Debian Developers Issue Statement on Cyber Resilience Act

The Debian project, a community of developers responsible for maintaining packages and infrastructure, has held a General Resolution (GR) vote approving the project's position on the Cyber Resilience Act (CRA) now advancing in the European Union. The bill aims to impose additional requirements on software manufacturers to improve security maintenance and transparency.

The bill proposes fines of up to 15 million euros or 2.5% of a company's annual turnover for non-compliance. If passed, manufacturers will be required to allocate funds for fixing vulnerabilities, assess product risks, conduct security testing (with mandatory external audits for critical systems), eliminate vulnerabilities throughout the product life cycle, and report security incidents within 24 hours of detection.

While the bill primarily targets commercial software manufacturers, the Debian community is concerned about its potential negative impact on the open-source software development ecosystem. They believe the bill could hinder the advancement of open projects and impede the growth of the movement as an international force. Liability for security issues and for insufficient vulnerability fixes could discourage companies from developing software based on open code.

The bill also raises concerns for independent projects that incorporate code from commercial products. It is unclear who is liable if open code developed by a commercial company is handed over to non-profit projects and then used by Linux distributions.
