
Fedora To Have a "Don't Ask, Don't Tell" For Contributors 212

Posted by timothy
from the the-right-kind-of-discretion dept.
An anonymous reader writes "The Fedora Project is now going to enforce a "Don't Ask, Don't Tell" policy for contributors. What the project's engineering committee is asking their members to conceal is a contributor's nationality, country of origin, or area of residence. There's growing concern about software development contributions coming from export restricted countries by the US (Cuba, Iran, North Korea, Sudan, and Syria) with Red Hat being based out of North Carolina, but should these governmental restrictions apply to an open-source software project?"
  • Huh? (Score:2, Insightful)

    by Hognoxious (631665)

    If someone in Syria submits a contribution to US based software, how does that infringe an export ban?

    • Re: (Score:3, Interesting)

      "If someone in Syria submits a contribution to US based software, how does that infringe an export ban?"

      I think the point here is more like: should a North Carolina-based company be doing business with countries that the U.S. government is sanctioning?

      • by Lisias (447563)

        I think the point here is more like: should a North Carolina-based company be doing business with countries that the U.S. government is sanctioning?

        Exactly how do you define a "business"?

        It's a business if no money changes hands?

      • So when news reporters publish reports from people interviewed in those countries, is that "doing business" with those countries as well? That's also a transfer of copyrightable material from those countries into US, just like the FLOSS contributions.
      • I think the point here is more like: should a North Carolina-based company be doing business with countries that the U.S. government is sanctioning?

        Of course they should - for all the reasons Americans hold dear.

        Would the US Government think so? Probably not, but look at the shit going down in Venezuela as a direct consequence of Kennedy's EO on Cuba - they have no idea what they're doing (or are at least in severe denial about free markets and trade's effect on freedom because they want to be central plan

    • If someone in Syria submits a contribution to US based software, how does that infringe an export ban?

      Ask yourself this - how could someone in Syria contribute to code they've never seen before?

      • Re:Huh? (Score:4, Insightful)

        by cdrudge (68377) on Thursday March 06, 2014 @01:42PM (#46420677) Homepage

        Ask yourself this - how could someone in Syria contribute to code they've never seen before?

        The same way that Western goods make their way to any country under export control, through intermediaries.

        Coke can't sell to North Korea. Coke however can be sold (or made) in China and then gets shipped across the line [projectcensored.org] to North Korea.

        Is it really hard to imagine that Syria or Iran might be able to download from an intermediary country that might have a mirror of the distribution? Or had someone travel to such a country to download it? Or just went through a VPN or proxy? Or...

        • Ask yourself this - how could someone in Syria contribute to code they've never seen before?

          The same way that Western goods make their way to any country under export control, through intermediaries.

          Coke can't sell to North Korea. Coke however can be sold (or made) in China and then gets shipped across the line [projectcensored.org] to North Korea.

          Is it really hard to imagine that Syria or Iran might be able to download from an intermediary country that might have a mirror of the distribution? Or had someone travel to such a country to download it? Or just went through a VPN or proxy? Or...

          Is Coca-Cola restricted by ITAR?

          Something tells me the rules for cryptography exports are a bit more stringent than the ones for sugar water.

      • The code could very well be based in a project without so many stupid trade restrictions. For example, let's pretend Linus still lives in Finland, and that he is hosting the git repo in Finland. Red Hat is a major contributor, but the Syrian could have gotten the code straight from the source in Finland.
        • The code could very well be based in a project without so many stupid trade restrictions. For example, let's pretend Linus still lives in Finland, and that he is hosting the git repo in Finland.

          While that does appear a legitimate work-around, I feel compelled to point out that OP specified US-based software. Pretty sure something that's hosted out of a non-US repo wouldn't count.

          • If that happened people would just move the repositories elsewhere. Welcome to the Internet.

            Remember separate distro repositories for people in countries with restrictions on strong encryption?

  • Only the final validation contributions should be of concern in relation to contributions from export ban countries. The process that removes problems induced by errors (stupidity) ought to be good enough to catch the ones induced by malice as well.
    • by ultranova (717540)

      The process that removes problems induced by errors (stupidity) ought to be good enough to catch the ones induced by malice as well.

      But such a process doesn't actually exist, since bugs exist, so they must occasionally get through the validation.

      • When I think about this, I think that people who don't trust software with code contributions from people in export ban countries might also not want to trust software with bugs, since people in export ban countries could exploit those bugs, regardless of the bugs' origin. One might argue that really skillfully created problems would have the ability to preferentially go unnoticed by the validation process, but problem creators with that skill level would also have the skill to spoof the origin of their co
  • by khb (266593)

    'but should these governmental restrictions apply to an open-source software project?' there would appear to be two different questions here. (1) does the current law apply and (2) should the law apply.

    w.r.t. (1) Sounds like some cognizant group has determined that the law does (or at least may) apply, so the Fedora team is taking the steps they can.

    As for (2), that is a matter for Congress. Lobby them if you think the law should carve out an exception for Open Source projects (all or some specific license

    • Lobby Congress? Really?

      That's part of the problem. The people with the most money always wins.

    • by Rich0 (548339)

      You hit the nail on the head. I've seen discussion between a few FOSS projects around this, and they all would love to have contributors from countries like Iran, but the legalities around this are pretty muddy, so nobody with anything to lose wants to touch this.

      The laws are written pretty broadly. It is hard to see how the regime in Iran benefits if an Iranian citizen can donate code to a project usable by anybody. I could see the argument against being allowed to pay them, or even donate to them or re

  • by gmuslera (3436) on Thursday March 06, 2014 @01:22PM (#46420457) Homepage Journal
    If you will ban contributors because their home country intelligence agencies may be trying to plant backdoors or weaken security in a way or another, you should start with the main country by far engaged in such activities, else would be meaningless or just following an unrelated agenda. But if you trust in contributors of such country, why not of others?
  • There's growing concern about software development contributions coming from export restricted countries by the US (Cuba, Iran, North Korea, Sudan, and Syria) with Red Hat being based out of North Carolina, but should these governmental restrictions apply to an open-source software project?

    In the name of god, why would a geek think open source development would give his US-based project immunity from American law?

    Export controls come with teeth that bite. Suggesting that your contributors conspire to evade those controls is an invitation to disaster for everyone involved.

  • So you're telling me that North Korean and Iranian scientists are just as likely to contribute malicious code to libraries used by Western agencies as anyone else? I think not.

    Open-source is supposed to be about maximum transparency, not about hiding information that might actually be relevant. Imagine having to apply security at airports if you had no idea whether the person you are about to scan is a 90 year old grandmother or an 18-25 male from the Middle East. Statistics and common sense tells you that

    • Well, you totally failed at this one.

      If you only scan the 18-25 year old male from the Middle East, then the radical element will find a way to use the person that is not scanned. They'll use the 90-year-grandmother with or without her knowledge.

      You fail at security.

      • by Jiro (131519)

        The reason that terrorists use 18-25 year old males from the Middle East by default is that such people are the most practical for them to use, and that using someone else would be a lot harder and would make it more likely they would get caught (for instance, because such alternates have less loyalty to them).

        Scanning the targets that are easiest for terrorists to use doesn't stop them, but it makes their plan harder compared to scanning random people, as long as you still scan the random people at some lo

      • by Khashishi (775369)

        In game theory, when the rival player can adapt to any pure strategy, it makes sense to adopt a mixed strategy. In this example, it might mean that we randomly scan either the 18-25 year old male from the Middle East and/or the 90-year-grandmother. But the 18-25 year old is more likely to be picked, because the rival has a lower cost of training the 18-25 year old male.

        Disclaimer: this has nothing to do with what is just, just what is more strategic.

  • Fine, accept code from foreigners, but be well aware that this will make it certain that it will not be used in many corporate sites. One of the items I have to certify when using open-source in a corporate environment is that there is no foreign content. Otherwise it cannot be used. No one is going to go through the source code from something like OpenOffice and look for malicious code, and show that it does not exist; if it has off-shore content, it will not be used, period.

    • by vux984 (928602) on Thursday March 06, 2014 @02:41PM (#46421255)

      One of the items I have to certify when using open-source in a corporate environment is that there is no foreign content.

      That's pretty idiotic. Most projects involve foreign content. All it takes is one stealthy Canadian and you can't use it? What about Canadians living in the United States? Is that still foreign? Just how xenophobic are you?

      Do you vet each commercial package as well to make sure they don't have a single line of code produced in India?

      No one is going to go through the source code from something like OpenOffice and look for malicious code, and show that it does not exist, if it has off-shore content, it will not be used, period.

      Enjoy going back to pen and paper then, you won't find much software anywhere that you can demonstrate has no "off-shore" content.

      • One of the items I have to certify when using open-source in a corporate environment is that there is no foreign content.

        Well, let's see. There's the Linux kernel. I hear that was developed by some guy in Finland. Then there's Samba, which comes from Australia, I believe.

        Anyone care to add to the list? This is just for starters.

    • by PPH (736903)

      if it has off-shore content, it will not be used, period.

      [citation needed]

      Aside from some ITAR class stuff, I call B.S. on this.

      Where companies might have a 'feel good' buy American policy, it usually isn't strictly followed. When I used to work for a local utility in the '80s, we were replacing full sized half ton pickup trucks used by our meter readers. The replacement: Chevy LUV pickups (Isuzus rebadged). Management recognized the paradox of the situation but said, "As long as it has an American name stamped on it, we don't give a sh*t."

  • You can easily assign a dollar amount in benefit from the development or distribution to a foreign company so yes, they definitely should remain banned. As for workers working on the project, that doesn't make a lot of sense until you consider that you're giving them a compilable version of the code to work on and thus a product that can be assigned value.
  • Doesn't an export restriction mean you can't send goods to a restricted country? If somebody in Cuba sends code to Redhat, in the US, that would seem to be an import. There is an easy solution, even if it does apply. Said developer just needs to upload it to a server in a friendly country without the restriction and Redhat gets it from there. In such cases, usually France is the go-between.
