• Re: (last minute) Question to both candidates: CRA+PLD, similar regulat

    From Andreas Tille@21:1/5 to All on Sat Apr 6 09:50:31 2024
    Hi Santiago,

    Am Fri, Apr 05, 2024 at 03:21:48PM -0300 schrieb santiago:
    ...
    Non-commercial FLOSS products/projects do not have to comply with CRA. However, I think there could be an impact in the industry regarding the adoption and use of Debian.

    What are your thoughts on the subject?

    Should Debian help those commercial downstreams to fulfill the
    requirements?

    I would like to discuss this complex topic with people who are involved
    more deeply in this topic. I consider the current person-power within
    Debian insufficient for taking on additional tasks. Thus, even though
    we may have the intention to assist, the implementation remains
    challenging. I'm uncertain whether commercial downstreams might
    allocate resources towards legal expertise to find ways to adapt the law situation or explore alternative strategies to address this situation.

    Kind regards

    Andreas.

    [CRA] https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html

    Thanks for running for DPL to both of you!

    -- Santiago



    --
    https://fam-tille.de

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Sruthi Chandran@21:1/5 to All on Sat Apr 6 09:52:26 2024
    On 05/04/24 23:51, santiago wrote:
    > Dear DPL candidates,
    >
    > As you may be aware, the EU has adopted a new cybersecurity regulation
    > [CRA] and other countries are following the example. You may also be
    > aware that Debian issued a public statement about it (based on a
    > previous draft version of the regulation) last year.
    >
    > CRA will have an impact on commercial Debian downstreams, specifically
    > on all of those who are placing a Debian-inside product in the EU single
    > market. Part of the requirements rely on data that should be found in
    > every single package integrated by the commercial downstream. And, as of
    > today, part of that data is non existing. E.g.: include (meta)data about
    > the support status upstream (supported, non-supported version, EOS date,
    > ..., required for Article 13 (11)). Also manufacturers are required to
    > "apply effective and regular tests and reviews of the security of the
    > product with digital elements" (Annex I pII (3)).
    >
    > Non-commercial FLOSS products/projects do not have to comply with CRA.
    > However, I think there could be an impact in the industry regarding the
    > adoption and use of Debian.
    >
    > What are your thoughts on the subject?
    >
    > Should Debian help those commercial downstreams to fulfill the
    > requirements?

    Right now I do not have a lot of idea about CRA and its impact, but
    I would say what I think about downstream distros. Since in Debian,
    we do not want to discriminate between commercial and non-commercial
    adaptations, I do think that we should look into the issue and see
    if there is any way that Debian can help out. For this, we need to
    study in detail about CRA, maybe take help from lawyers and explore
    possibilities.

    > [CRA] https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html
    >
    > Thanks for running for DPL to both of you!
    >
    >   -- Santiago
