Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"

[Aigars Mahinovs]

I'll just attach the signed version, it seems like GMail plain text
mode is still a bit broken.

On Mon, 20 Nov 2023 at 08:53, Kurt Roeckx <k...@roeckx.be> wrote:
>
> On Mon, Nov 20, 2023 at 12:40:58AM +0100, Aigars Mahinovs wrote:
> > I second adding this version to the vote
>
> I'm getting a bad signature on this.
>
> > On Mon, 20 Nov 2023 at 00:22, Luca Boccassi <bl...@debian.org> wrote:
> > Second version, taking into account feedback. Looking for seconds at
> > this point:
>
> Maybe Santiago wants to adopt this text, rather than having 2 options?
>
>
> Kurt
>


-- 
Best regards,
    Aigars Mahinovs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I second adding this version to the vote

On Mon, 20 Nov 2023 at 00:22, Luca Boccassi <bl...@debian.org> wrote:
Second version, taking into account feedback. Looking for seconds at
this point:

    ----- GENERAL RESOLUTION STARTS -----

    Debian Public Statement about the EU Cyber Resilience Act and the
    Product Liability Directive

    The European Union is currently preparing a regulation "on horizontal
    cybersecurity requirements for products with digital elements" known as
    the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
    phase of the legislative process. The act includes a set of essential
    cybersecurity and vulnerability handling requirements for manufacturers.
    It will require products to be accompanied by information and
    instructions to the user. Manufacturers will need to perform risk
    assessments and produce technical documentation and for critical
    components, have third-party audits conducted. Security issues under
    active exploitation will have to be reported to European authorities
    within 24 hours (1). The CRA will be followed up by an update to the
    existing Product Liability Directive (PLD) which, among other things,
    will introduce the requirement for products on the market using software
    to be able to receive updates to address security vulnerabilities.

    Given the current state of the electronics and computing devices market,
    constellated with too many irresponsible vendors not taking taking
    enough precautions to ensure and maintain the security of their products,
    resulting in grave issues such as the plague of ransomware (that, among
    other things, has often caused public services to be severely hampered or
    shut down entirely, across the European Union and beyond, to the
    detriment of its citizens), the Debian project welcomes this initiative
    and supports its spirit and intent.

    The Debian project believes Free and Open Source Software Projects to be
    very well positioned to respond to modern challenges around security and
    accountability that these regulations aim to improve for products
    commercialized on the Single Market. Debian is well known for its
    security track record through practices of responsible disclosure and
    coordination with upstream developers and other Free and Open Source
    Software projects. The project aims to live up to the commitment made in
    the Debian Social Contract: "We will not hide problems." (2)

    The Debian project welcomes the attempt of the legislators to ensure
    that the development of Free and Open Source Software is not negatively
    affected by these regulations, as clearly expressed by the European
    Commission in response to stakeholders' requests (1) and as stated in
    Recital 10 of the preamble to the CRA:

     'In order not to hamper innovation or research, free and open-source
      software developed or supplied outside the course of a commercial
      activity should not be covered by this Regulation.'

    The Debian project however notes that not enough emphasis has been
    employed in all parts of these regulations to clearly exonerate Free
    and Open Source Software developers and maintainers from being subject
    to the same liabilities as commercial vendors, which has caused
    uncertainty and worry among such stakeholders.

    Therefore, the Debian project asks the legislators to enhance the
    text of these regulations to clarify beyond any reasonable doubt that
    Free and Open Source Software developers and contributors are not going
    to be treated as commercial vendors in the exercise of their duties when
    merely developing and publishing Free and Open Source Software, with
    special emphasis on clarifying grey areas, such as donations,
    contributions from commercial companies and developing Free and Open
    Source Software that may be later commercialised by a commercial vendor.
    It is fundamental for the interests of the European Union itself that
    Free and Open Source Software development can continue to thrive and
    produce high quality software components, applications and operating
    systems, and this can only happen if Free and Open Source Software
    developers and contributors can continue to work on these projects as
    they have been doing before these new regulations, especially but not
    exclusively in the context of nonprofit organizations, without being
    encumbered by legal requirements that are only appropriate for
    commercial companies and enterprises.

    ==========================================================================

    Sources:

    (1) CRA proposals and links:
    
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-proposal-for-cybersecurity-regulation
    PLD proposals and links:
    
https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-new-product-liability-directive
    Response from the European Commission to a question from the European 
Parliament on FOSS awareness:
    https://www.europarl.europa.eu/doceo/document/E-9-2023-002473-ASW_EN.html

    (2) Debian Social Contract No. 2, 3 and 4
    https://www.debian.org/social_contract

    ----- GENERAL RESOLUTION ENDS -----

- --
Kind regards,
Luca Boccassi

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEFmwrqIlWRDzdY39G+mQ7ph0ievsFAmVbOssACgkQ+mQ7ph0i
evsc5RAAshSQM1Hr8Hk/MQZvYgkXe/GlDJQ/Ms+UMf9Vqae/NZ4TfbTtgZKpM5ER
ae0NeSqfaeFSxQGAv17jyhTFehO2VGSaMO2PtRKxXGytsJjz2uftaJdGfL2bFi//
NPZzODIakkLGOY3iUVUklwW7751GA+T3o1HDrsIkEN5+3e+wdTo61wLj30KyVflR
jAEvPWmEoRIv1V8HVEDLRBmS2d95NE+q1WZ2VYMh2iK/1atYQupkSXuzM0BOYjLj
KtTGU6uVHJ5JuI5Xw9ItDkrZh7MwFv90+fMhVFmNQk+wHQzLsvczyrloPIjABXge
SMPU3T5B3jOOdFPLHK8uaSelW3vRlyrimQY7FiUD51xaNOHSVsg1aVOJ7F9CWyZh
qi23q/z3po/1lKpaZN6O+/y4xjc8dFjbO8Tw374JHEWN29hU3vP0oCtdow7m+MP/
sTp2Hvls0cQFsKWrxxTdPhJ3NkcVNd6eVj0UJlog6v8rDMdKkHx2E76gwswJRdRo
S410CqYiMFq+mq1w6pf68goF2bI/BqLf6OEF65PVhA1H17VeWedZGFUTUz4M+m6W
dG6jQbg4kYNwQz2UHQlgd6HlxZOOklJmStikubZJLNkfCMDlz0jU1/Vp6i4m6bjc
nX+lHknRifc9f49M7ouMiGfDpw9rGKYV6DwbrQuH/2Xcmkg0FSg=
=izVL
-----END PGP SIGNATURE-----