Debian Public Statement about the EU Cyber Resilience Act and the Product Liability Directive

The European Union is currently preparing a regulation "on horizontal cybersecurity requirements for products with digital elements" known as the Cyber Resilience Act (CRA). It is currently in the final "trilogue" phase of the legislative process. The act includes a set of essential cybersecurity and vulnerability handling requirements for manufacturers. It will require products to be accompanied by information and instructions to the user. Manufacturers will need to perform risk assessments and produce technical documentation and, for critical components, have third-party audits conducted. Discovered security issues will have to be reported to European authorities within 25 hours (1). The CRA will be followed up by the Product Liability Directive (PLD) which will introduce compulsory liability for software.

While a lot of these regulations seem reasonable, the Debian project believes that there are grave problems for Free Software projects attached to them. Therefore, the Debian project issues the following statement:

1. Free Software has always been a gift, freely given to society, to take and to use as seen fit, for whatever purpose. Free Software has proven to be an asset in our digital age and the proposed EU Cyber Resilience Act is going to be detrimental to it.

   a. As the Debian Social Contract states, our goal is "make the best system we can, so that free works will be widely distributed and used." Imposing requirements such as those proposed in the act makes it legally perilous for others to redistribute our work and endangers our commitment to "provide an integrated system of high-quality materials with no legal restrictions that would prevent such uses of the system". (2)

   b. Knowing whether software is commercial or not isn't feasible, neither in Debian nor in most free software projects - we don't track people's employment status or history, nor do we check who finances upstream projects (the original projects that we integrate in our operating system).

   c. If upstream projects stop making available their code for fear of being in the scope of CRA and its financial consequences, system security will actually get worse rather than better.

   d. Having to get legal advice before giving a gift to society will discourage many developers, especially those without a company or other organisation supporting them.

2. Debian is well known for its security track record through practices of responsible disclosure and coordination with upstream developers and other Free Software projects. We aim to live up to the commitment made in the Debian Social Contract: "We will not hide problems." (3)

   a.The Free Software community has developed a fine-tuned, tried-and-tested system of responsible disclosure in case of security issues which will be overturned by the mandatory reporting to European authorities within 24 hours (Art. 11 CRA).

   b. Debian spends a lot of volunteering time on security issues, provides quick security updates and works closely together with upstream projects and in coordination with other vendors. To protect its users, Debian regularly participates in limited embargos to coordinate fixes to security issues so that all other major Linux distributions can also have a complete fix when the vulnerability is disclosed.

   c. Security issue tracking and remediation is intentionally decentralized and distributed. The reporting of security issues to ENISA and the intended propagation to other authorities and national administrations would collect all software vulnerabilities in one place. This greatly increases the risk of leaking information about vulnerabilities to threat actors, representing a threat for all the users around the world, including European citizens.

   d. Activists use Debian (e.g. through derivatives such as Tails), among other reasons, to protect themselves from authoritarian governments; handing threat actors exploits they can use for oppression is against what Debian stands for.

   e. Developers and companies will downplay security issues because a "security" issue now comes with legal implications. Less clarity on what is truly a security issue will hurt users by leaving them vulnerable.

3. While proprietary software is developed behind closed doors, Free Software development is done in the open, transparent for everyone. To retain parity with proprietary software the open development process needs to be entirely exempt from CRA requirements, just as the development of software in private is. A "making available on the market" can only be considered after development is finished and the software is released.

4. Even if only "commercial activities" are in the scope of CRA, the Free Software community - and as a consequence, everybody - will lose a lot of small projects. CRA will force many small enterprises and most probably all self employed developers out of business because they simply cannot fulfill the requirements imposed by CRA. Debian and other Linux distributions depend on their work. If accepted as it is, CRA will undermine not only an established community but also a thriving market. CRA needs an exemption for small businesses and, at the very least, solo-entrepreneurs.

Information about the voting process:

Debian uses the Condorcet method for voting. Simplistically, plain Condorcets method can be stated like so : "Consider all possible two-way races between candidates. The Condorcet winner, if there is one, is the one candidate who can beat each other candidate in a two-way race with that candidate." The problem is that in complex elections, there may well be a circular relationship in which A beats B, B beats C, and C beats A. Most of the variations on Condorcet use various means of resolving the tie. Debian's variation is spelled out in the constitution, specifically, A.5(3)

Sources:

(1) CRA proposals and links & PLD proposals and links

(2) Debian Social Contract No. 2, 3, and 4

(3) Debian Constitution

Značky: #debian, #vote, #Debian, #statement

Značky: #Debian

Značky: #Debian

Značky: #Debian

Enlarge (credit: hdaniel )

Windows' infamous " Blue Screen of Death " is a bit of a punchline. People have made a hobby of spotting them out in the wild, and in some circles, they remain a byword for the supposed flakiness and instability of PCs. To this day, networked PCs in macOS are represented by beige CRT monitors displaying a BSOD.

But the BSOD is supposed to be a diagnostic tool, an informational screen that technicians can use to begin homing in on the problem that caused the crash in the first place; that old Windows' BSOD error codes were often so broad and vague as to be useless doesn't make the idea a bad one. Today, version 255 of the Linux systemd project honors that original intent by adding a systemd-bsod component that generates a full-screen display of some error messages when a Linux system crashes.

The systemd-bsod component is currently listed as "experimental" and "subject to change." But the functionality is simple: any logged error message that reaches the LOG_EMERG level will be displayed full-screen to allow people to take a photo or write it down. Phoronix reports that, as with BSODs in modern Windows, the Linux version will also generate a QR code to make it easier to look up information on your phone.

The following contributors got their Debian Developer accounts in the last two months:

• François Mazen (mzf)
• Andrew Ruthven (puck)
• Christopher Obbard (obbardc)
• Salvo Tomaselli (ltworf)

The following contributors were added as Debian Maintainers in the last two months:

• Bo YU
• Athos Coimbra Ribeiro
• Marc Leeman
• Filip Strömbäck

Congratulations!

Značky: #project, #Debian

The proposed and previously announced changes to the rsync service have become effective with archive.debian.org hostname now being discontinued.

The worldwide Debian mirrors network has served archive.debian.org via both HTTP and rsync. As part of improving the reliability of the service for users, the Debian mirrors team is separating the access methods to different host names:

• http://archive.debian.org/ will remain the entry point for HTTP clients such as APT

• rsync://rsync.archive.debian.org/debian-archive/ is now available for those who wish to mirror all or parts of the archives.

rsync service on archive.debian.org has stopped, and we encourage anyone using the service to migrate to the new host name as soon as possible.

If you are currently using rsync to the debian-archive from a debian.org server that forms part of the archive.debian.org rotation, we also encourage Administrators to move to the new service name. This will allow us to better manage which back-end servers offer rsync service in future.

Note that due to its nature the content of archive.debian.org does not change frequently - generally there will be several months, possibly more than a year, between updates - so checking for updates more than once a day is unnecessary.

For additional information plesase reach out to the Debian Mirrors Team maillist.

Značky: #Debian, #mirrors, #debian, #infrastructure, #technical

Next week the #MiniDebConfCambridge takes place in Cambridge, UK. This event will run from Thursday 23 to Sunday 26 November 2023.

The 4 days of the MiniDebConf include a Mini-DebCamp and of course the main Conference talks, BoFs, meets, and Sprints.

We give thanks to our partners and sponsors for this event

Arm - Building the Future of Computing

Codethink - Open Source System Software Experts

pexip - Powering video everywhere

Please see the MiniDebConfCambridge page more for information regarding Travel documentation, Accomodation, Meal planning, the full conference schedule, and yes, even parking.

We hope to see you there!

Značky: #cambridge, #debianevents, #sponsors, #minidebconf, #Debian

Due to the current state of affairs in Israel, who were to host DebConf24, the DebConf committee has decided to renew calls for bids to host DebConf24 at another venue and location.

The DebConf committee would like to express our sincere appreciation for the DebConf Israeli team, and the work they've done over several years. However, given the uncertainty about the situation, we regret that it will most likely not be possible to hold DebConf in Israel.

As we ask for submissions for new host locations we ask that you please review and understand the details and requirements for a bid submission to host the Debian Developer Conference .

Please review the template for a DebConf bid for guidelines on how to sumbit a proper bid.

To submit a bid, please create the appropriate page(s) under DebConf Wiki Bids , and add it to the "Bids" section in the main DebConf 24 page.

There isn't very much time to make a decision. We need bids by the end of November in order to make a decision by the end of the year.

After your submission is completed please send us a notification at debconf-team@lists.debian.org to let us know that your bid submission is ready for review.

We also suggest hanging out in our IRC chat room #debconf-team .

Given this short deadline, we understand that bids won't be as complete as they would usually be. Do the best you can in the time available.

Bids will be evaluated according to The Priority List .

You can get in contact with the DebConf team by email to debconf-team@lists.debian.org , or via the #debconf-team IRC channel on OFTC or via our Matrix Channel .

Thank you,

The Debian Debconf Committee

Značky: #Debian, #debian, #debconf, #debconf24