US Blocks Open Source 'Help' From These Countries (thenewstack.io) 58
Wednesday the Linux Foundation wrote that both "regulatory compliance" and "increased cybersecurity risk" were "creating burdens...that must be met" for open source communities.
And so, as Steven J. Vaughan-Nichols writes, "the Linux Foundation has released a comprehensive guide to help open source developers navigate the complex landscape of the U.S. Office of Foreign Assets Control (OFAC) sanctions..." These rules, aimed at achieving economic, foreign policy, and national security goals, apply to various interactions, including those in the open source community. The total Sanctions Programs and Country list amounts to over 17 thousand entries ranging from individuals to terrorist organizations to countries.
If that rings a bell, it's because, in October 2024, the Linux kernel developers ran right into this issue. The Linux kernel's leadership, including Greg Kroah-Hartman, the stable Linux kernel maintainer, and Linus Torvalds, Linux's founder, announced that eleven Russian kernel developers had been removed from their roles working on the Linux kernel. Why? Because, as Torvalds said, of "Russian sanctions." This, he added, in a Linux kernel mailing list (LKML) message was because "the 'various compliance requirements' are not just a US thing."
For developers, this means exercising caution about who they interact with and where their contributions originate. The sanctions target specific countries, regions, and individuals or organizations, many of which are listed on the Specially Designated Nationals and Blocked Persons (SDN) List... Most OFAC sanctions are exempted for "informational materials," which generally include open source code. However, this only applies to existing code and not to requests for new code or modifications. So, for example, working with a Russian developer on a code patch could land you in hot water... While reviewing unsolicited patches from contributors in sanctioned regions is generally acceptable, actively engaging them in discussions or improvements could cross legal boundaries... Developers are warned to be cautious of sanctioned entities attempting to contribute indirectly through third parties or developers acting "individually."
Countries currently sanctioned include:
And so, as Steven J. Vaughan-Nichols writes, "the Linux Foundation has released a comprehensive guide to help open source developers navigate the complex landscape of the U.S. Office of Foreign Assets Control (OFAC) sanctions..." These rules, aimed at achieving economic, foreign policy, and national security goals, apply to various interactions, including those in the open source community. The total Sanctions Programs and Country list amounts to over 17 thousand entries ranging from individuals to terrorist organizations to countries.
If that rings a bell, it's because, in October 2024, the Linux kernel developers ran right into this issue. The Linux kernel's leadership, including Greg Kroah-Hartman, the stable Linux kernel maintainer, and Linus Torvalds, Linux's founder, announced that eleven Russian kernel developers had been removed from their roles working on the Linux kernel. Why? Because, as Torvalds said, of "Russian sanctions." This, he added, in a Linux kernel mailing list (LKML) message was because "the 'various compliance requirements' are not just a US thing."
For developers, this means exercising caution about who they interact with and where their contributions originate. The sanctions target specific countries, regions, and individuals or organizations, many of which are listed on the Specially Designated Nationals and Blocked Persons (SDN) List... Most OFAC sanctions are exempted for "informational materials," which generally include open source code. However, this only applies to existing code and not to requests for new code or modifications. So, for example, working with a Russian developer on a code patch could land you in hot water... While reviewing unsolicited patches from contributors in sanctioned regions is generally acceptable, actively engaging them in discussions or improvements could cross legal boundaries... Developers are warned to be cautious of sanctioned entities attempting to contribute indirectly through third parties or developers acting "individually."
Countries currently sanctioned include:
- Russia
- Cuba
- Iran
- North Korea
- Syria
- The following regions of Ukraine: Crimea, Donetsk and Luhansk regions of the Ukraine.
The Linux Foundation had written that the OFAC sanctions rules are "strict liability" rules, "which means it does not matter whether you know about them or not. Violating these rules can lead to serious penalties, so it's important to understand how they might affect your open source work." But J. Vaughan-Nichols offers this quote from open source licensing attorney Heather Meeker.
"Let's be honest: Smaller companies usually ignore regulations like this because they just don't have the resources to analyze them, and a government usually ignores smaller companies because it doesn't have the resources to enforce against them. Big companies that are on the radar need specialized counsel."
US blocks? (Score:4)
Re: US blocks? (Score:2)
What if someone gets caught? Gitmo? Social credit score -1000?
Re: US blocks? (Score:2)
Meaning collaborating with a North Korea developer on an open source project of course, not selling weapons to North Korea.
Re: (Score:1)
Re: (Score:2)
Those countries are part of the US-led political sphere. Might as well be subservient vassal states that work in orchestration to align their security policies with the US's.
There, that should be plenty of anti-US narrative to pass muster on this thread.
Re: (Score:2)
Because, let's just be honest with ourselves, they'd much rather integrate their economy with Russia, who has always been such a great neighbor to them, but the mean ol' US won't let them.
Re:US blocks? (Score:5, Interesting)
Were a part of the US-led political sphere.
As of a few weeks ago the US have discarded their traditional politics and have adopted instead an explosive mixture of reactionary concepts of ideas and unadulterated ignorance and stupidity as an ideological and political framework and have so put themselves in one line with putinist russia, xijinping's china and the fundamentalist autocratic regimes in the Middle East.
The current US administration has already destroyed the US-led political sphere by attacking the US allies openly, by destroying the soft power US used to wield and by withdrawing from the position of the global power to position of a regional one. This is something that xi, putin and a bunch of other folks were trying to do unsuccessfully for decades; the US republicans managed this and more in three short weeks - and I'm not even mentioning the destruction of the US government institutions, which will ruin any chance of a recovery.
We're literally seeing a repeat of the 1930s, except now it is driven by the new American muskite Nazism, which back then was limited to a minority of the conservative public aping Hitler.
Re: (Score:2)
0/10, really, darling.
Is there any other fantasy about me that you just came up with and want to share here?
Re:US blocks? (Score:5, Insightful)
Nobody but the US cares about Cuba. That's our unique derangement.
Re:US blocks? (Score:4, Informative)
They're US sanctions. Therefore, "the US blocks."
The US just has a habit of enforcing some of its laws outside the US so US sanctions are "not just a US thing." Asking Canada to apprehend a Hong Kong citizen for a meeting in Hong Kong with a British bank, for example.
And Linus lives in the US of course.
Re: Ridiculous (Score:2)
This might be the end of free software. The bastards finally found a way to get rid of it. Steve Ballmer can be happy, I guess.
Re: (Score:3)
You can't enforce the GPL anonymously. If you tried to sue, the defendant's legal team would be stupid not to motion for summary dismissal on the grounds that the plaintiff has no standing to sue unless they can somehow prove that it's their work, which would be borderline impossible if it was truly anonymous.
Re: (Score:2)
Re: (Score:2)
They are also technically silly. A makes patch, sends email with patch to B, lets B submit patch under his own name.
Summary says it's a bad idea:
Developers are warned to be cautious of sanctioned entities attempting to contribute indirectly through third parties or developers acting "individually."
It's probably easy for the project leader to understand that A and B were already friends, or that the patch B is now submitting was originally an idea from A. Plausible deniability will not be of much help, B will just be banned, and that's a risk paid developers won't be very eager to take.
Re: (Score:3)
Not every open source contributor is deterred from putting years of work into a project, just because there is a chance they might be banned from the project at some point in the future. And that also assumes that the bans themselves won't be reversed sooner, when the powers that be are replaced or change their mind. It might all just turn out to be
DeepSeek sanctions in 3, 2, 1 (Score:3)
https://qz.com/u-s-investigate... [qz.com]
Re: (Score:3)
Well, Syria is an interesting one. The jihadists recently kicked out the Russo-Anglo puppet dictator.
It's up to the new guys whether they want to rejoin civilization.
Re: (Score:2)
Anglo? No. He was a puppet of Russia and Iran.
Re: (Score:2)
His wife, a Londoner.
Assad's kids would be eligible for British citizenship. Soft diplomacy is marrying into respectability.
Re: (Score:2)
That doesn't make him a puppet of the British government, which is what you claimed.
Re: (Score:2)
I know a group of people who spent their 4th of July vacations in Moscow. https://thehill.com/homenews/s... [thehill.com]
Re: (Score:2, Insightful)
You make it sound like it was leisure time, but it seems more like it was a diplomatic effort, particularly given they stayed at the US embassy.
We've seen more blatant examples of American politicians spending leisure time there, like for example Bernie Sanders having his honeymoon there. After all, nothing gets him more in the mood for sex than being in a country where everybody except the political elite are equally impoverished.
This is why you don't base FOSS in the US. (Score:2, Insightful)
I've never met a Cuban software developer but rejecting their contributions based on some 65yo feud seems nuts.
Re: This is why you don't base FOSS in the US. (Score:1)
Re: (Score:1)
Not legally, anyways.
Re: This is why you don't base FOSS in the US. (Score:3)
Remember "domestic encryption" vs "international encryption"? Same shit record plays again.
Re: (Score:2)
A lot of people in this country think your average Cuban or Chinese person is sitting around reading communist propaganda and plotting the downfall of the USA.
Re: (Score:2)
No, that's North Korea. I think they just think Chinese and Cubans all dirt poor, which is a fair assessment for Cuba but not necessarily China.
Projects outside of the United States (Score:3)
If the author(s) and server is located in a country outside of the United States, what can the US do? We did this with cryptography a couple of decades ago.
Would US developers be prohibited from contributing on a project hosted outside of the United States?
Could United States users eventually be prevented from downloading or installing such projects? This seems like a stretch to me. More likely the US would adise people not to use the code or programs on servers outside of the united states.
Re: (Score:2)
what can the US do?
emit even more paranoid sanctions, keep isolating itself, until eventually the cheerleaders and vassals are gone too. empires rise and fall, that's just a natural thing and they tend to fall kicking. as long as we can avoid a catastrophic war it will be fine, maintainers will contribute elsewhere, life goes on and ofc linux already belongs to all humanity. i'm sure american maintainers will be allowed to contribute if a fork eventually takes over.
"I'm Finnish. Did you think I'd be *supporting* Russian
aggression? Apparently it's not just lack of real news, it's lack of
history knowledge too."
https://lore.kernel.org/all/CA... [kernel.org]
and we all knew linus can b
Re: (Score:2)
Re: (Score:2)
Is he a good manager? What can he be compared with?
I have to say that I find the extremely high correlation between how early one joined Linux, and how high one is in the decision making hierarchy to be very suspicious. That does not seem like a meritocracy to me.
Re: (Score:1)
does his "history knowledge" (assuming it had any bearing in this issue, which it doesn't, but so he claims) actually register the fact that the finns collaborated with the nazis and jointly attacked russia in 1941?
More history knowledge; https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:1)
the finns were allied with the nazi germans... that's gotta put a stain on a country's history they'd rather hide to the world and complain about being invaded...
well, they'll have to accept their mistakes.
Re: Projects outside of the United States (Score:3)
His history knowledge includes the fact that the Soviets invaded his country in 1940 with the goal to grab land and this knowledge is enough.
Bonus point. Back then the Soviet Union was no better than Nazi Germany. They have been allies, after all. (before June 1941). So helping one against the other is not necessarily a bad thing.
Re: (Score:2)
Yes. Contributing to a project hosted outside the US is exporting. If you're exporting arms to a sanctioned entity, or someone who does business with a sanctioned entity, you could get arrested.
Freedom!
Re: (Score:2)
Its just mildly more difficult to print the source code to Linux on a T-shirt ... or to include its entirety in your E-mail signature.
no no! (Score:2)
"... now cut the red wire... NO WAIT the BLUE wire. Cut the blue wire... Uh, is anybody still there?"
MOVE IT to switzerland (Score:2)
sorry but does anyone remember the whole PGP debacle
your penalising the flow of information and intellectual idea's which NEVER works well
the linux foundation needs to move to switzerland which also has regulations but actually targets companies and individual people not idea's and races
Glad Cuba's on the list, (Score:2)
they are one hell of a threat to us.
Land of the free (Score:2)
I can publish for everyone to see but I can't talk to someone to fix an issue or improve the code.
Yeah. This is freedom. makes a lot of sense. Just like every war and the sh1t that's going on in the US right now. Let's all start f4cking over our friends for just our selfish reasons and call this freedom.
For me this is insanity.
Re:Land of the free (Score:4, Insightful)
The Cold War really screwed us up. Well, actually that's not true true. We like to claim that we're for freedom and equality and we were one of the biggest slave-using nations in the world in the 19th century.
We say one thing and do another, while believing we're in the right the whole time, so our values are basically some kind of delusion.
I'd recommend being cautious in dealing with the US government or Americans.
Welcome to ITAR land (Score:2)
Although of course you've already been living in ITAR land this whole time. It's "always" been illegal for anyone based in the US to transmit technical data to a foreign national without a license. The arms manufacturers and defense contractors are acutely aware of this and only hire citizens. The aerospace companies and universities are also quite aware of it, and either pick whom their hire or what kind of research they do so as to avoid the kinds of applied research ITAR covers. But guess what: it's appl
ARMs? (Score:2)
It's true, the FSF has been dealing extensively in stuff related to ARMs, in addition to x64s and, increasingly, RISC-Vs. So obviously control of International Traffic in Arms is highly relevant to the FSF work.
the end of an empire (Score:1)
the US are soon to become irrelevant, as China is slowly taking over. all this sanctions business will start to slowly be ignored into oblivion.
I don't see the point (Score:2)
Why is collaboration on open source with people in sanctioned countries matter?
I'm assuming that these people don't get paid, so this isn't contributing financially to these countries. It's also open source, so it's not like it's a secret that these countries might get their hands on. So what's the big deal?