• Re: recent changes to the CRA address FLOSS community concerns?

    From Jonas Smedegaard@21:1/5 to All on Sat Dec 9 10:00:02 2023
    Quoting Paul Wise (2023-12-09 04:07:45)
    On IRC it was mentioned that there are updates to the CRA that may
    address the concerns of the FLOSS community.

    These blogs have updates at the top:

    https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/

    🥳
    update, december 2023: The concerns expressed in this blog have been
    heard and are being addressed in the final text. If you read on, do
    so because you are interested in historical context, not because
    you seek an understanding of how the CRA will apply in practice.

    https://berthub.eu/articles/posts/eu-cra-best-open-source-security/

    UPDATE: On December 1st the EU agreed on a version of the Cyber
    Resilience Act that appears to have substantially addressed the
    concerns in the post below. Further analysis awaits, but do know
    that the text that follows is now mostly of historical interest!

    Does anyone have any more info about the changes?

    As I understand it, a good source for this is EDRi, but apparently they
    have no news yet about the December 1st decision - I would expect news
    about that to appear here: https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-digitally-resilient/

    - Jonas

    --
    * Jonas Smedegaard - idealist & Internet-arkitekt
    * Tlf.: +45 40843136 Website: http://dr.jones.dk/
    * Sponsorship: https://ko-fi.com/drjones

    [x] quote me freely [ ] ask before reusing [ ] keep private
  • From Ilu@21:1/5 to All on Sat Dec 9 11:50:02 2023
    On 09.12.23 at 04:07 Paul Wise wrote:

    Does anyone have any more info about the changes?

    Yes, I've seen the leaked document. I (and not only I) think NL-labs'
    outlook is too optimistic. It's also necessary to understand that these
    kinds of statements (the "update, december 2023") are also part of the
    political game of give and take.

    The leaked rumor says there have been some improvements, mainly to
    address concerns from big platforms and foundations. Only point 3 from
    vote A has been addressed. Small projects (point 4) and commercial
    endeavours (point 1), like for example Freexian, are still out in the
    rain. The reporting obligations for exploited vulnerabilities (point 2)
    were doubled and so even became worse. PLD hasn't even been touched yet.
    And all this is still only a proposal which needs to be voted on by
    parliament (planned for March 2024).
    After the parliamentary decision the executive authorities will have to
    decide on the provisions for implementation and enforcement. Upcoming
    new standards will play a big role. Lobbying will have to go on and
    support from Debian will still be needed.

    There is also no way and no necessity to adapt the GA text based on
    unofficial rumors since ...

    ... the answer from the EU legislative body will not be to read and
    consider each bullet point we make --- ... the European legislative
    bodies will just see "oh, a biggish project opposes CRA".
    (Gunnar Wolf on 25.11.23 at 16:59)

    And that's all that's necessary.



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bill Allombert@21:1/5 to All on Sat Dec 9 21:40:01 2023
    On Sat, Dec 09, 2023 at 11:41:08AM +0100, Ilu wrote:
    There is also no way and no necessity to adapt the GA text based on unofficial rumors since ...

    ... the answer from the EU legislative body will not be to read and consider each bullet point we make --- ... the European legislative
    bodies will just see "oh, a biggish project opposes CRA".
    (Gunnar Wolf on 25.11.23 at 16:59)

    This is just Gunnar's opinion, not a fact.
    It does not quite make sense for Debian to bet that EU will not read the position statement. This denatures the purpose of this GR.
    If the statement is not meant to be read by the EU, who are the actual recipients? This should have been clearly stated in the ballot.

    Cheers,
    --
    Bill. <ballombe@debian.org>

    Imagine a large red swirl here.

  • From Luca Boccassi@21:1/5 to Florian Weimer on Sat Dec 30 20:40:01 2023
    On Sat, 30 Dec 2023 at 20:25, Florian Weimer <fw@deneb.enyo.de> wrote:

    * Paul Wise:

    Does anyone have any more info about the changes?

    Isn't that the crux of the matter?

    It appears that everyone in the EU political process is withholding
    details, like the concrete text as it exists today. Selective leaks
    are likely manipulative to some extent, perhaps trying to undermine
    the credibility of the legislative process itself, without actually
    caring much about FOSS.

    An objective analysis would need the complete consolidated text,
    including translations. The German version tends to be clearer about what commercial activity is supposed to mean, for example.

    The latest revision was published 10 days ago:

    https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_17000_2023_INIT

  • From Florian Weimer@21:1/5 to All on Sat Dec 30 20:30:01 2023
    * Paul Wise:

    Does anyone have any more info about the changes?

    Isn't that the crux of the matter?

    It appears that everyone in the EU political process is withholding
    details, like the concrete text as it exists today. Selective leaks
    are likely manipulative to some extent, perhaps trying to undermine
    the credibility of the legislative process itself, without actually
    caring much about FOSS.

    An objective analysis would need the complete consolidated text,
    including translations. The German version tends to be clearer about
    what commercial activity is supposed to mean, for example.
