Fedora To Have a "Don't Ask, Don't Tell" For Contributors
An anonymous reader writes "The Fedora Project is now going to enforce a "Don't Ask, Don't Tell" policy for contributors. What the project's engineering committee is asking their members to conceal is a contributor's nationality, country of origin, or area of residence. There's growing concern about software development contributions coming from export restricted countries by the US (Cuba, Iran, North Korea, Sudan, and Syria) with Red Hat being based out of North Carolina, but should these governmental restrictions apply to an open-source software project?"
If contributing to open source projects is wrong, then I don't want anybody to be right.
This could quite possibly qualify as "civil disobedience", which has a long history in the US.
"Law is Law".
Und Befehl ist Befehl.
"One may well ask, 'how can you advocate breaking some laws and obeying others?' The answer is found in the fact that there are two kinds of laws: just laws . . . and unjust laws."
"Kill 'em all and let Root sort 'em out"
"If someone in Syria submits a contribution to US based software, how does that infringe an export ban?"
I think the point here is more like: should a North Carolina-based company be doing business with countries that the U.S. government is sanctioning?
If you aren't paying, and you aren't taking ownership of something, is it really a violation of import restrictions? I mean, how does that hurt the sanctions against Cuba, for example?
Do they apply to US-based commercial products?
No. No, they do not, for one simple reason - Microsoft doesn't take source code from their userbase and roll it into the next release of Windows. The entire issue simply doesn't come up with closed source, because no one outside has access to the source code in the first place.
Red Hat's problem in this situation really has no analog in the conventional business world. ITAR and 18 USC 2339B simply don't address the situation of accepting material support from blacklisted entities. They just want to make sure that our ever-growing list of enemies doesn't someday require purging millions of lines of functioning source code. "Well what do we have here... Looks like you accepted code from one of those evil bastard terrorist(tm) Finns - Get ready for PMITA!"
...and an equally-long history of being illegal and getting people thrown in jail or slapped with fines. "Noble cause" isn't a defense in itself.
You do not have a moral or legal right to do absolutely anything you want.
The situations are rather different. The stated purpose of the US military's DADT policy (which was repealed back in 2011, incidentally) was to allow homosexuals to serve while eliminating the perceived drawbacks (specifically, a reduction in unit cohesion and morale) that came with having them serve openly.
In contrast, the stated reason export restrictions are in place is to sanction or otherwise prevent the sharing of goods and information with certain countries. Fedora's DADT policy does nothing to address those issues, since those reasons are intact, regardless of whether the individual's nationality is known or not. If anything, it may make the problem worse by providing a false sense of legitimacy and legality to the nature of the business relationship, encouraging others to break the law as well. All Fedora is trying to do is eliminate their own culpability through willful ignorance, but the law makes it clear that they are required to proactively ensure that the people they share their data with are not from export-restricted countries. Willful ignorance is no excuse.
To be clear, I'm NOT addressing the topic of how things ought to work, how things should be, or whether these restrictions make any sense at all. That's a discussion for another comment thread.
If you will ban contributors because their home country intelligence agencies may be trying to plant backdoors or weaken security in one way or another, you should start with the main country by far engaged in such activities, else it would be meaningless or just following an unrelated agenda. But if you trust contributors of such a country, why not of others?
No, but it can be good enough for a jury to find them non-guilty despite the facts - a tradition that extends throughout US history and long before.
Remember, your obligation as a juror is not just to judge the facts of the case, but to ensure that justice is served. Despite the law if necessary. See Jury Nullification for more information.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
Yes and "it's complicated".
The point of the sanctions is to say "If you're not going to play Global Economic Power nicely*, you're not going to play at all." That doesn't just mean "you're not going to win", but it also includes "you're not going to practice", "you're not going to have others play for you", and "you're not going to share the winnings with anyone who does play."
It has been upheld in US courts that even the minor fame from open-source authorship counts as economic gain (thus reinforcing the GPL's validity as being consequential). Acknowledging that Cuban programmers are good enough for inclusion in Fedora implies that Cuban programmers might be good enough for other projects, and that's marketing - certainly a part of that Global Economic Power game.
* For pro-American values of "nicely"
So when news reporters publish reports from people interviewed in those countries, is that "doing business" with those countries as well? That's also a transfer of copyrightable material from those countries into US, just like the FLOSS contributions.
Ezekiel 23:20
No, but it can be good enough for a jury to find them non-guilty despite the facts - a tradition that extends throughout US history and long before.
Remember, your obligation as a juror is not just to judge the facts of the case, but to ensure that justice is served. Despite the law if necessary. See Jury Nullification for more information.
Want to get out of jury duty? Say the words "jury nullification".
Since our purchased Congress is inherently incapable of understanding any project that doesn't conform to a corporate structure or corporate "profit at all costs" philosophy, I wouldn't be surprised if this is what happens. In the end, no way to download source code from a US site.
Those Open Source nuts should all be imprisoned! Or, at the very least, branded as the traitors they are, aiding and abetting the enemy. Perhaps they should all go to Russia with Snowden.
The same way that Western goods make their way to any country under export control, through intermediaries.
Coke can't sell to North Korea. Coke however can be sold (or made) in China and then gets shipped across the line to North Korea.
Is it really hard to imagine that Syria or Iran might be able to download from an intermediary country that might have a mirror of the distribution? Or had someone travel to such a country to download it? Or just went through a VPN or proxy? Or...
Well, you totally failed at this one.
If you only scan the 18-25 year old male from the Middle East, then the radical element will find a way to use the person that is not scanned. They'll use the 90-year-old grandmother with or without her knowledge.
You fail at security.
ITAR is still alive and well, we recently had lots of "fun" trying to get a decent frequency standard for our internal cal lab in (non-EU) eastern Europe.
"OMG, the Russkies could steal the secrets of the atomic... clock?!?"
If you aren't paying, and you aren't taking ownership of something, is it really a violation of import restrictions? I mean, how does that hurt the sanctions against Cuba, for example?
I've been involved in this discussion on another open source project where we have a potential contributor from a fairly-heavily-embargoed nation. The issue is that the wording of the laws is very broad. There isn't much question that we couldn't send money to the developer in question, but the problem is that the law would seem to cover even receiving donations from them (in goods, services, or money).
I suspect the reason is that the laws were written to be fairly loophole-proof. If you spot somebody sailing out of Iran with a tanker full of oil, the ship captain would just tell you that it was a gift and no money was exchanged. Unless you caught the money going in you might not have a case against him, even though he was obviously violating the embargo. So, the law presumes that nobody does something without getting SOMETHING for it, and thus anything moving in or out is forbidden.
I'm not sure if don't ask don't tell would work or not. I know that best practice in corporations is to screen any payee or shipment recipient daily against the various export control lists, and to place writing in contracts requiring their business partners to do the same. However, most corporations are not the beneficiaries of donations of code, so it is a bit of an untested area.
I suggest to you that you should now rewrite Microsoft Office from scratch. Since computer programs work the same everywhere it doesn't matter that you have to originate the code yourself instead of having it shared with you (for a fee, and in binary form) from some vendor.
Support my political activism on Patreon.
Maybe the US should stop making enemies.
Maybe it's a stupid question, but can't you "launder" code by routing it through a third nation and recommitting the code from there?
What is the export restriction on anyway? The bits? The IP? And does it extend to any derived work of an export restricted IP burdened work? Because if any piece of code on which any citizen of a restricted country has copyright, I'm pretty sure the linux kernel would contain at least one line, meaning all android phones and most routers, servers etc would be illegal?
Also, DADT sounds really stupid as company policy. I don't know a lot about US law, but in the Netherlands corporate liability extends if the management knew or was in a position to know that law was breached, and having policy to conceal such breach is good evidence that management was in a position to know. Any US lawyers care to comment?
I don't know the intricacies of U.S. law, but I was under the impression that the law regarding encryption algorithms as munitions was no longer in place.
Correct. Software is not export-controlled specifically at all.
Unless there's something else restricting software specifically, there's no economic value to restrict unless you have paid developers in restricted/embargoed territories who are receiving money across the border.
The problem is that the prohibitions are blanket ones against money, goods, and services moving in either way across the border with a few named countries like Iran (these kinds of laws exist in many countries, the specific targets vary, but Iran is a pretty common one so I just use that as an example). You actually need an exception to the law to ship anything at all in either direction, and those exceptions usually require specific licenses from the government (you're allowed to ship n kg of wheat into Iran or whatever).
Sure, it doesn't make as much sense when applied to FOSS, but the laws were written broadly without FOSS in mind. So, companies and non-profits aren't terribly eager to test them. It is entirely possible that a court would find accepting free contributions is non-infringing, but it is also possible that a court would treat you like somebody shipping crates full of missiles.
It is a big mess, and different FOSS organizations are handling it in different ways. Some try to have organizations in various jurisdictions so that they can keep different activities in different areas. Some just ban it. Some don't think it is a problem. Since nobody has gone to court yet, it is hard to say what the outcome would be the first time this happens.
One of the items I have to certify when using open-source in a corporate environment is that there is no foreign content.
That's pretty idiotic. Most projects involve foreign content. All it takes is one stealthy Canadian and you can't use it? What about Canadians living in the United States? Is that still foreign? Just how xenophobic are you?
Do you vet each commercial package as well to make sure they don't have a single line of code produced in India?
No one is going to go through the source code from something like OpenOffice and look for malicious code, and show that it does not exist, if it has off-shore content, it will not be used, period.
Enjoy going back to pen and paper then, you won't find much software anywhere that you can demonstrate has no "off-shore" content.
If you've read "On Civil Disobedience" by Thoreau, the jury didn't get a chance to find non-guilty. He didn't contest the charges. The goal is to get thrown in prison so that it becomes too expensive for the civil authority to continue enforcing the law.
Fedora is a US based company, yes? Then should they abide by US laws?
Actually, it's the position of the U.S. government that you should have to abide by U.S. laws no matter where you're based.
SJW's don't eliminate discrimination. They just expropriate it for themselves.
Want to have a shot at being able to fight for justice? Keep your mouth shut.
No, there's one kind of civil disobedience. It's just there's a lot of posers out there who want the "cool factor" of claiming martyrdom without having to follow through on all the down sides of actually being a martyr.
No, he wasn't. King was imprisoned 29 times during his movement, during which he would not even accept being released on bail before trial. Most notably in Birmingham, Alabama where he was almost a thousand people to be arrested. Again, getting sent to jail was the deliberate goal of the protest, as it overloaded the civil authority's ability to enforce an unjust law.
http://en.wikipedia.org/wiki/L...