Thanks for the detailed explanation! It had quite a few details that I was not aware of. Expressing the desired position of Debian and of the community *is* useful, especially when there are multiple variants of the legislation that need reconciliation. I was looking at the specific version that I linked to and the language in that version.
But that position should not be a blanket opposition to the legislation or contain overbroad statements. Specific highlights on what activities should not fall into the scope of the directive would be helpful. But beyond that, I have not researched this specific issue enough to recommend specifics. Peculiarly, I am also not against Debian passing the resolution as it stands, because the negotiators in the loop of reconciliation *are* able to use Debian's position to argue for better open source conditions, even if the actual text in the Debian vote *were* far from perfect or accurate. (Which I am not saying it is.)

On Mon, 13 Nov 2023, 17:32 Ilu, <il...@gmx.net> wrote:

> At the moment - as the official proposals are worded now - everything depends on the meaning of the word "commercial". Please note that the proposals have some examples on this as I mentioned before - but each proposal is worded differently.
>
> The software is deemed commercial if
> - the developer is selling services for it
> - developers are employed by a company and can exercise control (= can merge)
> - the project receives donations (depending on how much, how often and from whom)
> - developed by a single organisation or an asymmetric community (whatever that is, ask your lawyer)
> - a single organisation is generating revenues from related use in business relationships (notice the vague word "related")
> - ...
>
> The 3 proposals differ on these examples but they show what lawmakers have in mind. Their intent is to include every project where a company is involved in any way. And we all know that without company sponsorship a lot of projects could not exist. Luca might state that "Mere employment of a developer is not enough to make an open source software a commercial product available on the market" but the parliament's proposal explicitly says the opposite (if the developer has control, i.e. merge permission). It doesn't help making blanket statements without reading *all* proposals first.
>
> There is even an unofficial 4th proposal circulating behind closed doors, that tries to ditch the commercial/non-commercial differentiation and goes off in a completely different direction (that will target every project that has a backing organisation - Debian has one). It is all still in flow.
>
> I cited the Parliament's proposal that says: "Accepting donations without the intention of making a profit should not count as a commercial activity, unless such donations are made by commercial entities and are recurring in nature." which clearly states that recurrent donations by companies make a software commercial. But Aigar still claims that "accepting donations does not fall into any of those examples."
>
> What Aigar writes is what we would like to have (and what we are lobbying for) but not what the EU presently wants and not what's written in all proposals.
>
> It is not helpful to read legal texts with your own interpretation and your own wishes in mind. Aigar and Luca are writing what they think is reasonable (and I mostly agree) and what they gather from one of the texts (and my hope is that that will be the outcome) but at the moment that is not the consensus among EU legislators. This is why I want Debian to make a statement. We need to argue against the dangerous proposals - which are there and I cited some of them. Ignoring the bad proposals by only reading the stuff that suits you does not help.
>
> My intention with this resolution is not to damn CRA. A lot of things required by CRA are correct and are done anyway by almost all free software projects (certainly by Debian). My intention is to give support to those organisations that are trying to push CRA in the right direction, notably EDRI and OFE (these are the ones I know of).
> "Lobbying" is an integral part of EU law making and we should use it like everybody else does.
>
> Please also note that cloud services like Azure are not affected by CRA, that's NIS2. If you are familiar with European legislation you will know that.
>
> Ilu
>
> On 12.11.23 at 18:35, Ilulu wrote:
> > On 12.11.23 at 18:09, Luca Boccassi wrote:
> > > We do know whether something is commercial or not though ...
> >
> > I sincerely doubt that. Just to illustrate this I'm citing a part (only a part) of one of the regulation drafts which are presently considered in trilogue.
> >
> > "(10) Only free and open-source made available on the market in the course of a commercial activity should be covered by this Regulation. Whether a free and open-source product has been made available as part of a commercial activity should be assessed on a product-by-product basis, looking at both the development model and the supply phase of the free and open-source product with digital elements.
> > (10a) For example, a fully decentralised development model, where no single commercial entity exercises control over what is accepted into the project's code base, should be taken as an indication that the product has been developed in a non-commercial setting. On the other hand, where free and open source software is developed by a single organisation or an asymmetric community, where a single organisation is generating revenues from related use in business relationships, this should be considered to be a commercial activity. Similarly, where the main contributors to free and open-source projects are developers employed by commercial entities and when such developers or the employer can exercise control as to which modifications are accepted in the code base, the project should generally be considered to be of a commercial nature.
> > (10b) With regards to the supply phase, in the context of free and open-source software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, when this does not serve only the recuperation of actual costs, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software. Accepting donations without the intention of making a profit should not count as a commercial activity, unless such donations are made by commercial entities and are recurring in nature."
> >
> > On 12.11.23 at 18:17, Scott Kitterman wrote:
> > > Then I would encourage you to do a bit of research on the topic. Given the definitions being used in the proposal, Debian and most, if not all, of its upstreams are squarely within the realm of affected software. If this is passed, I am seriously considering ceasing all free software work, because it's not at all clear it's possible to avoid legal liability for things that I can't reasonably control as a single developer.
> >
> > Exactly.
> >
> > Ilu
> >
> > On 12.11.23 at 18:09, Luca Boccassi wrote:
> >> On Sun, 12 Nov 2023 at 15:10, Santiago Ruano Rincón <santiag...@riseup.net> wrote:
> >>>
> >>> Dear Debian Fellows,
> >>>
> >>> Following the email sent by Ilu to debian-project (Message-ID: <4b93ed08-f148-4c7f-b172-f967f7de7...@gmx.net>), and as we have discussed during the MiniDebConf UY 2023 with other Debian Members, I would like to call for a vote about issuing a Debian public statement regarding the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD).
> >>> The CRA is in the final stage in the legislative process in the EU Parliament, and we think it will impact negatively the Debian Project, users, developers, companies that rely on Debian, and the FLOSS community as a whole. Even if the CRA will be probably adopted before the time the vote ends (if it takes place), we think it is important to take a public stand about it.
> >>>
> >>> ----- GENERAL RESOLUTION STARTS -----
> >>>
> >>> Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive
> >>>
> >>> The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and, for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. More information about the proposed legislation and its consequences in (2).
> >>
> >> These all seem like good things to me. For too long private corporations have been allowed to put profit before accountability and user safety, which often results in long lasting damage for citizens, monetary or worse. It's about time the wild-west was reined in.
> >>
> >>> While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement:
> >>>
> >>> 1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it.
> >>> a. It is Debian's goal to "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our works and endangers our commitment to "provide an integrated system of high-quality materials _with no legal restrictions_ that would prevent such uses of the system". (3)
> >>
> >> Debian does not sell products in the single market. Why would any requirement be imposed, how, and on whom? SPI? Debian France?
> >>
> >>> b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects.
> >>
> >> We do know whether something is commercial or not though - for example, we don't have to provide Debian with warranty to our users, because we know publishing images on debian.org is not a commercial activity.
> >> The second statement I find hard to follow, what would employment status have to do with this?
> >>
> >>> c. If upstream projects stop developing for fear of being in the scope of CRA and its financial consequences, system security will actually get worse instead of better.
> >>
> >> Why would projects stop developing? If it's a product sold on the single market, then it's right that it is subject to these rules. If it's not a product, then these rules don't affect it, just like rules on warranties.
> >>
> >>> d. Having to get legal advice before giving a present to society will discourage many developers, especially those without a company or other organisation supporting them.
> >>
> >> Same as above. If you are not selling anything, why would you need legal advice, any more than you already do? The EU Single Market has many, many rules, this is not the first and won't be the last.
> >>
> >>> 2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Social Contract: "We will not hide problems." (3)
> >>> a. The Free Software community has developed a fine-tuned, well working system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA).
> >>
> >> Well, actually the CVE system has a lot of critics - see recent LWN articles for some examples. So a public authority taking over from Mitre and other private companies doesn't sound so horrible to me, in principle - devil's in the details of course.
> >>
> >>> b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects, in coordination with other vendors.
> >>> To protect its users, Debian regularly participates in limited embargoes to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed.
> >>>
> >>> c. Security issue tracking and remediation is intentionally decentralized and distributed. The reporting of security issues to ENISA and the intended propagation to other authorities and national administrations would collect all software vulnerabilities in one place, greatly increasing the risk of leaking information about vulnerabilities to threat actors, representing a threat for all the users around the world, including European citizens.
> >>
> >> This already happens with CVEs though? By a private, unaccountable, for profit corporation.
> >>
> >>> d. Activists use Debian (e.g. through derivatives such as Tails), among other reasons, to protect themselves from authoritarian governments; handing threat actors exploits they can use for oppression is against what Debian stands for.
> >>
> >> Again, I don't see how this is any different than the status quo.
> >>
> >>> e. Developers and companies will downplay security issues because a "security" issue now comes with legal implications. Less clarity on what is truly a security issue will hurt users by leaving them vulnerable.
> >>
> >> Companies already routinely downplay or outright neglect security issues in their products. It seems the intent of the legislation is to try and fix precisely that. One might be skeptical on the ability of the proposed legislation to improve the situation, of course, but that's a different story.
> >>
> >>> 3. While proprietary software is developed behind closed doors, Free Software development is done in the open, transparent for everyone.
> >>> To keep even with proprietary software the open development process needs to be entirely exempt from CRA requirements, just as the development of software in private is. A "making available on the market" can only be considered after development is finished and the software is released.
> >>>
> >>> 4. Even if only "commercial activities" are in the scope of CRA, the Free Software community - and as a consequence, everybody - will lose a lot of small projects. CRA will force many small enterprises and most probably all self-employed developers out of business because they simply cannot fulfil the requirements imposed by CRA. Debian and other Linux distributions depend on their work. It is not understandable why the EU aims to cripple not only an established community but also a thriving market. CRA needs an exemption for small businesses and, at the very least, solo-entrepreneurs.
> >>
> >> To be brutally honest, if some private corporations' viability depends on being able to ignore glaring security issues that can harm their users, then I for one am all for them going out of business. Just like if a company's existence relies on the ability to breach privacy with impunity and is hampered by the GDPR, and so on.
> >>
> >> To do a reductio ad absurdum to illustrate my point, if a free software project's existence depended exclusively on an oil&gas corporation being able to pollute the environment and worsen climate change with impunity because the author is employed there, would it be worth it? The answer for me is categorically no. Especially given it's free software! The whole point of it is that someone else can maintain it, or the author can find a different source of income, and the project can continue - it's free, it's by definition not locked in one corporation.
> >>
> >> All in all, given how the situation is explained here, I do not understand where the issue is, for us as a project or as free software developers. I do not see any convincing argument at all as to why this is detrimental to Debian or free software, and the only link that is made is tenuous at best: maybe some free software developer is also employed by a company who is negatively affected by this. There are many, many things that can negatively affect anyone's employer, I do not see why, by itself, this should warrant a project statement.