
SourceForge Removes Blanket Blocking

Posted by ScuttleMonkey
from the power-to-the-people dept.
Recently there was much gnashing of teeth as SourceForge (which shares a corporate overlord with Slashdot) started programmatically blocking users in certain countries to comply with US export restrictions. Thankfully they didn't let it end there and have found a way to put the power back in the hands of the users. "Beginning now, every project admin can click on Develop -> Project Admin -> Project Settings to find a new section called Export Control. By default, we've ticked the more restrictive setting. If you conclude that your project is *not* subject to export regulations, or any other related prohibitions, you may now tick the other check mark and click Update. After that, all users will be able to download your project files as they did before last month's change."

  • Liability? (Score:5, Interesting)

    by Anonymous Coward on Monday February 08, 2010 @12:14PM (#31062032)

    So they are letting people "opt in" to remove export controls. Who is liable if the code is subject to export restrictions, SF or the developer?

    • Re:Liability? (Score:5, Interesting)

      by Reason58 (775044) on Monday February 08, 2010 @12:17PM (#31062078)

      So they are letting people "opt in" to remove export controls. Who is liable if the code is subject to export restrictions, SF or the developer?

      Is Google liable if I Gmail you restricted encryption algorithms?

      • Re: (Score:3, Insightful)

        by Yvanhoe (564877)
        But before opening a project on sourceforge, you have to describe your proposal and they manually accept or not. That could be argued to be editorial control. This is not exactly a gmail situation.
        • Re: (Score:3, Interesting)

          by Ihmhi (1206036)

          Yes, but once you're actually in, the project can change from exportable to non-exportable very quickly.

          For instance, let's say you start with an open source compressor sort of program like Winrar. No biggie there. But then in version 0.42 you add in encryption. At the start everything was peachy keen, but the second you put on that encryption you should, by law, restrict its export.

      • Re: (Score:3, Informative)

        by casualsax3 (875131)
        The distribution of source code (encryption in particular) is explicitly protected under the First Amendment:

        http://en.wikipedia.org/wiki/Bernstein_v._United_States [wikipedia.org]

      • Re: (Score:3, Insightful)

        by westlake (615356)

        Is Google liable if I Gmail you restricted encryption algorithms?

        Google isn't hosting the file or providing you with a "home page" for your project. Sourceforge is much more exposed.

      • Are torrent sites liable when they link to torrent files which allow you to download things?

        Logic doesn't always apply in the world of tech laws.
    • by snmpkid (93151)

      Likely both

    • It's a wink, and probably both.
    • That's why they are doing it this way. If they had it by default off someone might argue, perhaps successfully, that it was Sourceforge's fault since they didn't stop it from happening. However here they are blocking it by default and the screen probably has something along the lines of "You certify this is ok for export by removing this." Thus if it comes up, it is on the user. They made the change, they should have reasonably been aware of what it was for and made sure their software was ok.

  • This is dumb. The terrorists will just get their mates in another country to get whatever it is they want.

    Only the kind of stupid Americans that thought that restricting the export of encryption technology would actually work would think of this. What happened there? They all got it anyway.

    What exactly do they hope to achieve with this stupidity?

    • by BHearsum (325814) on Monday February 08, 2010 @12:24PM (#31062158) Homepage

      They hope to avoid liability.

    • Re: (Score:3, Interesting)

      by Locke2005 (849178)
      Why does this require "mates" in another country? Can't they just go through a proxy server in another country?
      • It requires mates to operate the proxy server.
        • Re: (Score:3, Insightful)

          by CastrTroy (595695)
          Or any of the millions of the completely open proxy servers.
          • by Locke2005 (849178)
            Is there a definitive list of these proxy servers anywhere? 'Cause I'm looking for some kiddy... er, looking to leak classified government... er, wanting to exercise my right to anonymous speech by stalking my ex... er, well I'd just like to surf anonymously, ok?
    • by 2short (466733) on Monday February 08, 2010 @12:34PM (#31062254)
      They are complying with the law. Certainly, what they are doing is stupid and will be completely ineffective. But that's hard to avoid when complying with a law that is stupid and completely ineffective.
      • Re: (Score:3, Insightful)

        by vlm (69642)

        But that's hard to avoid when complying with a law that is stupid and completely ineffective.

        How is it stupid and ineffective if the purpose was to enlarge/preserve the great American bureaucracy and secondarily harass O.S. developers?

        • by Gerald (9696)

          It's much easier to distribute open source crypto software than closed source in the U.S. You just have to send a couple of emails [doc.gov]. Closed source crypto requires jumping through many hoops, and is much closer to "harassment".

        • by 2short (466733)

          If we assume the purpose was to enlarge government bureaucracy, then it's ineffective because it hasn't much. The compliance burden is all on the developers. Ditto if the purpose is to harass O.S. developers, because it really only causes much problem for commercial encryption software, which is generally closed source.

          So the answer to "How is it ineffective?" is pretty much the same whether you assume its overt purpose, or one of your supposed hidden ones.

          The answer to "How is it stupid?" does not depend
    • by Z00L00K (682162)

      And if they can't get it they will write their own encryption.

      It's a lot harder to decipher something that's encrypted than to apply a simple algorithm to it. If you do encounter something that's encrypted you will first have to figure out how it is encrypted before you even start to look for the key.

      And steganography is another way of doing exchange of information. Who knows - some pr0n may actually contain hidden messages.

    • by hairyfeet (841228)

      They hope to avoid liability and at the same time have a "wink wink, nudge nudge" kind of situation like those codecs you're not supposed to have in Linux in certain countries unless you bend over and pay your license fee, you cock smoking tea baggers?

      Seriously it is no different than the codecs you're not supposed to have in Linux, that everyone has anyway, or the DVD rippers you aren't supposed to use in the USA, which of course everyone...well you get the idea. YOU know it is bullshit, I know it is bulls

    • by harlows_monkeys (106428) on Monday February 08, 2010 @03:11PM (#31064168) Homepage

      Only the kind of stupid Americans that thought that restricting the export of encryption technology would actually work[...]

      I'm curious. How do the stupid Americans who think that differ from the stupid Europeans who think that? Or were you not aware that European countries and the EU also have similar export restrictions?

  • Duh (Score:4, Interesting)

    by Locke2005 (849178) on Monday February 08, 2010 @12:29PM (#31062208)
    Why not simply host the servers in a country that doesn't have brain-dead restrictions on the "export" of ones and zeros? One that doesn't classify encryption/decryption code as a "munition"?
    • Re:Duh (Score:4, Insightful)

      by HungryHobo (1314109) on Monday February 08, 2010 @12:46PM (#31062374)

      Feel free to rent a server in some random country and mirror sourceforge.

    • Why not simply host the servers in a country that doesn't have brain-dead restrictions on the "export" of ones and zeros? One that doesn't classify encryption/decryption code as a "munition"?

      I'd imagine that not working too well if the company responsible is still located in the US. Hm, maybe if the non-US servers wouldn't accept uploads from US IP addresses?

    • Re: (Score:3, Interesting)

      by tagno25 (1518033)
      It is not considered a "munition" any more. http://xkcd.com/504/ [xkcd.com]
    • by steelfood (895457)

      IANAL, but I believe any US developer will then have to completely censor the code they upload to those servers. Though, I'm sure it'd be fine if a US developer gave a German developer the code to upload to said offshore servers, but it might still be a violation if the US developer uploaded it himself.

      Of course, proving that the code was downloaded by the "bad" people in the "bad" countries will be up to the government, but since Sourceforge is a US company, they'd suddenly be liable for the records.

      • I am fairly certain that Germany is already a member of the same treaties. The German developer would just be charged instead. Some information, like some physical devices, only has use for killing. Is there some qualitative difference that makes it wrong to regulate such information, but ok to regulate the devices?

        • Re: (Score:3, Insightful)

          by Locke2005 (849178)
          Some information... only has use for killing. I can't think of any information that would make it easier to kill that couldn't also be used to help prevent death. In the technological realm, almost everything is a two-edged sword. Security by obscurity is a poor means of defense.
          • by bws111 (1216812)
            Well if what you are dealing with is weapon systems (which is what these restrictions are about), then preventing your enemy from avoiding death is exactly what you want to do. Security by obscurity is only bad if you are counting on your enemy never figuring out a particular thing. However, it is very valuable as a way of keeping your enemy off guard, by having him constantly have to figure out what you already know while you move on to the next thing.
            • by Locke2005 (849178)
              I didn't say that the government had no legitimate "national security" interest in preventing the dissemination of certain information. What I said was that I could not imagine any information that was useful only "for killing". The fact that one's enemies could use information about one's weapon systems to avoid getting killed by them only supports my point.
              • Isn't obscurity exactly what you want until you figure out a counter? If I figured out how to turn a bunch of smoke detectors and cleaning chemicals into a thermo-nuke that fits in a shoe heel, I don't think I'd make the plans public right away. Yes the public as a whole knowing how it worked would speed up the effort to build a detector, but not as much as it would speed up some teenager with a bad week making something nasty in chem lab. Don't they withhold details on a linux kernel bug until they get i

      • by bws111 (1216812)

        You are 100% wrong. First, the export controls are not simply 'ok to export freely and not ok to export to country x'. The controls are 'export license required' and 'no license required'. If you are developing something that is export controlled, and you wish to export it (including putting on an open server), you must obtain a license. That license will state the terms under which it may be exported, and who it may be exported to. If your license says it is OK to export to Germany, it will probably

        • (including putting on an open server)

          In my experience there seem to be (INAL and ICNYL) specific exceptions for systems which are publicly available for free download. That should apply to most of sourceforge.

    • Re: (Score:3, Informative)

      by NeoSkandranon (515696)

      As was said many times in the original article, the issue is the country the business is based in and the laws there. It doesn't matter one ounce where the servers are located.

    • by westlake (615356)

      Why not simply host the servers in a country that doesn't have brain-dead restrictions on the "export" of ones and zeros? One that doesn't classify encryption/decryption code as a "munition"?

      Moving your servers abroad to avoid export controls pretty much guarantees that you will be prosecuted in the states.

      Export controls are not unique to the U.S., and they are not limited to encryption. This is serious shit and you had damn well better know what you are getting into.

    • by jittles (1613415)
      I think the issue at hand is that Sourceforge's corporate overlord is based out of the US. I'm pretty sure if they break any of the rules in ITAR (I believe encryption is considered to be a weapon) then they could be held liable. Even if they host everything out of the US.
    • Re: (Score:2, Interesting)

      by LingNoi (1066278)

      There already is. It's called launchpad.net and it's free from:

      - US software patent law
      - stupid DMCA take downs ala battle net emulator
      - this silly export law
      - sourceforge's adverts which take up 40% of the page

      I don't know why anyone bothers using sourceforge anymore. It was great when it was the only solution but now there are MUCH better options. Especially now they're blocking non-US connections.

      • by Locke2005 (849178)
        As usual, the unintended consequences of brain-dead US policy is to actively encourage progressive businesses to locate elsewhere... good work sending those jobs overseas, US Congress! Now if we could just find a way to offshore our politicians...
  • Hmmm (Score:5, Interesting)

    by mewsenews (251487) on Monday February 08, 2010 @12:29PM (#31062212) Homepage

    As a Canadian locked out of Hulu and Comedy Central's web clips, I wish geolocation based on IP would burn in hell already.

    That being said:

    There was a Syrian developer commenting on the story about the original announcement, he was justifiably pissed off that Sourceforge had decided to deny him access to his own work. Does this change allow him to work on his project in peace?

    Has Slashdot decided to stop mentioning that Sourceforge is owned by the same parent company? They're sure trying to do some damage control by going straight to Slashdot's front page with their weird opt-in workaround..

  • Huh? (Score:3, Interesting)

    by leuk_he (194174) on Monday February 08, 2010 @12:32PM (#31062236) Homepage Journal

    I can code. I am not american. I am not a lawyer. People are downloading from local mirrors, not from USA. How can i say if the project should be restricted or not?

    Why does the USA government not build a firewall to prevent exporting any American byte to the restricted list?

    • by thijsh (910751) on Monday February 08, 2010 @12:48PM (#31062402) Journal
      The problem is the cost of the special made-in-USA-color-electron-microscope, they have to check each byte to see if it contains red, white and blue electrons.
      • by clickety6 (141178)

        American bytes just have fatter bits than non-American bytes so it's easy to recognize them.
        They're the bytes made up of 0s and 2s.

      • Electron microscopes? You're making this way too hard on yourself. The "American byte" is right after the "evil bit" in the packet header.
    • Why does the USA government not build a firewall to prevent exporting any American byte to the restricted list?

      Have you got a list of the restricted bytes? Actually, it'd be simpler if you just listed which bits are restricted, 0s, 1s, or possibly both...

  • by JoshuaZ (1134087) on Monday February 08, 2010 @12:36PM (#31062276) Homepage
    Yeah. These restrictions make so much sense. Because we all know that North Korea has no way to get access to any servers outside North Korea. And no one can use a proxy server at all. And they really are going to be absolutely helpless without the tiny open-source projects. This is as ridiculous as the old restrictions on exporting encryption (at least those got removed a few years ago).
  • by neo00 (1667377) on Monday February 08, 2010 @12:39PM (#31062312)
    Great news, and this is a brave thing to do :) Blindly blocking all SF projects to some people was wrong. I said this before, US export laws should only apply to US products. OpenSource/Free software projects should stay "open" and "free/libre" to everybody. Those who worked hard on these projects, including developers from the banned countries, should have the right to decide whether their projects should be blocked or not. Some said the law applies to SF just because they host the projects. If the law was strict to this level then the whole internet should be banned to these countries.
    • Re: (Score:2, Insightful)

      should only...should stay...should have...should be...

      Well, if you really want all these should've...could've...would've(s), then you and your neighbors should vote for politicians that will handle the issue properly. If you're going to cry about how the "system" is rigged against you, save your breath. I'll have none of it. You all are just cursing darkness instead of lighting a candle. There is no law on the books that require you to vote for spoon fed by mass media candidates.. yet.

      • by HiThere (15173)

        Right. And I got two choices who have a reasonable chance of winning. Sometimes they both back this kind of law, the rest of the time one backs it, and the other doesn't mention it. Or occasionally neither mentions it.

        I can't even recall a time that one lied, and said he was opposed to it.

        In the above two paragraphs, "it" refers to "export conditions and controls on software". And the normal case is that nobody will tell you their position on it.

    • "Some said the law applies to SF just because they host the projects. If the law was strict to this level then the whole internet should be banned to these countries."

      The law IS that strict. And no, the whole internet should not be banned. This is about encryption, not information.

  • At least consider it.

    • To which country? (Score:3, Interesting)

      by tepples (727027)
      Which developed country is willing to take thousands of refugees from the U.S. copyright regime, software patent regime, mobile phone regulatory regime, and other results of bought senators [wikipedia.org]?
  • Dump sourceforge (Score:5, Insightful)

    by starsong (624646) on Monday February 08, 2010 @12:45PM (#31062360)

    Why the hell does anyone even use SourceForge anymore? Their tools suck, the site is beyond slow and plastered with ads, and you have to play download roulette with their crappy 90s-era mirroring system. Plus you get crazy decrees like this from whatever's going on at the top. It's not like there aren't alternatives these days. Google Code is awesome by comparison.

    • Re: (Score:2, Informative)

      by Infiniti2000 (1720222)

      Google Code is awesome by comparison.

      I'm guessing you didn't bother to read the Google Code TOS [google.com]? It puts the blame solely on the developer. Given that it's Google with a boatload of money to throw at attorneys, chances are that it's airtight for them in a legal battle should the need arise.

      • by starsong (624646)

        As opposed to what? If there is an export-control problem (not likely), do you really expect SourceForge's TOS to protect you?

      • by Toonol (1057698)
        I'm guessing you didn't bother to read the Google Code TOS [google.com]? It puts the blame solely on the developer.

        Isn't that where blame would belong?
    • Of my local ISPs, I can think of one which offers free access to google code, but they almost all mirror sourceforge for their customers. Free, fast, access is pretty appealing to project founders.

  • by steelfood (895457) on Monday February 08, 2010 @12:48PM (#31062394)

    ...that projects such as TOR and Freenet exist.

  • Stupid, stupid law (Score:4, Insightful)

    by bcmm (768152) on Monday February 08, 2010 @12:53PM (#31062450)
    The USA has compiled a list of the countries it considers most repressive, and attempted to forbid the citizens of those countries from using encrypted communications... I don't think the governments on that list mind.
  • by John Hasler (414242) on Monday February 08, 2010 @12:56PM (#31062472) Homepage

    ...necessary. Why has Source Forge suddenly decided that it is?

  • war (Score:3, Funny)

    by anonieuweling (536832) on Monday February 08, 2010 @01:17PM (#31062768)
    A couple of weeks ago, to ensure compliance with US law as we roll out improvements to SourceForge.net, we began programmatically blocking access to the site for users in certain countries against which the US government imposes sanctions.
    `Sanctions` are acts of WAR
    So private corporations assist in illegal types of warfare by the US government which is legally owned by the deepest pockets.
    How can SourceForge allow project admins to circumvent this law that provides for teh safety of all scared american peeple?
    I mean, first it is law and now the project admin, who can be non-american -terrorist?- , can decide?
    • by vlm (69642)

      `Sanctions` are acts of WAR

      Uh, no, they are not.

      You can work it two directions, going from "acts of war" toward sanctions or from sanctions toward acts of war. Neither direction works either logically or by authoritative definitions or by historical precedence.

      illegal types of warfare by the US government

      So, you can evaluate this one, either by the golden rule, he who has the gold makes the rules, in which case it's not possible for a government to do something illegal (although individual members might do something illegal). Or, you can evaluate it in a traditional historica

      • by Zey (592528)
        vlm (69642) wrote:

        anonieuweling (536832) wrote:

        `Sanctions` are acts of WAR

        Uh, no, they are not.

        Quite true. They're not an act of war of themselves, just the last non-combat stage before an American war against whichever third world nation they've opted to target during this Presidential term, usually for resources or strategic advantage.

        Sanctions by non-US groups tend to be more about changing behavior rather than intentionally starving a nation to weaken it prior to an invasion.

    • "`Sanctions` are acts of WAR"

      Don't be silly.

  • The choices are

    1) This project does NOT incorporate, access, call upon, or otherwise use encryption of any kind, including, but not limited to, open source algorithms and/or calls to encryption in the operating system or underlying platform.

    and

    2) This project DOES incorporate, access, call upon or otherwise use encryption. Posting of open source encryption is controlled under U.S. Export Control Classification Number "ECCN" 5D002 and must be simultaneously reported by email to the U.S. government. You are r

    • by vlm (69642)

      However, I firmly believe that the U.S. Bureau of Industry and Security will not appreciate my TSU notification.

      And you'd be wrong. Somewhere out there, a bureaucrat is pining away daydreaming of being able to successfully process just one more TSU notification, whatever that means. Probably just index it and file it away somewhere. Just one more dot on his metrics graph and he gets the big performance bonus, and/or gets to hire another headcount to process the notifications. Come on Lorens(597774), send in a notification and make his day!

    • Whoa there Tiger (Score:3, Informative)

      by mpapet (761907)

      My project FileUniq is plain python, and executes a call to "md5" in order to get a hash.

      MD5 is non-special (and deprecated anyway) no one at the BIS would give you a moment's difficulty. Worst case scenario, notify the BIS and they send you an official reply. I know this because I've worked with the BIS to export encryption technology. They were very easy to work with and tolerated my inexperience. Call them and explain your situation.

      Sourceforge's language is a little daunting. A (new?) lawyer (justi

      • by mpapet (761907)

        Pfft... I forgot to mention MD5 is a hashing algorithm, not really encryption per se...

  • I guess SourceForge has vetted this process with its attorneys, but I must be missing something. If a project admin opens up his project's block, he's personally criminally liable should some citizen of a country on the wrong list [gpo.gov] see a controlled technology from one of SourceForge's servers. That's scary enough for US citizens residing in the US. However, SourceForge doesn't provide the admins (AFAIK) with any export control training, or even vet their citizenship; an admin in Syria, with Syrian citizen

  • Reality Check (Score:3, Insightful)

    by mpapet (761907) on Monday February 08, 2010 @01:54PM (#31063246) Homepage

    The number one reason why this is *very* much ado about nothing is that the projects the U.S. Government would have any interest in AT ALL are novel and strong encryption schemes. To satisfy both novel and strong conditions puts one into a *very* small and elite group.

    Sure, there are many projects that implement standard/weak/known encryption. That's completely different than a project that implements legitimately novel AND strong to the point of piquing the interest of the BIS/spooks. I don't know for sure, but zrtp might be an example.

    An American company can export SSL/TLS/PKI and similar, crypto products without ever drawing the interest of the BIS. I guess at some point in distant history, this was not the case. As someone that actually worked with the BIS on getting encryption export compliance it has been easy for a long time.

    • by jonwil (467024)

      Unless the NSA has a supercomputer more powerful than anything on the Top 10 list hidden underneath their building somewhere I don't see them being able to crack 2048 bit RSA or 256 bit AES anytime soon.

      • But those are both already available all over the world, so preventing yet another implementation of them being exported wouldn't achieve anything.

  • by presidenteloco (659168) on Monday February 08, 2010 @01:56PM (#31063266)

    The USA is squandering some of its technological lead and economic opportunities with dumb-ass laws.

    I've already had to stop hosting several online businesses in the US due to the patriot act and international customers' unwillingness to have their data stored in the US.

    Stem cell research was set back a decade by Christian fundamentalist opposition making its way into federal law.

    Laws restricting export of US software just result in software being innovated faster elsewhere.

    As Freeman Dyson once said: The best way to defeat soviet communism would be to ship Apple computers to their population en masse. He was basically right, though who knew it would be cloned PCs that would do the trick.

  • I congratulate SourceForge on empowering their users to choose for themselves, but I'm still moving my stuff elsewhere. Not just because of the country restrictions, but also because I don't like the new (slow, heavy, buggy) interface, and because I've been getting dropped connections from them.

    The question is: what is the best place to move to?

  • Source forge was blocking downloads by Blanket Jackson [mirror.co.uk]??? I didn't even know he was an open source hacker! He doesn't really look old enough...
  • The two options given in the SourceForge.net project settings are:

    1. This project does NOT incorporate, access, call upon, or otherwise use encryption of any kind, including, but not limited to, open source algorithms and/or calls to encryption in the operating system or underlying platform.

    2. This project DOES incorporate, access, call upon or otherwise use encryption. Posting of open source encryption is controlled under U.S. Export Control Classification Number "ECCN" 5D002 and must be simultaneously rep

    • Lie lie lie
      Lye lie lye
      Li li Lie li li lie lye lye la la Lie

      (variations in spelling to defeat postercomment compression filter.)

    • by Tanuki64 (989726)
      I activated the first option for all my projects. First, I don't care for American laws. I am not American and will never visit Satan's own country. Second, some of my projects use the openssl libs, but they are not included in my projects, so I don't even less.
  • Last I looked the GPL doesn't allow the distributor (sourceforge in this case) to discriminate against "persons or groups". Thus saying sourceforge legally cannot distribute GPL code if they promote a discriminatory system (and they are) even if you can duck shove the responsibility to the author (nor can the author use the GPL under these circumstances).
    • by RoboRay (735839)

      In that case, the GPL is illegal in the US. I'm pretty sure law trumps licensing.

  • Damnit, I need my blanket to keep warm!
