On Fri, Nov 24, 2023 at 07:55:01AM -0600, Gunnar Wolf wrote:
> Hello Bart,

Hi Gunnar!

> Bart Martens said [Wed, Nov 22, 2023 at 07:16:48PM +0100]:
> > Hello, I hereby welcome seconds for adding this text to 2023/vote_002
> > as a separate proposal.
>
> Thanks for your contribution to this discussion!

And thank you for your feedback.

> As I said in another
> thread, I believe that in a voting system such as the one we use in
> Debian, more versions is unambiguously better, and options should only
> be merged together in the case they are semantically equivalent.
>
> > Debian Public Statement about the EU Cyber Resilience Act (CRA) and the
> > Product Liability Directive (PLD)
> >
> > The CRA includes requirements for manufacturers of software, followed
> > up by the PLD with compulsory liability for software. The Debian
> > project has concerns about the impact on Free and Open-Source Software
> > (FOSS).
> >
> > The CRA makes the use of FOSS in a commercial context more difficult.
> > This goes against the philosophy of the Debian project. The Debian Free
> > Software Guidelines (DFSG) include "6. No Discrimination Against Fields
> > of Endeavor - The license must not restrict anyone from making use of
> > the program in a specific field of endeavor." A significant part of the
> > success of FOSS is its use in a commercial context. It should remain
> > possible for anyone to produce, publish and use FOSS, without making it
> > harder for commercial entities or for any group of FOSS users.
> >
> > The compulsory liability as meant in the PLD overrules the usual
> > liability disclaimers in FOSS licenses. This makes sharing FOSS with
> > the public more legally risky. The compulsory liability makes sense for
> > closed-source software, where the users fully depend on the
> > manufacturers. With FOSS the users have the option of helping
> > themselves with the source code, and/or hiring any consultant on the
> > market. The usual liability disclaimers in FOSS licenses should remain
> > valid without the risk of being overruled by the PLD.
> >
> > The Debian project asks the EU to not draw a line between commercial
> > and non-commercial use of FOSS. Such a line should instead be between
> > closed-source software and FOSS. FOSS should be entirely exempt from
> > the CRA and the PLD.
>
> My issue with your text is that I read it –bluntly over-abridged– as
> «The CRA+PLD will make it harder to meaningfully develop Debian,
> because we are compelled by our own foundation documents not to
> distinguish between free and commercial. Many people use Debian in
> commercial settings. If you enact this legislation, some of our users
> will be at risk of getting in trouble for using our fine intentions for
> their economic benefit, as they will be covered by your
> regulation. Please formally except us fully from your rules!»
>
> That is, it basically means: "European Parliament/Council: Our
> foundation documents are at unease with the CRA and PLD".

That is paraphrasing my proposal rather roughly, but let's focus on the
point you want to make.

> That is
> true, but a fair answer from them (if we warrant it!) could be "We
> represent more people and wider interests than yours. Your SC is over
> a quarter of a century old. Update your SC to comply with the changing
> times". Which could even make sense! (although it would make Debian
> stop being Debian!)
>
> This reading is the main reason I'm not endorsing it, and still prefer
> our original proposal instead.

How would such a hypothetical answer from the EU matter for preferring
one proposal over the other? I'm trying to understand your motive.

Allow me to point out some weak points in proposal A, motivating me to
write my separate proposal.

- 1.a. The phrase "with no legal restrictions" is incorrect in the sense
  that FOSS uses legal restrictions for keeping it FOSS.
- 1.b. I read "Knowing whether software is commercial or not". It is, in
  my understanding, about commercial use or non-commercial use.
- 1.b. Arguing that knowing what's commercial or not isn't feasible
  implies accepting such a distinction when the EU can give a practical
  legal definition.
- 1.c. Stopping development would not exempt the author from CRA.
  Stopping the commercial use would.
- 1.d. This somewhat implies accepting CRA requirements for big companies.
- 2.a. Explaining that the 24h window would disrupt FOSS' well-working
  system of responsible disclosures of security issues implies accepting
  that the FOSS community would be legally required to provide security
  support.
- 2.b. Mentioning the efforts Debian is doing on security support in this
  context implies accepting that Debian is required to do so.
- 2.d. I don't feel comfortable with mentioning that Debian supports
  activists living under oppressive regimes.
- 2.e. Commercial companies can currently hide security issues in
  proprietary software. One could argue that this is worse than
  downplaying when reporting.
- 3. Software development in the open is in fact making unfinished
  software available on the market.
- 3. Asking to exempt unfinished software being developed in the open
  implies accepting that it becomes no longer exempt when it's ready for
  use.
- 4. This implies, almost states explicitly, accepting CRA requirements
  for big companies.

I invite you to compare the two proposals on the points listed above.

In short, my proposal defends commercial use of FOSS and the usual
liability disclaimers in FOSS licenses.

To be clear, for avoiding misunderstandings, the EU regulation can be a
good thing, when it requires manufacturers of closed products to provide
security support for the pieces of FOSS they use in their products. Then
we're talking about compulsory liability for those closed products as a
whole. My focus aims at protecting the liberty of not providing support
whenever the users can help themselves with the available source code.

Has my proposal sufficient seconds by now? If not... you know what to do.

Cheers,

Bart

> Greetings,
>
> - Gunnar.