Some of you may have caught something I said as the Thursday meeting was clearing along the lines of "let's hope that open source does not become like THIS." Not having a chance to elaborate then, I will do so now:

It may come as a surprise that there are institutions who do not support open source, privacy or overall technology freedom. This may be for control, profits or both. Regardless, threats to software freedom such as software patents force developers to carefully consider their design choices and we all must work to guarantee that software development and even system administration do not become as pedantic as choosing or destroying the specific domestic or foreign parts that the speaker described. I quickly lost track of which part is which, as did others, and the presenter pointed out that you cannot simply stamp "Made in the USA" on a part as the authorities can conduct metallurgical analysis of the part. The parts (or perhaps sections of code) in question are identical in function and appearance but to use the wrong one can result in a felony and all of the life-destroying benefits associated with it.

Sadly, this can apply to software. Page 9 of the OpenBSD/Gnome presentation I linked to earlier only hints at the issues at hand:

http://www.openbsd.org/papers/opencon07-gnome.pdf

* Export compliance from US software or US origin software, to some countries
* BIS, EAR99, ECCN, Wassenaar, ...
* What are the risks where you’re not compliant?

Remember the early 1990s when a 486 was considered munitions one could not export to, say, Latvia? Even somewhat laughable by today's standards crypto routines could not be exported (recall the non-exportable t-shirt?). In short, governments like to control what cryptography exits and enters their borders to 1. prevent aid to the enemy (albeit completely unenforceably) and 2. snoop on guests. This thus creates a challenge to the administrators who presented on GNOME: How do you satisfy every government that a, say, minerals explorer might come in contact with while preserving business obligations? Full compliance with all rules could leave you with little more than a laptop containing no data and running FreeDOS.

Should a company violate BIS guidelines, they will be blessed with the rough equivalent of an individual felony:

http://www.bis.doc.gov/index.php/enforcement
http://www.bis.doc.gov/index.php/enforcement/oee/penalties
http://www.bis.doc.gov/index.php/about-bis/newsroom/press-releases/102-about-bis/newsroom/press-releases/press-releases-2013/603-texas-company-to-pay-100-million-for-export-violations-to-iran-syria-cuba-and-other-countries

"Texas Company to Pay $100 Million for Export Violations to Iran, Syria, Cuba, and Other Countries - Fine is largest civil penalty ever levied by the Bureau of Industry and Security"

Now the part that impacts the majority of PLUG members: As US citizens, the open source projects of the world prefer you not touch their crypto software because to do so, even if from a foreign land on a foreign computer, would instantly subject the code to US export controls. Digital transubstantiation? Don't hack crypto?

Let's look at what Sun did: The StarOffice/OpenOffice, VirtualBox and MySQL projects all came from Germany, Germany and Sweden respectively. The Sun acquisition of these instantly subjected them to US export controls in a completely avoidable manner. Worse, they did not choose to entrust them to non-US public-benefit NGOs and thus they ended up in the hands of Oracle and, in the case of OpenOffice, the US-based Apache Foundation. (I respect that not everyone has been lectured on this by a German ex-military sysadmin at 3AM in front of the OpenCON hotel in Venice though I do recommend it.)

If you are involved with an open source project, please don't do what Sun did.

That said, there are countless lessons in the last PLUG talk and I am happy to continue to explain them. I do not expect everyone to take technology freedom as seriously as I do but ask that you make an effort to respect those who do.

Michael Dexter
PLUG Volunteer
