Fedora To Have a "Don't Ask, Don't Tell" For Contributors

An anonymous reader writes "The Fedora Project is now going to enforce a "Don't Ask, Don't Tell" policy for contributors. What the project's engineering committee is asking their members to conceal is a contributor's nationality, country of origin, or area of residence. There's growing concern about software development contributions coming from export restricted countries by the US (Cuba, Iran, North Korea, Sudan, and Syria) with Red Hat being based out of North Carolina, but should these governmental restrictions apply to an open-source software project?"

Absolutely

Absolutely. Fedora is a US based company, yes? Then should they abide by US laws? Yes.
If they want to get code from countries that would otherwise be illegal in their current place of residence, they should not conceal the identies of the contributors and instead move the country they base their operations out of. Law is law.

Re:Absolutely

[SJHillman]

This could quite possibly qualify as "civil disobedience", which has a long history in the US.

Re:Absolutely

[JoeMerchant]

Don't ask, don't tell passed legal muster for the U.S. armed forces...

Re:Absolutely

[MRe_nl]

"Law is Law".
Und Befehl ist befehl.
One may well ask, how can you advocate breaking some laws and obeying others?" The answer is found in the fact that there are two kinds of laws: just laws . . . and unjust laws."

Re:Absolutely

[wisnoskij]

Seems like it would just be better to lease a server in Zimbabwe or something, instead of the steps they are currently taking.

Re:Absolutely

[i+kan+reed]

If you aren't paying, and you aren't taking ownership of something, is it really a violation of import restrictions? I mean, how does that hurt the sanctions against Cuba, for example?

Re:Absolutely

[Sarten-X]

...and an equally-long history of being illegal and getting people thrown in jail or slapped with fines. "Noble cause" isn't a defense in itself.

Re:Absolutely

Last time I checked Red Hat Enterprise charges

Re:Absolutely

[Lisias]

"Noble cause" isn't a defense in itself.

If you won the battle, it is.

Re:Absolutely

[Anubis+IV]

The situations are rather different. The stated purpose of the US military's DADT policy (which was repealed back in 2011, incidentally) was to allow homosexuals to serve while eliminating the perceived drawbacks (specifically, a reduction in unit cohesion and morale) that came with having them serve openly.

In contrast, the stated reason export restrictions are in place is to sanction or otherwise prevent the sharing of goods and information with certain countries. Fedora's DADT policy does nothing to address those issues, since those reasons are intact, regardless of whether the individual's nationality is known or not. If anything, it may make the problem worse by providing a false sense of legitimacy and legality to the nature of the business relationship, encouraging others to break the law as well. All Fedora is trying to do is eliminate their own culpability through willful ignorance, but the law makes it clear that they are required to proactively ensure that the people they share their data with are not from export-restricted countries. Willful ignorance is no excuse.

To be clear, I'm NOT addressing the topic of how things ought to work, how things should be, or whether these restrictions make any sense at all. That's a discussion for another comment thread.

Re:Absolutely

[K.+S.+Kyosuke]

If a US citizen says "first multiply the numbers, then add them", how is that different from when a North Korean citizen says "first multiply the numbers, then add them"? Mathematics works the same everywhere. Science works the same everywhere. Computer programs work the same no matter who wrote them. Everything that a computer program does is dependent on its source code and nothing that a computer program does is dependent on its originator. There can't possibly be a rational reason for that.

Re:Absolutely

[Immerman]

No, but it can be good enough for a jury to find them non-guilty despite the facts - a tradition that extends throughout US history and long before.

Remember, your obligation as a juror is not just to judge the facts of the case, but to ensure that justice is served. Despite the law if necessary. see Jury Nullification for more information.

Re:Absolutely

[Sarten-X]

Yes and "it's complicated".

The point of the sanctions is to say "If you're not going to play Global Economic Power nicely*, you're not going to play at all." That doesn't just mean "you're not going to win", but it also includes "you're not going to practice", "you're not going to have others play for you", and "you're not going to share the winnings with anyone who does play.

It has been upheld in US courts that even the minor fame from open-source authorship counts as economic gain (thus reinforcing the GPL's validity as being consequential). Acknowledging that Cuban programmers are good enough for inclusion in Fedora implies that Cuban programmers might be good enough for other projects, and that's marketing - certainly a part of that Global Economic Power game.

* For pro-American values of "nicely"

Re:Absolutely

[funwithBSD]

And who decides which are which?

If society found a law unjust, it would be repealed.

If that is an individual, and not society at large, then all laws are unjust in someone's eyes.

Re:Absolutely

[i+kan+reed]

And who decides which are which?

If society found a law unjust, it would be repealed.

If that is an individual, and not society at large, then all laws are unjust in someone's eyes.

Only in an ideal world. We don't have that luxury.

Re:Absolutely

[goombah99]

Right. To begin with red hat is a company and they also make money. for both reasons they get no exception to export restrictions. It doesn't mean you have to like it. But that's the law and there's no reason to grant an exception

Re:Absolutely

[i+kan+reed]

Ah, but then the "don't ask" policy officially quashes the "minor fame" aspect. What other avenues of fake profit exist?

Re:Absolutely

[i+kan+reed]

That's an American company making money. That doesn't benefit Cuba at all.

Re:Absolutely

No, but it can be good enough for a jury to find them non-guilty despite the facts - a tradition that extends throughout US history and long before.

Remember, your obligation as a juror is not just to judge the facts of the case, but to ensure that justice is served. Despite the law if necessary. see Jury Nullification for more information.

Want to get out of jury duty, say the words "jury nullification".

Re:Absolutely

[MickyTheIdiot]

Since our purchased Congress is inherently incapable of understanding any project that doesn't conform to a corporate structure or corporate "profit at all costs" philosophy, it wouldn't be surprised if this is what happens. End the end no way to download source code from a US site.

Re:Absolutely

And the Republicans attacked it nonstop because of their bigotry. They hate open source software even more than they hate gays. Expect them to attack this with the same religious fanaticism that they attacked Clinton for creating DADT. The bizarre thing is that Clinton telling gays that they would be put in prison if they used their first amendment rights is exactly the type of thing that Republicans love. They should have supported him putting gays in prison. Instead, they attacked him for not putting enough gays in prison. Expect the same to happen when Obama doesn't put enough developers in prison. The Republicans are going for blood. Their slang term "open sores" to describe open source software will ironically come true. We will bleed.

Re:Absolutely

[Sarten-X]

Yes, that's exactly why the policy exists. Fedora's hoping they can do an end-run around the sanctions, but the problem lies in the "don't tell" side. If the submissions are traceable back to their contributors, then there's no reason a prolific contributor can't simply announce who he is, regardless of Fedora's policies. Then they get instant (minor) fame and can have their 15 minutes in the spotlight.

Re:Absolutely

[sirlark]

I don't know the intricacies of U.S. law, but I was under the impression that the law regarding ecryption algorithms as munitions was no longer in place. Unless there's something else restricting software specifically, there's no economic value to restrict unless you have paid developers in restricted/embargoed territtories who are receiving money across the border. The economic value (if any) comes at a later stage when the software is distributed and possibly sold, or more likely services surrounding the software are sold. Why is this an issue?

Re:Absolutely

[Rich0]

If you aren't paying, and you aren't taking ownership of something, is it really a violation of import restrictions? I mean, how does that hurt the sanctions against Cuba, for example?

I've been involved in this discussion on another open source project where we have a potential contributor from a fairly-heavily-embargoed nation. The issue is that the wording of the laws is very broad. There isn't much question that we couldn't send money to the developer in question, but the problem is that the law would seem to cover even receiving donations from them (in goods, services, or money).

I suspect the reason is that the laws were written to be fairly loophole-proof. If you spot somebody sailing out of Iran with a tanker full of oil, the ship captain would just tell you that it was a gift and no money was exchanged. Unless you caught the money going in you might not have a case against him, even though he was obviously violating the embargo. So, the law presumes that nobody does something without getting SOMETHING for it, and thus anything moving in or out is forbidden.

I'm not sure if don't ask don't tell would work or not. I know that best practice in corporations is to screen any payee or shipment recipient daily against the various export control lists, and to place writing in contracts requiring their business partners to do the same. However, most corporations are not the beneficiaries of donations of code, so it is a bit of an untested area.

Re:Absolutely

[bluefoxlucid]

I suggest to you that you should now rewrite Microsoft Office from scratch. Since computer programs work the same everywhere it doesn't matter that you have to originate the code yourself instead of having it shared with you (for a fee, and in binary form) from some vendor.

Re:Absolutely

[mrvan]

Maybe it's a stupid question, but can't you "launder" code by routing it through a third nation and recommitting the code from there?

What is the export restriction on anyway? The bits? The IP? And does it extend to any derived work of an export restricted IP burdened work? Because if any piece of code on which any citizen of a restricted country has copyright, I'm pretty sure the linux kernel would contain at least one line, meaning all android phones and most routers, servers etc would be illegal?

Also, DADT sounds really stupid as company policy. I don't know a lot about US law, but in the Netherlands corporate liability extends if the management knew or was in a position to know that law was breached, and having policy to conceal such breach is good evidence that management was in a position to know. Any US lawyers care to comment?

Re:Absolutely

They hate open source software even more than they hate gays.

Pretty sure that's not possible.

Re:Absolutely

[Rich0]

I don't know the intricacies of U.S. law, but I was under the impression that the law regarding ecryption algorithms as munitions was no longer in place.

Correct. Software is not export-controlled specifically at all.

Unless there's something else restricting software specifically, there's no economic value to restrict unless you have paid developers in restricted/embargoed territtories who are receiving money across the border.

The problem is that the prohibitions are blanket ones against money, goods, and services moving in either way across the border with a few named countries like Iran (these kinds of laws exist in many countries, the specific targets vary, but Iran is a pretty common one so I just use that as an example). You actually need an exception to the law to ship anything at all in either direction, and those exceptions usually require specific licenses from the government (you're allowed to ship n kg of wheat into Iran or whatever).

Sure, it doesn't make as much sense when applied to FOSS, but the laws were written broadly without FOSS in mind. So, companies and non-profits aren't terribly eager to test them. It is entirely possible that a court would find accepting free contributions is non-infringing, but it is also possible that a court would treat you like somebody shipping crates full of missiles.

It is a big mess, and different FOSS organizations are handling it in different ways. Some try to have organizations in various jurisdictions so that they can keep different activities in different areas. Some just ban it. Some don't think it is a problem. Since nobody has gone to court yet, it is hard to say what the outcome would be the first time this happens.

Re:Absolutely

[king+neckbeard]

This allows individuals in restricted countries to contribute to greater software quality and security without the perceived drawbacks of having them contribute openly. The sharing of this software is not affected in any meaningful way because it's already FOSS, and the source code would almost certainly be mirrored in another country that is less ridiculous about imports.

Re:Absolutely

[king+neckbeard]

They charge for support contracts. These are contributing developers. There's an enormous difference.

Re:Absolutely

[Stormy+Dragon]

Going to jail for civil disobediance has an equally long history in the US. In fact the book that coined the term was written when Thoreau was in prison for refusing to pay his war tax.

Re:Absolutely

[Desler]

If society found a law unjust, it would be repealed.

In which fantasy land? "Society" has and still does uphold unjust laws all the time. What you describe is a tyranny of the majority.

Re:Absolutely

[Stormy+Dragon]

If you've read "On Civil Disobedience" by Thoreau, the jury didn't get a chance to find non-guilty. He didn't contest the charges. The goal is to get thrown in prison so that it becomes too expensive for the civil authority to continue enforcing the law.

Re:Absolutely

[LordLimecat]

And a citizens duty in a democracy is to-- in most circumstances-- obey the laws passed by its people.

Sometimes those laws are particularly egregious, and in those RARE circumstances civil disobedience may be justified. But that bar needs to be VERY high, otherwise it just degenerates into "I really think IP laws suck, so Im torrenting everything and calling it civil disobedience." Thats not a noble cause, its undermining democracy and society.

I dont really see how you could classify export restrictions as being serious enough to qualify.

Re:Absolutely

[NotDrWho]

Fedora is a US based company, yes? Then should they abide by US laws?

Actually, it's the position of the U.S. government that you should have to abide by U.S. laws no matter where you're based.

Re:Absolutely

[Immerman]

Want to have a shot at being able to fight for justice? Keep your mouth shut.

Re:Absolutely

[Anubis+IV]

This allows individuals in restricted countries to contribute to greater software quality and security without the perceived drawbacks [...]

What perceived drawbacks? In the case of the military's DADT policy, regardless of what the law was, there was a concern about how having homosexuals openly serving would affect the performance of units. In this case, however, individuals from those countries are simply barred because the US has cut off exports to those nations and requires that all US companies be proactive in doing the same. Nothing more. No perceptual issues at all. If the law was off the books tomorrow, virtually every open source project would welcome their participation with open arms.

That's why Fedora's DADT policy is quite different from the one employed by the US military. It does nothing to address the issue. It doesn't somehow change their nationality or alter the law, and it can't eliminate a perceived drawback since there isn't one. All it does is cover up their illegal participation.

Personally, I think the law is out of touch and needs to be amended, but that doesn't give Fedora the right to do as they please.

Re:Absolutely

[TheCarp]

> If the law was off the books tomorrow, virtually every open source project would welcome their
> participation with open arms.

Them not being able to participate is a drawback. Frankly, ignoring laws that are wrong is a persons duty. There is no legitimate reason to bar their particpation. Resepect for laws that are wrong is disrespect for the laws victims.

I have yet to see any reasonable argument why anyone should see it as their duty to follow the law just because somebody made a law.

Re:Absolutely

[JoeMerchant]

Clear, cogent and logical reasoning. What makes you think that will have anything at all to do with reality?

Re:Absolutely

[Anubis+IV]

Because the government thinks it's in its own interest to enforce those laws, otherwise they'd have wiped them out already, given that they're the only ones keeping them on the books.

Re:Absolutely

[Immerman]

That presupposes that you live in a functioning democracy where the people get a powerful voice in the passing of laws. Iceland and Sweden spring to mind as potential candidates for being such, I can't think of many others offhand.

Re:Absolutely

[K.+S.+Kyosuke]

Non sequitur much? I don't even have an idea what you're pointing at. If I rewrote MS Office, the result would be a different program using different algorithms doing different things written by a different person, not the same program doing the same things where the author is irrelevant.

Re:Absolutely

[Immerman]

I have not read it, but I will make two points:
1) There are many kinds of civil disobedience - in some cases a mass uprising to flood the courts and prisons is a viable option. In others only a single person or small group is in a position to be able to meaningfully disobey.
2) In the US, unless I badly misremember, a confession alone is not sufficient for a conviction. You still get your trial by jury, even if pleading guilty. A plea bargain can potentially short-circuit the process, but that would be counterproductive for effective civil disobedience.

Re:Absolutely

[JoeMerchant]

Never attribute to conscious thought that which can be explained by laziness, forgetfulness, apathy, or political distancing.

Of course, I kid, this is one of those cases where somebody is going to make a political issue of it and "strip away the sham." Fedora is giving themselves a little bit of an enforcement delay, or warning, at best, with this move.

Re: Absolutely

You remember very wrong. In the US, its set up to get as many people as possible to confess to save the time and money on jury trials. They do this by slapping you with overly massive potential jail terms and knocking it down to a couple of years if you just confess, so most people do guilty or not because 100 years is what you're getting with your shitty free lawyer.

Re:Absolutely

[Anubis+IV]

Them not being able to participate is a drawback.

Sure, but I was talking specifically about perceived drawbacks that were the cause for being barred from participation and how the military thought it was addressing those with its DADT policy, whereas no drawbacks preventing participation were being addressed here. That is, the reasons they were barred from participation are still just as (in)valid as they were before, but now Fedora is willfully ignoring that fact. Yes, their lack of a participation is a drawback, but their lack of participation is not a drawback that is (recursively) keeping them from participating. It's a symptom, not the cause, and I was talking about causes.

As for the rest, that's a topic I don't want to argue, so I'll leave it for someone else. I mostly agree, but with some caveats.

Re:Absolutely

[Stormy+Dragon]

The first step in the trail process is arraignment, where the list of charges against you are read and you are asked whether you plead guilty, not guilty, or no contest to each of them. If you don't plead not guilty, there is no trial and things skip directly to sentencing.

Re:Absolutely

[JackieBrown]

Their slang term "open sores" to describe open source software will ironically come true. We will bleed.

Can you cite this? In fact, can you cite where the republican party (let's say the past 10 years) said that gays should be in prison?

And I don't mean a one off republican. I can find pretty of crazy democrats to quote. I am asking where the party position was anything close to what you slandered.

Re:Absolutely

[Stormy+Dragon]

No, there's one kind of civil disobedience. It's just there's a lot of posers out there who want the "cool factor" of claiming martydom without having to following through on all the down sides of actually being a martyr.

Re:Absolutely

Yes, in the US, even if you confess, or plead guilty, you 'get your day in court'. Though I think entering your plea is done in front of a judge only, so if you plead guilty you forgo any jury seeing your case. Plea bargaining is just the prosecution 'offering' to 'go easy on you' if you plead guilty, which is still done in front of a judge.

Confessions can be used as evidence in court, but can be effectively contested for various reasons.

Re:Absolutely

That's not how juries work. Juries decide matters of fact, Judges decide matters of law. Before any trial, the Judge's first job is to distill down what the law says. "You as a juror have to determine if so-and-so really did ____; if you do, you must find him guilty of ____. You must then decide if what he did was negligent, which means ____; if so, you must also find him guilty of ____."

Your comment that "your obligation as a juror is not just to judge the facts of the case, but to ensure that justice is served" is outright wrong. In fact, it's almost exactly backwards. The whole point of the adversarial system is that there are two sides to every story, neither of them is probably the whole truth, and that the whole truth will probably never be known. That's why juries exist to sort out what the evidence actually indicates the facts of the case are. Their entire job is to "judge the facts of the case." The law acts upon those decided facts, and that ruling may or may not ultimately be "justice". Juries exist to provide a fair way of judging facts, not to reduce a large, unruly mob that wants to take the law into its own hands into a smaller, more ruly mob which still wants to take the law into its own hands.

There seems to be this myth built up around protest and civil disobedience where people have come to believe it should be risk-free, and some sort of (nearly literal) "get out of jail free card". That has never been the case, nor should it be the case.

Re:Absolutely

[Captain+Sarcastic]

I wish I had mod points - you put your finger on the point that armchair revolutionaries overlook. Retroactive resistance, so to speak, is safer. It was notable how the number of members of underground groups against the Nazis increased directly with the time after liberation.

Re:Absolutely

[nbauman]

It has been upheld in US courts that even the minor fame from open-source authorship counts as economic gain (thus reinforcing the GPL's validity as being consequential).

I'd like to know the court citation. I did a quick Google search for "Arms Export Control Act open source software" and it looked like open source and anything else that was public domain was not subject to export restrictions.

http://oti.newamerica.net/blog...

http://www.mtu.edu/research/ad...

As to imports of scientific information, I read about that (I think) in Science, about how some American journals were refusing to accept papers from restricted countries. At least some lawyers argued that the regulations allowed the exchange of scientific information, the journals were wrong, and should start accepting papers.

I've seen submissions in the New England Journal of Medicine from Iran, usually short pieces in their "Images in Clinical Medicine" feature. http://www.ncbi.nlm.nih.gov/pu... http://www.nejm.org/doi/full/1... Iran has a pretty good health care system, with doctors trained in the UK.

Iraq used to have one of the best health care systems in the world. Some of the most bitter critics of Saddam Hussein were Iraqi doctors, and I used to read their articles in The Lancet and BMJ. After the war, some of them were treated worse by George W. Bush than they were by Saddam (as in blowing up hospitals).

If they couldn't publish their stuff in American medical journals, the British journals are happy to publish high-quality work.

Re:Absolutely

[JeffAtl]

By this definition of civil disobedience, MLK was a poser.

Re:Absolutely

[HiThere]

There have been supreme court justices that disagree with your opinion, though I agree that it is by far the majority opinion.

FWIW, when I am on a jury, I decide based on justice. And I don't let any judge tell me what justice is, not with the corrupt way they have gamified the court system, to the point where I will not call it a "justice system".

As it happens, every time I've been on a jury, the case was, AFAIKT, a valid case, and I happened to agree with the judge. This doesn't mean that if I felt that equity and justice were being violated I would accept his dicta WRT how and on what basis I should vote.

Re:Absolutely

[HiThere]

IIUC, Fedora is not increasing the export of code, but rather allowing the import of code. As such, I don't see why the law should have anything to do with it. If it does, then this needs to be explained more clearly.

What this seems to be doing is allowing Fedora to import code with names assigned, but without geocoding it. It is true that this would imply that the contributor had, in some manner, got hold of the original code, but this doesn't mean that Fedora gave them access. Probably they got it from some other source which legally got the code from Fedora (i.e., Red Hat).

And, if I am understanding correctly, this does not violate any intentional wording of the law. It may, of course, violate a carelessly worded portion of the law...but so might anything. Legal bugs rarely get corrected except via legal interpretations by appellate courts...and though are nearly as likely to introduce bugs as to fix the old one, and often seem to introduce new bugs while still not fixing the old one. Which is a small part of why there are so many stupid, ill-conceived, and harmful laws on the books. Bribery of legislators is, of course, the predominate reason.

FWIW, I have little respect the for US legal system. There are worse ones, but the percentage of worse legal systems is growing fewer each year...usually without the rest of the world improving. The wholesale bribery of legislative bodies without anyone being punished does not inspire ANY respect. Neither does the wealthy blatantly abusing the less powerful. Neither does the choice of viable candidates for office.

Re:Absolutely

[Lisias]

Don't ask, don't tell passed legal muster for the U.S. armed forces...

They have guns. Fedora guys have not. :-)

Re:Absolutely

[Stormy+Dragon]

No, he wasn't. King was imprisoned 29 times during his movement, during which he would not even accept being released on bail before trial. Most Notably in Birmingham, Alabama where he was almost a thousand people to be arrested. Again, getting sent to jail was the deliberate goal of the protest, as it overloaded the civil authority's ability to enforce an unjust law.

http://en.wikipedia.org/wiki/L...

Re:Absolutely

Why lie about what Bush said? You people are disgusting. All you care about is hurting the poor and minorities. You have no respect for what is right. Why defend their decision to try to put gays in prison? Do you not know someone that is gay? So you want them put in prison?

Re:Absolutely

[Dcnjoe60]

No, but it can be good enough for a jury to find them non-guilty despite the facts - a tradition that extends throughout US history and long before.

Remember, your obligation as a juror is not just to judge the facts of the case, but to ensure that justice is served. Despite the law if necessary. see Jury Nullification for more information.

Want to get out of jury duty, say the words "jury nullification".

That is only one possible outcome. Another would be a free night in jail for contempt.

Re:Absolutely

[funwithBSD]

What are you on about?

Granted I am only 40ish, but the number of unjust laws that have been removed or repealed in that time are significant.

Society does not turn on a dime, it evolves. It is not an instant gratification process.

Well, unless you want to burn it all down, man. Then the sky is the limit, if you escape the flames.

Re:Absolutely

[funwithBSD]

Everyone is a minority of some kind in some place.

So which minority gets to decide the majority is being a tyrannical?

Re:Absolutely

[pepty]

In my (quite limited) experience, if potential jurors make it clear they will be a pain in the ass and will be hating every second of it they get dismissed. This might go out the window in high profile cases, but judges and attorneys are looking for people who can work together to reach a decision without undue drama or delay.

Re:Absolutely

[prelelat]

You are right. This solves nothing. What happens when a contributor comes out as being from an embargoed country? Do they remove the code and say oh well? Do they take a heavy fine and possible jail time?

I'm not a lawyer but I find this way of dealing with the problem very dangerous to the community. They need to move the project to a country that will not cause so much problems for it.

Re:Absolutely

What is the export restriction on anyway?

I think the export restriction was on the encryption algorithms, no matter how they were represented (as bits, text, printed paper, audio files).

Re:Absolutely

Or just say you're an Atheist, that has always worked for me.

Re:Absolutely

[msobkow]

Here's the problem: most open source software isn't owned by US authors. So the software is developed and maintained with absolutely no concern about anal-retentive American military "requirements." You can hardly take a global project and demand that people from certain nations stop contributing so that you can ship the software to a US market without getting into trouble for "conspiring" with those nations.

Quite frankly, the law is asinine anyhow. There are no shortage of places around the globe to download and access the full code and binaries of "restricted" software from those nations, because there are other nations who participate in open source projects that don't kiss American ass.

So as far as I'm concerned, RedHat is doing what is necessary to continue using open source software.

To truly meet the American legal requirements, they'd have to rewrite and lock down an insane amount of software -- including replacing the Linux kernel.

Re:Absolutely

Most open source does not even originate from the US. so Open source will do fine. its only in Fascist America you will not get to enjoy the free exchange of ideas and code. The gay issue should never have been one, americans are insanely homophobic (military and scouts especially) anyone giving a shit about someone being gay in the last 30+ years can only be a narrowminded biggot. using "10 years" as an example is is close to retarted.

Re:Absolutely

[tragedy]

In contrast, the stated reason export restrictions are in place is to sanction or otherwise prevent the sharing of goods and information with certain countries.

Which seems difficult enough to do when you're talking about actual physical advanced weapons systems or industrial equipment massing thousands of tons. It's painfully obvious that it's impossible to do with software that's freely downloadable over the Internet. The kinds of people who think that it could somehow be done are either highly ignorant, just plain stupid, crazy or actually have a well thought out plan whose only downside is some small detail like turning the world into a prison or just killing nearly everyone. You say that the discussion of whether or not the law makes sense should be tabled for another time, but the sheer idiocy of the law has to be considered.

Also, it should be noted that Red Hat is really a service company. Computer services are thier product. Any proprietary software they produce doesn't have random contributors off the Internet and the open source code is, like the label says, open and provided as source (also as compiled code, but that's still just another kind of computer code). Everything else available on the Internet is computer code as well. You could draw a distinction between mere data and markup versus executable content, but good luck finding many web pages these days that don't count as executable content. So, if Red Hat is responsible for contributers from banned countries to open source software. Shouldn't every blog in the world be similarly responsible for any comments posted by people from banned countries?

Re:Absolutely

[Wycliffe]

I never even get to the interview stage for jury duty.
The first question on the mailed pre-questionaire asks "has a close family member ever been sued for personal injury?"
My dad owns a few dump trucks and tractor trailers so of course people have tried to sue him pretty much every
time any of his vehicles have been in an accident whether it was their fault or not. This seems to limit the pool
severely though as they are basically eliminating practically all small business owners and their families right off the
bat. Several other questions are equally as broad. It's amazing they find anyone who can honestly answer those
questions and still be a juror.
I also question the "jury of peers" problem. If it's a malpractice suit is it a jury of the doctor's peers or the patient's peers?
Patents specifically state it's suppose to be someone with similiar expertise in the field but I don't think courts work that way
even in patent cases.

Re:Absolutely

Congratulations, you have just admitted to committing a felony.

When you accept jury duty, you agree to follow the law.

Instead, you flouted it, and now you brag about it.

You'd better hope you never get caught out, Charles Hixson. You'll get reamed. And rightly so.

Re:Absolutely

[Immerman]

How would mentioning a valid judicial activity with a long and honorable history put you in contempt? They're still free to put you on the jury, in fact the defense might even be in favor, if the prosecution chooses to kick you out of the pool because you happen to know the full extent of your legal obligations that's their business.

Re:Absolutely

[Immerman]

Lets take a recent example in Snowden - regardless of what you think of his actions do you truly believe that mass civil disobedience was an option? Or that the media exposure would have been as extensive had he quietly surrendered after releasing his stolen secrets?

Re:Absolutely

[CurryCamel]

https://www.kansalaisaloite.fi/fi 50k "Likes" (not of Facebook, though - but I bet that is just around the corner), and your idea for a law goes to parliament for a vote.
HOW does Sweden beat us (again!), now in this sense?

Re:Absolutely

[sirlark]

Thanks for the informative response. I suppose I never considered the contributions as services since no-one was paying for them, but of course this means that a system of reciprocal gift giving would then be an easy way to get around the restrictions. What about post (mail) and email though? Are personal communications also heavily restricted? What about family members communicating? I'm not trying to be difficult here, it's now you've got me curious as to how this would actually work. I suppose that if personal communications are allowed, an argument could be made that patches are simply personal communications along the lines of I think this is a good way to fix your lawnmower (as an analogue equivalent).

Re:Absolutely

[Rich0]

Honestly, I'm not sure how mail works, but mail has a long tradition of being duty/control-free, and I think there are various treaties involved.

However, "mail" is limited to pieces of paper in an envelope. If that is all you're sending I'm pretty sure nobody will interfere with it.

I certainly see your line of argument. The real problem for larger FOSS organizations is risk. Big governments have no mechanism to ask for permission to do activities like this - you basically have to just do it, wait for them to potentially prosecute you for it, and then win in court. That entails a lot of risk, so anybody with something to lose avoids this stuff.

So, if you're some FOSS project with three contributors and $50/yr in donations and some contributor from Iran comes along, you're probably more likely to go along with it than if you're Apache or Mozilla or Redhat.

Re:Absolutely

[Dcnjoe60]

How would mentioning a valid judicial activity with a long and honorable history put you in contempt? They're still free to put you on the jury, in fact the defense might even be in favor, if the prosecution chooses to kick you out of the pool because you happen to know the full extent of your legal obligations that's their business.

Acting as a smart ass will put you in contempt. Simply put, contempt is anything the judge determines to be disrespectful or disobedient. Unless you are an attorney or somebody with a background in law, blurting out jury nullification will probably be viewed poorly by the judge as it isn't in the common vernacular. OTOH, if you made a statement like, "I think this is a bad law" or "This law doesn't even seem right" then you would probably be okay. Of course, you are free to try, but be prepared to answer the judge's question on the theory and history of nullification. If you fail and don't really have a good and convincing understanding of it, then you will probably be found in contempt.

Re:Absolutely

[i+kan+reed]

And a number have lasted your entire lifetime. And some have been created during your lifetime.

Re:Absolutely

[Immerman]

Well, for one I've heard of them and some of the significant and obviously-not-totally-corrupt actions of their governments. .fi =??? Finland? Okay, yeah I think I've heard some good things there as well. Seems like you Nordic countries are generally making some real progress towards sustainable democracy, lucky bastards. Care to share your secret with the rest of us miserable peons?

Re:Absolutely

[Phreakiture]

Right, so you apply the Dalton principle: be nice. When (not if!) they ask you if you will follow instructions and law, then, and only then, nicely, tell them that you believe in the principle of jury nullification, and that you cannot promise such a thing in good faith.

Of course, IANAL, and what exactly you encounter will depend on the other people present as well as those doing the selecting, so whatever happens from there will depend a lot on the human factor. You should, therefore, only do this if you truly believe it (as I do). Trying to get out of jury duty is shirking your responsibility, but telling the truth, and getting out of it because it is the truth, is not your problem.

Re:Absolutely

[LordLimecat]

We have some of the fairest elections in the world. The complaints I see on slashdot are that people dont care enough, or dont care about the things that slashdotters care about. Thats not the same thing as living in Russia, for example.

Seriously, this whole "it doesnt matter because our democracy is broken" meme is more harmful to our democracy than anything else. Want our system to suck less? Stop encouraging apathy!

Re: Absolutely

[vilanye]

A confession is not at all the same thing as pleading guilty.

The OP is right, a confession alone is not sufficient for conviction. Go to a cop and confess to a crime you didn't commit. You might get slapped with filing a false statement but you will not get convicted on the crime you confessed to.

Re:Absolutely

[vilanye]

What is wrong with accepting code from Cubans?

This is as stupid as the encryption export restrictions. It is like the government thinks that no one can implement encryption or that foreign code is dirty.

How about they put some restrictions where it matters like toys and dog food from China?

Re:Absolutely

Jury nullification is perfectly legal.

Re:Absolutely

[vilanye]

Do you know the definition of export?

Re:Absolutely

[unixisc]

Citation please? About the GOP hating FOSS

Re:Absolutely

[TheRealLifeboy]

Law is law

Wrong. Fail. Law is only there to serve the people it was meant for. If it doesn't work, it must be scrapped. If it has unintended side-effects, it must be changed or scapped. No law is a law unto itself. There are way too many laws (millions of them) anyway.

Also, because a country is perceived an enemy of another country, does that mean that the people in country A are all enemies of country B? Surely not, unless you just crawled out from under a rock and are still coming to terms with the fact that there are other humans.

The US is by far the biggest perpetrator of injustice, terror, warmongering and destabilisation in the world - all part of empire building. The only reason that is so, is because the majority of the people in the US have been so dumbed down in the "education" that they allow these villians in government to get away with it.

Re:Absolutely

[bluefoxlucid]

So your argument against the control of export of the product of labor is that the labor applied elsewhere would produce a different thing? i.e. your argument that the author of a program is irrelevant is that the author of a program is actually relevant?

Re:Absolutely

I thought Clinton said that? The democrats have a long history of hanging black people. Why do you support them? I cannot believe you are for hanging black people.

Do they apply to US-based commercial products?

Yes. They do. Why should US-based Open Source products get special treatment? Would that be an unfair competitive advantage if they did?

Re:Do they apply to US-based commercial products?

US-based commercial products aren't prevented from accepting contributions, only from exporting money to pay a salary to someone from a restricted countries.

Re:Do they apply to US-based commercial products?

[pla]

Do they apply to US-based commercial products?

No. No, they do not, for one simple reason - Microsoft doesn't take source code from their userbase and roll it into the next release of Windows. The entire issue simply doesn't come up with closed source, because no one outside has access to the source code in the first place.

Red Hat's problem in this situation really has no analog in the conventional business world. ITAR 18 USC 2339B simply don't address the situation of accepting material support from blacklisted entities. They just want to make sure that our ever-growing list of enemies doesn't someday someday require purging millions of lines of functioning source code. "Well what do we have here... Looks like you accepted code from one of those evil bastard terrorist(tm) Finns - Get ready for PMITA!"

Re:Do they apply to US-based commercial products?

[pla]

ITAR and 18 USC 2339B.

Re:Do they apply to US-based commercial products?

Where does this end? I remember in the 1990s, IUST (Iranian University of Science and Technology) writing a major part of the SMP code for the Linux kernel. Are we going to have to find what nationality the code was checked from and rip it out line by line?

I am reminded about ITAR and PRZ, way back when PGP managed to float out of the US, and he nearly got nailed for the same crime that someone sending nukes to Iran would.

This is an edge condition where the law needs to be changed, because the alternative is simple... Fedora and RedHat would split their development projects to an offshore organization, and just import said organization's code as a gestalt.

Re:Do they apply to US-based commercial products?

ITAR is still alive and well, we recently had lots of "fun" trying to get a decent frequency standard for our internal cal lab in (non-EU) eastern Europe.
"OMG, the Russkies could steal the secrets of the atomic... clock?!?"

Re:Do they apply to US-based commercial products?

[rexbinary]

The entire issue simply doesn't come up with closed source, because no one outside has access to the source code in the first place.

Except for offshore contractors from all over the world.

Re:Do they apply to US-based commercial products?

you naive child. I know exactly how I'd use an atomic clock, and why they're ITAR restricted devices. Big, big boom.

Re:Do they apply to US-based commercial products?

[cheesybagel]

They are restricted because they are used in GPS and similar applications. Even if you are doing dead-reckoning the more precise the clock is the more accurate the results will be. This is unsurprisingly useful in things like munitions. e.g. a nuclear weapon will have a lower CEP if you have more accurate clocks in the system.

Re:Do they apply to US-based commercial products?

So how do these blacklisted entities get the existing source code so they can make contributions? Oh, right... It was "exported" and therefore falls under ITAR...

Re:Lawsuit?

[SJHillman]

If contributing to open source projects is wrong, then I don't want anybody to be right.

Huh?

[Hognoxious]

If someone in Syria submits a contribution to US based software, how does that infringe an export ban?

Re:Huh?

[Jane+Q.+Public]

"If someone in Syria submits a contribution to US based software, how does that infringe an export ban?"

I think the point here is more like: should a North Carolina-based company be doing business with countries that the U.S. government is sanctioning?

Re:Huh?

[CanHasDIY]

If someone in Syria submits a contribution to US based software, how does that infringe an export ban?

Ask yourself this - how could someone in Syria contribute to code they've never seen before?

Re:Huh?

Unless this theoretical Syrian national is also a great and powerful psychic, I doubt that they will be able to make a contribution to a code base without having seen it.

In other words, we would have to export the existing code base to them so that they may make updates and contributions to it.

Re:Huh?

To make this kind of contribution one usually needs to access sources first.

Re:Huh?

Presumably because it would not be possible for such a contribution to be made without the import ban first being broken.

Just like physical products. Not legal to export a banned product then import it back to the US.

Re:Huh?

If the source is open and distributed how will you keep them from getting it?
I think fedora should have to abide by US law.

Re:Huh?

Interesting question. Perhaps a good one for the mercenary firm formerly known as Blackwater, also headquartered in NC.

Re:Huh?

[Lisias]

I think the point here is more like: should a North Carolina-based company be doing business with countries that the U.S. government is sanctioning?

Exactly what do you define a "business"?

It's a business if no money changes hands?

Re:Huh?

[MickyTheIdiot]

Pishaw. Vice Presidential corporate buddies get a free pass.

Re:Huh?

[K.+S.+Kyosuke]

So when news reporters publish reports from people interviewed in those countries, is that "doing business" with those countries as well? That's also a transfer of copyrightable material from those countries into US, just like the FLOSS contributions.

Re:Huh?

[MickyTheIdiot]

What if the check out server is in the Cayman Islands?

Re:Huh?

[Lisias]

Presumably because it would not be possible for such a contribution to be made without the import ban first being broken.

So don't export to them. Export to someone's else, and then they export to them.

A huge part of the code isn't made in USA anyway. Worst case scenario is these guys making contributions on non-USA code on some other country's SVN server to be merged to Fedora later.

Re:Huh?

[cdrudge]

Ask yourself this - how could someone in Syria contribute to code they've never seen before?

The same way that Western goods make their way to any country under export control, through intermediaries.

Coke can't sell to North Korea. Coke however can be sold (or made) in China and then gets shipped across the line to North Korea.

Is it really hard to imagine that Syria or Iran might be able to download from an intermediary country that might have a mirror of the distribution? Or had someone travel to such a country to download it? Or just went through a VPN or proxy? Or...

Re:Huh?

They are called Academi now, keep up or you'll miss the next name-change.

Re:Huh?

[Rich0]

Presumably because it would not be possible for such a contribution to be made without the import ban first being broken.

So don't export to them. Export to someone's else, and then they export to them.

That is expressly forbidden with physical exports under US law. Your responsibility for an export doesn't end once it leaves your hands if you didn't do due diligence to ensure that the ultimate recipient wasn't a denied party. This is a fairly obvious loophole otherwise.

Now, how all of this applies to software is anybody's guess.

Re:Huh?

[bill_mcgonigle]

I think the point here is more like: should a North Carolina-based company be doing business with countries that the U.S. government is sanctioning?

Of course they should - for all the reasons Americans hold dear.

Would the US Government think so? Probably not, but look at the shit going down in Venezuela as a direct consequence of Kennedy's EO on Cuba - they have no idea what they're doing (or are at least in severe denial about free markets and trade's effect on freedom because they want to be central planners and pretend like they value freedom).

Re:Huh?

[NatasRevol]

Or a proxy server.

Or VPN.

Or intermediary country.

Re:Huh?

[Lisias]

Your responsibility for an export doesn't end once it leaves your hands if you didn't do due diligence to ensure that the ultimate recipient wasn't a denied party.

And exactly how the Law expects that the exporter manages that? That's impossible! It's the USA Government that have armed troops to enforce policies, not the civilian exporters!

Re:Huh?

[Rich0]

Your responsibility for an export doesn't end once it leaves your hands if you didn't do due diligence to ensure that the ultimate recipient wasn't a denied party.

And exactly how the Law expects that the exporter manages that? That's impossible! It's the USA Government that have armed troops to enforce policies, not the civilian exporters!

The Law can expect anything it wants to - quite a few laws are unreasonable. The anti-smartphone-while-driving law in California appears to ban having a powered-on smartphone in the front passenger's purse, which is obviously unreasonable. That is why they're all selectively enforced.

Generally if you show due diligence you're fine. That's why big corporations require all their sub-contractors to screen their own shipments/payments against export control lists as a condition for getting business.

Just look at how many businesses do nothing but deal with imports and exports as a sole source of income. The laws in this space are incredibly complex. I'm sure lots of companies bend/break them, however.

Re:Huh?

[CanHasDIY]

Ask yourself this - how could someone in Syria contribute to code they've never seen before?

The same way that Western goods make their way to any country under export control, through intermediaries.

Coke can't sell to North Korea. Coke however can be sold (or made) in China and then gets shipped across the line to North Korea.

Is it really hard to imagine that Syria or Iran might be able to download from an intermediary country that might have a mirror of the distribution? Or had someone travel to such a country to download it? Or just went through a VPN or proxy? Or...

Is Coca-Cola restricted by ITAR?

Something tells me the rules for cryptography exports are a bit more stringent than the ones for sugar water.

Re:Huh?

[king+neckbeard]

The code could very well be based in a project without so many stupid trade restrictions. For example, let's pretend Linus still lives in Finland, and that he is hosting the git repo in Finland. Red Hat is a major contributor, but the Syrian could have gotten the code from the straight from the source in Finland.

Re:Huh?

[CanHasDIY]

The code could very well be based in a project without so many stupid trade restrictions. For example, let's pretend Linus still lives in Finland, and that he is hosting the git repo in Finland.

While that does appear a legitimate work-around, I feel compelled to point out that OP specified US-based software. Pretty sure something that's hosted out of a non-US repo wouldn't count.

Re:Huh?

[cheesybagel]

If that happened people would just move the repositories elsewhere. Welcome to the Internet.

Remember separate distro repositories for people in countries with restrictions on strong encryption?

Re:Huh?

[Lisias]

Hard to comply and selectively enforced laws are the basement of half baked dictatorships - that ones where the political leaders cannot assume the dictatorship alone, needing support from a bunch of little wannabe dictators from some feudal social niche.

I live in one of these countries (Brazil). Believe me, for your own sake, get rid of hard to comply and selectively enforced laws. They allows the government to do things that normally they couldn't - as to persecute people at its own arbitrary criteria by not enforcing some laws, except on the selected ones.

Re:Huh?

[Jane+Q.+Public]

"Exactly what do you define a "business"? It's a business if no money changes hands?"

"Open Source" doesn't mean "Work For Free". Lots of money changes hands.

Re:Huh?

[Jane+Q.+Public]

"Would the US Government think so?"

Right. I wasn't saying they shouldn't... just that it was really the question at hand.

"... they have no idea what they're doing (or are at least in severe denial about free markets and trade's effect on freedom because they want to be central planners and pretend like they value freedom)"

I'm confused about who you mean there. The Venezuelans, or the Obama administration?

Re:Huh?

[GumphMaster]

And exactly how the Law expects that the exporter manages that?

Your law forces the exporter of ITAR controlled goods (arms, missile tech, crypto etc.) to impose your export restrictions, handling requirements, and audits etc. on the authorised foreign recipient of the goods in the form of contract clauses and required policy/process. It also requires the State Dept. to authorise any such export in the first place. They can, and do, veto exports of even the most tenuously arms-related items if they feel something evil in their waters, when the wind is blowing from the east etc. Failing to ask for/gain permission, exporting without imposing suitable restrictions, or exporting knowing the restrictions will be ignored carry hefty fines. Nations that the US would typically allow export to usually have equivalent laws/regulations blocking re-export. Some nations, e.g. the UK and Australia, have standing arrangement with the US for some classes of restricted materiel. Even so, you can still come unstuck, e.g. http://learnexportcompliance.b...

BTW: I am not saying that Fedora code falls under the ITAR umbrella.

Re:Huh?

[Rich0]

Couldn't agree more, but we're long past the point in the US where everybody is already a criminal...

Re:Huh?

[jrumney]

Yes, the rules for cryptography exports are more stringent, but Iran, North Korea, Syria and a few others are completely banned from any trade, with exceptions only for humanitarian purposes, which I don't think would cover Coca Cola. And (apart from Cuba), not just by the US, but by UN sanctions which most countries have coded into law. For crypto or anything that could be used militarily, there is a much larger list of countries, plus organizations and individuals, some of which are located in countries which you might otherwise consider safe.

Re:Huh?

[CanHasDIY]

but Iran, North Korea, Syria and a few others are completely banned from any trade, with exceptions only for humanitarian purposes, which I don't think would cover Coca Cola.

Depending on how much they know about soda, it might be considered an act of war.

Re:Huh?

[Lisias]

I know it.

But in this business model, the one that pays the money is not necessarily the one that receives the benefit.

Consider the following scenario:

1) Fedora gets contributions from A, B and C.

2) Person A lives on a restricted exports country, but does not receives money from anyone.

3) Person B lives on another restricted country, but receives it's money from a local enterprise that uses Fedora in his systems.

4) Person C lives in any "politically correct" country - doesn't matter if he/she gets paid or not.

How we can call "business" the relationship between Fedora and persons A and B?

Re:Huh?

[Jane+Q.+Public]

How we can call "business" the relationship between Fedora and persons A and B?

I would say that if it's a restricted exports country, Fedora should not be helping B use Fedora in the first place.

And why is A contributing if it's illegal for him to receive any benefit from it?

The point here was not about whether a country should be restricted or not. The point is: should the U.S. be able to stop a for-profit company from contributing to the well-being of a restricted exports country?

And make no mistake: open source or not, Redhat is a for-profit company.

Re:Huh?

[Lisias]

ok. Let's play "what if".

How we can call "business" the relationship between Fedora and persons A and B?

I would say that if it's a restricted exports country, Fedora should not be helping B use Fedora in the first place.

Being a freely available linux distribution, how you think Fedora could prevent this? It's a freely distribution after all. Anyone and the neighbor's dog can download it and reupload it to anyone in the world.

And why is A contributing if it's illegal for him to receive any benefit from it?

Because he have plenty of time and wants to learn something in order to get a better job?

Because he's a american "felon" that had to leave his country because he dared to blow a whistle?

Because he's a genius that will never be allowed to leave the country?

Or, probably the most common reason: because he wants to?

The point here was not about whether a country should be restricted or not. The point is: should the U.S. be able to stop a for-profit company from contributing to the well-being of a restricted exports country?

The question is irrelevant because we don't even decided *how* any open source company can prevent someone to get the source code without throwing the License through the window - what would, mind you, make then a company that loose the right to distribute the very same code.

What leave us with the paradox to solve: how a Open Source Company can enforce such laws and keep being a Open Source Company?

Humm... Microsoft, it's you behind such laws? =P

And make no mistake: open source or not, Redhat is a for-profit company.

A company is a company. A License is a License. I don't see how the "for-profit" part is relevant.

Why do they need to know in the first place?

It's not like they're being paid money for their work.

Who's actually upset by this?

Not sure if this is the right way to look at it but if it's a case of US banning exports to the listed countries (I can't imagine how the US would ban exports from those countries short of a bloackade) then what's the problem?

People in those countries are exporting their work on the opensource project at hand.

As for how they got their hands on that code... it's open source! they could have downloaded it from anywhere (i.e. NOT the US).

Where's the issue?

I WANT to know where code comes from.

Because I do NOT trust code from Russia, China, anywhere in the Middle East, and a few other places. Just look at all the crime (Target for one) that's based in Russia alone.

Re:I WANT to know where code comes from.

[SJHillman]

I don't trust anonymous comments on Slashdot. Just look at all the nonsense (hosts files for one) that's based in this thread alone.

I'd trust code I can see from a place I don't trust more than I'd trust code I can't see from a place I like.

Re:I WANT to know where code comes from.

If you are relying on the nationality of your contributors to secure your code, YER DOIN' IT WRONG.

Re:I WANT to know where code comes from.

That worked so well for GnutTLS. Thousands of eyes have looked over that code for years, and missed it. Open source didn't live up to it's hype in this case.

Re:I WANT to know where code comes from.

[Frobnicator]

Because I do NOT trust code from Russia, China, anywhere in the Middle East, and a few other places. Just look at all the crime (Target for one) that's based in Russia alone.

Well, unfortunately, maintainers have found they also cannot trust sources in the US and other nations due to corporate and government intrusion either. Nor can you trust the code is entirely bug free, and who knows if the security flaw bug was intentionally introduced.

The only answer for open source maintainers is constant vigilance. NOBODY is to be trusted.

Search back to when Linus Torvalds was asked if the NSA and other agencies had ever tried to make him to install back doors in the kernel. He said "Noooo..." while emphatically nodding his head "yes". He also claims to verify all the submissions that make it in, and claims to double-check all submissions that claim to have been made by him since spoofed changes have been known to happen.

Based on the heated, usually profanity-laden messages from the kernel mailing list when a maintainer lets a kernel bug through and he caught it, I'd say his personal level of distrust is just about right for what he is maintaining. Not even the highest-level maintainers have his complete trust.

Re:I WANT to know where code comes from.

[SJHillman]

I'm not saying Open Source is absolutely trustworthy, but I tend to trust it more than closed source - at least for large projects with a lot of people looking at it.

Re:I WANT to know where code comes from.

[Lisias]

Because I do NOT trust code from Russia, China, anywhere in the Middle East, and a few other places.

You are free to audit the code. ;-)

Re:I WANT to know where code comes from.

Great. Now software written by/for the US government is going to start getting expensive. It might start falling behind schedule.

Re:I WANT to know where code comes from.

[Dcnjoe60]

That worked so well for GnutTLS. Thousands of eyes have looked over that code for years, and missed it. Open source didn't live up to it's hype in this case.

How do you know there was a problem with GnuTLS? Oh, yeah, Red Hat developers detected it in the source code, that by the way, the only reason they had was because it was open source. It would seem that the system worked exactly as planned and open source does indeed live up to its hype.

Re:I WANT to know where code comes from.

[shutdown+-p+now]

So, do you trust the code from Crimea?

Re:I WANT to know where code comes from.

[CurryCamel]

So, do you trust Linus Torvalds?

Re:I WANT to know where code comes from.

[Lisias]

As it should, by the way.

You should not handle government software in the same way you do the pop and mom's store's.

Don't ask, don't tell

There's no need to ask. We already know that everyone who codes Linux is gay.

Only the final validation

[John.Banister]

Only the final validation contributions should be of concern in relation to contributions from export ban countries. The process that removes problems induced by errors (stupidity) ought to be good enough catch the ones induced by malice as well.

Re:Only the final validation

The process that removes problems induced by errors (stupidity) ought to be good enough catch the ones induced by malice as well.

Maybe, maybe not. The technical aspects of designing stable code and understanding exploitable code do have a lot of overlap, but there are many cases relevant to one and rarely considered by the other. Someone with intent to add a vulnerability will not just change a login line to add 'or password=DaBears', although I suddenly wonder how long that change would stay in a repository before being caught.

Re:Only the final validation

[ultranova]

The process that removes problems induced by errors (stupidity) ought to be good enough catch the ones induced by malice as well.

But such process doesn't actually exist, since bugs exist so they must occasionally get through the validation.

Re:Only the final validation

[John.Banister]

When I think about this, I think that people who don't trust software with code contributions from people in export ban countries might also not want to trust software with bugs, since people in export ban countries could exploit those bugs, regardless of the bugs' origin. One might argue that really skillfully created problems would have the ability to preferentially go unnoticed by the validation process, but problem creators with that skill level would also have the skill to spoof the origin of their contributions.

Re:Only the final validation

And why bother? American interrestes have already backdoored and crippled the products. nothing a few syrian hackers can do will ever amount to that kind of crime against humanity.

IANAL!

[khb]

'but should these governmental restrictions apply to an open-source software project?' there would appear to be two different questions here. (1) does the current law apply and (2) should the law apply.

w.r.t. (1) Sounds like some cognizant group has determined that the law does (or at least may) apply, so the Fedora team is taking the steps they can.

As for (2), that is a matter for Congress. Lobby them if you think the law should carve out an exception for Open Source projects (all or some specific licenses).

Re:IANAL!

[MickyTheIdiot]

Lobby Congress? Really?

That's part of the problem. The people with the most money always wins.

Re:IANAL!

[Rich0]

You hit the nail on the head. I've seen discussion between a few FOSS projects around this, and they all would love to have contributors from countries like Iran, but the legalities around this are pretty muddy, so nobody with anything to lose wants to touch this.

The laws are written pretty broadly. It is hard to see how the regime in Iran benefits if an Iranian citizen can donate code to a project usable by anybody. I could see the argument against being allowed to pay them, or even donate to them or reimburse their expenses. However, the laws weren't written with FOSS in mind - code leaving Iran is no different from oil leaving Iran as far as it is concerned, and generally when goods are leaving a country, there is money going back in someplace else.

Understand, but its dangerous

I understand what they are trying to do. They want to protect the identity of their contributors so that their contributors are safe, and (other) locals won't condemn software that was partially written by someone in a country they don't happen to like at the time. This is a dangerous policy insofar as software provenience is concerned. When patent trolls come a-calling (and anything created that's worth more than half a penny will have more patent attornies swarming it than ambulance chasers around a kid with a kazoo). I for one would worry more about the latter than the former. Have a sealed, sign-in to confirm identities, and keep an accurate log record of who contributed what and when. Its the only way to beat off the trolls.

Re:Understand, but its dangerous

[MickyTheIdiot]

It's called *Open* Source for a reason. You or an agent you trust can download the code and look at it. If one is worried about nefariousness in the code you can actually look at it unlike Microsoft and closed source projects.

So if the purpose of this is to keep people from saying the code is bad because a guy from Russia worked on it they are promoting irrational behavior.

Fools

The ONLY opinions that matter are the customers.

I am a customer and that makes my opinion correct.

Any asshole can get a dispoable email and create an account; therefore, this prejudice against ACs is completely illogical.

I'd trust code I can see from a place I don't trust more than I'd trust code I can't see from a place I like.

I see. So you examine every line of code? No you don't. It's impossible because of the MILLIONS of lines of code.

You know, everybody takes it for granted that someone else will look at the code and make sure there isn't anything malicious. I have never - ever - seen or met anyone who looks at FOSS code. They install it and run it.

You are a fool.

Re:Fools

[flyingfsck]

Meet me. I have on occasion not only read FLOSS code, but also contributed.

Re:Fools

[HiThere]

The point isn't that your (or I) read all the code, but that the author can't control who will look at it, and lots of people are likely to, particularly if they notice anything suspicious about how it acts.

As for you being a customer of Fedora...how much did you pay them? I could see you claiming to be a customer of Red Hat, but of Fedora? (OTOH, it's true this code is likely to eventually make its way into Red Hat's commercial offerings...so if you are a customer of Red Hat, i.e. purchase one of their commercial packages with support contract), you do have reasonable grounds to claim to be a customer. But I rather doubt that you are.

P.S.: I rarely look at the code, but I do occasionally look at some piece if I want to figure out how they are doing some particular thing. And I suspect that the number of people who occasionally look at a piece of the code here and there is much higher than you expect, even though very few do it full time, or even very much of the time.

Elephants in the mist

[gmuslera]

If you will ban contributors because their home country intelligence agencies may be trying to plant backdoors or weaken security in a way or another, you should start with the main country by far engaged in such activities, else would be meaningless or just following an unrelated agenda. But if you trust in contributors of such country, why not of others?

Re:Elephants in the mist

You mean China?

Re:Elephants in the mist

[ne0n]

intelligence agencies may be trying to plant backdoors or weaken security in a way or another, you should start with the main country by far engaged in such activities

So start with the USA then?

"Go to jail. Go directly to jail. Do not pass Go"

[westlake]

There's growing concern about software development contributions coming from export restricted countries by the US (Cuba, Iran, North Korea, Sudan, and Syria) with Red Hat being based out of North Carolina, but should these governmental restrictions apply to an open-source software project?

In the name of god, why would a geek think open source development would give his US-based project Immunity from American law?

Export controls come with teeth that bite. Suggesting that your contributors conspire to evade those controls is an invitation to diasaster for everyone involved.

"Please help us to break the law."

If anyone asks, we'll pretend we never asked you to do this.

P.S. If you are law enforcement, please ignore the subject line of this message.

(Oh, and if this makes it harder for to trace copy right should we ever decide to abuse the license to thecode you contribute, well, sucks to be you, but we're no charity.)

Re:Lawsuit?

Those Open Source nuts should all be imprisoned! Or, at the very least, branded as the traitors they are, aiding and abetting the enemy. Perhaps they should all go to Russia with Snowden.

Common sense, upside down

[cowwoc2001]

So you're telling me that North Korean and Iranian scientists are just as likely to contribute malicious code to libraries used by Western agencies as anyone else? I think not.

Open-source is supposed to be about maximum transparency, not about hiding information that might actually be relevant. Imagine having to apply security at airports if you had no idea whether the person you are about to scan is a 90 year old grandmother or an 18-25 male from the Middle East. Statistics and common sense tells you that one is a lot more likely to be malicious than the other, so why throw common sense out the window?

Re:Common sense, upside down

[MickyTheIdiot]

Well, you totally failed at this one.

If you only scan the 18-25 year old male from the Middle East, then the radical element will find a way to use the person that is not scanned. They'll use the 90-year-grandmother with or without her knowledge.

You fail at security.

Re:Common sense, upside down

[Jiro]

The reason that terrorists use 18-25 year old males from the Middle East by default is that such people are the most practical for them to use, and that using someone else would be a lot harder and would make it more likely they would get caught (for instance, because such alternates have less loyalty to them).

Scanning the targets that are easiest for terrorists to use doesn't stop them, but it makes their plan harder compared to scanning random people, as long as you still scan the random people at some lower rate.

Re:Common sense, upside down

[Khashishi]

In game theory, when the rival player can adapt to any pure strategy, it makes sense to adopt a mixed strategy. In this example, it might mean that we randomly scan either the 18-25 year old male from the Middle East and/or the 90-year-grandmother. But the 18-25 year old is more likely to be picked, because the rival has a lower cost of training the 18-25 year old male.

Disclaimer: this has nothing to do with what is just, just what is more strategic.

Re:"Go to jail. Go directly to jail. Do not pass G

Please tell me how do you restrict any possible way to export something that is free, publicly accessible, that is available over a public distributed network?

With closed source software you can restrict who and when access the code, but for Open Source software there is no practical way of doing so.

How do you enforce the export control?... Blocking whole blocks of IP address from export controller countries? Using smart-filters to prevent the source code going out? Are you going to require to every open source software project to register to keep track of them and add them to a "forbidden to see outside de US" list?

Tell me how in earth do you think that control export of public and available knowledge is enforceable in a practical and/or economical way?

The problem at the end of the day is that the people in export-controller countries are going to have access to Open Source software in a way or another, and they might have valuable contributions but don't accepting those contributions could mean that US is going to be isolated on their development and their political "enemies" are going to have better software, just because a export control law that doesn't really reflects the way that the modern world works.

Due dilligence?

In my experience, trying to be willfully ignorant of stuff like this is not going to work as a defense. Here, they are explicitly explaining 'we don't want to know so that we can deal with sanctioned nations and truthfully claim we don't know it's happening. There's a clear intent expressed that, if sanctions are relevant, they are trying to explicitly violate the sanctions.

It'd be one thing for contributors to naturally realize they should lie, or else if they *lazily* didn't bother to check/collect that information. But they are essentially instructing people on a specific course of action specifically to not get hit by sanction concerns.

Beta

This slashdot beta is ugly as hell.

Re:Lawsuit?

Maybe the US should stop making enemies.

Re:"Go to jail. Go directly to jail. Do not pass G

[Junta]

To say it's 'export controlled' is an oversimplification of the restrictions around working with those nations.

But in simple terms, this is about *contributors*, not downloading. And if it weren't an issue, then Fedora people wouldn't be trying to game it for plausible deniability (which of course doesn't work when you say "Hey everyone, I want to be able to claim plausible deniability so could you just omit some information so I can do that?"

Government is incredibly stupid here.

Export restrictions of non-classified information that's already "out there" are asinine. The very nature of software is such that you can clone infinite copies. If Iran wants something, it's trivial for them to plant just one guy in-country, have him download it at a coffee-shop and e-mail it out or whatever.

We went through this in the 90s. Remember the little form you had to fill out for strong encryption? I used to fill in my name as "Hafez the Enforcer". Nothing ever happened because not only is it impossible to stop the flow of information, even if I really were a terrorist and FUCKING TOLD THEM, they did nothing to stop it with a STUPID FUCKING FORM!!!

Meanwhile, any company that wants to follow the law has to burn that many more billable hours to make sure they're in compliance.

The security interests of the United States would be equally well served by requiring the Pledge of Allegience to appear on all electronic shopping carts. Maybe I shouldn't give them any ideas...

Re:Government is incredibly stupid here.

[PPH]

Export restrictions

Except that this is an issue of imports, not exports.

Work is allegedly being done in some foreign country and then brought in as a component of a (supposedly) US product. Yes, the subsequent export of that product might raise some issues. But not logically over the foreign-built bits.

Re:Government is incredibly stupid here.

How could someone work on the code without it first being exported to them?

Re:Government is incredibly stupid here.

[PPH]

How could someone work on the code without it first being exported to them?

By working on a copy that originated and has been maintained outside the jurisdiction of the USA.

Re:Government is incredibly stupid here.

Why is /. overrun by fucking retarded dipshits?

Did the NSA submit this?

[koan]

Don't ask don't tell.

Be aware of the consequences

[Brett+Buck]

Fine, accept code from foreigners, but be well aware that this will make is certain that it will not be used in many corporate sites. One of the items I have to certify when using open-source in a corporate environment is that there is no foreign content. Otherwise it cannot be used. No one is going to go through the source code from something like OpenOffice and look for malicious code, and show that it does not exist, if it has off-shore content, it will not be used, period.

Re:Be aware of the consequences

[vux984]

One of the items I have to certify when using open-source in a corporate environment is that there is no foreign content.

That's pretty idiotic. Most projects involve foreign content. All it takes is one stealthy Canadian and you can't use it? What about Canadians living in the United States? Is that still foreign? Just how xenophobic are you?

Do you vet each commericial package as well to make sure they don't have a single line of code produced in India?

No one is going to go through the source code from something like OpenOffice and look for malicious code, and show that it does not exist, if it has off-shore content, it will not be used, period.

Enjoy going back to pen and paper then, you won't find much software anywhere that you can demonstrate has no "off-shore" content.

Re:Be aware of the consequences

If the concern is people building in back doors, then this policy leaves you more vulnerable, not less, as you're automatically, and without rational reason, trusting the onshore developers aren't building the exact backdoors that you fear.

Also, the vast majority of large-scale commercial software (including Office) contains quite a bit of code written by offshore developers. Major software companies have developers all over the planet, in part so that development can continue 24/7.

Re:Be aware of the consequences

[RabidReindeer]

One of the items I have to certify when using open-source in a corporate environment is that there is no foreign content.

Well, let's see. There's the Linux kernel. I hear that was developed by some guy in Finland. Then there's Samba, which comes from Australia, I believe.

Anyone care to add to the list? This is just for starters.

Re:Be aware of the consequences

[PPH]

if it has off-shore content, it will not be used, period.

[citation needed]

Aside from some ITAR class stuff, I call B.S. on this.

Where companies might have a 'feel good' buy American policy, it usually isn't strictly followed. When I used to work for a local utility in the '80s, we were replacing full sized half ton pickup trucks used by our meter readers. The replacement: Chevy LUV pickups (Isuzus rebadged). Management recognized the paradox of the situation but said, "As long as it has an American name stamped on it, we don't give a sh*t."

Re:Be aware of the consequences

[shutdown+-p+now]

One of the items I have to certify when using open-source in a corporate environment is that there is no foreign content. Otherwise it cannot be used.

So what kind of open source do you actually end up certifying for use, then? I'm not aware of any open source projects accepting contributions that require contributors to state their nationality.

Re:Be aware of the consequences

[MikeBabcock]

A lot of encryption software comes from Canada because we're friendly to both sides ;-)

Re:Be aware of the consequences

[MikeBabcock]

BS. There's no such guarantee on any open source software. Last I checked, even Microsoft uses foreign workers.

Re:Be aware of the consequences

You are aware that both Microsoft and Oracle employ large numbers of developers in Russia, India, and China, aren't you?

No, but yes

Ideally, no; practically, yes. Some players, such as DPRK, have a long and celebrated history of trying to ruin everyone's fun just because they can. Demonstrable trolls should be faced with ever-increasing scrutiny where the legitimacy of the project is at stake, even if those trolls are nation-states.

oh yes

[slashmydots]

You can easily assign a dollar amount in benefit from the development or distribution to a foreign company so yes, they definitely should remain banned. As for workers working on the project, that doesn't make a lot of sense until you consider that you're giving them a compilable version of the code to work on and thus a product that can be assigned value.

Re:oh yes

[HiThere]

*IS* Red Hat giving them a compilable version? I doubt it. I think they acquire it from a third party who legally acquired it.

Re:Lawsuit?

[noh8rz10]

maybe hostile nations should stop trying to pwn open source projects with back door code. you tell me that all code is inspected, I say bs. instead of "don't ask don't tell" we need rigorous account checking. Who is the person submitting the code? what is his background? what other code has he submitted?

Re: Lawsuit?

Well, I noticed you decided they are male before even running the hypothetical background check...

Doesn't an export restriction mean...

[Dcnjoe60]

Doesn't an export restriction mean you can't send goods to a restricted country? If somebody in Cuba sends code to Redhat, in the US, that would seem to be an import. There is an easy solution, even if it does apply. Said developer just needs to upload it to a server in a friendly country without the restriction and Redhat get it from there. In such cases, usually France is the go between.

Not really a policy.

[AdamWill]

This isn't really a policy.

The specific case arose, FESCo asked Fedora Legal for it, Fedora Legal asked for expert opinion from Red Hat's lawyers, and the guidance that came back was posted to the FESCo ticket and meeting log. That's it. It's a case where a general project committee asked for expert legal guidance.

You can read basically the entire thing happening at https://fedorahosted.org/fesco... .

Re:Not really a policy.

[AdamWill]

Also, note this salient part from the ticket comment:

"Export rules are very hard and very complicated (and they change from time to time)."

Red Hat has a very solid legal department. When serious legal issues crop up in relation to Fedora, Fedora goes and asks RH legal (which talks to SFLC, FSF, and other major bodies' legal teams when appropriate, of course). The advice we get back, we stick to.

In other words: we take legal advice from professional lawyers, not from Slashdot comments, folks. ;)

We all know DODT is an evil policy...

That's what we were told, when the left and libertarians wanted it eliminated re gays. Everybody should be "free" and "out" etc. Information "wants to be free". Hooray for "openness"....

Hang-on... idiots who only read first sentences will thinkk this is an anti-gay troll-fest... but it's not... it's about consistency and basic philosophy about disclosure.

Now we are told hiding information is good. How is this good? If truly being "free" and "open" is the ideal in modern society, then surely a CORE part of that openness and freedom is that the contributors to open-source code are "out" (not "outed" by others, but by their own hands). Are we to say that "free" software is better because we can all know all about it (and can examine the source code) but that it does not matter WHO contributed various code? Really? So if the NSA is contributing the bits of code that handle security or encryption that's NOT important for the community to know? Really? Well if it is important to know if the NSA is contributing code, then is it important to know if some hackers working for Putin and tied to Russian identity theft activity is involved? Well, if you don't trust the NSA or you don't trust Putin what makes you think it's good to have code submitted by somebody working for the North Korean thugocracy or the Iranian Revolutionary Guard?

It may well be currently fashionable to hate America (Thanks a lot, Bush and Obama...) but that CERTAINLY should not drive any rational person to be willing to entust vital things to anonymous sources in worse places. Many of which are home to some of the most tawdry and malicious coders. Surely the maximum freedom for users of open-source code includes complete openness on WHERE the code comes from (and thus allows each individual to decide for him/herself how much scrutiny is required on any particular bit). Whenever somebody seeks to hide something, there is a reason. What's being hidden? Why is it being hidden? When the NSA is caught hiding things from the citizens we get suspicious... Why should we be any less suspicious when somebody tells us they are going to hide information about contributors from some of the worst and most-evil places on Earth? To loop-back to my opening sentence: With DODT (the OP, not me, chose that particular metaphor) in the military we were told that hiding people's ID was bad in many ways; that it encouraged bad attitudes and bad behaviors, it led to less securtiy, was oppressive, etc. (dig-up any 1990's political argument you like) but suddenly this is good? Again, why?

Philosophical inconsistencies bother me. There are usually un-said (i.e. hidden and intentionally-obscured) reasons when a person or organization acts in a philosophically-inconsistent manner

Enough rope.

[westlake]

No, but it can be good enough for a jury to find them non-guilty despite the facts - a tradition that extends throughout US history and long before.

God help the geek who thinks that "jury nullification" will work for him.

Historically, it spares the home-town boy. The high school jock whose drunken spree ended with two kids dead in a hit and run. It's the outsider who risks getting nailed to the wall whether the evidence supports it or not.

The geek never quite comes to grips with the fact that he is the alien, the stranger, in the courtroom. The ne'er---do---well, the defendant who was born on the wrong side of the tracks.

The American juror is middle aged, middle class, small-C conservative.

He never responds well to the geek's cleverness or his arrogance --- and will not cut him any slack.

Re:Enough rope.

[Immerman]

I agree - if you count on your cleverness or arrogance, then by the time you get to court you're already screwed.

However, if you can convincingly present your actions as a fight for justice, honor, or human decency, maybe not. Jury nullification is no perch from which to thumb your nose at the law, at best it provides a tenuous chance for the honorable man to escape the mechanistic jaws of the legal system. And you're right, its probably used far more often to grant some home-town boy a "get out of jail free" card. But so far as I know there's yet to be an effective way to restrain a jury from handing out unethical "pardons" based on wink-n-nudge favoritism, so we may as well publicize the fact that it's an ethical and common-law obligation to do so when demanded by your conscience.

Re:Lawsuit?

Damn straight! We should all just run Microsoft software, and accept the fact that the NSA has exploits that can't be verified! Open source is total crap anyway, and only those with secrets to hide should run it, right? FOOL! Why dont you crawl back into the pit from which you came!

Re:Lawsuit?

So the NSA is working for a hostile nation? got it. No American citizen can be trusted to contribute code. its as simple as that. you talk about "hostile nations" when the largest warmonger on this planet is yourself? the ignorance must be strong in you.

Re:Lawsuit?

How are any of those question relevant?

Is the code up to par? Done deal.

It is not like these OSS projects allow anyone to commit to the main dev tree(s).

Are there really that many contributors from...

[unixisc]

Cuba, Iran, North Korea, Sudan, and Syria?

Re: Lawsuit?

[astar]

Check out openbsd policy on us citizen code contributions to the kernel or advice on where it might be safe to download code from. Years ago I thought this was just Theo being Theo. Send money.

Re:Lawsuit?

[fuzzy2k]

Maybe the US should stop making enemies.

If we stop making enemies, pretty soon we stop waging wars.

If we stop waging war, the military-industrial complex that Eisenhower talked about goes belly up.

If the military-industrial complex that Eisenhower talked about goes belly up, say goodbye to the American economy, and soon thereafter, the world economy.

If we say goodbye to the economy, all infrastructure will implode, including the publishers of /.

If /. goes the way of the dodo bird, all the nerds and nerd wanna-be's that troll and otherwise vent their bile here get all backed up and start expressing themselves in other, darker and more brick-and-mortar-y ways.

So, bob's your uncle, and the world ends badly.

Nobody wants that.