislation you will know
that.
Ilu
On 12.11.23 at 18:35, Ilulu wrote:
On 12.11.23 at 18:09, Luca Boccassi wrote:
> We do know whether something is commercial or not though ...
I sincerely doubt that. Just to illustrate this I'm citing a part (only
a part) of one of the regulation drafts which are presently considered
in trilogue.
"(10) Only free and open-source made available on the market in the
course of a commercial activity should be covered by this Regulation.
Whether a free and open-source product has been made available as part
of a commercial activity should be assessed on a product-by-product
basis, looking at both the development model and the supply phase of the
free and open-source product with digital elements.
(10a) For example, a fully decentralised development model, where no
single commercial entity exercises control over what is accepted into
the project’s code base, should be taken as an indication that the
product has been developed in a non-commercial setting. On the other
hand, where free and open source software is developed by a single
organisation or an asymmetric community, where a single organisation is
generating revenues from related use in business relationships, this
should be considered to be a commercial activity. Similarly, where the
main contributors to free and open-source projects are developers
employed by commercial entities and when such developers or the employer
can exercise control as to which modifications are accepted in the code
base, the project should generally be considered to be of a commercial
nature.
(10b) With regards to the supply phase, in the context of free and
open-source software, a commercial activity might be characterized not
only by charging a price for a product, but also by charging a price for
technical support services, when this does not serve only the
recuperation of actual costs, by providing a software platform through
which the manufacturer monetises other services, or by the use of
personal data for reasons other than exclusively for improving the
security, compatibility or interoperability of the software. Accepting
donations without the intention of making a profit should not
count as a commercial activity, unless such donations are made by
commercial entities and are recurring in nature."
On 12.11.23 at 18:17, Scott Kitterman wrote:
> Then I would encourage you to do a bit of research on the topic.
Given the definitions being used in the proposal, Debian and most, if
not all, of its upstreams are squarely within the realm of affected
software. If this is passed, I am seriously considering ceasing all
free software work, because it's not at all clear it's possible to avoid
legal liability for things that I can't reasonably control as a single
developer.
Exactly.
Ilu
On 12.11.23 at 18:09, Luca Boccassi wrote:
On Sun, 12 Nov 2023 at 15:10, Santiago Ruano Rincón
<santiagorr@riseup.net> wrote:
Dear Debian Fellows,
Following the email sent by Ilu to debian-project (Message-ID:
<4b93ed08-f148-4c7f-b172-f967f7de7e4d@gmx.net>), and as we have
discussed during the MiniDebConf UY 2023 with other Debian Members, I
would like to call for a vote about issuing a Debian public statement
regarding the EU Cyber Resilience Act (CRA) and the Product Liability
Directive (PLD). The CRA is in the final stage in the legislative
process in the EU Parliament, and we think it will impact negatively
the Debian Project, users, developers, companies that rely on Debian,
and the FLOSS community as a whole. Even if the CRA will be probably
adopted before the time the vote ends (if it takes place), we think it
is important to take a public stand about it.
----- GENERAL RESOLUTION STARTS -----
Debian Public Statement about the EU Cyber Resilience Act and the
Product Liability Directive
The European Union is currently preparing a regulation "on horizontal
cybersecurity requirements for products with digital elements" known as
the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
phase of the legislative process. The act includes a set of essential
cybersecurity and vulnerability handling requirements for manufacturers.
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
assessments and produce technical documentation and for critical
components, have third-party audits conducted. Discovered security
issues will have to be reported to European authorities within 24 hours
(1). The CRA will be followed up by the Product Liability Directive
(PLD) which will introduce compulsory liability for software. More
information about the proposed legislation and its consequences in (2).
These all seem like good things to me. For too long private
corporations have been allowed to put profit before accountability and
user safety, which often results in long lasting damage for citizens,
monetary or worse. It's about time the wild-west was reined in.
While a lot of these regulations seem reasonable, the Debian project
believes that there are grave problems for Free Software projects
attached to them. Therefore, the Debian project issues the following
statement:
1. Free Software has always been a gift, freely given to society, to
take and to use as seen fit, for whatever purpose. Free Software has
proven to be an asset in our digital age and the proposed EU Cyber
Resilience Act is going to be detrimental to it.
a. It is Debian's goal to "make the best system we can, so that
free works will be widely distributed and used." Imposing requirements
such as those proposed in the act makes it legally perilous for others
to redistribute our works and endangers our commitment to "provide an
integrated system of high-quality materials _with no legal restrictions_
that would prevent such uses of the system". (3)
Debian does not sell products in the single market. Why would any
requirement be imposed, how, and on whom? SPI? Debian France?
b. Knowing whether software is commercial or not isn't feasible,
neither in Debian nor in most free software projects - we don't track
people's employment status or history, nor do we check who finances
upstream projects.
We do know whether something is commercial or not though - for
example, we don't have to provide Debian with warranty to our users,
because we know publishing images on debian.org is not a commercial
activity.
The second statement I find hard to follow, what would employment
status have to do with this?
c. If upstream projects stop developing for fear of being in the
scope of CRA and its financial consequences, system security will
actually get worse instead of better.
Why would projects stop developing? If it's a product sold on the
single market, then it's right that it is subject to these rules. If
it's not a product, then these rules don't affect it, just like rules
on warranties.
d. Having to get legal advice before giving a present to
society
will discourage many developers, especially those without a
company or
other organisation supporting them.
Same as above. If you are not selling anything, why would you need
legal advice, any more than you already do? The EU Single Market has
many, many rules, this is not the first and won't be the last.
2. Debian is well known for its security track record through practices
of responsible disclosure and coordination with upstream developers and
other Free Software projects. We aim to live up to the commitment made
in the Social Contract: "We will not hide problems." (3)
a. The Free Software community has developed a fine-tuned, well
working system of responsible disclosure in case of security issues
which will be overturned by the mandatory reporting to European
authorities within 24 hours (Art. 11 CRA).
Well, actually the CVE system has a lot of critics - see recent LWN
articles for some examples. So a public authority taking over from
Mitre and other private companies doesn't sound so horrible to me, in
principle - devil's in the details of course.
b. Debian spends a lot of volunteering time on security issues,
provides quick security updates and works closely together with upstream
projects, in coordination with other vendors. To protect its users,
Debian regularly participates in limited embargos to coordinate fixes to
security issues so that all other major Linux distributions can also
have a complete fix when the vulnerability is disclosed.
c. Security issue tracking and remediation is intentionally
decentralized and distributed. The reporting of security issues to
ENISA and the intended propagation to other authorities and national
administrations would collect all software vulnerabilities in one place,
greatly increasing the risk of leaking information about vulnerabilities
to threat actors, representing a threat for all the users around the
world, including European citizens.
This already happens with CVEs though? By a private, unaccountable,
for profit corporation.
d. Activists use Debian (e.g. through derivatives such as Tails),
among other reasons, to protect themselves from authoritarian
governments; handing threat actors exploits they can use for oppression
is against what Debian stands for.
Again, I don't see how this is any different than the status quo.
e. Developers and companies will downplay security issues because
a "security" issue now comes with legal implications. Less clarity on
what is truly a security issue will hurt users by leaving them
vulnerable.
Companies already routinely downplay or outright neglect security
issues in their products. It seems the intent of the legislation is to
try and fix precisely that. One might be skeptical on the ability of
the proposed legislation to improve the situation, of course, but
that's a different story.
3. While proprietary software is developed behind closed doors, Free
Software development is done in the open, transparent for everyone. To
keep even with proprietary software the open development process needs
to be entirely exempt from CRA requirements, just as the development of
software in private is. A "making available on the market" can only be
considered after development is finished and the software is released.
4. Even if only "commercial activities" are in the scope of CRA, the
Free Software community - and as a consequence, everybody - will lose a
lot of small projects. CRA will force many small enterprises and most
probably all self-employed developers out of business because they
simply cannot fulfill the requirements imposed by CRA. Debian and other
Linux distributions depend on their work. It is not understandable why
the EU aims to cripple not only an established community but also a
thriving market. CRA needs an exemption for small businesses and, at the
very least, solo-entrepreneurs.
To be brutally honest, if some private corporations' viability depends
on being able to ignore glaring security issues that can harm their
users, then I for one am all for them going out of business. Just like
if a company's existence relies on the ability to breach privacy with
impunity and is hampered by the GDPR, and so on.
To do a reductio ad absurdum to illustrate my point, if a free
software project's existence depended exclusively on an oil&gas
corporation being able to pollute the environment and worsen climate
change with impunity because the author is employed there, would it be
worth it? The answer for me is categorically no. Especially given it's
free software! The whole point of it is that someone else can maintain
it, or the author can find a different source of income, and the
project can continue - it's free, it's by definition not locked in one
corporation.
All in all, given how the situation is explained here, I do not
understand where the issue is, for us as a project or as free software
developers. I do not see any convincing argument at all as to why this
is detrimental to Debian or free software, and the only link that is
made is tenuous at best: maybe some free software developer is also
employed by a company who is negatively affected by this. There are
many, many things that can negatively affect anyone's employer, I do
not see why, by itself, this should warrant a project statement.
made is tenuous at best: maybe some free software developer is also
employed by a company who is negatively affected by this. There are
many, many things that can negatively affect anyone's employer, I do
not see why, by itself, this should warrant a project statement.
b. Knowing whether software is commercial or not isn't feasible,
neither in Debian nor in most free software projects - we don't track
people's employment status or history, nor do we check who finances
upstream projects.
c. If upstream projects stop developing for fear of being in the
scope of CRA and its financial consequences, system security will
actually get worse instead of better.
d. Having to get legal advice before giving a present to society
will discourage many developers, especially those without a company or
other organisation supporting them.
2. Debian is well known for its security track record through practices
of responsible disclosure and coordination with upstream developers and
other Free Software projects. We aim to live up to the commitment made
in the Social Contract: "We will not hide problems." (3)
a. The Free Software community has developed a fine-tuned, well
working system of responsible disclosure in case of security issues
which will be overturned by the mandatory reporting to European
authorities within 24 hours (Art. 11 CRA).
c. Security issue tracking and remediation is intentionally
decentralized and distributed. The reporting of security issues to
ENISA and the intended propagation to other authorities and national
administrations would collect all software vulnerabilities in one place,
greatly increasing the risk of leaking information about vulnerabilities
to threat actors, representing a threat for all the users around the
world, including European citizens.
d. Activists use Debian (e.g. through derivatives such as Tails),
among other reasons, to protect themselves from authoritarian
governments; handing threat actors exploits they can use for oppression
is against what Debian stands for.
3. While proprietary software is developed behind closed doors, Free
Software development is done in the open, transparent for everyone. To
keep even with proprietary software the open development process needs
to be entirely exempt from CRA requirements, just as the development of
software in private is. A "making available on the market" can only be
considered after development is finished and the software is released.
Just to be clear: I also do agree with the main intention of the
proposal, what I do not like is that the current draft wording might
backfire on us.
Hi,
On 11/15/23 15:22, Lucas Nussbaum wrote:
The Debian project however notes that not enough emphasis has been
employed in all parts of these regulations to clearly exonerate Free
and Open Source Software Projects from being subject to the same
liabilities as commercial products
I find this part a bit ambiguous. When GitLab or Proxmox or RedHat sells services around a free software product, I think it's OK if they are covered by this regulation. Maybe it would be better with s/Projects/Organizations/?
That is exactly why I think this is dangerous: I want GitLab and Proxmox
to be responsible for what they release, but it is very difficult to
draw a line between their offering and what Microsoft is doing by paying
for systemd development while they are also selling Azure cloud.
On 15/11/23 at 00:49 +0000, Luca Boccassi wrote:
What do you think? Here's what I came up with:
Hi,
FWIW, I would likely second something along those lines. Some comments:
The Debian project however notes that not enough emphasis has been
employed in all parts of these regulations to clearly exonerate Free
and Open Source Software Projects from being subject to the same
liabilities as commercial products
I find this part a bit ambiguous. When GitLab or Proxmox or RedHat sells services around a free software product, I think it's OK if they are
covered by this regulation. Maybe it would be better with s/Projects/Organizations/?
Maybe we should underline specific borderline situations where the
impact of the regulation would be unclear?
, which has caused uncertainty and
worry among Free and Open Source Software developers and stakeholders.
Therefore, the Debian project requests the legislators to enhance the
(minor) s/requests/asks/? (can we request the legislators?)
On Sun, 2023-11-12 at 12:10 -0300, Santiago Ruano Rincón wrote:
Hi Santiago,
It seems clear that there is a lot of interest in the project to
express a position on this matter. But as mentioned in the thread by
myself and others, I find some of the specifics of the text a bit
problematic - and some of the responses it elicited even more so.
So, I'd like to propose an alternative text, that uses a very similar preamble and still expresses a strong request to the legislators to
protect the interests of FOSS and its contributors and clarify any
issue, grey area or confusion that might be present in the current
texts, and put it beyond any reasonable doubt that FOSS projects can
continue working as they have, while at the same time supporting the
spirit of the law and its goal to improve the abysmal landscape of
software security in commercial products.
What do you think? Here's what I came up with:
----- GENERAL RESOLUTION STARTS -----
Debian Public Statement about the EU Cyber Resilience Act and the
Product Liability Directive
The European Union is currently preparing a regulation "on horizontal
cybersecurity requirements for products with digital elements" known as
the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
phase of the legislative process. The act includes a set of essential
cybersecurity and vulnerability handling requirements for manufacturers.
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
assessments and produce technical documentation and for critical
components, have third-party audits conducted. Security issues under
active exploitation will have to be reported to European authorities
within 24 hours (1). The CRA will be followed up by an update to the
existing Product Liability Directive (PLD) which, among other things,
will introduce the requirement for products on the market using software
to be able to receive updates to address security vulnerabilities.
Given the current state of the electronics and computing devices market,
constellated with too many irresponsible vendors (largely employing
proprietary software) not taking enough precautions to ensure and
maintain the security of their products, resulting in grave issues such
as the plague of ransomware (that, among other things, has often caused
public services to be severely hampered or shut down entirely, across
the European Union and beyond, to the detriment of its citizens), the
Debian project welcomes this initiative and supports its spirit and
intent.
The Debian project believes Free and Open Source Software Projects to be
very well positioned to respond to modern challenges around security and
accountability that these regulations aim to improve for products
commercialized on the Single Market. Debian is well known for its
security track record through practices of responsible disclosure and
coordination with upstream developers and other Free and Open Source
Software projects. The project aims to live up to the commitment made in
the Debian Social Contract: "We will not hide problems." (2)
The Debian project welcomes the attempt of the legislators to ensure
that the development of Free and Open Source Software is not negatively
affected by these regulations, as clearly expressed by the European
Commission in response to stakeholders' requests (1) and as stated in
Recital 10 of the preamble to the CRA:
'In order not to hamper innovation or research, free and open-source
software developed or supplied outside the course of a commercial
activity should not be covered by this Regulation.'
The Debian project however notes that not enough emphasis has been
employed in all parts of these regulations to clearly exonerate Free
and Open Source Software Projects from being subject to the same
liabilities as commercial products, which has caused uncertainty and
worry among Free and Open Source Software developers and stakeholders.
Therefore, the Debian project requests the legislators to enhance the
text of these regulations to clarify beyond any reasonable doubt that
Free and Open Source Software developers and contributors are not going
to be treated as commercial vendors, with special emphasis on
clarifying grey areas such as donations and contributions from
commercial companies. It is fundamental for the interests of the
European Union itself that Free and Open Source Software development
can continue to thrive and produce high quality software components,
applications and operating systems, and this can only happen if Free
and Open Source Software developers and contributors can continue to
work on these projects as they have been doing before these new
regulations, without being encumbered by legal requirements that are
only appropriate for commercial companies and enterprises.
==========================================================================
Sources:
(1) CRA proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
PLD proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
Response from the European Commission to a question from the European Parliament on FOSS awareness:
https://www.europarl.europa.eu/doceo/document/E-9-2023-002473-ASW_EN.html
(2) Debian Social Contract No. 2, 3 and 4
https://www.debian.org/social_contract
----- GENERAL RESOLUTION ENDS -----
On Wed, 15 Nov 2023 at 06:23, Lucas Nussbaum <lucas@debian.org> wrote:
On 15/11/23 at 00:49 +0000, Luca Boccassi wrote:
What do you think? Here's what I came up with:
Hi,
FWIW, I would likely second something along those lines. Some comments:
The Debian project however notes that not enough emphasis has been
employed in all parts of these regulations to clearly exonerate Free
and Open Source Software Projects from being subject to the same
liabilities as commercial products
I find this part a bit ambiguous. When GitLab or Proxmox or RedHat sells services around a free software product, I think it's OK if they are covered by this regulation. Maybe it would be better with s/Projects/Organizations/?
Maybe we should underline specific borderline situations where the
impact of the regulation would be unclear?
I think the two paragraphs are clearer than that already when taken
together, especially the last bit which essentially boils down to "let
us continue to do what we are doing and go after vendors instead
kkthxbye", but what about this rewording:
The Debian project however notes that not enough emphasis has been
employed in all parts of these regulations to clearly exonerate Free
and Open Source Software developers and maintainers from being subject
to the same liabilities as commercial vendors, which has caused
uncertainty and worry among such stakeholders.
Therefore, the Debian project asks the legislators to enhance the
text of these regulations to clarify beyond any reasonable doubt that
Free and Open Source Software developers and contributors are not going
to be treated as commercial vendors in the exercise of their duties when merely developing and publishing Free and Open Source Software, with
special emphasis on clarifying grey areas, such as donations,
contributions from commercial companies and developing Free and Open
Source Software that may be later commercialised by a
commercial vendor. It is fundamental for the interests of the
European Union itself that Free and Open Source Software development
can continue to thrive and produce high quality software components, applications and operating systems, and this can only happen if Free
and Open Source Software developers and contributors can continue to
work on these projects as they have been doing before these new
regulations, without being encumbered by legal requirements that are
only appropriate for commercial companies and enterprises.
On 15/11/23 at 00:49, Luca Boccassi wrote:
On Sun, 2023-11-12 at 12:10 -0300, Santiago Ruano Rincón wrote:
Dear Debian Fellows,
Following the email sent by Ilu to debian-project (Message-ID: <4b93ed08-f148-4c7f-b172-f967f7de7e4d@gmx.net>), and as we have
discussed during the MiniDebConf UY 2023 with other Debian Members, I would like to call for a vote about issuing a Debian public statement regarding
the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD). The CRA is in the final stage in the legislative process in the
EU Parliament, and we think it will impact negatively the Debian
Project, users, developers, companies that rely on Debian, and the FLOSS community as a whole. Even if the CRA will be probably adopted before
the time the vote ends (if it takes place), we think it is important to take a public stand about it.
Hi Santiago,
Hello Luca
It seems clear that there is a lot of interest in the project to
express a position on this matter. But as mentioned in the thread by
myself and others, I find some of the specifics of the text a bit problematic - and some of the responses it elicited even more so.
So, I'd like to propose an alternative text, that uses a very similar preamble and still expresses a strong request to the legislators to
protect the interests of FOSS and its contributors and clarify any
issue, grey area or confusion that might be present in the current
texts, and put it beyond any reasonable doubt that FOSS projects can continue working as they have, while at the same time supporting the
spirit of the law and its goal to improve the abysmal landscape of
software security in commercial products.
What do you think? Here's what I came up with:
----- GENERAL RESOLUTION STARTS -----
Debian Public Statement about the EU Cyber Resilience Act and the
Product Liability Directive
The European Union is currently preparing a regulation "on horizontal
cybersecurity requirements for products with digital elements" known as
the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
phase of the legislative process. The act includes a set of essential
cybersecurity and vulnerability handling requirements for manufacturers.
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
assessments and produce technical documentation and for critical
components, have third-party audits conducted. Security issues under
active exploitation will have to be reported to European authorities
within 24 hours (1). The CRA will be followed up by an update to the
existing Product Liability Directive (PLD) which, among other things,
will introduce the requirement for products on the market using software
to be able to receive updates to address security vulnerabilities.
Given the current state of the electronics and computing devices market,
constellated with too many irresponsible vendors (largely employing
proprietary software) not taking enough precautions to ensure and
maintain the security of their products, resulting in grave issues such
as the plague of ransomware (that, among other things, has often caused
public services to be severely hampered or shut down entirely, across
the European Union and beyond, to the detriment of its citizens), the
Debian project welcomes this initiative and supports its spirit and
intent.
I don't feel comfortable with most of the above paragraph. Where is the
value in kind-of-finger-pointing proprietary software?
The Debian project believes Free and Open Source Software Projects to be
very well positioned to respond to modern challenges around security and
accountability that these regulations aim to improve for products
commercialized on the Single Market. Debian is well known for its
security track record through practices of responsible disclosure and
coordination with upstream developers and other Free and Open Source
Software projects. The project aims to live up to the commitment made in
the Debian Social Contract: "We will not hide problems." (2)
The Debian project welcomes the attempt of the legislators to ensure
that the development of Free and Open Source Software is not negatively
affected by these regulations, as clearly expressed by the European
Commission in response to stakeholders' requests (1) and as stated in
Recital 10 of the preamble to the CRA:
'In order not to hamper innovation or research, free and open-source
software developed or supplied outside the course of a commercial
activity should not be covered by this Regulation.'
The Debian project however notes that not enough emphasis has been
employed in all parts of these regulations to clearly exonerate Free
and Open Source Software Projects from being subject to the same
liabilities as commercial products, which has caused uncertainty and
worry among Free and Open Source Software developers and stakeholders.
Therefore, the Debian project requests the legislators to enhance the
text of these regulations to clarify beyond any reasonable doubt that
Free and Open Source Software developers and contributors are not going
to be treated as commercial vendors, with special emphasis on
clarifying grey areas such as donations and contributions from
commercial companies. It is fundamental for the interests of the
European Union itself that Free and Open Source Software development
can continue to thrive and produce high quality software components,
applications and operating systems, and this can only happen if Free
and Open Source Software developers and contributors can continue to
work on these projects as they have been doing before these new
regulations, without being encumbered by legal requirements that are
only appropriate for commercial companies and enterprises.
==========================================================================
Sources:
(1) CRA proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
PLD proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
Response from the European Commission to a question from the European Parliament on FOSS awareness:
https://www.europarl.europa.eu/doceo/document/E-9-2023-002473-ASW_EN.html
(2) Debian Social Contract No. 2, 3 and 4
https://www.debian.org/social_contract
----- GENERAL RESOLUTION ENDS -----
Just a quick comment:
IMHO, this proposal doesn't take into account issues with article 11. I
don't think the proposed article helps to increase the security of the
users, whether the vulnerabilities to be reported are known to be
actively exploited or not. And this is for developers/manufacturers
under commercial or non-commercial activities.
Spreading the information about unpatched vulnerabilities among the
agencies of the members of the Union increases the risk of leaks to
malicious actors.
Other than that, given recent history, I would prefer if government
agencies don't get even more data about vulnerabilities that they could exploit.
I find the reporting time limit too short and hard to fulfill for
small-size companies or single developers, and it would also impact the research on security issues as it is currently done.
Moreover, this regulation will likely inspire other countries to apply similar disclosure requirements to their own agencies, increasing even
more the above mentioned risk.
In any case, you are, of course, free to propose an alternative text :-)
On Wed, 15 Nov 2023 at 13:53, Lucas Nussbaum <lucas@debian.org> wrote:
On 15/11/23 at 11:38 +0000, Luca Boccassi wrote:
On Wed, 15 Nov 2023 at 06:23, Lucas Nussbaum <lucas@debian.org> wrote:
On 15/11/23 at 00:49 +0000, Luca Boccassi wrote:
What do you think? Here's what I came up with:
Hi,
FWIW, I would likely second something along those lines. Some comments:
The Debian project however notes that not enough emphasis has been
employed in all parts of these regulations to clearly exonerate Free
and Open Source Software Projects from being subject to the same
liabilities as commercial products
I find this part a bit ambiguous. When GitLab or Proxmox or RedHat sells
services around a free software product, I think it's OK if they are covered by this regulation. Maybe it would be better with s/Projects/Organizations/?
Maybe we should underline specific borderline situations where the impact of the regulation would be unclear?
I think the two paragraphs are clearer than that already when taken together, especially the last bit which essentially boils down to "let
us continue to do what we are doing and go after vendors instead kkthxbye", but what about this rewording:
The Debian project however notes that not enough emphasis has been employed in all parts of these regulations to clearly exonerate Free
and Open Source Software developers and maintainers from being subject
to the same liabilities as commercial vendors, which has caused uncertainty and worry among such stakeholders.
Therefore, the Debian project asks the legislators to enhance the
text of these regulations to clarify beyond any reasonable doubt that Free and Open Source Software developers and contributors are not going to be treated as commercial vendors in the exercise of their duties when merely developing and publishing Free and Open Source Software, with special emphasis on clarifying grey areas, such as donations, contributions from commercial companies and developing Free and Open Source Software that may be later commercialised by a
commercial vendor. It is fundamental for the interests of the
European Union itself that Free and Open Source Software development
can continue to thrive and produce high quality software components, applications and operating systems, and this can only happen if Free
and Open Source Software developers and contributors can continue to
work on these projects as they have been doing before these new regulations, without being encumbered by legal requirements that are
only appropriate for commercial companies and enterprises.
This looks better, thanks!
I wonder if we should have something like "Free software development by
nonprofit organizations" somewhere. I agree that there are many situations
where development happens outside of the context of an NPO, and where
this regulation should not apply. But it might be easier for Debian to
focus on its own context.
How about:
...if Free and Open Source Software developers and contributors can continue to
work on these projects as they have been doing before these new
regulations, especially but not exclusively in the context of
nonprofit organizations,
without being encumbered by legal requirements that are only appropriate for commercial companies and enterprises.
That is exactly why I think this is dangerous: I want GitLab and Proxmox
to be responsible for what they release, but it is very difficult to
draw a line between their offering and what Microsoft is doing by paying
for systemd development while they are also selling Azure cloud.
Why should there be a borderline between that? Microsoft has to be responsible
for what they are selling in the Azure cloud (pre-defined images),
regardless of
the systemd developer work.
That would also be a consistent position: "as long as the source code is public under a DFSG-compliant license, the open source exemption should
apply even to works produced for commercial gain."
However, I do not think the EU wants an exemption this broad, which is
why I see a risk that this threatens the model that systemd is currently developed under.
From my personal perspective on systemd, I don't care much, but with my Debian hat on I think that would be pretty disruptive.
On Mon, 13 Nov 2023 at 15:51, Lisandro Damián Nicanor Pérez Meyer < perezmeyer@gmail.com> wrote:
On Mon, 13 Nov 2023 at 11:50, Aigars Mahinovs <aigarius@gmail.com> wrote:
Whether accepting donations *in general* makes your activity in providing
software a "commercial activity" in the context of this directive proposal
is not really a supported notion in the text. There are a few specific
examples of what does make a "commercial activity" in point 10, but none
of those examples directly apply to general donations to a project or person.
I am not mixing, I think the current wording does not _exactly_ says
so, leaving a door open for abuse.
The current wording does say what is commercial activity and accepting donations does not fall into any of those examples.
But EFF, among others, does mention that it would be more comforting if accepting donations was explicitly highlighted as an example of
activity that clearly falls outside of the commercial activity definition.
--
Best regards,
Aigars Mahinovs
On Sun, Nov 12, 2023 at 12:10:21PM -0300, Santiago Ruano Rincón wrote:
Dear Debian Fellows,
Following the email sent by Ilu to debian-project (Message-ID: <4b93ed08-f148-4c7f-b172-f967f7de7e4d@gmx.net>), and as we have
discussed during the MiniDebConf UY 2023 with other Debian Members, I
would like to call for a vote about issuing a Debian public statement regarding
the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD). The CRA is in the final stage in the legislative process in the
EU Parliament, and we think it will impact negatively the Debian
Project, users, developers, companies that rely on Debian, and the FLOSS community as a whole. Even if the CRA will be probably adopted before
the time the vote ends (if it takes place), we think it is important to take a public stand about it.
----- GENERAL RESOLUTION STARTS -----
Debian Public Statement about the EU Cyber Resilience Act and the
Product Liability Directive
The European Union is currently preparing a regulation "on horizontal
cybersecurity requirements for products with digital elements" known as
the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
phase of the legislative process. The act includes a set of essential
cybersecurity and vulnerability handling requirements for manufacturers.
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
assessments and produce technical documentation and for critical
components, have third-party audits conducted. Discovered security
issues will have to be reported to European authorities within 24 hours
(1). The CRA will be followed up by the Product Liability Directive
(PLD) which will introduce compulsory liability for software. More
information about the proposed legislation and its consequences in (2).
While a lot of these regulations seem reasonable, the Debian project
believes that there are grave problems for Free Software projects
attached to them. Therefore, the Debian project issues the following
statement:
1. Free Software has always been a gift, freely given to society, to
take and to use as seen fit, for whatever purpose. Free Software has
proven to be an asset in our digital age and the proposed EU Cyber
Resilience Act is going to be detrimental to it.
a. It is Debian's goal to "make the best system we can, so that
free works will be widely distributed and used." Imposing requirements
such as those proposed in the act makes it legally perilous for others
to redistribute our works and endangers our commitment to "provide an
integrated system of high-quality materials _with no legal restrictions_
that would prevent such uses of the system". (3)
b. Knowing whether software is commercial or not isn't feasible,
neither in Debian nor in most free software projects - we don't track
people's employment status or history, nor do we check who finances
upstream projects.
c. If upstream projects stop developing for fear of being in the
scope of CRA and its financial consequences, system security will
actually get worse instead of better.
d. Having to get legal advice before giving a present to society
will discourage many developers, especially those without a company or
other organisation supporting them.
2. Debian is well known for its security track record through practices
of responsible disclosure and coordination with upstream developers and
other Free Software projects. We aim to live up to the commitment made
in the Social Contract: "We will not hide problems." (3)
a. The Free Software community has developed a fine-tuned, well
working system of responsible disclosure in case of security issues
which will be overturned by the mandatory reporting to European
authorities within 24 hours (Art. 11 CRA).
b. Debian spends a lot of volunteering time on security issues,
provides quick security updates and works closely together with upstream
projects, in coordination with other vendors. To protect its users,
Debian regularly participates in limited embargos to coordinate fixes to
security issues so that all other major Linux distributions can also
have a complete fix when the vulnerability is disclosed.
c. Security issue tracking and remediation is intentionally
decentralized and distributed. The reporting of security issues to
ENISA and the intended propagation to other authorities and national
administrations would collect all software vulnerabilities in one place,
greatly increasing the risk of leaking information about vulnerabilities
to threat actors, representing a threat for all the users around the
world, including European citizens.
d. Activists use Debian (e.g. through derivatives such as Tails),
among other reasons, to protect themselves from authoritarian
governments; handing threat actors exploits they can use for oppression
is against what Debian stands for.
e. Developers and companies will downplay security issues because
a "security" issue now comes with legal implications. Less clarity on
what is truly a security issue will hurt users by leaving them vulnerable.
3. While proprietary software is developed behind closed doors, Free
Software development is done in the open, transparent for everyone. To
keep even with proprietary software the open development process needs
to be entirely exempt from CRA requirements, just as the development of
software in private is. A "making available on the market" can only be
considered after development is finished and the software is released.
4. Even if only "commercial activities" are in the scope of CRA, the
Free Software community - and as a consequence, everybody - will lose a
lot of small projects. CRA will force many small enterprises and most
probably all self employed developers out of business because they
simply cannot fulfil the requirements imposed by CRA. Debian and other
Linux distributions depend on their work. It is not understandable why
the EU aims to cripple not only an established community but also a
thriving market. CRA needs an exemption for small businesses and, at the
very least, solo-entrepreneurs.
==========================================================================
Sources:
(1) CRA proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
PLD proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
(2) Background information:
https://blog.documentfoundation.org/blog/2023/01/24/tdf-position-on-eus-proposed-cyber-resilience-act/
https://blogs.eclipse.org/post/mike-milinkovich/european-cyber-resilience-act-potential-impact-eclipse-foundation
https://labs.ripe.net/author/maarten-aertsen/open-source-software-vs-the-proposed-cyber-resilience-act/
https://blog.opensource.org/author/webmink/
Detailed analysis: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services/F3376542_en
(3) Debian Social Contract No. 2, 3 and 4
https://www.debian.org/social_contract
----- GENERAL RESOLUTION ENDS -----
Cheers,
-- Santiago
"Bart" == Bart Martens <bartm@debian.org> writes:
Bart> On Wed, Nov 15, 2023 at 02:52:31PM +0100, Lucas Nussbaum wrote:
>> I wonder if we should have something like "Free software
>> development by nonprofit organizations" somewhere.
Bart> Are we now drawing a line between profit and nonprofit? In my
Bart> view, with Free Software it should not matter who produces,
Bart> publishes or uses the software, in commercial or nonprofit
Bart> context. That is, in my view, an essential element of the
Bart> continuous growth and success of Free Software. This should be
Bart> the main message if Debian would make a public statement in
Bart> this context. Debian should not try to fix the EU text by
Bart> defining which categories of contributors are to be
Bart> protected. On the contrary, we should aim at keeping the
Bart> existing freedoms for anyone alike, including commercial
Bart> companies. That is also publishing open source software under
Bart> licenses with the usual disclaimers of liabilities.
I think that when your practices can be best described as monetizing
your customers, or monetizing the users of your open-source software,
then you have extended beyond the free-software ethos, and I think
commercial liability makes sense.
So let's consider some situations.
* A commercial company writes free software. Should they have liability
to someone who grabs that software uses it unrelated to that company's
business and they never make money from that person? Example: A large
company makes a useful library that they and others use; the library
is ancillary to their business; they do not provide support for the
library.
I'd generally say that the commercial company is writing free software
and I agree that Debian should support the idea they should have all
the protections of anyone writing free software.
* A commercial company writes free-software that for all practical
purposes can be used only for access to their proprietary web
service. I'd rather not allow arguments about whether a flaw is on
the web service side or the client API side to be used to help the
company get out of liability to their customers/users.
* A company writes software. They sell support for that software. They
have a track record of being bad about providing security updates to
people who do not pay for support; it is hinted that this helps them
drive support revenue.
I think they should be in the same boat as any company giving software
away for free and also selling support. I.E. the fact that the source
is available should not in this instance help them escape liability.
Whether not giving away security updates for free should be considered
good business or a social evil seems like a debate for another forum,
but I don't think open source should be a factor here.
So, there are some cases where I agree with you that the commercial
nature of the company should not matter to free software protection and
other cases where it is a lot less clear to me.
I do think we want to avoid cases where releasing something as free
software or open source increases liability over giving the same
software away for gratis as closed-source.
--Sam
>>"Bart" == Bart Martens <bartm@debian.org> writes:
>> * A commercial company writes free-software that for all
>> practical purposes can be used only for access to their
>> proprietary web service. I'd rather not allow arguments about
>> whether a flaw is on the web service side or the client API side
>> to be used to help the company get out of liability to their
>> customers/users.
Bart> I guess "awscli" is an example of this situation.
Sure, let's say it is.
One could quibble about whether there are alternate implementations of
AWS's API, but for most uses, I'd agree with awscli being an example of
what I'm talking about.
Bart> https://packages.debian.org/sid/awscli
Bart> https://metadata.ftp-master.debian.org/changelogs//main/a/awscli/awscli_2.12.0-1_copyright
Bart> So the EU would hold Amazon liable for damages caused by using
Bart> "awscli", overruling the "without warranties" clause in the
Bart> license. Well, then next time Amazon might choose to only
Bart> provide documentation of the API, without publishing an open
Bart> source example implementation like "awscli". That's a loss for
Bart> foss. It illustrates the value of DFSG 6.
Ah, because the regulations specifically exclude SAAS and so Amazon
doesn't have liability for the API unless they publish software to use
the API?
If that's your point, I certainly understand you better.
If in practice we end up with less open-source software because of
things like that, I agree it would be a negative.
I second adding this version to the vote
On Mon, 20 Nov 2023 at 00:22, Luca Boccassi <bluca@debian.org> wrote:
Second version, taking into account feedback. Looking for seconds at
this point:
Maybe Santiago wants to adopt this text, rather than having 2
options?
Second version, taking into account feedback. Looking for seconds at
this point:
----- GENERAL RESOLUTION STARTS -----
Debian Public Statement about the EU Cyber Resilience Act and the
Product Liability Directive
The European Union is currently preparing a regulation "on horizontal
cybersecurity requirements for products with digital elements" known as
the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
phase of the legislative process. The act includes a set of essential
cybersecurity and vulnerability handling requirements for manufacturers.
It will require products to be accompanied by information and
instructions to the user. Manufacturers will need to perform risk
assessments and produce technical documentation and for critical
components, have third-party audits conducted. Security issues under
active exploitation will have to be reported to European authorities
within 24 hours (1). The CRA will be followed up by an update to the
existing Product Liability Directive (PLD) which, among other things,
will introduce the requirement for products on the market using software
to be able to receive updates to address security vulnerabilities.
Given the current state of the electronics and computing devices market,
constellated with too many irresponsible vendors not taking
enough precautions to ensure and maintain the security of their products,
resulting in grave issues such as the plague of ransomware (that, among
other things, has often caused public services to be severely hampered or
shut down entirely, across the European Union and beyond, to the
detriment of its citizens), the Debian project welcomes this initiative
and supports its spirit and intent.
The Debian project believes Free and Open Source Software Projects to be
very well positioned to respond to modern challenges around security and
accountability that these regulations aim to improve for products
commercialized on the Single Market. Debian is well known for its
security track record through practices of responsible disclosure and
coordination with upstream developers and other Free and Open Source
Software projects. The project aims to live up to the commitment made in
the Debian Social Contract: "We will not hide problems." (2)
The Debian project welcomes the attempt of the legislators to ensure
that the development of Free and Open Source Software is not negatively
affected by these regulations, as clearly expressed by the European
Commission in response to stakeholders' requests (1) and as stated in
Recital 10 of the preamble to the CRA:
'In order not to hamper innovation or research, free and open-source
software developed or supplied outside the course of a commercial
activity should not be covered by this Regulation.'
The Debian project however notes that not enough emphasis has been
employed in all parts of these regulations to clearly exonerate Free
and Open Source Software developers and maintainers from being subject
to the same liabilities as commercial vendors, which has caused
uncertainty and worry among such stakeholders.
Therefore, the Debian project asks the legislators to enhance the
text of these regulations to clarify beyond any reasonable doubt that
Free and Open Source Software developers and contributors are not going
to be treated as commercial vendors in the exercise of their duties when
merely developing and publishing Free and Open Source Software, with
special emphasis on clarifying grey areas, such as donations,
contributions from commercial companies and developing Free and Open
Source Software that may be later commercialised by a commercial vendor.
It is fundamental for the interests of the European Union itself that
Free and Open Source Software development can continue to thrive and
produce high quality software components, applications and operating
systems, and this can only happen if Free and Open Source Software
developers and contributors can continue to work on these projects as
they have been doing before these new regulations, especially but not
exclusively in the context of nonprofit organizations, without being
encumbered by legal requirements that are only appropriate for
commercial companies and enterprises.
==========================================================================
Sources:
(1) CRA proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
PLD proposals and links:
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
Response from the European Commission to a question from the European Parliament on FOSS awareness:
https://www.europarl.europa.eu/doceo/document/E-9-2023-002473-ASW_EN.html
(2) Debian Social Contract No. 2, 3 and 4
https://www.debian.org/social_contract
----- GENERAL RESOLUTION ENDS -----
--
Kind regards,
Luca Boccassi
I second adding this version.
* Luca Boccassi <bluca@debian.org> [231119 23:22]:
Second version, taking into account feedback. Looking for seconds at
this point:
On 11/20/23 00:21, Luca Boccassi wrote:
Second version, taking into account feedback. Looking for seconds at
this point:
Hi,
Thanks a lot for taking the time to word out things this way.
However, I really think this text is being too nice with the EU. The
feeling in short is reading:
- what you did was good
- what you did was good
- what you did was good
- oh, btw, there's room for improvement... it'd be nice if...
That's not at all my feeling about the CRA. I'm once more really unhappy
about EU, I feel like we're getting trapped by big corp and their
lobbying power, and we need to use stronger words.
On Mon, Nov 20, 2023 at 12:40:58AM +0100, Aigars Mahinovs wrote:
I second adding this version to the vote
I'm getting a bad signature on this.
On Mon, 20 Nov 2023 at 00:22, Luca Boccassi <bluca@debian.org> wrote:
Second version, taking into account feedback. Looking for seconds at
this point:
Maybe Santiago wants to adopt this text, rather than having 2 options?
The initial proposal was made collectively, and now I realise I should
have signed with a "On behalf of the Debian fellows in Montevideo". So
it is not only me to decide.
Anyway, IMHO, it is good to have more than one option.
Microsoft was not happy with having to unbundle Bing and Edge from
Windows.
In data martedì 21 novembre 2023 16:13:32 CET, Luca Boccassi ha scritto:
Microsoft was not happy with having to unbundle Bing and Edge from
Windows.
It is still impossible to uninstall edge...
On 11/20/23 00:21, Luca Boccassi wrote:
[...]
Second version, taking into account feedback. Looking for seconds at
this point:
In the absence of something better, I'll still vote for the above...
Cheers,
Thomas Goirand (zigo)
On Tue, Nov 21, 2023 at 09:14:05AM +0100, Thomas Goirand wrote:
I feel like we're getting trapped by big corp and their lobbying
power, and we need to use stronger words.
Probably in a different way. I'd rather prefer Debian to defend the DFSG,
including DFSG 6. If the EU were to draw a line for compulsory liability, then
it should not be between commercial and nonprofit, but rather between FOSS and
non-FOSS. For example, in my opinion "awscli" is FOSS, and the usual liability
disclaimer in FOSS licenses should also be valid for "awscli". This is, in my
understanding, a different opinion than discussed so far, right?
On Wed, 22 Nov 2023 at 09:28, Bart Martens <bartm@debian.org> wrote:
On Tue, Nov 21, 2023 at 09:14:05AM +0100, Thomas Goirand wrote:
I feel like we're getting trapped by big corp and their lobbying
power, and we need to use stronger words.
Probably in a different way. I'd rather prefer Debian to defend the DFSG,
including DFSG 6. If the EU were to draw a line for compulsory liability, then
it should not be between commercial and nonprofit, but rather between FOSS and
non-FOSS. For example, in my opinion "awscli" is FOSS, and the usual liability
disclaimer in FOSS licenses should also be valid for "awscli". This is, in my
understanding, a different opinion than discussed so far, right?
That would not be a good outcome. Just because a smartphone ships open
source software, it doesn't mean its vendor should get away with not
providing security updates after a few months, causing the phone
owners to lose their data or worse.
On Wed, Nov 22, 2023 at 06:46:06PM +0000, Luca Boccassi wrote:
On Wed, 22 Nov 2023 at 09:28, Bart Martens <bartm@debian.org> wrote:
On Tue, Nov 21, 2023 at 09:14:05AM +0100, Thomas Goirand wrote:
I feel like we're getting trapped by big corp and their lobbying
power, and we need to use stronger words.
Probably in a different way. I'd rather prefer Debian to defend the DFSG,
including DFSG 6. If the EU were to draw a line for compulsory liability, then
it should not be between commercial and nonprofit, but rather between FOSS and
non-FOSS. For example, in my opinion "awscli" is FOSS, and the usual liability
disclaimer in FOSS licenses should also be valid for "awscli". This is, in my
understanding, a different opinion than discussed so far, right?
That would not be a good outcome. Just because a smartphone ships open
source software, it doesn't mean its vendor should get away with not
providing security updates after a few months, causing the phone
owners to lose their data or worse.
That is a different case. The user of a smartphone depends on the vendor for
keeping the smartphone safe for use during a reasonable time after purchase.
I follow you on that.
On Wed, 22 Nov 2023 at 20:35, Bart Martens <bartm@debian.org> wrote:
On Wed, Nov 22, 2023 at 06:46:06PM +0000, Luca Boccassi wrote:
On Wed, 22 Nov 2023 at 09:28, Bart Martens <bartm@debian.org> wrote:
On Tue, Nov 21, 2023 at 09:14:05AM +0100, Thomas Goirand wrote:
I feel like we're getting trapped by big corp and their lobbying
power, and we need to use stronger words.
Probably in a different way. I'd rather prefer Debian to defend the DFSG,
including DFSG 6. If the EU were to draw a line for compulsory liability, then
it should not be between commercial and nonprofit, but rather between FOSS and
non-FOSS. For example, in my opinion "awscli" is FOSS, and the usual liability
disclaimer in FOSS licenses should also be valid for "awscli". This is, in my
understanding, a different opinion than discussed so far, right?
That would not be a good outcome. Just because a smartphone ships open
source software, it doesn't mean its vendor should get away with not
providing security updates after a few months, causing the phone
owners to lose their data or worse.
That is a different case. The user of a smartphone depends on the vendor for
keeping the smartphone safe for use during a reasonable time after purchase.
I follow you on that.
It's not really different, if you can get out of security maintenance
of some software just because of its license, then it affects any
product using software. That would be quite an obvious loophole to
take advantage of, and that's probably why the distinction in these
regulations is never on the license, but on whether it's a commercial
activity or not.