Re: CRA and PLD vote status
El 08/12/23 a las 21:37, Ilu escribió: > Am 08.12.23 um 21:13 schrieb Russ Allbery: > > Ilu writes: > > > > > CRA + PLD proposals include regulations, that will be detrimental > > > to FOSS > > > > How about: > > > > CRA and PLD proposals include regulations detrimental to FOSS > > > > This would be real-english-english? ;-) If it has the same meaning, fine > by me. I've pinged Santiago. I fully trust Russ's English skills :-) LGTM. Thank you! signature.asc Description: PGP signature
Re: Call for seconds: Delegate to the DPL
El 02/12/23 a las 01:07, Bill Allombert escribió: > On Tue, Nov 28, 2023 at 04:36:29PM -0600, Gunnar Wolf wrote: > > Bill Allombert dijo [Tue, Nov 28, 2023 at 10:07:29PM +0100]: > > > On Tue, Nov 28, 2023 at 09:25:17AM -0600, Gunnar Wolf wrote: > > > > This is also something we discussed before sending this call for > > > > votes. But how can we gauge whether the project is OK with issuing > > > > political statements or not? The only tool we were able to find is a > > > > GR. > > > > > > The less we know about the political opinion of each others, the better > > > for > > > the project. After all we only agreed to uphold the SC and nothing else. > > > > > > We are a technical entity. We do not need to know other developers > > > opinions on > > > issues unrelated to FLOSS to work together, and let us face it, it is > > > easier to > > > work together if we ignore whether we have major political disagreement. Yet, one of the goals of the proposed text is to minimize the negative impact of this particular EU policy on FLOSS projects and the related technical work. > > Yet, my belief is that all human interactions are political in > > nature. In some aspects of politics, you and I will not be the least > > aligned. But I believe our project is _first and foremost_ a political > > statement (that produces a first-grade technological artifact). +1! > > One major risk for Debian continued existence is that we start to become > suspicious of each other political views outside FLOSS, that we start to see > "collaborating with someone as part of our Debian activity" as "associating" > with them, and that "associating" with them start to become socially > problematic. There is a precedent for that. On the other hand, I have experience successfully working in a professional level with people that I would place in the other side of the one-dimensional political spectrum. > That is why I am quite against the whole 'community' view of Debian. We are a large community, and it is obvious we disagree at different points, political and technical. And that doesn't prevent us to keep working together, with obvious obstacles and etc. But that is still part of the "working together". This is not saying we have to think in the same way, of course. The only common ground is that we all agreed (at least "new" new members) to uphold the Social Contract (which, as its name state, **social**) the DFSG, et al. > In practice, it is very hard to participate in such GR without revealing > political views, as you can see by reading the discussion. > > > > And it is quite difficult discussing a ballot option without revealing > > > such > > > opinions. We have enough topics for flamewar already. This will only leads > > > to more fracturation of the project. > > > > > > But this GR is not about issuing political statements in general, it is > > > about > > > issuing a particular statement, which leads directly to the second issue, > > > are > > > GR (with the time limit, the amendment process, etc) the best medium to > > > draft > > > political statement that correctly addresses the issue while furthering > > > Debian > > > goal ? > > > > I do not know. But I think that's something that can, and ought, be > > put to the table. > > It seems like you are underestimating the risks and overestimating the > rewards. > Such statement is only useful if written by people that understand enough of > EU law terminology to address the issue. I asked whether the lawyer that > drafted > it was familiar with EU law and it does not seem to be the case. What makes you state this? As far as I case, the lawyer who drafted the statement knows well the EU regulations and legislation proceedings. > We should not make a statement that can be used against us. signature.asc Description: PGP signature
More additional changes (was: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive")
Hello again, Sorry for this, but I would like to take into account some (minor) additional changes. Some of them are indeed important. As the last time, a diff can be found at the bottom of the mail. - GENERAL RESOLUTION STARTS - Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It is currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and, for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement: 1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it. a. As the Debian Social Contract states, our goal is "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our work and endangers our commitment to "provide an integrated system of high-quality materials with no legal restrictions that would prevent such uses of the system". (2) b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects (the original projects that we integrate in our operating system). c. If upstream projects stop making available their code for fear of being in the scope of CRA and its financial consequences, system security will actually get worse rather than better. d. Having to get legal advice before giving a gift to society will discourage many developers, especially those without a company or other organisation supporting them. 2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (3) a. The Free Software community has developed a fine-tuned, tried-and-tested system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA). b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects and in coordination with other vendors. To protect its users, Debian regularly participates in limited embargos to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed. c. Security issue tracking and remediation is intentionally decentralized and distributed. The reporting of security issues to ENISA and the intended propagation to other authorities and national administrations would collect all software vulnerabilities in one place. This greatly increases the risk of leaking information about vulnerabilities to threat actors, representing a threat for all the users around the world, including European citizens. d. Activists use Debian (e.g. through derivatives such as Tails), among other reasons, to protect themselves from authoritarian governments; handing threat actors exploits they can use for oppression is against what Debian stands for. e. Developers and companies will downplay security issues because a "security" issue now comes with legal implications. Less clarity on what is truly a security issue will hurt users by leaving them vulnerable. 3. While proprietary software is developed behind closed doors, Free Software development is done in the open, transparent for everyone.
Amendment to the original proposal (was: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive")
Hello there, Here you can find a modified version that takes into account most of the reviews. It doesn't change the meaning of the original proposal, and hopefully improves it. Thanks again for all the comments. A diff between both version is found below. - GENERAL RESOLUTION STARTS - Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. More information about the proposed legislation and its consequences in (2). While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement: 1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it. a. As the Debian Social Contract states, our goal is "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our work and endangers our commitment to "provide an integrated system of high-quality materials with no legal restrictions that would prevent such uses of the system". (3) b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects (the original projects that we integrate in our operating system). c. If upstream projects stop developing for fear of being in the scope of CRA and its financial consequences, system security will actually get worse instead of better. d. Having to get legal advice before giving a present to society will discourage many developers, especially those without a company or other organisation supporting them. 2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (3) a. The Free Software community has developed a fine-tuned, tried-and-tested system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA). b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects, in coordination with other vendors. To protect its users, Debian regularly participates in limited embargos to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed. c. Security issue tracking and remediation is intentionally decentralized and distributed. The reporting of security issues to ENISA and the intended propagation to other authorities and national administrations would collect all software vulnerabilities in one place, greatly increasing the risk of leaking information about vulnerabilities to threat actors, representing a threat for all the users around the world, including European citizens. d. Activists use Debian (e.g. through derivatives such as Tails), among other reasons, to protect themselves from authoritarian governments; handing threat actors exploits they can use for oppression is against what Debian stands for. e. Developers and companies will downplay security issues because a "security" issue now comes with legal implications. Less clarity on what is truly a security issue will hurt users by leaving them vulnerable. 3. While proprietary software i
Re: General Resolution: Statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Thanks to those who have spotted errors and have proposed fixes! I am collecting more patches, and I will send an updated proposal as soon as possible. But I won't be able to do it earlier than tomorrow Wednesday, when I will be in the Northern hemisphere. El 21/11/23 a las 12:01, Miriam Ruiz escribió: > s/Discoverded/Discovered/ > s/fullfill/fulfill/ > > El dom, 19 nov 2023 a las 22:53, Debian Project Secretary - Kurt > Roeckx () escribió: > > > > A General Resolution has been started about a statement > > about the EU Legislation "Cyber Resilience Act and Product Liability > > Directive" > > > > More information can be found at: > > https://www.debian.org/vote/2023/vote_002 > > > > > > Kurt Roeckx > > Debian Project Secretary > > signature.asc Description: PGP signature
Re: Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
El 20/11/23 a las 08:53, Kurt Roeckx escribió: > On Mon, Nov 20, 2023 at 12:40:58AM +0100, Aigars Mahinovs wrote: > > I second adding this version to the vote > > I'm getting a bad signature on this. > > > On Mon, 20 Nov 2023 at 00:22, Luca Boccassi wrote: > > Second version, taking into account feedback. Looking for seconds at > > this point: > > Maybe Santiago wants to adopt this text, rather than having 2 options? The initial proposal was made collectively, and now I realise I should have signed with a "On behalf of the Debian fellows in Montevideo". So it is not only me to decide. Anyway, IMHO, it is good to have more than one option. Cheers, -- Santiago signature.asc Description: PGP signature
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
El 15/11/23 a las 00:49, Luca Boccassi escribió: > On Sun, 2023-11-12 at 12:10 -0300, Santiago Ruano Rincón wrote: > > Dear Debian Fellows, > > > > Following the email sent by Ilu to debian-project (Message-ID: > > <4b93ed08-f148-4c7f-b172-f967f7de7...@gmx.net>), and as we have > > discussed during the MiniDebConf UY 2023 with other Debian Members, I > > would like to call for a vote about issuing a Debian public statement > > regarding > > the EU Cyber Resilience Act (CRA) and the Product Liability Directive > > (PLD). The CRA is in the final stage in the legislative process in the > > EU Parliament, and we think it will impact negatively the Debian > > Project, users, developers, companies that rely on Debian, and the FLOSS > > community as a whole. Even if the CRA will be probably adopted before > > the time the vote ends (if it takes place), we think it is important to > > take a public stand about it. > > Hi Santiago, Hello Luca > > It seems clear that there is a lot of interest in the project to > express a position on this matter. But as mentioned in the thread by > myself and others, I find some of the specifics of the text a bit > problematic - and some of the responses it elicited even more so. > > So, I'd like to propose an alternative text, that uses a very similar > preamble and still expresses a strong request to the legislators to > protect the interests of FOSS and its contributors and clarify any > issue, grey area or confusion that might be present in the current > texts, and put it beyond any reasonable doubt that FOSS projects can > continue working as they have, while at the same time supporting the > spirit of the law and its goal to improve the abysmal landscape of > software security in commercial products. > > What do you think? Here's what I came up with: > > - GENERAL RESOLUTION STARTS - > > Debian Public Statement about the EU Cyber Resilience Act and the > Product Liability Directive > > The European Union is currently preparing a regulation "on horizontal > cybersecurity requirements for products with digital elements" known as > the Cyber Resilience Act (CRA). It's currently in the final "trilogue" > phase of the legislative process. The act includes a set of essential > cybersecurity and vulnerability handling requirements for manufacturers. > It will require products to be accompanied by information and > instructions to the user. Manufacturers will need to perform risk > assessments and produce technical documentation and for critical > components, have third-party audits conducted. Security issues under > active exploitation will have to be reported to European authorities > within 24 hours (1). The CRA will be followed up by an update to the > existing Product Liability Directive (PLD) which, among other things, > will introduce the requirement for products on the market using software > to be able to receive updates to address security vulnerabilities. > > Given the current state of the electronics and computing devices market, > constellated with too many irresponsible vendors (largely employing > proprietary software) not taking taking enough precautions to ensure and > maintain the security of their products, resulting in grave issues such > as the plague of ransomware (that, among other things, has often caused > public services to be severely hampered or shut down entirely, across > the European Union and beyond, to the detriment of its citizens), the > Debian project welcomes this initiative and supports its spirit and > intent. I don't feel comfortable with most of the above paragraph. Where is the value in kind-of-finger-pointing proprietary software? > The Debian project believes Free and Open Source Software Projects to be > very well positioned to respond to modern challenges around security and > accountability that these regulations aim to improve for products > commercialized on the Single Market. Debian is well known for its > security track record through practices of responsible disclosure and > coordination with upstream developers and other Free and Open Source > Software projects. The project aims to live up to the commitment made in > the Debian Social Contract: "We will not hide problems." (2) > > The Debian project welcomes the attempt of the legislators to ensure > that the development of Free and Open Source Software is not negatively > affected by these regulations, as clearly expressed by the European > Commission in response to stakeholders' req
Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"
Dear Debian Fellows, Following the email sent by Ilu to debian-project (Message-ID: <4b93ed08-f148-4c7f-b172-f967f7de7...@gmx.net>), and as we have discussed during the MiniDebConf UY 2023 with other Debian Members, I would like to call for a vote about issuing a Debian public statement regarding the EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD). The CRA is in the final stage in the legislative process in the EU Parliament, and we think it will impact negatively the Debian Project, users, developers, companies that rely on Debian, and the FLOSS community as a whole. Even if the CRA will be probably adopted before the time the vote ends (if it takes place), we think it is important to take a public stand about it. - GENERAL RESOLUTION STARTS - Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It's currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and for critical components, have third-party audits conducted. Discoverded security issues will have to be reported to European authorities within 24 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software. More information about the proposed legislation and its consequences in (2). While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement: 1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it. a. It is Debian's goal to "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our works and endangers our commitment to "provide an integrated system of high-quality materials _with no legal restrictions_ that would prevent such uses of the system". (3) b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects. c. If upstream projects stop developing for fear of being in the scope of CRA and its financial consequences, system security will actually get worse instead of better. d. Having to get legal advice before giving a present to society will discourage many developers, especially those without a company or other organisation supporting them. 2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Social Contract: "We will not hide problems." (3) a. The Free Software community has developed a fine-tuned, well working system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA). b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects, in coordination with other vendors. To protect its users, Debian regularly participates in limited embargos to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed. c. Security issue tracking and remediation is intentionally decentralized and distributed. The reporting of security issues to ENISA and the intended propagation to other authorities and national administrations would collect all software vulnerabilities in one place, greatly increasing the risk of leaking information about vulnerabilities to threat actors, representing a threat for all the users around the world, including European citizens. d. Activists use Debian (e.g. through derivatives such as Tails), among other reasons, to protect themselves from authorita
Re: Changing how we handle non-free firmware
El 29/08/22 a las 09:06, Simon Josefsson escribió: > Kurt Roeckx writes: > > > On Tue, Aug 23, 2022 at 10:39:57AM +0200, Simon Josefsson wrote: > >> As far as I can tell, both Steve's and Gunnar's proposal would make > >> Debian less of a free software operating system than it is today. That > >> makes me sad. My preference for an outcome would be along the following > >> lines. > > > > The key you signed this with (A3CC9C870B9D310ABAD4CF2F51722B08FE4745A2) > > is not in the debian keyring. > > I'm signing this with my debian RSA key. > > /Simon > > == > > We continue to stand by the spirit of the Debian Social Contract §1 > which says: > >Debian will remain 100% free > >We provide the guidelines that we use to determine if a work is >"free" in the document entitled "The Debian Free Software >Guidelines". We promise that the Debian system and all its components >will be free according to these guidelines. We will support people >who create or use both free and non-free works on Debian. We will >never make the system require the use of a non-free component. > > Therefore we will not include any non-free software in Debian, nor in the > main archive or installer/live/cloud or other official images, and will > not enable anything from non-free or contrib by default. > > We also continue to stand by the spirit of the Debian Social Contract §5 > which says: > >Works that do not meet our free software standards > >We acknowledge that some of our users require the use of works that >do not conform to the Debian Free Software Guidelines. We have >created "contrib" and "non-free" areas in our archive for these >works. The packages in these areas are not part of the Debian system, >although they have been configured for use with Debian. We encourage >CD manufacturers to read the licenses of the packages in these areas >and determine if they can distribute the packages on their CDs. Thus, >although non-free works are not a part of Debian, we support their >use and provide infrastructure for non-free packages (such as our bug >tracking system and mailing lists). > > Thereby re-inforcing the interpretation that any installer or image with > non-free software on it is not part of the Debian system, but that we > support their use and welcome others to distribute such work. > > == I won't vote for this, but I think it is important to have this option on the ballot. Seconded, -- Santiago signature.asc Description: PGP signature
Re: Reaffirm public voting
El 04/03/22 a las 12:03, Mattia Rizzolo escribió: > On Fri, Mar 04, 2022 at 10:42:51AM +, Holger Levsen wrote: > > Reaffirm public voting > > == > > > > Since we can either have secret and intransparent voting, or we can have > > open and transparent voting, the project resolves to leave our voting > > system as it is. > > > > Rationale: > > > > The GR proposal for secret voting is silent on implenentation details, > > probably because secret and transparent voting is, well, impossible to > > achieve fully, so this GR is bound to a similar fate as the 'publish > > debian-private' vote, which was voted for and then was never implemented. > > > > A voting system which is transparent only to some, is undemocratic and > > will lead to few people in the know, which is diagonal to Debians goals > > of openness and transparency. > > > > And then, early 2022 is not the time for rushed changes like this, which > > is also why I explicitly want to see "keep the status quo" on the ballot, > > and not only as "NOTA", but as a real option. > > > > I'm seeking sponsors for this amendment to the current GR. > > > Assuming you meant this as "this ballot" instead of "this amendment" > (following the new GR flow), I sponsor this. > > I sponsor this ballot. > If I were to add my thoughts: political GRs don't belong in Debian, > please take them elsewhere. For non-political votes there is no use > for private voting. I think technical is political. Giving freedom to software users is political. And I'd rather say we should avoid GRs involving individuals. Cheeers, -- S signature.asc Description: PGP signature
Re: General Resolution: Richard Stallman's readmission to the FSF board
El 26/03/21 a las 13:26, Dominik George escribió: > Hi, > > On Fri, Mar 26, 2021 at 11:50:31AM +0100, Jonas Smedegaard wrote: > > [replying only to -vote - please avoid cross-posting!] > > OK, but you actually replied only to -devel instead of -vote. > > > > > Quoting Dominik George (2021-03-26 11:05:26) ... > > > > > > 8><-- > > > Choice 2 > > > > > > > > > The Debian Project does not co-sign the statement regarding Richard > > > Stallman's readmission to the FSF board seen at > > > https://github.com/rms-open-letter/rms-open-letter.github.io/blob/main/index.md > > > > > > In its role as an important body in the free software world, the > > > Project has made its members aware of the situation, and respects the > > > opinion of all of its members. In doing so, every member is free to > > > sign the statement, or to not do so. > > > > > > The Debian Project make an official statement, along the lines of: > > > > > > * We have learnt about rms being readmitted to the FSF board > > > * We are aware of critical voices regarding the person known as rms, > > > and we take every single report very serously > > > * Everyone who is affected by any action, opinion or statement of > > > rms can ask the Debian Anti Harassment team for support, and > > > the Anti Harassment team will suppor tthem in communicating with > > > the FSF and ensure their concerns are addresses ... AFAIK, the Community Team has replaced the Anti Harassment Team. -- S signature.asc Description: PGP signature
Re: GR Proposal: replace "Chairman" with "Chair" throughout the Debian Constitution
El 08/07/16 a las 15:27, Margarita Manterola escribió: ... > > I'm therefore proposing the following General Resolution: > > === BEGIN GR TEXT === > > Title: Replace "Chairman" with "Chair" throughout the Debian Constitution > > All appearances of the word Chairman shall be replaced with the word Chair. > > === END GR TEXT === Seconded. Thanks! Santiago signature.asc Description: PGP signature
