• call for seconds - separate proposal text for 2023/vote_002

    From Bart Martens@21:1/5 to All on Wed Nov 22 19:30:01 2023
    Hello, I hereby welcome seconds for adding this text to 2023/vote_002
    as a separate proposal.

    START OF PROPOSAL TEXT

    Debian Public Statement about the EU Cyber Resilience Act (CRA) and the
    Product Liability Directive (PLD)

    The CRA includes requirements for manufacturers of software, followed
    up by the PLD with compulsory liability for software. The Debian
    project has concerns on the impact on Free and Open-Source Software
    (FOSS).

    The CRA makes the use of FOSS in commercial context more difficult.
    This goes against the philosophy of the Debian project. The Debian
    Free Software Guidelines (DFSG) include "6. No Discrimination Against
    Fields of Endeavor - The license must not restrict anyone from making
    use of the program in a specific field of endeavor." A significant
    part of the success of FOSS is its use in commercial context. It
    should remain possible for anyone to produce, publish and use FOSS,
    without making it harder for commercial entities or for any group of
    FOSS users.

    The compulsory liability as meant in the PLD overrules the usual
    liability disclaimers in FOSS licenses. This makes sharing FOSS with
    the public more legally risky. The compulsory liability makes sense
    for closed-source software, where the users fully depend on the
    manufacturers. With FOSS the users have the option of helping
    themselves with the source code, and/or hiring any consultant on the
    market. The usual liability disclaimers in FOSS licenses should remain
    valid without the risk of being overruled by the PLD.

    The Debian project asks the EU to not draw a line between commercial
    and non-commercial use of FOSS. Such line should instead be between
    closed-source software and FOSS. FOSS should be entirely exempt from
    the CRA and the PLD.

    END OF PROPOSAL TEXT



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From ChangZhuo Chen (陳昌倬)@21:1/5 to Bart Martens on Wed Nov 22 19:40:01 2023
    On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
    Hello, I hereby welcome seconds for adding this text to 2023/vote_002
    as a separate proposal.

    seconded

    --
    ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
    Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B

  • From Bill Allombert@21:1/5 to All on Wed Nov 22 20:40:01 2023
    On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:

    The Debian project asks the EU to not draw a line between commercial
    and non-commercial use of FOSS.

    But the EU already does, all the time, really. This is simply not
    realistic.

    Cheers,
    --
    Bill. <ballombe@debian.org>

    Imagine a large red swirl here.

  • From ChangZhuo Chen (陳昌倬)@21:1/5 to Bart Martens on Wed Nov 22 20:20:01 2023
    On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
    Hello, I hereby welcome seconds for adding this text to 2023/vote_002
    as a separate proposal.

    seconded


    START OF PROPOSAL TEXT

    Debian Public Statement about the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD)

    The CRA includes requirements for manufacturers of software, followed
    up by the PLD with compulsory liability for software. The Debian
    project has concerns on the impact on Free and Open-Source Software
    (FOSS).

    The CRA makes the use of FOSS in commercial context more difficult.
    This goes against the philosophy of the Debian project. The Debian Free Software Guidelines (DFSG) include "6. No Discrimination Against Fields
    of Endeavor - The license must not restrict anyone from making use of
    the program in a specific field of endeavor." A significant part of the success of FOSS is its use in commercial context. It should remain
    possible for anyone to produce, publish and use FOSS, without making it harder for commercial entities or for any group of FOSS users.

    The compulsory liability as meant in the PLD overrules the usual
    liability disclaimers in FOSS licenses. This makes sharing FOSS with
    the public more legally risky. The compulsory liability makes sense for closed-source software, where the users fully depend on the
    manufacturers. With FOSS the users have the option of helping
    themselves with the source code, and/or hiring any consultant on the
    market. The usual liability disclaimers in FOSS licenses should remain
    valid without the risk of being overruled by the PLD.

    The Debian project asks the EU to not draw a line between commercial
    and non-commercial use of FOSS. Such line should instead be between closed-source software and FOSS. FOSS should be entirely exempt from
    the CRA and the PLD.

    END OF PROPOSAL TEXT




    --
    ChangZhuo Chen (陳昌倬) czchen@{czchen,debian}.org
    Key fingerprint = BA04 346D C2E1 FE63 C790 8793 CC65 B0CD EC27 5D5B

  • From Simon Richter@21:1/5 to Bart Martens on Thu Nov 23 08:40:01 2023
    Hi,

    On 23.11.23 03:16, Bart Martens wrote:

    START OF PROPOSAL TEXT

    Debian Public Statement about the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD)

    The CRA includes requirements for manufacturers of software, followed
    up by the PLD with compulsory liability for software. The Debian
    project has concerns on the impact on Free and Open-Source Software
    (FOSS).

    The CRA makes the use of FOSS in commercial context more difficult.
    This goes against the philosophy of the Debian project. The Debian Free Software Guidelines (DFSG) include "6. No Discrimination Against Fields
    of Endeavor - The license must not restrict anyone from making use of
    the program in a specific field of endeavor." A significant part of the success of FOSS is its use in commercial context. It should remain
    possible for anyone to produce, publish and use FOSS, without making it harder for commercial entities or for any group of FOSS users.

    The compulsory liability as meant in the PLD overrules the usual
    liability disclaimers in FOSS licenses. This makes sharing FOSS with
    the public more legally risky. The compulsory liability makes sense for closed-source software, where the users fully depend on the
    manufacturers. With FOSS the users have the option of helping
    themselves with the source code, and/or hiring any consultant on the
    market. The usual liability disclaimers in FOSS licenses should remain
    valid without the risk of being overruled by the PLD.

    The Debian project asks the EU to not draw a line between commercial
    and non-commercial use of FOSS. Such line should instead be between closed-source software and FOSS. FOSS should be entirely exempt from
    the CRA and the PLD.

    END OF PROPOSAL TEXT

    Seconded.

    Simon

  • From Simon Richter@21:1/5 to All on Thu Nov 23 10:10:02 2023
    Hi,

    Since my signature got lost on the way, retrying:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    START OF PROPOSAL TEXT

    Debian Public Statement about the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD)

    The CRA includes requirements for manufacturers of software, followed
    up by the PLD with compulsory liability for software. The Debian
    project has concerns on the impact on Free and Open-Source Software
    (FOSS).

    The CRA makes the use of FOSS in commercial context more difficult.
    This goes against the philosophy of the Debian project. The Debian Free Software Guidelines (DFSG) include "6. No Discrimination Against Fields
    of Endeavor - The license must not restrict anyone from making use of
    the program in a specific field of endeavor." A significant part of the success of FOSS is its use in commercial context. It should remain
    possible for anyone to produce, publish and use FOSS, without making it harder for commercial entities or for any group of FOSS users.

    The compulsory liability as meant in the PLD overrules the usual
    liability disclaimers in FOSS licenses. This makes sharing FOSS with
    the public more legally risky. The compulsory liability makes sense for closed-source software, where the users fully depend on the
    manufacturers. With FOSS the users have the option of helping
    themselves with the source code, and/or hiring any consultant on the
    market. The usual liability disclaimers in FOSS licenses should remain
    valid without the risk of being overruled by the PLD.

    The Debian project asks the EU to not draw a line between commercial
    and non-commercial use of FOSS. Such line should instead be between closed-source software and FOSS. FOSS should be entirely exempt from
    the CRA and the PLD.

    END OF PROPOSAL TEXT

    Seconded.
    -----BEGIN PGP SIGNATURE-----

    iQEzBAEBCgAdFiEEtjuqOJSXmNjSiX3Tfr04e7CZCBEFAmVfE2QACgkQfr04e7CZ CBHWYgf+KO0K7qpGRSRR88nM3YKJ8iRgPVUMM7sSnn+WSpUvcJPmY/tjk9Iqx55Q 72AhS2G/RCrv0YXkY4JUQbP/sg5VUSd+MKhPCPQieutfblEFowYymI65rBWro5J2 lHNTkXhUEEVgmB/KSKo1+iar50zPxssJ5GzCSWLH8vbkQ69tTPFP6LImADUdMdxX i71tbjflzAO4pzwCWhQ9+IKvoxbgPGTJqGHPH16r+cbTNWpHdIncSzGoxT+tE6KT F1ICOZ88BxwpsD5MEPyavQujE2io+4PJEkmjy1vmgK+vqvLsW0WdNOhkVutFtrsa gjXhb9HCD75D7gv11RHfzdgm/ceJCw==
    =xdEd
    -----END PGP SIGNATURE-----

    Simon

  • From Laura Arjona Reina@21:1/5 to All on Thu Nov 23 17:30:01 2023
  • From Kurt Roeckx@21:1/5 to Bart Martens on Fri Nov 24 14:30:02 2023
    On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
    Hello, I hereby welcome seconds for adding this text to 2023/vote_002
    as a separate proposal.

    I'm currently counting 3 seconds for this.


    Kurt

  • From Gunnar Wolf@21:1/5 to All on Fri Nov 24 15:00:02 2023
    Hello Bart,

    Bart Martens said [Wed, Nov 22, 2023 at 07:16:48PM +0100]:
    Hello, I hereby welcome seconds for adding this text to 2023/vote_002
    as a separate proposal.

    Thanks for your contribution to this discussion! As I said in another
    thread, I believe that in a voting system such as the one we use in
    Debian, more versions is unambiguously better, and options should only
    be merged together in the case they are semantically equivalent.

    Debian Public Statement about the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD)

    The CRA includes requirements for manufacturers of software, followed
    up by the PLD with compulsory liability for software. The Debian
    project has concerns on the impact on Free and Open-Source Software
    (FOSS).

    The CRA makes the use of FOSS in commercial context more difficult.
    This goes against the philosophy of the Debian project. The Debian Free Software Guidelines (DFSG) include "6. No Discrimination Against Fields
    of Endeavor - The license must not restrict anyone from making use of
    the program in a specific field of endeavor." A significant part of the success of FOSS is its use in commercial context. It should remain
    possible for anyone to produce, publish and use FOSS, without making it harder for commercial entities or for any group of FOSS users.

    The compulsory liability as meant in the PLD overrules the usual
    liability disclaimers in FOSS licenses. This makes sharing FOSS with
    the public more legally risky. The compulsory liability makes sense for closed-source software, where the users fully depend on the
    manufacturers. With FOSS the users have the option of helping
    themselves with the source code, and/or hiring any consultant on the
    market. The usual liability disclaimers in FOSS licenses should remain
    valid without the risk of being overruled by the PLD.

    The Debian project asks the EU to not draw a line between commercial
    and non-commercial use of FOSS. Such line should instead be between closed-source software and FOSS. FOSS should be entirely exempt from
    the CRA and the PLD.

    My issue with your text is that I read it –bluntly over-abridged– as
    «The CRA+PLD will make it harder to meaningfully develop Debian,
    because we are compelled by our own foundation documents not to
    distinguish between free and commercial. Many people use Debian in
    commercial settings. If you enact this legislation, some of our users
    be at risk of getting in trouble for using our fine intentions for
    their economic benefit, as they will be covered by your
    regulation. Please formally except us fully from your rules!»

    That is, it basically means: "European Parliament/Council: Our
    foundation documents are at unease with the CRA and PLD". That is
    true, but a fair answer from them (if we warrant it!) could be "We
    represent more people and wider interests than yours. Your SC is over
    a quarter of a century old. Update your SC to comply with the changing
    times". Which could even make sense! (although it would make Debian
    stop being Debian!)

    This reading is the main reason I'm not endorsing it, and still prefer
    our original proposal instead.

    Greetings,

    - Gunnar.

  • From Bart Martens@21:1/5 to Gunnar Wolf on Fri Nov 24 22:30:01 2023
    On Fri, Nov 24, 2023 at 07:55:01AM -0600, Gunnar Wolf wrote:
    Hello Bart,

    Hi Gunnar!


    Bart Martens said [Wed, Nov 22, 2023 at 07:16:48PM +0100]:
    Hello, I hereby welcome seconds for adding this text to 2023/vote_002
    as a separate proposal.

    Thanks for your contribution to this discussion!

    And thank you for your feedback.

    As I said in another
    thread, I believe that in a voting system such as the one we use in
    Debian, more versions is unambiguously better, and options should only
    be merged together in the case they are semantically equivalent.

    Debian Public Statement about the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD)

    The CRA includes requirements for manufacturers of software, followed
    up by the PLD with compulsory liability for software. The Debian
    project has concerns on the impact on Free and Open-Source Software
    (FOSS).

    The CRA makes the use of FOSS in commercial context more difficult.
    This goes against the philosophy of the Debian project. The Debian Free Software Guidelines (DFSG) include "6. No Discrimination Against Fields
    of Endeavor - The license must not restrict anyone from making use of
    the program in a specific field of endeavor." A significant part of the success of FOSS is its use in commercial context. It should remain
    possible for anyone to produce, publish and use FOSS, without making it harder for commercial entities or for any group of FOSS users.

    The compulsory liability as meant in the PLD overrules the usual
    liability disclaimers in FOSS licenses. This makes sharing FOSS with
    the public more legally risky. The compulsory liability makes sense for closed-source software, where the users fully depend on the
    manufacturers. With FOSS the users have the option of helping
    themselves with the source code, and/or hiring any consultant on the market. The usual liability disclaimers in FOSS licenses should remain valid without the risk of being overruled by the PLD.

    The Debian project asks the EU to not draw a line between commercial
    and non-commercial use of FOSS. Such line should instead be between closed-source software and FOSS. FOSS should be entirely exempt from
    the CRA and the PLD.

    My issue with your text is that I read it –bluntly over-abridged– as «The CRA+PLD will make it harder to meaningfully develop Debian,
    because we are compelled by our own foundation documents not to
    distinguish between free and commercial. Many people use Debian in commercial settings. If you enact this legislation, some of our users
    be at risk of getting in trouble for using our fine intentions for
    their economic benefit, as they will be covered by your
    regulation. Please formally except us fully from your rules!»

    That is, it basically means: "European Parliament/Council: Our
    foundation documents are at unease with the CRA and PLD".

    That is paraphrasing my proposal rather roughly, but let's focus on the point you want to make.

    That is
    true, but a fair answer from them (if we warrant it!) could be "We
    represent more people and wider interests than yours. Your SC is over
    a quarter of a century old. Update your SC to comply with the changing times". Which could even make sense! (although it would make Debian
    stop being Debian!)

    This reading is the main reason I'm not endorsing it, and still prefer
    our original proposal instead.

    How would such hypothetical answer from the EU matter for preferring one proposal over the other? I'm trying to understand your motive.

    Allow me to point out some weak points in proposal A, motivating me to write my separate proposal.

    - 1.a. The phrase "with no legal restrictions" is incorrect in the sense that
    FOSS uses legal restrictions for keeping it FOSS.

    - 1.b. I read "Knowing whether software is commercial or not". It is, in my
    understanding, about commercial use or non-commercial use.

    - 1.b. Arguing that knowing what's commercial or not isn't feasible implies
    accepting such distinction when the EU can give a practical legal definition.

    - 1.c. Stopping development would not exempt the author from CRA. Stopping the
    commercial use would.

    - 1.d. This somewhat implies accepting CRA requirements for big companies.

    - 2.a. Explaining that the 24h window would disrupt FOSS' well working system
    of responsible disclosures of security issues, implies accepting that the
    FOSS community would be legally required to provide security support.

    - 2.b. Mentioning the efforts Debian is doing on security support in this
    context implies accepting that Debian is required to do so.

    - 2.d. I don't feel comfortable with mentioning that Debian supports activists
    living under oppressive regimes.

    - 2.e. Commercial companies can currently hide security issues in proprietary
    software. One could argue that this is worse than downplaying when reporting.

    - 3. Software development in the open is in fact making unfinished software
    available on the market.

    - 3. Asking to exempt unfinished software being developed in the open, implies
    accepting that it becomes no longer exempt when it's ready for use.

    - 4. This implies, almost states explicitly, accepting CRA requirements for big
    companies.

    I invite you to compare the two proposals on the points listed above. In short, my proposal defends commercial use of FOSS and the usual liability disclaimers in FOSS licenses.

    To be clear, for avoiding misunderstandings, the EU regulation can be a good thing, when it requires manufacturers of closed products to provide security support for the pieces of FOSS they use in their products. Then we're talking about compulsory liability for those closed products as a whole. My focus aims at protecting the liberty of not providing support whenever the users can help themselves with the available source code.

    Has my proposal sufficient seconds by now? If not... you know what to do.

    Cheers,

    Bart



    Greetings,

    - Gunnar.

  • From Holger Levsen@21:1/5 to Bart Martens on Tue Nov 28 13:50:01 2023
    On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:
    Hello, I hereby welcome seconds for adding this text to 2023/vote_002
    as a separate proposal.

    START OF PROPOSAL TEXT

    Debian Public Statement about the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD)

    The CRA includes requirements for manufacturers of software, followed
    up by the PLD with compulsory liability for software. The Debian
    project has concerns on the impact on Free and Open-Source Software
    (FOSS).

    The CRA makes the use of FOSS in commercial context more difficult.
    This goes against the philosophy of the Debian project. The Debian Free Software Guidelines (DFSG) include "6. No Discrimination Against Fields
    of Endeavor - The license must not restrict anyone from making use of
    the program in a specific field of endeavor." A significant part of the success of FOSS is its use in commercial context. It should remain
    possible for anyone to produce, publish and use FOSS, without making it harder for commercial entities or for any group of FOSS users.

    The compulsory liability as meant in the PLD overrules the usual
    liability disclaimers in FOSS licenses. This makes sharing FOSS with
    the public more legally risky. The compulsory liability makes sense for closed-source software, where the users fully depend on the
    manufacturers. With FOSS the users have the option of helping
    themselves with the source code, and/or hiring any consultant on the
    market. The usual liability disclaimers in FOSS licenses should remain
    valid without the risk of being overruled by the PLD.

    The Debian project asks the EU to not draw a line between commercial
    and non-commercial use of FOSS. Such line should instead be between closed-source software and FOSS. FOSS should be entirely exempt from
    the CRA and the PLD.

    END OF PROPOSAL TEXT

    seconded, thank you.


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    The upcoming clima apocalypse is the big elephant in every room now.

  • From Daniel Kahn Gillmor@21:1/5 to Bill Allombert on Thu Nov 30 00:00:01 2023
    On Wed 2023-11-22 19:31:34 +0000, Bill Allombert wrote:
    On Wed, Nov 22, 2023 at 07:16:48PM +0100, Bart Martens wrote:

    The Debian project asks the EU to not draw a line between commercial
    and non-commercial use of FOSS.

    But the EU already does, all the time, really. This is simply not
    realistic.

    Are you saying that the EU draws the line between commercial and
    non-commercial uses of *any* software, generally? Or any business
    process, which happens to sometimes include software?

    Liability rules that apply only for commercial business, whether the
    business deals with software or not, are not at issue here, right?

    If you're saying that there are EU software liability policies, that
    apply strictly to F/LOSS software (not software generally), and which discriminate against fields of endeavor like commercial
    vs. non-commercial, could you point to some examples? I'm quite
    ignorant of EU law, so feel free to point me to obvious examples that
    everyone already knows.

    --dkg
