SourceForge Removes Blanket Blocking

Recently there was much gnashing of teeth as SourceForge (which shares a corporate overlord with Slashdot) started programmatically blocking users in certain countries to comply with US export restrictions. Thankfully they didn't let it end there and have found a way to put the power back in the hands of the users. "Beginning now, every project admin can click on Develop -> Project Admin -> Project Settings to find a new section called Export Control. By default, we've ticked the more restrictive setting. If you conclude that your project is *not* subject to export regulations, or any other related prohibitions, you may now tick the other check mark and click Update. After that, all users will be able to download your project files as they did before last month's change."

Liability?

So they are letting people "opt in" to remove export controls. Who is liable if the code is subject to export restrictions, SF or the developer?

Re:Liability?

[Reason58]

So they are letting people "opt in" to remove export controls. Who is liable if the code is subject to export restrictions, SF or the developer?

Is Google liable if I Gmail you restricted encryption algorithms?

Re:Liability?

[snmpkid]

Likely both

Re:Liability?

[religious+freak]

It's a wink, and probably both.

Re:Liability?

Opt out, not in.
Opt in is whem you choose yourself to do something, or actively allow a third party to do something which relates to you.
Opt out is when the third party does it anyway, but leaves the onus on you to say you don't want them to do it after all.

Re:Liability?

[Yvanhoe]

But before opening a project on sourceforge, you have to describe your proposal and they manually accept or not. That could be argued to be editorial control. This is not exactly a gmail situation.

Re:Liability?

[casualsax3]

The distribution of source code (encryption in particular) is explicitly protected under the First Amendment:

http://en.wikipedia.org/wiki/Bernstein_v._United_States

Re:Liability?

[westlake]

Is Google liable if I Gmail you restricted encryption algorithms?

Google isn't hosting the file or providing you with a "home page" for your project. Sourceforge is much more exposed.

Re:Liability?

Just curious, is there an offshore version of SourceForge? Do the mirrors cover liability? I can see issues where it may not be an issue in other parts of the world, but since the project is stored on (or replicated to) US servers (?), it may fall foul of US export rules.

Re:Liability?

[Ihmhi]

Yes, but once you're actually in the project can change from exportable to non-exportable very quickly.

For instance, let's say you start with an open source compressor sort of program like Winrar. No biggie there. But then in version 0.42 you add in encryption. At the start everything was peachy keen, but the second you put on that encryption you should, by law, restrict its export.

Re:Liability?

[ubersoldat2k7]

By which country's law? My country's law, EU law, U.S. law? I mean, sourceforge is used around the globe, not only on the U.S. Here we don't have stupid export restrictions to any country, hell, I can even sell rum to Cuba if I want to.

Re:Liability?

[Idiomatick]

Are torrent sites liable when they link to torrent files which allow you to download things?

Logic doesn't always apply in the world of tech laws.

Re:Liability?

[Idiomatick]

And on google docs?

Re:Liability?

[someone1234]

I challenge you to sell rum to Cuba via Sourceforge!

Re:Liability?

The distribution of source code (encryption in particular) is explicitly protected under the First Amendment:

I think that is highly unlikely. But let's check. Together.

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Yeah, I don't see any explicit mention of source code there, or even encryption. It may be implicitly protected by the US Constitution, or it may be explicitly protected by US law, but it is definitely not explicitly protected by the First Amendment.

This is completely stupid.

[frinkacheese]

This is dumb. The terrorists will just get their mates in another country to get whatever it is they want.

Only the kind of stupid Americans that though that restricting the export of encryption technology would actually work would think of this. What happened there? They all got it anyway.

What exactly do they hope to achieve with this stupidity?

Re:This is completely stupid.

[BHearsum]

They hope to avoid liability.

Re:This is completely stupid.

[Locke2005]

Why does this requires "mates" in another country? Can't they just go through a proxy server in another country?

Re:This is completely stupid.

[2short]

They are complying with the law. Certainly, what they are doing is stupid and will be completely ineffective. But that's hard to avoid when complying with a law that is stupid and completely ineffective.

Re:This is completely stupid.

stupid Australian.

Re:This is completely stupid.

[steelfood]

Nowhere does GP mention Sourceforge explicitly. I may be wrong, but GP may be saying that the US law is stupid, hence the US lawmakers who enacted the law are stupid, hence the populace of the US who voted the lawmakers into office are stupid.

And there's nothing inaccurate about that as far as I can tell.

Re:This is completely stupid.

[Z00L00K]

And if they can't get it they will write their own encryption.

It's a lot harder to decipher something that's encrypted than to apply a simple algorithm to it. If you do encounter something that's encrypted you will first have to figure out how it is encrypted before you even start to look for the key.

And steganography is another way of doing exchange of information. Who knows - some pr0n may actually contain hidden messages.

Re:This is completely stupid.

[vlm]

But that's hard to avoid when complying with a law that is stupid and completely ineffective.

How is it stupid and ineffective if the purpose was to enlarge/preserve the great American bureaucracy and secondarily harass O.S. developers?

Re:This is completely stupid.

[rtfa-troll]

Now, I have to admit, that I'm one of the first mods to moderate insightful when I think it's deeply funny (people who can't get a joke deserve all the low flying fighter jets that pass over them). However, I still find moderating this insightful extremely scary. What if the other mods aren't joking??

Re:This is completely stupid.

[HiThere]

Well, when you need to choose between a stupid candidate and an abominable one, sometimes stupid is the better choice. Usually, though, they aren't *actually* stupid. They're just cleverly disguising their goals. But they *aren't* experts in any field except getting elected, and, possibly, law. So they make decisions that look stupid to anyone expert in ANY other field. And that's almost everybody. (They just disagree about which decisions were stupid.)

Re:This is completely stupid.

[hairyfeet]

The hope to avoid liability and at the same time have a "wink wink, nudge nudge" kind of situation like those codecs you're not supposed to have in Linux in certain countries unless you bend over and pay your license fee, you cock smoking tea baggers?

Seriously it is no different than the codecs you're not supposed to have in Linux, that everyone has anyway, or the DVD rippers you aren't supposed to use in the USA, which of course everyone...well you get the idea. YOU know it is bullshit, I know it is bullshit, but some damned pencil pusher came up with a law that the Internet makes less than worthless but it is still a law, hence the hoop jumping. Deity forbid that anyone should have common sense when it comes to the law and the Internet. I always thought that export ban was as ridiculous as the ban on game consoles, saying the would be used for weapons research, when we all know they could just show up in China with a suitcase full of cash and probably get any hardware they wanted straight from the factory.

it is just another example of the USA acting like the global black market doesn't exist or that information in the age of the Internet can be neatly locked away. Kinda like how we pretend China is our friend while they try to "Haxorz teh planet!!! LOL!". Just the same political bullshit, different day.

Re:This is completely stupid.

[harlows_monkeys]

Only the kind of stupid Americans that though that restricting the export of encryption technology would actually work[...]

I'm curious. How do the stupid Americans who think that differ from the stupid Europeans who think that? Or were you not aware that European countries and the EU also have similar export restrictions?

Re:This is completely stupid.

[mustafap]

>hence the corporations of the US who got the lawmakers into office are stupid.

There, corrected that for you.

Re:This is completely stupid.

[Gerald]

It's much easier to distribute open source crypto software than closed source in the U.S. You just have to send a couple of emails. Closed source crypto requires jumping through many hoops, and is much closer to "harassment".

Re:This is completely stupid.

[2short]

If we assume the purpose was to enlarge government bureaucracy, than it's ineffective because it hasn't much. The compliance burden is all on the developers. Ditto if the purpose is to harass O.S. developers, because it really only causes much problem for commercial encryption software, which is generally closed source.

So the answer to "How is it ineffective?" is pretty much the same whether you assume it's overt purpose, or one of your supposed hidden ones.

The answer to "How is it stupid?" does not depend on its purpose, unless you think its purpose is to make US commercial encryption software makers marginally less competitive, which even your cynicism level does not seem to claim.

Re:This is completely stupid.

[2short]

"Nowhere does GP mention Sourceforge explicitly. I may be wrong, but GP may be saying that the US law is stupid"

If you were correct, the word "this" in his third sentence would refer to "restricting the export of encryption technology", so he'd be saying only those who would think this would would think this would work. So my interpretation is correct, unless you suggest a slashdot poster might say something silly, or with imperfect grammar; which I refuse to contemplate.

Duh

[Locke2005]

Why not simply host the servers in a country that doesn't have brain-dead restrictions on the "export" of ones and zeros? One that doesn't classify encryption/decryption code as a "munition"?

Re:Duh

[HungryHobo]

Feel free to rent a server in some random country and mirror sourceforge.

Re:Duh

[Timothy+Brownawell]

Why not simply host the servers in a country that doesn't have brain-dead restrictions on the "export" of ones and zeros? One that doesn't classify encryption/decryption code as a "munition"?

I'd imagine that not working too well if the company responsible is still located in the US. Hm, maybe if the non-US servers wouldn't accept uploads from US IP addresses?

Re:Duh

[tagno25]

It is not considered a "munition" any more. http://xkcd.com/504/

Re:Duh

[steelfood]

IANAL, but I believe any US developer will then have to completely censor the code they upload to those servers. Though, I'm sure it'd be fine if a US developer gave a German developer the code to upload to said offshore servers, but it might still be a violation if the US developer uploaded it himself.

Of course, proving that the code was downloaded by the "bad" people in the "bad" countries will be up to the government, but since Sourceforge is a US company, they'd suddenly be liable for the records.

Re:Duh

[NeoSkandranon]

As was said many times in the original article, the issue is the country the business is based in and the laws there. It doesn't matter one ounce where the servers are located.

Re:Duh

I did, but it ended up in the states anyway.
Talk about bad luck with random numbers!

Re:Duh

[__aaclcg7560]

Try a different seed next time. :P

Re:Duh

[bws111]

You are 100% wrong. First, the export controls are not simply 'ok to export freely and not ok to export to country x'. The controls are 'export license required' and 'no license required'. If you are developing something that is export controlled, and you wish to export it (including putting on an open server), you must obtain a license. That license will state the terms under which it may be exported, and who it may be exported to. If your license says it is OK to export to Germany, it will probably also require you to get a statement from the receiver that says they will not re-export it. If your licensed export finds it's way somewhere it shouldn't, YOU are who they are coming after, and you better have all your documentation when they do.

Also, don't delude yourself into thinking that they have to 'prove' anyone from a restricted country downloaded it to prosecute you. Just putting it on an open server is exporting it.

Having said all that, the list of restricted types of software is very small, and not likely to be something you would find on SourceForge. This mostly involves things that could be used for real-time control of weapons.

Re:Duh

That's exactly what I expected this to be all about. Unfortunately, it's not. Fuck the US foreign policy.

Re:Duh

[rtfa-troll]

(including putting on an open server)

In my experience there seem to be (INAL and ICNYL) specific exceptions for systems which are publically available for free download. That should apply to most of sourceforge.

Re:Duh

[westlake]

Why not simply host the servers in a country that doesn't have brain-dead restrictions on the "export" of ones and zeros? One that doesn't classify encryption/decryption code as a "munition"?

Moving your servers abroad to avoid export controls pretty much guarantees that you will be prosecuted in the states.

Export controls are not unique to the U.S., and they are not limited to encryption. This is serious shit and you had damn well better know what you are getting into.

Re:Duh

Point invalid.

If I mirrored Sourceforge the default setting would still block many countries, including the one I may host the mirror in.

Re:Duh

[jittles]

I think the issue at hand is that Sourceforge's corporate overlord is based out of the US. I'm pretty sure if they break any of the rules in ITAR (I believe encryption is considered to be a weapon) then they could be held liable. Even if they host everything out of the US.

Re:Duh

Many already exist. This one's based in the UK. http://www.mirrorservice.org/sites/download.sourceforge.net/

Re:Duh

[LingNoi]

There already is. It's called launchpad.net and it's free from:

- US software patent law
- stupid DMCA take downs ala battle net emulator
- this silly export law
- sourceforge's adverts which take up 40% of the page

I don't know why anyone bothers using sourceforge anymore. It was great when it was the only solution but now there are MUCH better options. Especially now they're blocking non-US connections.

Re:Duh

[Locke2005]

As usual, the unintended consequences of brain-dead US policy is to actively encourage progressive businesses to locate elsewhere... good work sending those jobs overseas, US Congress! Now if we could just find a way to offshore our politicians...

Hmmm

[mewsenews]

As a Canadian locked out of Hulu and Comedy Central's web clips, I wish geolocation based on IP would burn in hell already.

That being said:

There was a Syrian developer commenting on the story about the original announcement, he was justifiably pissed off that Sourceforge had decided to deny him access to his own work. Does this change allow him to work on his project in peace?

Has Slashdot decided to stop mentioning that Sourceforge is owned by the same parent company? They're sure trying to do some damage control by going straight to Slashdot's front page with their weird opt-in workaround..

Re:Hmmm

[mewsenews]

Crap, the story does have a "shares a corporate overlord" clause.

Re:Hmmm

As a Canadian locked out of Hulu and Comedy Central's web clips

Maybe I'm thinking of something different, but at least from Belgium I can perfectly watch all of Comedy Central's shows that they put online (The Daily Show, The Colbert Report, South Park, Drawn Together, ...), and everything linked on http://www.comedycentral.com . Hulu is another matter...

Re:Hmmm

Allowing Canadians to watch Hulu would be letting the terrorists win.

Man, the moderators have no sense of humor today. Which is also why I'm posting AC.

Re:Hmmm

I have friends in Canada and other places that want to use Hulu or other sites from time to time and can't, and it's annoying. However I kind of don't get pissed off about it, as it's their bandwidth they are giving away for free -- for (hopefully) some other benefit. Kind of like a car dealership in a small town having a pancake breakfast. Yes there are free pancakes, but they get to meet people in the area and setup connections and get the word out. If people are flying in from Canada to eat the pancakes, well, there'll never be any return on investment there, and if there is, I'd want it to go to the Canadian dealership that payed me and their government various amounts of money to be able to sell and distribute there. There isn't some great symbiotic relationship here where our government pays for bandwidth and canadians sometimes watch for free, and sometimes americans watch stuff out of canada for free (come on, you guys don't even watch your own shows) -- so for you to be watching for free, we have to pay for your sucking up the bandwidth. Sorry!

Huh?

[leuk_he]

I can code. I am not american. I am not a lawyer. People are downloading from local mirrors, not from USA. How can i say if the project should be restricted or not?

Why does the USA government not build a firewall to prevent exporting any American byte to the restricted list?

Re:Huh?

Because, although we have laws, we are supposed to be innocent until proven guilty. Fortunately, this is not China, yet.

Re:Huh?

More interestingly, can I check a checkbox indicating the project not to be hosted *in* the US? Or to be accessible to people in the US? So as to not be liable under US CYA laws?

Re:Huh?

[noidentity]

Why does the USA government not build a firewall to prevent exporting any American byte to the restricted list?

Have you got a list of the restricted bytes? Actually, it'd be simpler if you just listed which bits are restricted, 0s, 1s, or possibly both...

Re:Huh?

More interestingly, can I check a checkbox indicating the project not to be hosted *in* the US? Or to be accessible to people in the US? So as to not be liable under US CYA laws?

Start and host your project in whatever third world dump you live in. Problem solved.

And these restrictions makes so much sense

[JoshuaZ]

Yeah. These restrictions make so much sense. Because we all know that North Korea has no way to get access to any servers outside North Korea. And no one can use a proxy server at all. And they really are going to be absolutely helpless without the tiny open-source projects. This is as ridiculous as the old restrictions on exporting encryption (at least those got removed a few years ago).

Re:And these restrictions makes so much sense

[HungryHobo]

I'm fairly sure those restrictions were never actually dropped.
they just gave up trying to enforce them.

Re:And these restrictions makes so much sense

[JoshuaZ]

Not exactly. In 1996, Clinton issued an executive order which took commercial encryption off the munitions list. It is still on the list of controled commecial exports but that's a lot less restrictive (much, much easier to get permission to export, less severe punishments for violations, and lower priorities for federal investigators).

Re:And these restrictions makes so much sense

Because we all know that North Korea has no way to get access to any servers outside North Korea.

I wouldn't worry about that since North Korea basically has no Internet.

Re:And these restrictions makes so much sense

The law is not about preventing such espionage from occurring, because that is unrealistic.

It is about being able to punish someone for doing it.

The right thing to do :)

[neo00]

Great news, and this is a brave thing to do :) Blindly blocking all SF projects to some people was wrong. I said this before, US export laws should only apply to US products. OpenSource/Free software projects should stay "open" and "free/libre" to everybody. Those who worked hard on these projects, including developers from the banned countries, should have the right to decide whether their projects should be blocked or not. Some said the law applies to SF just because they host the projects. If the law was strict to this level then the whole internet should be banned to these countries.

Re:The right thing to do :)

[countertrolling]

should only...should stay...should have...should be...

Well, if you really want want all these should've...could've...would've(s), then you and your neighbors should vote for politicians that will handle the issue properly. If if you're going to cry about how the "system" is rigged against you, save your breath. I'll have none of it. You all are just cursing darkness instead of lighting a candle. There is no law on the books that require you to vote for spoon fed by mass media candidates.. yet.

Re:The right thing to do :)

[SwashbucklingCowboy]

"Some said the law applies to SF just because they host the projects. If the law was strict to this level then the whole internet should be banned to these countries."

The law IS that strict. And no, the whole internet should not be banned. This is about encryption, not information.

Re:The right thing to do :)

[HiThere]

Right. And I got two choices who have a reasonable chance of winning. Sometimes they both back this kind of law, the rest of the time one backs it, and the other doesn't mention it. Or occasionally neither mentions it.

I can't even recall a time that one lied, and said he was opposed to it.

In the above two paragraphs, "it" refers to "export conditions and controls on software". And the normal case is that nobody will tell you their position on it.

Re:The right thing to do :)

[countertrolling]

And I got two choices who have a reasonable chance of winning.

Looks like you don't read too good... In that case, just continue following the crowd then.. Always safer to go with the winner, right? Even as they lead you right over the cliff.

Re:The right thing to do :)

I'll bet there are just millions of people waiting to vote for the 'no restrictions on giving any sort of weapons technology to anyone' candidate.

Re:The right thing to do :)

[neo00]

You're talking about the a different law (the one regarding export of cryptography). The relevant law in this context, regarding Syria for example, prohibits the export of US goods and technology to Syria. This includes all software products. That's why Google, Sun, Microsoft, etc have been blocking downloads in Syria for few years now. From the website of US embassy in Syria:

The most comprehensive sanction, called the Syria Accountability Act (SAA) of 2004, prohibits the export of most goods containing more than 10% U.S.-manufactured component parts to Syria.

Re:The right thing to do :)

[HiThere]

Sorry. Somehow the 've must have been skipped after "And I". (Yeah, it's still not literally true, as it's not currently time for an election.)

Sometimes I vote for a minority candidate, but I know how the voting system works. The fix is in, so I might as well not vote as vote for a minority party. (And in any case, the minority party candidates are often as bad as the majority party candidate, and almost none of them mention exports of software.)

OTOH, local elections are going to start being instant runoff. It's not Condorcet, but it's a lot better than the current system. So locally it might start to count to pay attention to who I actually want to vote for.

Re:The right thing to do :)

[countertrolling]

Sorry. Somehow the 've must have been skipped after "And I".

That wasn't what I was talking about. Here, I'll repost the part you are having trouble comprehending: If if you're going to cry about how the "system" is rigged against you, save your breath. I'll have none of it. You all are just cursing darkness instead of lighting a candle. There is no law on the books that require you to vote for spoon fed by mass media candidates.. yet. Try to understand a candidate needs nothing more than majority of votes to win. Money is totally irrelevant... if the voters decide to make it so. You are the system, so when you complain about it, you are only complaining about yourself.

Re:The right thing to do :)

[HiThere]

I read that, but I ignored it. Intentionally. It seems to me a stupid argument. (Note my comment about how IRV changes things.)

Tell me, do you buy lottery tickets? Do you expect to win? Do you buy more to increase your chance of winning? That would make as much sense as your argument, and is roughly analogous.

Re:The right thing to do :)

[countertrolling]

Tell me, do you buy lottery tickets?

Sometimes. You can't win if you don't play.

Do you expect to win?

I hope to win, or I wouldn't buy the ticket. BUT.. the kicker is I don't blame the lottery people when I don't win. And that's the only part makes my argument analogous to the political issue here.

I can hope that people vote the way I do, but I don't blame "the system" in any way if they don't. Doing so is just plain foolish, and only diverts attention away from the real problem. The politician can take great advantage of your feeling of hopelessness, and they often do. And it often works. If you want all sorts of regulations, how are you going to get them if nobody votes for the people that would implement them? And if you did vote for such people, you will have proven my point.

Move outside of the United States

[davidwr]

At least consider it.

Dump sourceforge

[starsong]

Why the hell does anyone even use SourceForge anymore? Their tools suck, the site is beyond slow and plastered with ads, and you have to play download roulette with their crappy 90s-era mirroring system. Plus you get crazy decrees like this from whatever's going on at the top. It's not like there aren't alternatives these days. Google Code is awesome by comparison.

Re:Dump sourceforge

[Infiniti2000]

Google Code is awesome by comparison.

I'm guessing you didn't bother to read the Google Code TOS? It puts the blame solely on the developer. Given that it's Google with a boatload of money to throw at attorneys, chances are that it's airtight for them in a legal battle should the need arise.

Re:Dump sourceforge

What ads?

    -Firefox with AdBlock Plus user

Re:Dump sourceforge

[Sir_Lewk]

Not to mention, Subversion and CVS are sooo 90's. I'm hugely a fan of github, their site is great, their people are awesomely responsive, and git itself just rocks. With distributed version control you never have to worry about this sort of thing either.

Re:Dump sourceforge

[starsong]

As opposed to what? If there is an export-control problem (not likely), do you really expect SourceForge's TOS to protect you?

Re:Dump sourceforge

[Toonol]

I'm guessing you didn't bother to read the Google Code TOS [google.com]? It puts the blame solely on the developer.

Isn't that where blame would belong?

Re:Dump sourceforge

[Tanuki64]

I suppose you missed that additionally to subversion or CVS you can activate a whole bunch of other repositories including git in sourceforge?

Re:Dump sourceforge

[Sir_Lewk]

In fact I did. Seems they only added it sometime last year, well after I had abandoned them for greener fields. Github still has sourceforge cornered in the "good website" ring though, particularly with sourceforge's recent godawful website redesign.

Re:Dump sourceforge

[Philip_the_physicist]

Of my local ISPs, I can think of one which offers free access to google code, but they almost all mirror sourceforge for their customers. Free, fast, access is pretty appealing to project founders.

Re:Dump sourceforge

[isilrion]

Google Code is awesome by comparison.

Nice that you mention it... I usually warn people to stay away from Google Code because they also block these countries. A lot of the times, the developers who put the code there (and sometimes are not from the US) are not even aware that their code is inaccessible.

For a long time, Google Code was /the worst/ code hosting site available for me. Now, SF sunk to their level.

Re:Dump sourceforge

Yeah awesome but not for banned countries, not for me!

It is for these reasons...

[steelfood]

...that projects such as TOR and Freenet exist.

Re:It is for these reasons...

[stephanruby]

You mean http://portabletor.sourceforge.net/ or http://sourceforge.net/projects/freenet/. Thank god those projects are already mirrored internationally by a decentralized network, otherwise the net effect of this export control would be to just keep encryption out of the citizens of those same repressive governments, not those governments themselves.

How to check for an 'American' byte?

[thijsh]

The problem is the cost of the special made-in-USA-color-electron-microscope, they have to check each byte to see if it contains red, white and blue electrons.

Re:How to check for an 'American' byte?

I don't know about the electrons, but all the quarks in the neutrons and protons in my hard drive are red, green and blue. Is that enough to be safe?

Re:How to check for an 'American' byte?

[nashv]

No, you need loopy strings of all colors tangled into more dimensions than you can access. Your data needs to be holographically encoded along the 15th dimension to be safe. Oh wait, I think the inventor of 15th dimension claims copyright on his IP.

Re:How to check for an 'American' byte?

[clickety6]

American bytes just have fatter bits than non-American bytes so it's easy to recognize them.
They're the bytes made up of 0s and 2s.

Re:How to check for an 'American' byte?

[orgelspieler]

Electron microscopes? You're making this way too hard on yourself. The "American byte" is right after the "evil bit" in the packet header.

Important Internet Reminder: Remember

to encrypt EVERYTHING !!!

Google wants to "do no evil" for the N.S.A.

Yours In Astrakhan,
Kilgore Trout

Stupid, stupid law

[bcmm]

The USA has compiled a list of the countries it considers most repressive, and attempted to forbid the citizens of those countries from using encrypted communications... I don't think the governments on that list mind.

Re:Stupid, stupid law

[countertrolling]

I don't think the governments on that list mind.

Probably so. In fact, I would go so far as to say the US did it at their requests. The real arms race throughout the world is between a government and its citizens. I believe the US regards only those who restrict American business as "repressive". Otherwise most of Latin America, Asia, and Africa would be on the list.

Debian has never found this sort of blocking...

[John+Hasler]

...necessary. Why has Source Forge suddenly decided that it is?

Re:Debian has never found this sort of blocking...

[vlm]

Never say never... Admittedly this battle ended about a decade ago. Not sure how/why SF caught up with the 90s and had their little fit.

http://www.debian.org/legal/cryptoinmain

Re:Debian has never found this sort of blocking...

[steelfood]

Not sure how/why SF caught up with the 90s and had their little fit.

Judging from their site's appearance, I'd say they never left the 90's.

Mates in another country

[tepples]

It requires mates to operate the proxy server.

Re:Mates in another country

[CastrTroy]

Or any of the millions of the completely open proxy servers.

Re:Mates in another country

[Locke2005]

Is there a definitive list of these proxy servers anywhere? 'Cause I'm looking for some kiddy... er, looking to leak classified government... er, wanting to exercise my right to anonymous speech by stalking my ex... er, well I'd just like to surf anonymously, ok?

To which country?

[tepples]

Which developed country is willing to take thousands of refugees from the U.S. copyright regime, software patent regime, mobile phone regulatory regime, and other results of bought senators?

Re:To which country?

Canada. Highest rate of immigration in the world, per capita, and you get bonus points for speaking English.

The benefits work both ways: American immigrants displace the Chinese, who are rapidly colonising us.

Re:To which country?

Which sane country is willing to take thousands of refugees from the U.S.?

Fixed it for you.

war

[anonieuweling]

A couple of weeks ago, to ensure compliance with US law as we roll out improvements to SourceForge.net, we began programmatically blocking access to the site for users in certain countries against which the US government imposes sanctions.
`Sanctions` are acts of WAR
So private corporations assist in illegal types of warfare by the US goverment which is legally owned by the deepest pockets.
How can SourceForge allow project admins to circumvent this law that provides for teh safety of all scared american peeple?
I mean, first it is law and now the project admin, who can be non-american -terrorist?- , can decide?

Re:war

[vlm]

`Sanctions` are acts of WAR

Uh, no, they are not.

You can work it two directions, going from "acts of war" toward sanctions or from sanctions toward acts of war. Neither direction works either logically or by authoritative definitions or by historical precedence.

illegal types of warfare by the US goverment

So, you can evaluate this one, either by the golden rule, he whom has the gold makes the rules, in which case its not possible for a government to do something illegal (although individual members might do something illegal). Or, you can evaluate it in a traditional historical method, where the victors write the history and therefore were the good guys. And I don't think the US is going to lose (although the US may change policy). Either way, I'm not seeing it.

As far as ends and means, I think we have the same ends, but your means are just not going to work.

Re:war

[SwashbucklingCowboy]

"`Sanctions` are acts of WAR"

Don't be silly.

Re:war

[Zey]

vlm (69642) wrote:

anonieuweling (536832) wrote:

`Sanctions` are acts of WAR

Uh, no, they are not.

Quite true. They're not an act of war of themselves, just the last non-combat stage before an American war against whichever third world nation they've opted to target during this Presidential term, usually for resources or strategic advantage.

Sanctions by non-US groups tend to be more about changing behavior rather than intentionally starving a nation to weaken it prior to an invasion.

Stupid options, need CowboyMcNeal

[Lorens]

The choices are

1) This project does NOT incorporate, access, call upon, or otherwise use encryption of any kind, including, but not limited to, open source algorithms and/or calls to encryption in the operating system or underlying platform.

and

2) This project DOES incorporate, access, call upon or otherwise use encryption. Posting of open source encryption is controlled under U.S. Export Control Classification Number "ECCN" 5D002 and must be simultaneously reported by email to the U.S. government. You are responsible for submitting this email report to the U.S. government in accordance with procedures described in: http://www.bis.doc.gov/encryption/PubAvailEncSourceCodeNotify.html and Section 740.13(e) of the Export Administration Regulations ("EAR") 15 C.F.R. Parts 730-772.

My project FileUniq is plain python, and executes a call to "md5" in order to get a hash. Obtaining a python library that provides the md5 function is not even described in the documentation, but I definitely do make a call to encryption in the underlying platform. However, I firmly believe that the U.S. Bureau of Industry and Security will not appreciate my TSU notification.

Maybe Sourceforge actually wants to overwhelm the BIS with useless submissions?

Re:Stupid options, need CowboyMcNeal

[vlm]

However, I firmly believe that the U.S. Bureau of Industry and Security will not appreciate my TSU notification.

And you'd be wrong. Somewhere out there, a bureaucrat is pining away daydreaming of being able to successfully process just one more TSU notification, whatever that means. Probably just index it and file it away somewhere. Just one more dot on his metrics graph and he gets the big performance bonus, and/or gets to hire another headcount to process the notifications. Come on Lorens(597774), send in a notification and make his day!

Don't think so

[nten]

I am fairly certain that Germany is already a member of the same treaties. The German developer would just be charged instead. Some information, like some physical devices, only has use for killing. Is there some qualitative difference that makes it wrong to regulate such information, but ok to regulate the devices?

Re:Don't think so

[Locke2005]

Some information... only has use for killing. I can't think of any information that would make it easier to kill that couldn't also be used to help prevent death. In the technological realm, almost everything is a two-edged sword. Security by obscurity is a poor means of defense.

Re:Don't think so

[bws111]

Well if what you are dealing with is weapon systems (which is what these restrictions are about), then preventing your enemy from avoiding death is exactly what you want to do. Security by obscurity is only bad if you are counting on your enemy never figuring out a particular thing. However, it is very valuable as a way keeping your enemy off guard, by having him constantly have to figure out what you already know while you move on to the next thing.

Re:Don't think so

[Locke2005]

I didn't say that the government had no legitimate "national security" interest in preventing the dissemination of certain information. What I said was that I could not imagine any information that was useful only "for killing". The fact that one's enemies could use information about one's weapon systems to avoid getting killed by them only supports my point.

Re:Don't think so

Some information, like some physical devices, only has use for killing.
Bullshit.

Is there some qualitative difference that makes it wrong to regulate such information, but ok to regulate the devices?
Yes. Unlike distributing physical objects, distributing ideas can and should be completely free. And even if you accept the premise (which I do not) that some information is useless apart from killing, censorship is still evil because it helps to enable further censorship.

Will this work?

[dtmos]

I guess SourceForge has vetted this process with its attorneys, but I must be missing something. If a project admin opens up his project's block, he's personally criminally liable should some citizen of a country on the wrong list see a controlled technology from one of SourceForge's servers. That's scary enough for US citizens residing in the US. However, SourceForge doesn't provide the admins (AFAIK) with any export control training, or even vet their citizenship; an admin in Syria, with Syrian citizenship, who did this would seem to be out of reach of the US, which would then fall back to SourceForge, since it did not control access to the technology on its servers. Unless SourceForge has now asked to see citizenship papers of each of its project admins ... ?

This problem covers all sorts of technology far beyond encryption but, just to continue the encryption example, there is a little note on p. 7 of Category 5 (Part 2: Information Security) of the Commerce Control List:

License Requirement Note: When a person performs or provides technical assistance that incorporates, or otherwise draws upon, “technology” that was either obtained in the United States or is of US-origin, then a release of the “technology” takes place. Such technical assistance, when rendered with the intent to aid in the “development” or “production” of encryption commodities or software that would be controlled for “EI” reasons under ECCN 5A002 or 5D002.a or 5D002.c, may require authorization under the EAR even if the underlying encryption algorithm to be implemented is from the public domain or is not of U.S. origin.

Because simple site blocking...

...will stop those terrorists from getting their hands on PGP...

I just wish ...

they would stop exporting all this crap television.

Reality Check

[mpapet]

The number one reason why this is *very* much ado about nothing is that the projects the U.S. Government would have any interest in AT ALL are novel and strong encryption schemes. To satisfy both novel and strong conditions puts one into a *very* small and elite group.

Sure, there are many projects that implement standard/weak/known encryption. That's completely different than a project that implements legitimately novel AND strong to the point of piquing the interest of the BIS/spooks. I don't know for sure, but zrtp might be an example.

An American company can export SSL/TLS/PKI and similar, crypto products without ever drawing the interest of the BIS. I guess at some point in distant history, this was not the case. As someone that actually worked with the BIS on getting encryption export compliance it has been easy for a long time.

Re:Reality Check

So what you're saying is that SSL is too weak to be worthy of notice? That just fills me with confidence...

Re:Reality Check

[jonwil]

Unless the NSA has a supercomputer more powerful than anything on the Top 10 list hidden underneath their building somewhere I dont see them being able to crack 2048 bit RSA or 256 bit AES anytime soon.

Re:Reality Check

[Philip_the_physicist]

But those are both already available all over the world, so preventing yet another implementation of them being exported wouldn't achieve anything.

Counterproductive laws

[presidenteloco]

The USA is squandering some of its technological lead and economic opportunities with dumb-ass laws.

I've already had to stop hosting several online businesses in the US due to the patriot act and international customers' unwillingness to have there data stored in the US.

Stem cell research was set back a decade by Christian fundamentalist opposition making its way into
federal law.

Laws restricting export of US software just result in software being innovated faster elsewhere.

As Freeman Dyson once said: The best way to defeat soviet communism would be to ship Apple computers to their population en masse. He was basically right, though who knew it would be cloned PCs that would do the trick.

Congratulations, but too late

[RAMMS+EIN]

I congratulate SourceForge on empowering their users to choose for themselves, but I'm still moving my stuff elsewhere. Not just because of the country restrictions, but also because I don't like the new (slow, heavy, buggy) interface, and because I've been getting dropped connections from them.

The question is: what is the best place to move to?

Because they distribute standard crypto

[mpapet]

OpenSSL and PKI-integrated projects all use standard crypto libraries that are based on standard crypto technology.

The BIS's interest lies in novel and strong encryption schemes. The difficulty of which is hard to describe.

Whoa there Tiger

[mpapet]

My project FileUniq is plain python, and executes a call to "md5" in order to get a hash.

MD5 is non-special (and deprecated anyway) no one at the BIS would give you a moment's difficulty. Worst case scenario, notify the BIS and they send you an official reply. I know this because I've worked with the BIS to export encryption technology. They were very easy to work with and tolerated my inexperience. Call them and explain your situation.

Sourceforge's language is a little daunting. A (new?) lawyer (justifying his job?) at sourceforge MegaCorp probably has quite a bit to do with the entire fiasco.

Re:Whoa there Tiger

[mpapet]

Pfft... I forgot to mention MD5 is a hashing algorithm, not really encryption per se...

The user

[Sycraft-fu]

That's why they are doing it this way. If they had it by default off someone might argue, perhaps successfully, that it was Sourceforge's fault since they didn't stop it from happening. However here they are blocking it by default and the screen probably has something along the lines of "You certify this is ok for export by removing this." Thus if it comes up, it is on the user. They made the change, they should have reasonably been aware of what it was for and made sure their software was ok.

Wait...

[Locke2005]

Source forge was blocking downloads by Blanket Jackson??? I didn't even know he was an open source hacker! He doesn't really look old enough...

Most Projects Will Remain Blocked

[CritterNYC]

The two options given in the SourceForge.net project settings are:

1. This project does NOT incorporate, access, call upon, or otherwise use encryption of any kind, including, but not limited to, open source algorithms and/or calls to encryption in the operating system or underlying platform.

2. This project DOES incorporate, access, call upon or otherwise use encryption. Posting of open source encryption is controlled under U.S. Export Control Classification Number "ECCN" 5D002 and must be simultaneously reported by email to the U.S. government. You are responsible for submitting this email report to the U.S. government in accordance with procedures described in: http://www.bis.doc.gov/encryption/PubAvailEncSourceCodeNotify.html and Section 740.13(e) of the Export Administration Regulations ("EAR") 15 C.F.R. Parts 730-772.

The 2nd option is the default and what all projects are currently set to.

In order to select the first, you can't be using any kind of encryption at all. Our project, PortableApps.com, isn't really about encryption, it's about taking your favorite software with you on a flash drive wherever you go. But we do bundle a number of open source apps that use encryption including Firefox, Thunderbird, Sunbird, Songbird, FileZilla, KeePass, Toucan, KompoZer, 7-Zip, Miranda IM, Pidgin, PuTTY, SeaMonkey, WinSCP, WinWGet, OpenOffice.org, PDFTK Builder, PNotes and PeaZip. That means we need to keep the 2nd option selected and those countries remain blocked.

In reality that means pretty much every project on source forge that is or includes a web browser, ftp client, email client, scp client, im client, archive tool, etc will have to keep the 2nd option selected and remain blocked as well.

Re:Most Projects Will Remain Blocked

[Tanuki64]

I activated the first option for all my projects. First, I don't care for American laws. I am not American and will never visit Satan's own country. Second, some of my projects use the openssl libs, but they are not included in my projects, so I don't even less.

In the immortal words of Simon & Garfunkle

[presidenteloco]

Lie lie lie
Lye lie lye
Li li Lie li li lie lye lye la la Lie

(variations in spelling to defeat postercomment compression filter.)

What's the point?

What's the point of export restrictions on software? Does the government really think that if some enemy country wanted a piece of software available in the US that they couldn't send someone over here and then send it home?

Read the GPL

[EEPROMS]

Last I looked the GPL doesn't allow the distributor (sourceforge in this case) to discriminate against "persons or groups". Thus saying sourceforge legally cannot distribute GPL code if they promote a discriminatory system (and they are) even if you can duck shove the responsibility to the author (nor can the author use the GPL under these circumstances).

Re:Read the GPL

[RoboRay]

In that case, the GPL is illegal in the US. I'm pretty sure law trumps licensing.

Re:Read the GPL

First: it's been a while since I read the SourceForge TOS, but I would expect that, by uploading a program to SourceForge, you implicitly grant SourceForge a license to distribute it, somewhat independent of whatever license you provide to downloaders. And the author doesn't need a (copyright) license to distribute his own program.

Second: no, what you're referring to is part of the Debian Free Software Guidelines and the Open Source Definition, not the GPL. Those are not rules for distributors, they're rules for people who write licenses. And the rule is only that a license must permit all recipients to use, modify, and distribute the software; there's nothing that says you have to give it to them.

(The fact that I'm using Linux, or even the fact that I sometimes burn install CDs for friends, does not mean I have an obligation to give a copy to anyone who asks.)

Re:Read the GPL

> In that case, the GPL is illegal in the US. I'm pretty sure law trumps licensing.

How do you find that out?

If SourceForge hasnt a choice not to discriminate against "persons or groups" due to this petty law shouldnt then SourceForge cease distributing GPL code?

Re:Read the GPL

[mikechant]

In that case, the GPL is illegal in the US. I'm pretty sure law trumps licensing.

Yes, criminal law trumps license provisions.

No, that does not mean the GPL is 'illegal', it just means that this particular clause of the GPL is unenforceable in this particular case.

This is similar to what has happened in various EULA cases where particular clauses being struck out (e.g. by consumer law) does not invalidate the EULA as a whole (although some EULAs are probably entirely uneforceable in some countries, but that's another matter).

Design and hosting

[ElusiveJoe]

Well, I'm not a programmer, but I hate Google Code. I hate their design. I mean, really hate. It reminds me of Gnome and its HIG philosophy (which is "users are retards"). Those curved edges and the two-color palette... ewww.

Also, sourceforge offers web hosting, so free projects can keep their sites (which could have a better design) at no cost. I don't know if Google Code does this, never saw it.

The SF interface started sucking after recent "update". It was really awful, 404 and 501 errors all the time. Now it is more reliable, but still awfully slow and unintuitive. A very bad "update" that was. Can I have the old design, please?

Mutual exclusion

> Well, when you need to choose between a stupid candidate and an abominable one, sometimes stupid is the better choice.

Sometimes, the hard one is knowing which is which... Especially when a candidate can be both.

No blanket blocking!

[Tetsujin]

Damnit, I need my blanket to keep warm!

Adding regexps to foxyproxy is a daily task here

Just to give you an idea of how bad the situation is, here's a sample of domains that I *have* to access through TOR or proxies. I'm in Syria, and this is really just a sample ..
Note that:
amazon, facebook, youtube, skype, blogspot ... etc are blocked by the Syrian authorities.
wikipedia.org is directly accessible but wikimedia.org is blocked!!!
sun downloads, googlecode ... and now sourceforge are allowed by the authorities here but the sites block all Syrian IPs.

amazon.com
anon.inf.tu-dresden.de
blogspot.com
code.google.com
dl.google.com
dlc-cdn.sun.com
dlc.sun.com
truveo.com
video.aol.com
facebook.com
googlecode.com
skype.com
tagged.com
wikimedia.com
youtube.com
all4syria.org
download.virtualbox.org ...

Obscurity

[nten]

Isn't obscurity exactly what you want until you figure out a counter? If I figured out how to turn a bunch of smoke detectors and cleaning chemicals into a thermo-nuke that fits in a shoe heel, I don't think I'd make the plans public right away. Yes the public as a whole knowing how it worked would speed up the effort to build a detector, but not as much as it would speed up some teenager with a bad week making something nasty in chem lab. Don't they withhold details on a linux kernel bug until they get it fixed now?