Slashdot Mirror
Fedora To Have a "Don't Ask, Don't Tell" For Contributors
An anonymous reader writes "The Fedora Project is now going to enforce a "Don't Ask, Don't Tell" policy for contributors. What the project's engineering committee is asking their members to conceal is a contributor's nationality, country of origin, or area of residence. There's growing concern about software development contributions coming from export restricted countries by the US (Cuba, Iran, North Korea, Sudan, and Syria) with Red Hat being based out of North Carolina, but should these governmental restrictions apply to an open-source software project?"
If contributing to open source projects is wrong, then I don't want anybody to be right.
This could quite possibly qualify as "civil disobedience", which has a long history in the US.
Do they apply to US-based commercial products?
No. No, they do not, for one simple reason - Microsoft doesn't take source code from their userbase and roll it into the next release of Windows. The entire issue simply doesn't come up with closed source, because no one outside has access to the source code in the first place.
Red Hat's problem in this situation really has no analog in the conventional business world. ITAR 18 USC 2339B simply don't address the situation of accepting material support from blacklisted entities. They just want to make sure that our ever-growing list of enemies doesn't someday someday require purging millions of lines of functioning source code. "Well what do we have here... Looks like you accepted code from one of those evil bastard terrorist(tm) Finns - Get ready for PMITA!"
...and an equally-long history of being illegal and getting people thrown in jail or slapped with fines. "Noble cause" isn't a defense in itself.
You do not have a moral or legal right to do absolutely anything you want.
The situations are rather different. The stated purpose of the US military's DADT policy (which was repealed back in 2011, incidentally) was to allow homosexuals to serve while eliminating the perceived drawbacks (specifically, a reduction in unit cohesion and morale) that came with having them serve openly.
In contrast, the stated reason export restrictions are in place is to sanction or otherwise prevent the sharing of goods and information with certain countries. Fedora's DADT policy does nothing to address those issues, since those reasons are intact, regardless of whether the individual's nationality is known or not. If anything, it may make the problem worse by providing a false sense of legitimacy and legality to the nature of the business relationship, encouraging others to break the law as well. All Fedora is trying to do is eliminate their own culpability through willful ignorance, but the law makes it clear that they are required to proactively ensure that the people they share their data with are not from export-restricted countries. Willful ignorance is no excuse.
To be clear, I'm NOT addressing the topic of how things ought to work, how things should be, or whether these restrictions make any sense at all. That's a discussion for another comment thread.
No, but it can be good enough for a jury to find them non-guilty despite the facts - a tradition that extends throughout US history and long before.
Remember, your obligation as a juror is not just to judge the facts of the case, but to ensure that justice is served. Despite the law if necessary. see Jury Nullification for more information.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
Yes and "it's complicated".
The point of the sanctions is to say "If you're not going to play Global Economic Power nicely*, you're not going to play at all." That doesn't just mean "you're not going to win", but it also includes "you're not going to practice", "you're not going to have others play for you", and "you're not going to share the winnings with anyone who does play.
It has been upheld in US courts that even the minor fame from open-source authorship counts as economic gain (thus reinforcing the GPL's validity as being consequential). Acknowledging that Cuban programmers are good enough for inclusion in Fedora implies that Cuban programmers might be good enough for other projects, and that's marketing - certainly a part of that Global Economic Power game.
* For pro-American values of "nicely"
You do not have a moral or legal right to do absolutely anything you want.
No, but it can be good enough for a jury to find them non-guilty despite the facts - a tradition that extends throughout US history and long before.
Remember, your obligation as a juror is not just to judge the facts of the case, but to ensure that justice is served. Despite the law if necessary. see Jury Nullification for more information.
Want to get out of jury duty, say the words "jury nullification".
The same way that Western goods make their way to any country under export control, through intermediaries.
Coke can't sell to North Korea. Coke however can be sold (or made) in China and then gets shipped across the line to North Korea.
Is it really hard to imagine that Syria or Iran might be able to download from an intermediary country that might have a mirror of the distribution? Or had someone travel to such a country to download it? Or just went through a VPN or proxy? Or...
ITAR is still alive and well, we recently had lots of "fun" trying to get a decent frequency standard for our internal cal lab in (non-EU) eastern Europe.
"OMG, the Russkies could steal the secrets of the atomic... clock?!?"
Maybe the US should stop making enemies.
Maybe it's a stupid question, but can't you "launder" code by routing it through a third nation and recommitting the code from there?
What is the export restriction on anyway? The bits? The IP? And does it extend to any derived work of an export restricted IP burdened work? Because if any piece of code on which any citizen of a restricted country has copyright, I'm pretty sure the linux kernel would contain at least one line, meaning all android phones and most routers, servers etc would be illegal?
Also, DADT sounds really stupid as company policy. I don't know a lot about US law, but in the Netherlands corporate liability extends if the management knew or was in a position to know that law was breached, and having policy to conceal such breach is good evidence that management was in a position to know. Any US lawyers care to comment?
I don't know the intricacies of U.S. law, but I was under the impression that the law regarding ecryption algorithms as munitions was no longer in place.
Correct. Software is not export-controlled specifically at all.
Unless there's something else restricting software specifically, there's no economic value to restrict unless you have paid developers in restricted/embargoed territtories who are receiving money across the border.
The problem is that the prohibitions are blanket ones against money, goods, and services moving in either way across the border with a few named countries like Iran (these kinds of laws exist in many countries, the specific targets vary, but Iran is a pretty common one so I just use that as an example). You actually need an exception to the law to ship anything at all in either direction, and those exceptions usually require specific licenses from the government (you're allowed to ship n kg of wheat into Iran or whatever).
Sure, it doesn't make as much sense when applied to FOSS, but the laws were written broadly without FOSS in mind. So, companies and non-profits aren't terribly eager to test them. It is entirely possible that a court would find accepting free contributions is non-infringing, but it is also possible that a court would treat you like somebody shipping crates full of missiles.
It is a big mess, and different FOSS organizations are handling it in different ways. Some try to have organizations in various jurisdictions so that they can keep different activities in different areas. Some just ban it. Some don't think it is a problem. Since nobody has gone to court yet, it is hard to say what the outcome would be the first time this happens.
One of the items I have to certify when using open-source in a corporate environment is that there is no foreign content.
That's pretty idiotic. Most projects involve foreign content. All it takes is one stealthy Canadian and you can't use it? What about Canadians living in the United States? Is that still foreign? Just how xenophobic are you?
Do you vet each commericial package as well to make sure they don't have a single line of code produced in India?
No one is going to go through the source code from something like OpenOffice and look for malicious code, and show that it does not exist, if it has off-shore content, it will not be used, period.
Enjoy going back to pen and paper then, you won't find much software anywhere that you can demonstrate has no "off-shore" content.
Want to have a shot at being able to fight for justice? Keep your mouth shut.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
No, there's one kind of civil disobedience. It's just there's a lot of posers out there who want the "cool factor" of claiming martydom without having to following through on all the down sides of actually being a martyr.