Debian Developers' Statement on the Cyber Resilience Act


A few days ago the results of the Debian project's general resolution vote were published, in which the developers set out their position on the Cyber Resilience Act (CRA) proposed in the European Union.

The Cyber Resilience Act aims to establish additional requirements for software manufacturers, with the aim of improving security and vulnerability management throughout the product life cycle. However, the Debian community has expressed concern about its potential impact on the open source software development ecosystem.

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is legislation proposed by the European Commission that aims to increase the cybersecurity of digital products and services in the European Union.

The CRA establishes a series of requirements for manufacturers and suppliers of digital products and services, which must be met throughout the entire life cycle of the product or service. For non-compliance with these requirements, it provides for fines of up to 15 million euros or 2.5% of the company's annual turnover.

Once the legislation is passed, manufacturers will be required to facilitate the distribution of patches that address vulnerabilities in their products. They must also carry out security risk assessments before launching new products on the market and perform security testing; in particular, mandatory external audits will be introduced for critical systems. Manufacturers are also expected to eliminate vulnerabilities throughout the entire product life cycle and to report security incidents to the European Union cybersecurity agency (ENISA) within a maximum of 24 hours of their discovery.

It is worth mentioning that the main impact of the legislation will fall on commercial software producers, but there is concern in the community about its possible negative effect on the open source software development ecosystem.

Main points of concern

Legal liability for Debian

The bill introduces legal liability for failure to comply with security requirements, which conflicts with Debian's social commitment to distribute software for any purpose and without restrictions. Because Debian does not track the provenance of the code it ships and distributes software for any purpose without restrictions, it faces legal risks in complying with the requirements set out in the CRA.

Possible withdrawal of upstream projects

The CRA could lead upstream projects to stop publishing their code for fear of sanctions. It could also make it harder for the open source community to share code, as developers would first need to weigh the legal implications.

Impact on open source development

The community fears that the CRA could limit the advancement of open source projects and hinder the international development of open source software. Companies that use or contribute to open source projects could be held responsible for security issues, even if the code was written in other countries.

Legal risks for independent projects

Independent projects that incorporate code from commercial manufacturers may face uncertain legal consequences, as the legal liability introduced by the CRA could affect the transfer of code between commercial and non-commercial projects.

Questionable nature of reporting requirements

Developers express doubts about the requirement to report security issues to the European Network and Information Security Agency (ENISA) within 24 hours. Concentrating information about unpatched vulnerabilities in one place could pose significant risks in the event of a data leak.

Demands and Proposals

Exclusion of open source development

Debian developers are calling for open source development to be removed from the CRA entirely and for the law to only apply to final products.

Exemption for sole traders and small businesses

It is proposed that the CRA requirements not apply to sole traders and small businesses, since they may be unable to meet all of the requirements and could be forced to close.

Reassessment of reporting requirements

Debian developers call for a reassessment of the need for and nature of the CRA reporting requirements, taking into account the security risks associated with them.

The Debian developers' statement highlights the importance of preserving the open and collaborative nature of open source software development amid concerns raised by the proposed CRA.

Finally, if you are interested in learning more, you can consult the details at the following link.
