Debian Issues Statement about the EU Cyber Resilience Act
The EU Cyber Resilience Act (CRA) and the Product Liability Directive (PLD) aim to introduce a set of cybersecurity and vulnerability handling requirements for manufacturers, with the intention to improve security. However, the Debian project has issued a statement raising concerns about the negative implications for the open-source community and contributors.
Key concerns for the open-source community are:
- Potential legal peril: The Debian project believes that the CRA's requirements could make redistributing Free Software legally risky, endangering their commitment to providing an integrated system without legal restrictions.
- Difficulty determining software's commercial status: Most Free Software projects, including Debian, cannot feasibly determine whether software is commercial or not, complicating compliance with the CRA.
- Increased security risks and effects on code availability: Fear of the CRA's financial consequences may lead upstream projects to stop making their code available, which could worsen system security.
- Discouragement of developers: The need for legal advice before contributing to Free Software projects may discourage developers who don't have organizational support.
The CRA could also have broad implications for Debian's security practices:
- Challenges to responsible disclosure: The 24-hour mandatory reporting to European authorities could undermine the established responsible disclosure practices in the Free Software community.
- Centralized vulnerability reporting risks: Collecting all software vulnerabilities in one place increases the risk of leaking information to threat actors, putting users and privacy-focused initiatives at risk.
- Downplaying security issues: Legal implications may cause developers and companies to downplay security issues, leaving users more vulnerable.
To mitigate these concerns, Debian's statement proposes:
- Exempting open development processes from CRA requirements: Just as software developed in private is not covered by the CRA, open development should be exempt to maintain parity.
- Exempting small businesses and solo-entrepreneurs: To protect small projects and businesses that can't meet the CRA's requirements, an exemption should be introduced.
Overall, the Debian project believes that the EU Cyber Resilience Act could have significant negative implications for the open-source community and its contributors, potentially stifling innovation and undermining security practices.