• (last minute) Question to both candidates: CRA+PLD, similar regulations

    From santiago@21:1/5 to All on Sat Apr 6 09:51:08 2024
    Dear DPL candidates,

    As you may be aware, the EU has adopted a new cybersecurity regulation
    [CRA] and other countries are following the example. You may also be
    aware that Debian issued a public statement about it (based on a
    previous draft version of the regulation) last year.

    CRA will have an impact on commercial Debian downstreams, specifically
    on all of those who are placing a Debian-inside product in the EU single
    market. Part of the requirements rely on data that should be found in
    every single package integrated by the commercial downstream. And, as of
    today, part of that data is nonexistent. E.g.: include (meta)data about
    the support status upstream (supported, non-supported version, EOS date,
    ..., required for Article 13 (11)). Also manufacturers are required to
    "apply effective and regular tests and reviews of the security of the
    product with digital elements" (Annex I pII (3)).

    Non-commercial FLOSS products/projects do not have to comply with CRA.
    However, I think there could be an impact in the industry regarding the
    adoption and use of Debian.

    What are your thoughts on the subject?

    Should Debian help those commercial downstreams to fulfill the
    requirements?

    [CRA] https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html

    Thanks for running for DPL to both of you!

    -- Santiago
