Fedora To Have a "Don't Ask, Don't Tell" For Contributors
An anonymous reader writes "The Fedora Project is now going to enforce a "Don't Ask, Don't Tell" policy for contributors. What the project's engineering committee is asking their members to conceal is a contributor's nationality, country of origin, or area of residence. There's growing concern about software development contributions coming from export restricted countries by the US (Cuba, Iran, North Korea, Sudan, and Syria) with Red Hat being based out of North Carolina, but should these governmental restrictions apply to an open-source software project?"
Huh? (Score:2, Insightful)
If someone in Syria submits a contribution to US based software, how does that infringe an export ban?
Re: (Score:3, Interesting)
"If someone in Syria submits a contribution to US based software, how does that infringe an export ban?"
I think the point here is more like: should a North Carolina-based company be doing business with countries that the U.S. government is sanctioning?
Re: (Score:2)
I think the point here is more like: should a North Carolina-based company be doing business with countries that the U.S. government is sanctioning?
Exactly what do you define a "business"?
It's a business if no money changes hands?
Re: (Score:2)
I think the point here is more like: should a North Carolina-based company be doing business with countries that the U.S. government is sanctioning?
Of course they should - for all the reasons Americans hold dear.
Would the US Government think so? Probably not, but look at the shit going down in Venezuela as a direct consequence of Kennedy's EO on Cuba - they have no idea what they're doing (or are at least in severe denial about free markets and trade's effect on freedom because they want to be central plan
Re: (Score:2)
Pishaw. Vice Presidential corporate buddies get a free pass.
Re: (Score:2)
If someone in Syria submits a contribution to US based software, how does that infringe an export ban?
Ask yourself this - how could someone in Syria contribute to code they've never seen before?
Re:Huh? (Score:4, Insightful)
The same way that Western goods make their way to any country under export control, through intermediaries.
Coke can't sell to North Korea. Coke however can be sold (or made) in China and then gets shipped across the line [projectcensored.org] to North Korea.
Is it really hard to imagine that Syria or Iran might be able to download from an intermediary country that might have a mirror of the distribution? Or had someone travel to such a country to download it? Or just went through a VPN or proxy? Or...
Re: (Score:2)
The same way that Western goods make their way to any country under export control, through intermediaries.
Coke can't sell to North Korea. Coke however can be sold (or made) in China and then gets shipped across the line [projectcensored.org] to North Korea.
Is it really hard to imagine that Syria or Iran might be able to download from an intermediary country that might have a mirror of the distribution? Or had someone travel to such a country to download it? Or just went through a VPN or proxy? Or...
Is Coca-Cola restricted by ITAR?
Something tells me the rules for cryptography exports are a bit more stringent than the ones for sugar water.
Re: (Score:2)
The code could very well be based in a project without so many stupid trade restrictions. For example, let's pretend Linus still lives in Finland, and that he is hosting the git repo in Finland.
While that does appear a legitimate work-around, I feel compelled to point out that OP specified US-based software. Pretty sure something that's hosted out of a non-US repo wouldn't count.
Re: (Score:2)
If that happened people would just move the repositories elsewhere. Welcome to the Internet.
Remember separate distro repositories for people in countries with restrictions on strong encryption?
Re: (Score:2)
What if the check out server is in the Cayman Islands?
Re: (Score:2)
Or a proxy server.
Or VPN.
Or intermediary country.
Re: (Score:2)
Presumably because it would not be possible for such a contribution to be made without the import ban first being broken.
So don't export to them. Export to someone else, and then they export to them.
A huge part of the code isn't made in USA anyway. Worst case scenario is these guys making contributions on non-USA code on some other country's SVN server to be merged to Fedora later.
Re: (Score:2)
Presumably because it would not be possible for such a contribution to be made without the import ban first being broken.
So don't export to them. Export to someone else, and then they export to them.
That is expressly forbidden with physical exports under US law. Your responsibility for an export doesn't end once it leaves your hands if you didn't do due diligence to ensure that the ultimate recipient wasn't a denied party. This is a fairly obvious loophole otherwise.
Now, how all of this applies to software is anybody's guess.
Re: (Score:2)
Your responsibility for an export doesn't end once it leaves your hands if you didn't do due diligence to ensure that the ultimate recipient wasn't a denied party.
And exactly how does the Law expect the exporter to manage that? That's impossible! It's the USA Government that has armed troops to enforce policies, not the civilian exporters!
Re: (Score:2)
Your responsibility for an export doesn't end once it leaves your hands if you didn't do due diligence to ensure that the ultimate recipient wasn't a denied party.
And exactly how does the Law expect the exporter to manage that? That's impossible! It's the USA Government that has armed troops to enforce policies, not the civilian exporters!
The Law can expect anything it wants to - quite a few laws are unreasonable. The anti-smartphone-while-driving law in California appears to ban having a powered-on smartphone in the front passenger's purse, which is obviously unreasonable. That is why they're all selectively enforced.
Generally if you show due diligence you're fine. That's why big corporations require all their sub-contractors to screen their own shipments/payments against export control lists as a condition for getting business.
Just loo
Only the final validation (Score:2)
Re: (Score:2)
But such a process doesn't actually exist, since bugs exist, so they must occasionally get through the validation.
Re: (Score:2)
IANAL! (Score:2)
'but should these governmental restrictions apply to an open-source software project?' there would appear to be two different questions here. (1) does the current law apply and (2) should the law apply.
w.r.t. (1) Sounds like some cognizant group has determined that the law does (or at least may) apply, so the Fedora team is taking the steps they can.
As for (2), that is a matter for Congress. Lobby them if you think the law should carve out an exception for Open Source projects (all or some specific license
Re: (Score:2)
Lobby Congress? Really?
That's part of the problem. The people with the most money always wins.
Re: (Score:2)
You hit the nail on the head. I've seen discussion between a few FOSS projects around this, and they all would love to have contributors from countries like Iran, but the legalities around this are pretty muddy, so nobody with anything to lose wants to touch this.
The laws are written pretty broadly. It is hard to see how the regime in Iran benefits if an Iranian citizen can donate code to a project usable by anybody. I could see the argument against being allowed to pay them, or even donate to them or re
Elephants in the mist (Score:3)
"Go to jail. Go directly to jail. Do not pass Go" (Score:2)
There's growing concern about software development contributions coming from export restricted countries by the US (Cuba, Iran, North Korea, Sudan, and Syria) with Red Hat being based out of North Carolina, but should these governmental restrictions apply to an open-source software project?
In the name of god, why would a geek think open source development would give his US-based project Immunity from American law?
Export controls come with teeth that bite. Suggesting that your contributors conspire to evade those controls is an invitation to disaster for everyone involved.
Re: (Score:2)
To say it's 'export controlled' is an oversimplification of the restrictions around working with those nations.
But in simple terms, this is about *contributors*, not downloading. And if it weren't an issue, then Fedora people wouldn't be trying to game it for plausible deniability (which of course doesn't work when you say "Hey everyone, I want to be able to claim plausible deniability so could you just omit some information so I can do that?").
Common sense, upside down (Score:2)
So you're telling me that North Korean and Iranian scientists are just as likely to contribute malicious code to libraries used by Western agencies as anyone else? I think not.
Open-source is supposed to be about maximum transparency, not about hiding information that might actually be relevant. Imagine having to apply security at airports if you had no idea whether the person you are about to scan is a 90 year old grandmother or an 18-25 male from the Middle East. Statistics and common sense tells you that
Re: (Score:3)
Well, you totally failed at this one.
If you only scan the 18-25 year old male from the Middle East, then the radical element will find a way to use the person that is not scanned. They'll use the 90-year-old grandmother with or without her knowledge.
You fail at security.
Re: (Score:2)
The reason that terrorists use 18-25 year old males from the Middle East by default is that such people are the most practical for them to use, and that using someone else would be a lot harder and would make it more likely they would get caught (for instance, because such alternates have less loyalty to them).
Scanning the targets that are easiest for terrorists to use doesn't stop them, but it makes their plan harder compared to scanning random people, as long as you still scan the random people at some lo
Re: (Score:2)
In game theory, when the rival player can adapt to any pure strategy, it makes sense to adopt a mixed strategy. In this example, it might mean that we randomly scan either the 18-25 year old male from the Middle East and/or the 90-year-old grandmother. But the 18-25 year old is more likely to be picked, because the rival has a lower cost of training the 18-25 year old male.
Disclaimer: this has nothing to do with what is just, just what is more strategic.
Be aware of the consequences (Score:2)
Fine, accept code from foreigners, but be well aware that this will make it certain that it will not be used in many corporate sites. One of the items I have to certify when using open-source in a corporate environment is that there is no foreign content. Otherwise it cannot be used. No one is going to go through the source code from something like OpenOffice and look for malicious code, and show that it does not exist; if it has off-shore content, it will not be used, period.
Re:Be aware of the consequences (Score:5, Informative)
One of the items I have to certify when using open-source in a corporate environment is that there is no foreign content.
That's pretty idiotic. Most projects involve foreign content. All it takes is one stealthy Canadian and you can't use it? What about Canadians living in the United States? Is that still foreign? Just how xenophobic are you?
Do you vet each commercial package as well to make sure they don't have a single line of code produced in India?
No one is going to go through the source code from something like OpenOffice and look for malicious code, and show that it does not exist; if it has off-shore content, it will not be used, period.
Enjoy going back to pen and paper then, you won't find much software anywhere that you can demonstrate has no "off-shore" content.
Re: (Score:2)
One of the items I have to certify when using open-source in a corporate environment is that there is no foreign content.
Well, let's see. There's the Linux kernel. I hear that was developed by some guy in Finland. Then there's Samba, which comes from Australia, I believe.
Anyone care to add to the list? This is just for starters.
Re: (Score:2)
if it has off-shore content, it will not be used, period.
[citation needed]
Aside from some ITAR class stuff, I call B.S. on this.
Where companies might have a 'feel good' buy American policy, it usually isn't strictly followed. When I used to work for a local utility in the '80s, we were replacing full sized half ton pickup trucks used by our meter readers. The replacement: Chevy LUV pickups (Isuzus rebadged). Management recognized the paradox of the situation but said, "As long as it has an American name stamped on it, we don't give a sh*t."
oh yes (Score:2)
Doesn't an export restriction mean... (Score:2)
Doesn't an export restriction mean you can't send goods to a restricted country? If somebody in Cuba sends code to Redhat, in the US, that would seem to be an import. There is an easy solution, even if it does apply. Said developer just needs to upload it to a server in a friendly country without the restriction and Redhat gets it from there. In such cases, usually France is the go-between.
Re:Lawsuit? (Score:5, Insightful)
If contributing to open source projects is wrong, then I don't want anybody to be right.
Re: (Score:2, Funny)
Those Open Source nuts should all be imprisoned! Or, at the very least, branded as the traitors they are, aiding and abetting the enemy. Perhaps they should all go to Russia with Snowden.
Re: (Score:3, Insightful)
Maybe the US should stop making enemies.
Re: (Score:2)
Maybe hostile nations should stop trying to pwn open source projects with back door code. You tell me that all code is inspected, I say BS. Instead of "don't ask don't tell" we need rigorous account checking. Who is the person submitting the code? What is his background? What other code has he submitted?
Re:Absolutely (Score:5, Interesting)
This could quite possibly qualify as "civil disobedience", which has a long history in the US.
Re: (Score:2)
"Noble cause" isn't a defense in itself.
If you won the battle, it is.
Re:Absolutely (Score:5, Informative)
No, but it can be good enough for a jury to find them non-guilty despite the facts - a tradition that extends throughout US history and long before.
Remember, your obligation as a juror is not just to judge the facts of the case, but to ensure that justice is served. Despite the law if necessary. See Jury Nullification for more information.
Re:Absolutely (Score:5, Funny)
No, but it can be good enough for a jury to find them non-guilty despite the facts - a tradition that extends throughout US history and long before.
Remember, your obligation as a juror is not just to judge the facts of the case, but to ensure that justice is served. Despite the law if necessary. See Jury Nullification for more information.
Want to get out of jury duty? Say the words "jury nullification".
Re:Absolutely (Score:5, Insightful)
Want to have a shot at being able to fight for justice? Keep your mouth shut.
Re: (Score:3)
If you've read "On Civil Disobedience" by Thoreau, the jury didn't get a chance to find non-guilty. He didn't contest the charges. The goal is to get thrown in prison so that it becomes too expensive for the civil authority to continue enforcing the law.
Re: (Score:2)
I have not read it, but I will make two points:
1) There are many kinds of civil disobedience - in some cases a mass uprising to flood the courts and prisons is a viable option. In others only a single person or small group is in a position to be able to meaningfully disobey.
2) In the US, unless I badly misremember, a confession alone is not sufficient for a conviction. You still get your trial by jury, even if pleading guilty. A plea bargain can potentially short-circuit the process, but that would be co
Re: (Score:2)
The first step in the trial process is arraignment, where the list of charges against you is read and you are asked whether you plead guilty, not guilty, or no contest to each of them. If you don't plead not guilty, there is no trial and things skip directly to sentencing.
Re:Absolutely (Score:4, Interesting)
No, there's one kind of civil disobedience. It's just there's a lot of posers out there who want the "cool factor" of claiming martyrdom without having to follow through on all the down sides of actually being a martyr.
Re: (Score:2)
By this definition of civil disobedience, MLK was a poser.
Re: (Score:3)
No, he wasn't. King was imprisoned 29 times during his movement, during which he would not even accept being released on bail before trial. Most notably in Birmingham, Alabama, where he was one of almost a thousand people to be arrested. Again, getting sent to jail was the deliberate goal of the protest, as it overloaded the civil authority's ability to enforce an unjust law.
http://en.wikipedia.org/wiki/L... [wikipedia.org]
Re: (Score:2)
And a citizen's duty in a democracy is to, in most circumstances, obey the laws passed by its people.
Sometimes those laws are particularly egregious, and in those RARE circumstances civil disobedience may be justified. But that bar needs to be VERY high, otherwise it just degenerates into "I really think IP laws suck, so I'm torrenting everything and calling it civil disobedience." That's not a noble cause, it's undermining democracy and society.
I don't really see how you could classify export restrictions a
Re: (Score:2)
That presupposes that you live in a functioning democracy where the people get a powerful voice in the passing of laws. Iceland and Sweden spring to mind as potential candidates for being such, I can't think of many others offhand.
Re: (Score:2)
There have been supreme court justices that disagree with your opinion, though I agree that it is by far the majority opinion.
FWIW, when I am on a jury, I decide based on justice. And I don't let any judge tell me what justice is, not with the corrupt way they have gamified the court system, to the point where I will not call it a "justice system".
As it happens, every time I've been on a jury, the case was, AFAICT, a valid case, and I happened to agree with the judge. This doesn't mean that if I felt that
Re: (Score:2)
Going to jail for civil disobedience has an equally long history in the US. In fact the book that coined the term was written when Thoreau was in prison for refusing to pay his war tax.
Re: (Score:2)
Don't ask, don't tell passed legal muster for the U.S. armed forces...
Re:Absolutely (Score:5, Informative)
The situations are rather different. The stated purpose of the US military's DADT policy (which was repealed back in 2011, incidentally) was to allow homosexuals to serve while eliminating the perceived drawbacks (specifically, a reduction in unit cohesion and morale) that came with having them serve openly.
In contrast, the stated reason export restrictions are in place is to sanction or otherwise prevent the sharing of goods and information with certain countries. Fedora's DADT policy does nothing to address those issues, since those reasons are intact, regardless of whether the individual's nationality is known or not. If anything, it may make the problem worse by providing a false sense of legitimacy and legality to the nature of the business relationship, encouraging others to break the law as well. All Fedora is trying to do is eliminate their own culpability through willful ignorance, but the law makes it clear that they are required to proactively ensure that the people they share their data with are not from export-restricted countries. Willful ignorance is no excuse.
To be clear, I'm NOT addressing the topic of how things ought to work, how things should be, or whether these restrictions make any sense at all. That's a discussion for another comment thread.
Re: (Score:2)
This allows individuals in restricted countries to contribute to greater software quality and security without the perceived drawbacks [...]
What perceived drawbacks? In the case of the military's DADT policy, regardless of what the law was, there was a concern about how having homosexuals openly serving would affect the performance of units. In this case, however, individuals from those countries are simply barred because the US has cut off exports to those nations and requires that all US companies be proactive in doing the same. Nothing more. No perceptual issues at all. If the law was off the books tomorrow, virtually every open source proje
Re: (Score:2)
> If the law was off the books tomorrow, virtually every open source project would welcome their
> participation with open arms.
Them not being able to participate is a drawback. Frankly, ignoring laws that are wrong is a person's duty. There is no legitimate reason to bar their participation. Respect for laws that are wrong is disrespect for the law's victims.
I have yet to see any reasonable argument why anyone should see it as their duty to follow the law just because somebody made a law.
Re: (Score:2)
Them not being able to participate is a drawback.
Sure, but I was talking specifically about perceived drawbacks that were the cause for being barred from participation and how the military thought it was addressing those with its DADT policy, whereas no drawbacks preventing participation were being addressed here. That is, the reasons they were barred from participation are still just as (in)valid as they were before, but now Fedora is willfully ignoring that fact. Yes, their lack of a participation is a drawback, but their lack of participation is not a
Re: (Score:2)
IIUC, Fedora is not increasing the export of code, but rather allowing the import of code. As such, I don't see why the law should have anything to do with it. If it does, then this needs to be explained more clearly.
What this seems to be doing is allowing Fedora to import code with names assigned, but without geocoding it. It is true that this would imply that the contributor had, in some manner, got hold of the original code, but this doesn't mean that Fedora gave them access. Probably they got it fro
Re: (Score:2)
Clear, cogent and logical reasoning. What makes you think that will have anything at all to do with reality?
Re: (Score:2)
Because the government thinks it's in its own interest to enforce those laws, otherwise they'd have wiped them out already, given that they're the only ones keeping them on the books.
Re: (Score:2)
Never attribute to conscious thought that which can be explained by laziness, forgetfulness, apathy, or political distancing.
Of course, I kid, this is one of those cases where somebody is going to make a political issue of it and "strip away the sham." Fedora is giving themselves a little bit of an enforcement delay, or warning, at best, with this move.
Re: (Score:2)
Don't ask, don't tell passed legal muster for the U.S. armed forces...
They have guns. Fedora guys have not. :-)
Re: (Score:2)
Their slang term "open sores" to describe open source software will ironically come true. We will bleed.
Can you cite this? In fact, can you cite where the republican party (let's say the past 10 years) said that gays should be in prison?
And I don't mean a one off republican. I can find pretty of crazy democrats to quote. I am asking where the party position was anything close to what you slandered.
Re: (Score:3)
"Law is Law".
And orders are orders ("Befehl ist Befehl").
"One may well ask, 'How can you advocate breaking some laws and obeying others?' The answer is found in the fact that there are two kinds of laws: just laws . . . and unjust laws."
Re: (Score:2)
And who decides which are which?
If society found a law unjust, it would be repealed.
If that is an individual, and not society at large, then all laws are unjust in someone's eyes.
Re: (Score:2)
And who decides which are which?
If society found a law unjust, it would be repealed.
If that is an individual, and not society at large, then all laws are unjust in someone's eyes.
Only in an ideal world. We don't have that luxury.
Re: (Score:2)
Seems like it would just be better to lease a server in Zimbabwe or something, instead of the steps they are currently taking.
Re: (Score:3)
Since our purchased Congress is inherently incapable of understanding any project that doesn't conform to a corporate structure or corporate "profit at all costs" philosophy, I wouldn't be surprised if this is what happens. In the end, no way to download source code from a US site.
Re: (Score:3)
If you aren't paying, and you aren't taking ownership of something, is it really a violation of import restrictions? I mean, how does that hurt the sanctions against Cuba, for example?
Re:Absolutely (Score:5, Interesting)
Yes and "it's complicated".
The point of the sanctions is to say "If you're not going to play Global Economic Power nicely*, you're not going to play at all." That doesn't just mean "you're not going to win", but it also includes "you're not going to practice", "you're not going to have others play for you", and "you're not going to share the winnings with anyone who does play."
It has been upheld in US courts that even the minor fame from open-source authorship counts as economic gain (thus reinforcing the GPL's validity as being consequential). Acknowledging that Cuban programmers are good enough for inclusion in Fedora implies that Cuban programmers might be good enough for other projects, and that's marketing - certainly a part of that Global Economic Power game.
* For pro-American values of "nicely"
Re: (Score:2)
Ah, but then the "don't ask" policy officially quashes the "minor fame" aspect. What other avenues of fake profit exist?
Re: (Score:2)
Yes, that's exactly why the policy exists. Fedora's hoping they can do an end-run around the sanctions, but the problem lies in the "don't tell" side. If the submissions are traceable back to their contributors, then there's no reason a prolific contributor can't simply announce who he is, regardless of Fedora's policies. Then they get instant (minor) fame and can have their 15 minutes in the spotlight.
Re: (Score:2)
It has been upheld in US courts that even the minor fame from open-source authorship counts as economic gain (thus reinforcing the GPL's validity as being consequential).
I'd like to know the court citation. I did a quick Google search for "Arms Export Control Act open source software" and it looked like open source and anything else that was public domain was not subject to export restrictions.
http://oti.newamerica.net/blog... [newamerica.net]
http://www.mtu.edu/research/ad... [mtu.edu]
As to imports of scientific information, I read about that (I think) in Science, about how some American journals were refusing to accept papers from restricted countries. At least some lawyers argued that the regulatio
Re: (Score:3)
If you aren't paying, and you aren't taking ownership of something, is it really a violation of import restrictions? I mean, how does that hurt the sanctions against Cuba, for example?
I've been involved in this discussion on another open source project where we have a potential contributor from a fairly-heavily-embargoed nation. The issue is that the wording of the laws is very broad. There isn't much question that we couldn't send money to the developer in question, but the problem is that the law would seem to cover even receiving donations from them (in goods, services, or money).
I suspect the reason is that the laws were written to be fairly loophole-proof. If you spot somebody sa
Re: (Score:2)
That's an American company making money. That doesn't benefit Cuba at all.
Re: (Score:2)
Right. To begin with, Red Hat is a company and they also make money. For both reasons they get no exception to export restrictions. It doesn't mean you have to like it. But that's the law and there's no reason to grant an exception.
Re:Absolutely (Score:4, Insightful)
I don't know the intricacies of U.S. law, but I was under the impression that the law regarding encryption algorithms as munitions was no longer in place.
Correct. Software is not export-controlled specifically at all.
Unless there's something else restricting software specifically, there's no economic value to restrict unless you have paid developers in restricted/embargoed territories who are receiving money across the border.
The problem is that the prohibitions are blanket ones against money, goods, and services moving in either way across the border with a few named countries like Iran (these kinds of laws exist in many countries, the specific targets vary, but Iran is a pretty common one so I just use that as an example). You actually need an exception to the law to ship anything at all in either direction, and those exceptions usually require specific licenses from the government (you're allowed to ship n kg of wheat into Iran or whatever).
Sure, it doesn't make as much sense when applied to FOSS, but the laws were written broadly without FOSS in mind. So, companies and non-profits aren't terribly eager to test them. It is entirely possible that a court would find accepting free contributions is non-infringing, but it is also possible that a court would treat you like somebody shipping crates full of missiles.
It is a big mess, and different FOSS organizations are handling it in different ways. Some try to have organizations in various jurisdictions so that they can keep different activities in different areas. Some just ban it. Some don't think it is a problem. Since nobody has gone to court yet, it is hard to say what the outcome would be the first time this happens.
Re:Absolutely (Score:5, Interesting)
Maybe it's a stupid question, but can't you "launder" code by routing it through a third nation and recommitting the code from there?
What is the export restriction on anyway? The bits? The IP? And does it extend to any derived work of an export restricted IP burdened work? Because if any piece of code on which any citizen of a restricted country has copyright counts, I'm pretty sure the Linux kernel would contain at least one line, meaning all Android phones and most routers, servers etc. would be illegal?
Also, DADT sounds really stupid as company policy. I don't know a lot about US law, but in the Netherlands corporate liability extends if the management knew or was in a position to know that law was breached, and having policy to conceal such breach is good evidence that management was in a position to know. Any US lawyers care to comment?
Re: (Score:3)
Fedora is a US based company, yes? Then should they abide by US laws?
Actually, it's the position of the U.S. government that you should have to abide by U.S. laws no matter where you're based.
Re: (Score:2)
I don't trust anonymous comments on Slashdot. Just look at all the nonsense (hosts files for one) that's based in this thread alone.
I'd trust code I can see from a place I don't trust more than I'd trust code I can't see from a place I like.
Re: (Score:2)
Because I do NOT trust code from Russia, China, anywhere in the Middle East, and a few other places. Just look at all the crime (Target for one) that's based in Russia alone.
Well, unfortunately, maintainers have found they also cannot trust sources in the US and other nations due to corporate and government intrusion either. Nor can you trust the code is entirely bug free, and who knows if the security flaw bug was intentionally introduced.
The only answer for open source maintainers is constant vigilance. NOBODY is to be trusted.
Search back to when Linus Torvalds was asked if the NSA and other agencies had ever tried to make him to install back doors in the kernel. He said "N
Re: (Score:2)
Because I do NOT trust code from Russia, China, anywhere in the Middle East, and a few other places.
You are free to audit the code. ;-)
Re:Do they apply to US-based commercial products? (Score:4, Informative)
No. No, they do not, for one simple reason - Microsoft doesn't take source code from their userbase and roll it into the next release of Windows. The entire issue simply doesn't come up with closed source, because no one outside has access to the source code in the first place.
Red Hat's problem in this situation really has no analog in the conventional business world. ITAR 18 USC 2339B simply doesn't address the situation of accepting material support from blacklisted entities. They just want to make sure that our ever-growing list of enemies doesn't someday require purging millions of lines of functioning source code. "Well what do we have here... Looks like you accepted code from one of those evil bastard terrorist(tm) Finns - Get ready for PMITA!"
Re: (Score:3, Interesting)
ITAR is still alive and well, we recently had lots of "fun" trying to get a decent frequency standard for our internal cal lab in (non-EU) eastern Europe.
"OMG, the Russkies could steal the secrets of the atomic... clock?!?"
Re: (Score:2)
They are restricted because they are used in GPS and similar applications. Even if you are doing dead-reckoning the more precise the clock is the more accurate the results will be. This is unsurprisingly useful in things like munitions. e.g. a nuclear weapon will have a lower CEP if you have more accurate clocks in the system.
Re: (Score:2)
Export restrictions
Except that this is an issue of imports, not exports.
Work is allegedly being done in some foreign country and then brought in as a component of a (supposedly) US product. Yes, the subsequent export of that product might raise some issues. But not logically over the foreign-built bits.