
Fedora To Have a "Don't Ask, Don't Tell" For Contributors

timothy posted about 7 months ago | from the the-right-kind-of-discretion dept.


An anonymous reader writes "The Fedora Project is now going to enforce a "Don't Ask, Don't Tell" policy for contributors. What the project's engineering committee is asking their members to conceal is a contributor's nationality, country of origin, or area of residence. There's growing concern about software development contributions coming from export restricted countries by the US (Cuba, Iran, North Korea, Sudan, and Syria) with Red Hat being based out of North Carolina, but should these governmental restrictions apply to an open-source software project?"


212 comments


Lawsuit? (-1)

Anonymous Coward | about 7 months ago | (#46420029)

So they want to hide wrongdoing and are now asking people to not incriminate them? I smell a lawsuit in the making.

Re:Lawsuit? (5, Insightful)

SJHillman (1966756) | about 7 months ago | (#46420069)

If contributing to open source projects is wrong, then I don't want anybody to be right.

Re:Lawsuit? (2, Funny)

Anonymous Coward | about 7 months ago | (#46420599)

Those Open Source nuts should all be imprisoned! Or, at the very least, branded as the traitors they are, aiding and abetting the enemy. Perhaps they should all go to Russia with Snowden.

Re:Lawsuit? (3, Insightful)

Anonymous Coward | about 7 months ago | (#46420925)

Maybe the US should stop making enemies.

Absolutely (1)

Anonymous Coward | about 7 months ago | (#46420059)

Absolutely. Fedora is a US based company, yes? Then should they abide by US laws? Yes.
If they want to get code from countries that would otherwise be illegal in their current place of residence, they should not conceal the identities of the contributors and instead move the country they base their operations out of. Law is law.

Re:Absolutely (4, Interesting)

SJHillman (1966756) | about 7 months ago | (#46420121)

This could quite possibly qualify as "civil disobedience", which has a long history in the US.

Re:Absolutely (4, Insightful)

Sarten-X (1102295) | about 7 months ago | (#46420371)

...and an equally-long history of being illegal and getting people thrown in jail or slapped with fines. "Noble cause" isn't a defense in itself.

Re:Absolutely (1)

Lisias (447563) | about 7 months ago | (#46420429)

"Noble cause" isn't a defense in itself.

If you won the battle, it is.

Re:Absolutely (5, Informative)

Immerman (2627577) | about 7 months ago | (#46420463)

No, but it can be good enough for a jury to find them non-guilty despite the facts - a tradition that extends throughout US history and long before.

Remember, your obligation as a juror is not just to judge the facts of the case, but to ensure that justice is served. Despite the law if necessary. See Jury Nullification for more information.

Re:Absolutely (5, Funny)

Anonymous Coward | about 7 months ago | (#46420553)

No, but it can be good enough for a jury to find them non-guilty despite the facts - a tradition that extends throughout US history and long before.

Remember, your obligation as a juror is not just to judge the facts of the case, but to ensure that justice is served. Despite the law if necessary. See Jury Nullification for more information.

Want to get out of jury duty, say the words "jury nullification".

Re:Absolutely (2)

Stormy Dragon (800799) | about 7 months ago | (#46421259)

If you've read "On Civil Disobedience" by Thoreau, the jury didn't get a chance to find non-guilty. He didn't contest the charges. The goal is to get thrown in prison so that it becomes too expensive for the civil authority to continue enforcing the law.

Re:Absolutely (1)

LordLimecat (1103839) | about 7 months ago | (#46421333)

And a citizen's duty in a democracy is to-- in most circumstances-- obey the laws passed by its people.

Sometimes those laws are particularly egregious, and in those RARE circumstances civil disobedience may be justified. But that bar needs to be VERY high, otherwise it just degenerates into "I really think IP laws suck, so I'm torrenting everything and calling it civil disobedience." That's not a noble cause, it's undermining democracy and society.

I don't really see how you could classify export restrictions as being serious enough to qualify.

Re:Absolutely (1)

Stormy Dragon (800799) | about 7 months ago | (#46421219)

Going to jail for civil disobedience has an equally long history in the US. In fact the book that coined the term was written when Thoreau was in prison for refusing to pay his war tax.

Re:Absolutely (1)

JoeMerchant (803320) | about 7 months ago | (#46420125)

Don't ask, don't tell passed legal muster for the U.S. armed forces...

Re:Absolutely (4, Informative)

Anubis IV (1279820) | about 7 months ago | (#46420435)

The situations are rather different. The stated purpose of the US military's DADT policy (which was repealed back in 2011, incidentally) was to allow homosexuals to serve while eliminating the perceived drawbacks (specifically, a reduction in unit cohesion and morale) that came with having them serve openly.

In contrast, the stated reason export restrictions are in place is to sanction or otherwise prevent the sharing of goods and information with certain countries. Fedora's DADT policy does nothing to address those issues, since those reasons are intact, regardless of whether the individual's nationality is known or not. If anything, it may make the problem worse by providing a false sense of legitimacy and legality to the nature of the business relationship, encouraging others to break the law as well. All Fedora is trying to do is eliminate their own culpability through willful ignorance, but the law makes it clear that they are required to proactively ensure that the people they share their data with are not from export-restricted countries. Willful ignorance is no excuse.

To be clear, I'm NOT addressing the topic of how things ought to work, how things should be, or whether these restrictions make any sense at all. That's a discussion for another comment thread.

Re:Absolutely (1)

king neckbeard (1801738) | about 7 months ago | (#46421013)

This allows individuals in restricted countries to contribute to greater software quality and security without the perceived drawbacks of having them contribute openly. The sharing of this software is not affected in any meaningful way because it's already FOSS, and the source code would almost certainly be mirrored in another country that is less ridiculous about imports.

Re:Absolutely (1)

Anonymous Coward | about 7 months ago | (#46420733)

And the Republicans attacked it nonstop because of their bigotry. They hate open source software even more than they hate gays. Expect them to attack this with the same religious fanaticism that they attacked Clinton for creating DADT. The bizarre thing is that Clinton telling gays that they would be put in prison if they used their first amendment rights is exactly the type of thing that Republicans love. They should have supported him putting gays in prison. Instead, they attacked him for not putting enough gays in prison. Expect the same to happen when Obama doesn't put enough developers in prison. The Republicans are going for blood. Their slang term "open sores" to describe open source software will ironically come true. We will bleed.

Re:Absolutely (0)

Anonymous Coward | about 7 months ago | (#46420969)

They hate open source software even more than they hate gays.

Pretty sure that's not possible.

Re:Absolutely (2)

MRe_nl (306212) | about 7 months ago | (#46420151)

"Law is Law".
And orders are orders.
"One may well ask, how can you advocate breaking some laws and obeying others?" The answer is found in the fact that there are two kinds of laws: just laws . . . and unjust laws."

Re:Absolutely (1)

funwithBSD (245349) | about 7 months ago | (#46420479)

And who decides which are which?

If society found a law unjust, it would be repealed.

If that is an individual, and not society at large, then all laws are unjust in someone's eyes.

Re:Absolutely (1)

i kan reed (749298) | about 7 months ago | (#46420505)

And who decides which are which?

If society found a law unjust, it would be repealed.

If that is an individual, and not society at large, then all laws are unjust in someone's eyes.

Only in an ideal world. We don't have that luxury.

Re:Absolutely (1)

Desler (1608317) | about 7 months ago | (#46421253)

If society found a law unjust, it would be repealed.

In which fantasy land? "Society" has and still does uphold unjust laws all the time. What you describe is a tyranny of the majority.

Re:Absolutely (1)

wisnoskij (1206448) | about 7 months ago | (#46420265)

Seems like it would just be better to lease a server in Zimbabwe or something, instead of the steps they are currently taking.

Re:Absolutely (2)

MickyTheIdiot (1032226) | about 7 months ago | (#46420585)

Since our purchased Congress is inherently incapable of understanding any project that doesn't conform to a corporate structure or corporate "profit at all costs" philosophy, I wouldn't be surprised if this is what happens. In the end, no way to download source code from a US site.

Re:Absolutely (2)

i kan reed (749298) | about 7 months ago | (#46420287)

If you aren't paying, and you aren't taking ownership of something, is it really a violation of import restrictions? I mean, how does that hurt the sanctions against Cuba, for example?

Re:Absolutely (0)

Anonymous Coward | about 7 months ago | (#46420421)

Last time I checked, Red Hat Enterprise charges.

Re:Absolutely (1)

i kan reed (749298) | about 7 months ago | (#46420543)

That's an American company making money. That doesn't benefit Cuba at all.

Re:Absolutely (1)

king neckbeard (1801738) | about 7 months ago | (#46421025)

They charge for support contracts. These are contributing developers. There's an enormous difference.

Re:Absolutely (4, Interesting)

Sarten-X (1102295) | about 7 months ago | (#46420469)

Yes and "it's complicated".

The point of the sanctions is to say "If you're not going to play Global Economic Power nicely*, you're not going to play at all." That doesn't just mean "you're not going to win", but it also includes "you're not going to practice", "you're not going to have others play for you", and "you're not going to share the winnings with anyone who does play."

It has been upheld in US courts that even the minor fame from open-source authorship counts as economic gain (thus reinforcing the GPL's validity as being consequential). Acknowledging that Cuban programmers are good enough for inclusion in Fedora implies that Cuban programmers might be good enough for other projects, and that's marketing - certainly a part of that Global Economic Power game.

* For pro-American values of "nicely"

Re:Absolutely (1)

i kan reed (749298) | about 7 months ago | (#46420513)

Ah, but then the "don't ask" policy officially quashes the "minor fame" aspect. What other avenues of fake profit exist?

Re:Absolutely (1)

Sarten-X (1102295) | about 7 months ago | (#46420753)

Yes, that's exactly why the policy exists. Fedora's hoping they can do an end-run around the sanctions, but the problem lies in the "don't tell" side. If the submissions are traceable back to their contributors, then there's no reason a prolific contributor can't simply announce who he is, regardless of Fedora's policies. Then they get instant (minor) fame and can have their 15 minutes in the spotlight.

Re:Absolutely (2)

Rich0 (548339) | about 7 months ago | (#46420875)

If you aren't paying, and you aren't taking ownership of something, is it really a violation of import restrictions? I mean, how does that hurt the sanctions against Cuba, for example?

I've been involved in this discussion on another open source project where we have a potential contributor from a fairly-heavily-embargoed nation. The issue is that the wording of the laws is very broad. There isn't much question that we couldn't send money to the developer in question, but the problem is that the law would seem to cover even receiving donations from them (in goods, services, or money).

I suspect the reason is that the laws were written to be fairly loophole-proof. If you spot somebody sailing out of Iran with a tanker full of oil, the ship captain would just tell you that it was a gift and no money was exchanged. Unless you caught the money going in you might not have a case against him, even though he was obviously violating the embargo. So, the law presumes that nobody does something without getting SOMETHING for it, and thus anything moving in or out is forbidden.

I'm not sure if don't ask don't tell would work or not. I know that best practice in corporations is to screen any payee or shipment recipient daily against the various export control lists, and to place writing in contracts requiring their business partners to do the same. However, most corporations are not the beneficiaries of donations of code, so it is a bit of an untested area.

Re:Absolutely (1)

K. S. Kyosuke (729550) | about 7 months ago | (#46420445)

If a US citizen says "first multiply the numbers, then add them", how is that different from when a North Korean citizen says "first multiply the numbers, then add them"? Mathematics works the same everywhere. Science works the same everywhere. Computer programs work the same no matter who wrote them. Everything that a computer program does is dependent on its source code and nothing that a computer program does is dependent on its originator. There can't possibly be a rational reason for that.

Re:Absolutely (2)

bluefoxlucid (723572) | about 7 months ago | (#46420887)

I suggest to you that you should now rewrite Microsoft Office from scratch. Since computer programs work the same everywhere it doesn't matter that you have to originate the code yourself instead of having it shared with you (for a fee, and in binary form) from some vendor.

Re:Absolutely (1)

goombah99 (560566) | about 7 months ago | (#46420507)

Right. To begin with, Red Hat is a company and they also make money. For both reasons they get no exception to export restrictions. It doesn't mean you have to like it. But that's the law and there's no reason to grant an exception.

Re:Absolutely (1)

sirlark (1676276) | about 7 months ago | (#46420791)

I don't know the intricacies of U.S. law, but I was under the impression that the law regarding encryption algorithms as munitions was no longer in place. Unless there's something else restricting software specifically, there's no economic value to restrict unless you have paid developers in restricted/embargoed territories who are receiving money across the border. The economic value (if any) comes at a later stage when the software is distributed and possibly sold, or more likely services surrounding the software are sold. Why is this an issue?

Re:Absolutely (3, Insightful)

Rich0 (548339) | about 7 months ago | (#46420997)

I don't know the intricacies of U.S. law, but I was under the impression that the law regarding encryption algorithms as munitions was no longer in place.

Correct. Software is not export-controlled specifically at all.

Unless there's something else restricting software specifically, there's no economic value to restrict unless you have paid developers in restricted/embargoed territories who are receiving money across the border.

The problem is that the prohibitions are blanket ones against money, goods, and services moving in either way across the border with a few named countries like Iran (these kinds of laws exist in many countries, the specific targets vary, but Iran is a pretty common one so I just use that as an example). You actually need an exception to the law to ship anything at all in either direction, and those exceptions usually require specific licenses from the government (you're allowed to ship n kg of wheat into Iran or whatever).

Sure, it doesn't make as much sense when applied to FOSS, but the laws were written broadly without FOSS in mind. So, companies and non-profits aren't terribly eager to test them. It is entirely possible that a court would find accepting free contributions is non-infringing, but it is also possible that a court would treat you like somebody shipping crates full of missiles.

It is a big mess, and different FOSS organizations are handling it in different ways. Some try to have organizations in various jurisdictions so that they can keep different activities in different areas. Some just ban it. Some don't think it is a problem. Since nobody has gone to court yet, it is hard to say what the outcome would be the first time this happens.

Re:Absolutely (4, Interesting)

mrvan (973822) | about 7 months ago | (#46420931)

Maybe it's a stupid question, but can't you "launder" code by routing it through a third nation and recommitting the code from there?

What is the export restriction on anyway? The bits? The IP? And does it extend to any derived work of an export restricted IP burdened work? Because if any piece of code on which any citizen of a restricted country has copyright, I'm pretty sure the linux kernel would contain at least one line, meaning all android phones and most routers, servers etc would be illegal?

Also, DADT sounds really stupid as company policy. I don't know a lot about US law, but in the Netherlands corporate liability extends if the management knew or was in a position to know that law was breached, and having policy to conceal such breach is good evidence that management was in a position to know. Any US lawyers care to comment?

Do they apply to US-based commercial products? (1)

Anonymous Coward | about 7 months ago | (#46420067)

Yes. They do. Why should US-based Open Source products get special treatment? Would that be an unfair competitive advantage if they did?

Re:Do they apply to US-based commercial products? (1)

Anonymous Coward | about 7 months ago | (#46420215)

US-based commercial products aren't prevented from accepting contributions, only from exporting money to pay a salary to someone from a restricted countries.

Re:Do they apply to US-based commercial products? (3, Informative)

pla (258480) | about 7 months ago | (#46420339)

Do they apply to US-based commercial products?

No. No, they do not, for one simple reason - Microsoft doesn't take source code from their userbase and roll it into the next release of Windows. The entire issue simply doesn't come up with closed source, because no one outside has access to the source code in the first place.

Red Hat's problem in this situation really has no analog in the conventional business world. ITAR 18 USC 2339B simply don't address the situation of accepting material support from blacklisted entities. They just want to make sure that our ever-growing list of enemies doesn't someday require purging millions of lines of functioning source code. "Well what do we have here... Looks like you accepted code from one of those evil bastard terrorist(tm) Finns - Get ready for PMITA!"

Re:Do they apply to US-based commercial products? (1)

pla (258480) | about 7 months ago | (#46420369)

ITAR and 18 USC 2339B.

Re:Do they apply to US-based commercial products? (1)

Anonymous Coward | about 7 months ago | (#46420667)

Where does this end? I remember in the 1990s, IUST (Iranian University of Science and Technology) writing a major part of the SMP code for the Linux kernel. Are we going to have to find what nationality the code was checked from and rip it out line by line?

I am reminded about ITAR and PRZ, way back when PGP managed to float out of the US, and he nearly got nailed for the same crime that someone sending nukes to Iran would.

This is an edge condition where the law needs to be changed, because the alternative is simple... Fedora and RedHat would split their development projects to an offshore organization, and just import said organization's code as a gestalt.

Re:Do they apply to US-based commercial products? (3, Interesting)

Anonymous Coward | about 7 months ago | (#46420775)

ITAR is still alive and well, we recently had lots of "fun" trying to get a decent frequency standard for our internal cal lab in (non-EU) eastern Europe.
"OMG, the Russkies could steal the secrets of the atomic... clock?!?"

Willful ignorance is not a defense... (-1)

Anonymous Coward | about 7 months ago | (#46420133)

The US export restrictions require US citizens to actively verify with partners to confirm that there is no involvement with a restricted country. This is just going to bite them in the ass.

Huh? (1, Insightful)

Hognoxious (631665) | about 7 months ago | (#46420149)

If someone in Syria submits a contribution to US based software, how does that infringe an export ban?

Re:Huh? (2, Interesting)

Jane Q. Public (1010737) | about 7 months ago | (#46420207)

"If someone in Syria submits a contribution to US based software, how does that infringe an export ban?"

I think the point here is more like: should a North Carolina-based company be doing business with countries that the U.S. government is sanctioning?

Re:Huh? (1, Insightful)

Anonymous Coward | about 7 months ago | (#46420343)

Interesting question. Perhaps a good one for the mercenary firm formerly known as Blackwater, also headquartered in NC.

Re:Huh? (1)

MickyTheIdiot (1032226) | about 7 months ago | (#46420477)

Pishaw. Vice Presidential corporate buddies get a free pass.

Re:Huh? (0)

Anonymous Coward | about 7 months ago | (#46420849)

They are called Academi now, keep up or you'll miss the next name-change.

Re:Huh? (1)

Lisias (447563) | about 7 months ago | (#46420475)

I think the point here is more like: should a North Carolina-based company be doing business with countries that the U.S. government is sanctioning?

Exactly what do you define as a "business"?

It's a business if no money changes hands?

Re:Huh? (2)

K. S. Kyosuke (729550) | about 7 months ago | (#46420491)

So when news reporters publish reports from people interviewed in those countries, is that "doing business" with those countries as well? That's also a transfer of copyrightable material from those countries into the US, just like the FLOSS contributions.

Re:Huh? (1)

bill_mcgonigle (4333) | about 7 months ago | (#46421033)

I think the point here is more like: should a North Carolina-based company be doing business with countries that the U.S. government is sanctioning?

Of course they should - for all the reasons Americans hold dear.

Would the US Government think so? Probably not, but look at the shit going down in Venezuela as a direct consequence of Kennedy's EO on Cuba - they have no idea what they're doing (or are at least in severe denial about free markets and trade's effect on freedom because they want to be central planners and pretend like they value freedom).

Re:Huh? (1)

CanHasDIY (1672858) | about 7 months ago | (#46420219)

If someone in Syria submits a contribution to US based software, how does that infringe an export ban?

Ask yourself this - how could someone in Syria contribute to code they've never seen before?

Re:Huh? (-1)

Anonymous Coward | about 7 months ago | (#46420315)

Ask yourself this - How does open source code become bound to a single geopolitical location?

I'm fairly certain there are countries with whom the US does export and I'm confident some of those countries export to countries the US doesn't. What's to stop someone acquiring source code from an intermediary?

Licensing!?

Re:Huh? (3, Insightful)

cdrudge (68377) | about 7 months ago | (#46420677)

Ask yourself this - how could someone in Syria contribute to code they've never seen before?

The same way that Western goods make their way to any country under export control, through intermediaries.

Coke can't sell to North Korea. Coke however can be sold (or made) in China and then gets shipped across the line [projectcensored.org] to North Korea.

Is it really hard to imagine that Syria or Iran might be able to download from an intermediary country that might have a mirror of the distribution? Or had someone travel to such a country to download it? Or just went through a VPN or proxy? Or...

Re:Huh? (0)

Anonymous Coward | about 7 months ago | (#46420223)

Unless this theoretical Syrian national is also a great and powerful psychic, I doubt that they will be able to make a contribution to a code base without having seen it.

In other words, we would have to export the existing code base to them so that they may make updates and contributions to it.

Re:Huh? (1)

MickyTheIdiot (1032226) | about 7 months ago | (#46420501)

What if the checkout server is in the Cayman Islands?

Re:Huh? (1)

NatasRevol (731260) | about 7 months ago | (#46421037)

Or a proxy server.

Or VPN.

Or intermediary country.

Re:Huh? (0)

Anonymous Coward | about 7 months ago | (#46420235)

To make this kind of contribution one usually needs to access sources first.

Re:Huh? (0)

Anonymous Coward | about 7 months ago | (#46420327)

If the source is open and distributed, how will you keep them from getting it?
I think Fedora should have to abide by US law.

Re:Huh? (0)

Anonymous Coward | about 7 months ago | (#46420285)

Presumably because it would not be possible for such a contribution to be made without the import ban first being broken.

Just like physical products. Not legal to export a banned product then import it back to the US.

Re:Huh? (1)

Lisias (447563) | about 7 months ago | (#46420511)

Presumably because it would not be possible for such a contribution to be made without the import ban first being broken.

So don't export to them. Export to someone else, and then they export to them.

A huge part of the code isn't made in USA anyway. Worst case scenario is these guys making contributions on non-USA code on some other country's SVN server to be merged to Fedora later.

Re:Huh? (1)

Rich0 (548339) | about 7 months ago | (#46420921)

Presumably because it would not be possible for such a contribution to be made without the import ban first being broken.

So don't export to them. Export to someone else, and then they export to them.

That is expressly forbidden with physical exports under US law. Your responsibility for an export doesn't end once it leaves your hands if you didn't do due diligence to ensure that the ultimate recipient wasn't a denied party. This is a fairly obvious loophole otherwise.

Now, how all of this applies to software is anybody's guess.

Re:Huh? (1)

Lisias (447563) | about 7 months ago | (#46421195)

Your responsibility for an export doesn't end once it leaves your hands if you didn't do due diligence to ensure that the ultimate recipient wasn't a denied party.

And exactly how does the Law expect the exporter to manage that? That's impossible! It's the USA Government that has armed troops to enforce policies, not the civilian exporters!

Re:Huh? (1)

Rich0 (548339) | about 7 months ago | (#46421287)

Your responsibility for an export doesn't end once it leaves your hands if you didn't do due diligence to ensure that the ultimate recipient wasn't a denied party.

And exactly how does the Law expect the exporter to manage that? That's impossible! It's the USA Government that has armed troops to enforce policies, not the civilian exporters!

The Law can expect anything it wants to - quite a few laws are unreasonable. The anti-smartphone-while-driving law in California appears to ban having a powered-on smartphone in the front passenger's purse, which is obviously unreasonable. That is why they're all selectively enforced.

Generally if you show due diligence you're fine. That's why big corporations require all their sub-contractors to screen their own shipments/payments against export control lists as a condition for getting business.

Just look at how many businesses do nothing but deal with imports and exports as a sole source of income. The laws in this space are incredibly complex. I'm sure lots of companies bend/break them, however.

Why do they need to know in the first place? (1)

Anonymous Coward | about 7 months ago | (#46420169)

It's not like they're being paid money for their work.

Who's actually upset by this? (0)

Anonymous Coward | about 7 months ago | (#46420181)

Not sure if this is the right way to look at it, but if it's a case of the US banning exports to the listed countries (I can't imagine how the US would ban exports from those countries short of a blockade), then what's the problem?

People in those countries are exporting their work on the opensource project at hand.

As for how they got their hands on that code... it's open source! they could have downloaded it from anywhere (i.e. NOT the US).

Where's the issue?

I WANT to know where code comes from. (1)

Anonymous Coward | about 7 months ago | (#46420203)

Because I do NOT trust code from Russia, China, anywhere in the Middle East, and a few other places. Just look at all the crime (Target for one) that's based in Russia alone.

Re:I WANT to know where code comes from. (1)

SJHillman (1966756) | about 7 months ago | (#46420249)

I don't trust anonymous comments on Slashdot. Just look at all the nonsense (hosts files for one) that's based in this thread alone.

I'd trust code I can see from a place I don't trust more than I'd trust code I can't see from a place I like.

Re:I WANT to know where code comes from. (0, Informative)

Anonymous Coward | about 7 months ago | (#46420361)

That worked so well for GnuTLS. Thousands of eyes have looked over that code for years, and missed it. Open source didn't live up to its hype in this case.

Re:I WANT to know where code comes from. (0)

SJHillman (1966756) | about 7 months ago | (#46420407)

I'm not saying Open Source is absolutely trustworthy, but I tend to trust it more than closed source - at least for large projects with a lot of people looking at it.

Fools (0)

Anonymous Coward | about 7 months ago | (#46420449)

The ONLY opinions that matter are the customers.

I am a customer and that makes my opinion correct.

Any asshole can get a disposable email and create an account; therefore, this prejudice against ACs is completely illogical.

I'd trust code I can see from a place I don't trust more than I'd trust code I can't see from a place I like.

I see. So you examine every line of code? No you don't. It's impossible because of the MILLIONS of lines of code.

You know, everybody takes it for granted that someone else will look at the code and make sure there isn't anything malicious. I have never - ever - seen or met anyone who looks at FOSS code. They install it and run it.

You are a fool.

Re:Fools (1)

flyingfsck (986395) | about 7 months ago | (#46420865)

Meet me. I have on occasion not only read FLOSS code, but also contributed.

Re:I WANT to know where code comes from. (0)

Anonymous Coward | about 7 months ago | (#46420333)

If you are relying on the nationality of your contributors to secure your code, YER DOIN' IT WRONG.

Re:I WANT to know where code comes from. (1)

Frobnicator (565869) | about 7 months ago | (#46420399)

Because I do NOT trust code from Russia, China, anywhere in the Middle East, and a few other places. Just look at all the crime (Target for one) that's based in Russia alone.

Well, unfortunately, maintainers have found they also cannot trust sources in the US and other nations due to corporate and government intrusion either. Nor can you trust the code is entirely bug free, and who knows if the security flaw bug was intentionally introduced.

The only answer for open source maintainers is constant vigilance. NOBODY is to be trusted.

Search back to when Linus Torvalds was asked if the NSA and other agencies had ever tried to make him to install back doors in the kernel. He said "Noooo..." while emphatically nodding his head "yes". He also claims to verify all the submissions that make it in, and claims to double-check all submissions that claim to have been made by him since spoofed changes have been known to happen.

Based on the heated, usually profanity-laden messages from the kernel mailing list when a maintainer lets a kernel bug through and he caught it, I'd say his personal level of distrust is just about right for what he is maintaining. Not even the highest-level maintainers have his complete trust.

Re:I WANT to know where code comes from. (1)

Lisias (447563) | about 7 months ago | (#46420517)

Because I do NOT trust code from Russia, China, anywhere in the Middle East, and a few other places.

You are free to audit the code. ;-)

Don't ask, don't tell (1)

Anonymous Coward | about 7 months ago | (#46420257)

There's no need to ask. We already know that everyone who codes Linux is gay.

Only the final validation (1)

John.Banister (1291556) | about 7 months ago | (#46420311)

Only the final validation contributions should be of concern in relation to contributions from export ban countries. The process that removes problems induced by errors (stupidity) ought to be good enough to catch the ones induced by malice as well.

Re:Only the final validation (0)

Anonymous Coward | about 7 months ago | (#46420641)

The process that removes problems induced by errors (stupidity) ought to be good enough to catch the ones induced by malice as well.

Maybe, maybe not. [xcott.com] The technical aspects of designing stable code and understanding exploitable code do have a lot of overlap, but there are many cases relevant to one and rarely considered by the other. Someone with intent to add a vulnerability will not just change a login line to add 'or password=DaBears', although I suddenly wonder how long that change would stay in a repository before being caught.

IANAL! (1)

khb (266593) | about 7 months ago | (#46420325)

'but should these governmental restrictions apply to an open-source software project?' there would appear to be two different questions here. (1) does the current law apply and (2) should the law apply.

w.r.t. (1) Sounds like some cognizant group has determined that the law does (or at least may) apply, so the Fedora team is taking the steps they can.

As for (2), that is a matter for Congress. Lobby them if you think the law should carve out an exception for Open Source projects (all or some specific licenses).

Re:IANAL! (1)

MickyTheIdiot (1032226) | about 7 months ago | (#46420629)

Lobby Congress? Really?

That's part of the problem. The people with the most money always win.

Re:IANAL! (1)

Rich0 (548339) | about 7 months ago | (#46420961)

You hit the nail on the head. I've seen discussion between a few FOSS projects around this, and they all would love to have contributors from countries like Iran, but the legalities around this are pretty muddy, so nobody with anything to lose wants to touch this.

The laws are written pretty broadly. It is hard to see how the regime in Iran benefits if an Iranian citizen can donate code to a project usable by anybody. I could see the argument against being allowed to pay them, or even donate to them or reimburse their expenses. However, the laws weren't written with FOSS in mind - code leaving Iran is no different from oil leaving Iran as far as it is concerned, and generally when goods are leaving a country, there is money going back in someplace else.

Understand, but it's dangerous (1)

Anonymous Coward | about 7 months ago | (#46420411)

I understand what they are trying to do. They want to protect the identity of their contributors so that their contributors are safe, and (other) locals won't condemn software that was partially written by someone in a country they don't happen to like at the time. This is a dangerous policy insofar as software provenance is concerned. When patent trolls come a-calling (and anything created that's worth more than half a penny will have more patent attorneys swarming it than ambulance chasers around a kid with a kazoo). I for one would worry more about the latter than the former. Have a sealed sign-in to confirm identities, and keep an accurate log record of who contributed what and when. It's the only way to beat off the trolls.

Re:Understand, but it's dangerous (0)

MickyTheIdiot (1032226) | about 7 months ago | (#46420665)

It's called *Open* Source for a reason. You or an agent you trust can download the code and look at it. If one is worried about nefariousness in the code you can actually look at it unlike Microsoft and closed source projects.

So if the purpose of this is to keep people from saying the code is bad because a guy from Russia worked on it they are promoting irrational behavior.

Elephants in the mist (2)

gmuslera (3436) | about 7 months ago | (#46420457)

If you will ban contributors because their home country intelligence agencies may be trying to plant backdoors or weaken security in a way or another, you should start with the main country by far engaged in such activities, else would be meaningless or just following an unrelated agenda. But if you trust in contributors of such country, why not of others?

"Go to jail. Go directly to jail. Do not pass Go" (1)

westlake (615356) | about 7 months ago | (#46420483)

There's growing concern about software development contributions coming from export restricted countries by the US (Cuba, Iran, North Korea, Sudan, and Syria) with Red Hat being based out of North Carolina, but should these governmental restrictions apply to an open-source software project?

In the name of god, why would a geek think open source development would give his US-based project immunity from American law?

Export controls come with teeth that bite. Suggesting that your contributors conspire to evade those controls is an invitation to disaster for everyone involved.

Re:"Go to jail. Go directly to jail. Do not pass G (0)

Anonymous Coward | about 7 months ago | (#46420697)

Please tell me how you restrict any possible way to export something that is free, publicly accessible, and available over a public distributed network?

With closed source software you can restrict who accesses the code and when, but for Open Source software there is no practical way of doing so.

How do you enforce the export control?... Blocking whole blocks of IP addresses from export-controlled countries? Using smart filters to prevent the source code going out? Are you going to require every open source software project to register so you can keep track of them and add them to a "forbidden to see outside the US" list?

Tell me how on earth you think that export control of public and available knowledge is enforceable in a practical and/or economical way?

The problem at the end of the day is that the people in export-controlled countries are going to have access to Open Source software one way or another, and they might have valuable contributions; not accepting those contributions could mean that the US is going to be isolated in its development and its political "enemies" are going to have better software, just because of an export control law that doesn't really reflect the way the modern world works.

Re:"Go to jail. Go directly to jail. Do not pass G (1)

Junta (36770) | about 7 months ago | (#46420927)

To say it's 'export controlled' is an oversimplification of the restrictions around working with those nations.

But in simple terms, this is about *contributors*, not downloading. And if it weren't an issue, then Fedora people wouldn't be trying to game it for plausible deniability (which of course doesn't work when you say "Hey everyone, I want to be able to claim plausible deniability so could you just omit some information so I can do that?").

"Please help us to break the law." (0)

Anonymous Coward | about 7 months ago | (#46420559)

If anyone asks, we'll pretend we never asked you to do this.

P.S. If you are law enforcement, please ignore the subject line of this message.

(Oh, and if this makes it harder to trace copyright should we ever decide to abuse the license to the code you contribute, well, sucks to be you, but we're no charity.)

Common sense, upside down (1)

cowwoc2001 (976892) | about 7 months ago | (#46420695)

So you're telling me that North Korean and Iranian scientists are just as likely to contribute malicious code to libraries used by Western agencies as anyone else? I think not.

Open-source is supposed to be about maximum transparency, not about hiding information that might actually be relevant. Imagine having to apply security at airports if you had no idea whether the person you are about to scan is a 90 year old grandmother or an 18-25 male from the Middle East. Statistics and common sense tell you that one is a lot more likely to be malicious than the other, so why throw common sense out the window?

Re:Common sense, upside down (2)

MickyTheIdiot (1032226) | about 7 months ago | (#46420723)

Well, you totally failed at this one.

If you only scan the 18-25 year old male from the Middle East, then the radical element will find a way to use the person that is not scanned. They'll use the 90-year-old grandmother with or without her knowledge.

You fail at security.

Re:Common sense, upside down (1)

Jiro (131519) | about 7 months ago | (#46420871)

The reason that terrorists use 18-25 year old males from the Middle East by default is that such people are the most practical for them to use, and that using someone else would be a lot harder and would make it more likely they would get caught (for instance, because such alternates have less loyalty to them).

Scanning the targets that are easiest for terrorists to use doesn't stop them, but it makes their plan harder compared to scanning random people, as long as you still scan the random people at some lower rate.

Due diligence? (0)

Anonymous Coward | about 7 months ago | (#46420741)

In my experience, trying to be willfully ignorant of stuff like this is not going to work as a defense. Here, they are explicitly explaining 'we don't want to know so that we can deal with sanctioned nations and truthfully claim we don't know it's happening.' There's a clear intent expressed that, if sanctions are relevant, they are trying to explicitly violate the sanctions.

It'd be one thing for contributors to naturally realize they should lie, or else if they *lazily* didn't bother to check/collect that information. But they are essentially instructing people on a specific course of action specifically to not get hit by sanction concerns.

Beta (0)

Anonymous Coward | about 7 months ago | (#46420891)

This slashdot beta is ugly as hell.

Government is incredibly stupid here. (0)

Anonymous Coward | about 7 months ago | (#46420937)

Export restrictions of non-classified information that's already "out there" are asinine. The very nature of software is such that you can clone infinite copies. If Iran wants something, it's trivial for them to plant just one guy in-country, have him download it at a coffee-shop and e-mail it out or whatever.

We went through this in the 90s. Remember the little form you had to fill out for strong encryption? I used to fill in my name as "Hafez the Enforcer". Nothing ever happened because not only is it impossible to stop the flow of information, even if I really were a terrorist and FUCKING TOLD THEM, they did nothing to stop it with a STUPID FUCKING FORM!!!

Meanwhile, any company that wants to follow the law has to burn that many more billable hours to make sure they're in compliance.

The security interests of the United States would be equally well served by requiring the Pledge of Allegiance to appear on all electronic shopping carts. Maybe I shouldn't give them any ideas...

Did the NSA submit this? (1)

koan (80826) | about 7 months ago | (#46421077)

Don't ask don't tell.

Be aware of the consequences (1)

Brett Buck (811747) | about 7 months ago | (#46421167)

Fine, accept code from foreigners, but be well aware that this will make it certain that it will not be used in many corporate sites. One of the items I have to certify when using open-source in a corporate environment is that there is no foreign content. Otherwise it cannot be used. No one is going to go through the source code from something like OpenOffice and look for malicious code, and show that it does not exist; if it has off-shore content, it will not be used, period.

Re:Be aware of the consequences (4, Informative)

vux984 (928602) | about 7 months ago | (#46421255)

One of the items I have to certify when using open-source in a corporate environment is that there is no foreign content.

That's pretty idiotic. Most projects involve foreign content. All it takes is one stealthy Canadian and you can't use it? What about Canadians living in the United States? Is that still foreign? Just how xenophobic are you?

Do you vet each commercial package as well to make sure they don't have a single line of code produced in India?

No one is going to go through the source code from something like OpenOffice and look for malicious code, and show that it does not exist; if it has off-shore content, it will not be used, period.

Enjoy going back to pen and paper then, you won't find much software anywhere that you can demonstrate has no "off-shore" content.

No, but yes (0)

Anonymous Coward | about 7 months ago | (#46421245)

Ideally, no; practically, yes. Some players, such as DPRK, have a long and celebrated history of trying to ruin everyone's fun just because they can. Demonstrable trolls should be faced with ever-increasing scrutiny where the legitimacy of the project is at stake, even if those trolls are nation-states.
