SourceForge Removes Blanket Blocking
Recently there was much gnashing of teeth as SourceForge (which shares a corporate overlord with Slashdot) started programmatically blocking users in certain countries to comply with US export restrictions. Thankfully they didn't let it end there and have found a way to put the power back in the hands of the users. "Beginning now, every project admin can click on Develop -> Project Admin -> Project Settings to find a new section called Export Control. By default, we've ticked the more restrictive setting. If you conclude that your project is *not* subject to export regulations, or any other related prohibitions, you may now tick the other check mark and click Update. After that, all users will be able to download your project files as they did before last month's change."
Liability? (Score:5, Interesting)
So they are letting people "opt in" to remove export controls. Who is liable if the code is subject to export restrictions, SF or the developer?
Re:Liability? (Score:5, Interesting)
So they are letting people "opt in" to remove export controls. Who is liable if the code is subject to export restrictions, SF or the developer?
Is Google liable if I Gmail you restricted encryption algorithms?
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
Yes, but once you're actually in the project can change from exportable to non-exportable very quickly.
For instance, let's say you start with an open source compressor sort of program like Winrar. No biggie there. But then in version 0.42 you add in encryption. At the start everything was peachy keen, but the second you put on that encryption you should, by law, restrict its export.
Re: (Score:2)
I challenge you to sell rum to Cuba via Sourceforge!
Re: (Score:3, Informative)
http://en.wikipedia.org/wiki/Bernstein_v._United_States
Re: (Score:3, Insightful)
Is Google liable if I Gmail you restricted encryption algorithms?
Google isn't hosting the file or providing you with a "home page" for your project. Sourceforge is much more exposed.
Re: (Score:2)
Re: (Score:2)
Logic doesn't always apply in the world of tech laws.
Re: (Score:1)
Likely both
Re: (Score:2)
The user (Score:2)
That's why they are doing it this way. If they had it by default off someone might argue, perhaps successfully, that it was Sourceforge's fault since they didn't stop it from happening. However here they are blocking it by default and the screen probably has something along the lines of "You certify this is ok for export by removing this." Thus if it comes up, it is on the user. They made the change, they should have reasonably been aware of what it was for and made sure their software was ok.
This is completely stupid. (Score:2, Insightful)
This is dumb. The terrorists will just get their mates in another country to get whatever it is they want.
Only the kind of stupid Americans that thought that restricting the export of encryption technology would actually work would think of this. What happened there? They all got it anyway.
What exactly do they hope to achieve with this stupidity?
Re:This is completely stupid. (Score:4, Insightful)
They hope to avoid liability.
Re: (Score:3, Interesting)
Mates in another country (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
Re:This is completely stupid. (Score:5, Insightful)
Re: (Score:3, Insightful)
But that's hard to avoid when complying with a law that is stupid and completely ineffective.
How is it stupid and ineffective if the purpose was to enlarge/preserve the great American bureaucracy and secondarily harass O.S. developers?
Re: (Score:2)
It's much easier to distribute open source crypto software than closed source in the U.S. You just have to send a couple of emails [doc.gov]. Closed source crypto requires jumping through many hoops, and is much closer to "harassment".
Re: (Score:2)
If we assume the purpose was to enlarge government bureaucracy, then it's ineffective because it hasn't much. The compliance burden is all on the developers. Ditto if the purpose is to harass O.S. developers, because it really only causes much problem for commercial encryption software, which is generally closed source.
So the answer to "How is it ineffective?" is pretty much the same whether you assume its overt purpose, or one of your supposed hidden ones.
The answer to "How is it stupid?" does not depend
Re: (Score:3, Interesting)
Well, when you need to choose between a stupid candidate and an abominable one, sometimes stupid is the better choice. Usually, though, they aren't *actually* stupid. They're just cleverly disguising their goals. But they *aren't* experts in any field except getting elected, and, possibly, law. So they make decisions that look stupid to anyone expert in ANY other field. And that's almost everybody. (They just disagree about which decisions were stupid.)
Re: (Score:2)
>hence the corporations of the US who got the lawmakers into office are stupid.
There, corrected that for you.
Re: (Score:2)
If you were correct, the word "this" in his third sentence would refer to "restricting the export of encryption technology", so he'd be saying only those who would think this would would think this would work. So my interpretation is correct, unless you suggest a slashdot poster might say something silly, or with imperfect grammar; which I refuse to contemplate.
Re: (Score:2)
And if they can't get it they will write their own encryption.
It's a lot harder to decipher something that's encrypted than to apply a simple algorithm to it. If you do encounter something that's encrypted you will first have to figure out how it is encrypted before you even start to look for the key.
And steganography is another way of doing exchange of information. Who knows - some pr0n may actually contain hidden messages.
Re: (Score:2)
Re:This is completely stupid. (Score:4, Informative)
Only the kind of stupid Americans that thought that restricting the export of encryption technology would actually work[...]
I'm curious. How do the stupid Americans who think that differ from the stupid Europeans who think that? Or were you not aware that European countries and the EU also have similar export restrictions?
Duh (Score:4, Interesting)
Re:Duh (Score:4, Insightful)
Feel free to rent a server in some random country and mirror sourceforge.
Re: (Score:2)
Re: (Score:2)
Why not simply host the servers in a country that doesn't have brain-dead restrictions on the "export" of ones and zeros? One that doesn't classify encryption/decryption code as a "munition"?
I'd imagine that not working too well if the company responsible is still located in the US. Hm, maybe if the non-US servers wouldn't accept uploads from US IP addresses?
Re: (Score:3, Interesting)
Re: (Score:2)
IANAL, but I believe any US developer will then have to completely censor the code they upload to those servers. Though, I'm sure it'd be fine if a US developer gave a German developer the code to upload to said offshore servers, but it might still be a violation if the US developer uploaded it himself.
Of course, proving that the code was downloaded by the "bad" people in the "bad" countries will be up to the government, but since Sourceforge is a US company, they'd suddenly be liable for the records.
Don't think so (Score:2)
I am fairly certain that Germany is already a member of the same treaties. The German developer would just be charged instead. Some information, like some physical devices, only has use for killing. Is there some qualitative difference that makes it wrong to regulate such information, but ok to regulate the devices?
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Obscurity (Score:2)
Isn't obscurity exactly what you want until you figure out a counter? If I figured out how to turn a bunch of smoke detectors and cleaning chemicals into a thermo-nuke that fits in a shoe heel, I don't think I'd make the plans public right away. Yes the public as a whole knowing how it worked would speed up the effort to build a detector, but not as much as it would speed up some teenager with a bad week making something nasty in chem lab. Don't they withhold details on a linux kernel bug until they get i
Re: (Score:2)
You are 100% wrong. First, the export controls are not simply 'ok to export freely and not ok to export to country x'. The controls are 'export license required' and 'no license required'. If you are developing something that is export controlled, and you wish to export it (including putting on an open server), you must obtain a license. That license will state the terms under which it may be exported, and who it may be exported to. If your license says it is OK to export to Germany, it will probably
Re: (Score:2)
(including putting on an open server)
In my experience there seem to be (INAL and ICNYL) specific exceptions for systems which are publicly available for free download. That should apply to most of sourceforge.
Re: (Score:3, Informative)
As was said many times in the original article, the issue is the country the business is based in and the laws there. It doesn't matter one ounce where the servers are located.
Re: (Score:2)
Why not simply host the servers in a country that doesn't have brain-dead restrictions on the "export" of ones and zeros? One that doesn't classify encryption/decryption code as a "munition"?
Moving your servers abroad to avoid export controls pretty much guarantees that you will be prosecuted in the states.
Export controls are not unique to the U.S., and they are not limited to encryption. This is serious shit and you had damn well better know what you are getting into.
Re: (Score:2)
Re: (Score:2, Interesting)
There already is. It's called launchpad.net and it's free from:
- US software patent law
- stupid DMCA take downs ala battle net emulator
- this silly export law
- sourceforge's adverts which take up 40% of the page
I don't know why anyone bothers using sourceforge anymore. It was great when it was the only solution but now there are MUCH better options. Especially now they're blocking non-US connections.
Re: (Score:2)
Hmmm (Score:5, Interesting)
As a Canadian locked out of Hulu and Comedy Central's web clips, I wish geolocation based on IP would burn in hell already.
That being said:
There was a Syrian developer commenting on the story about the original announcement, he was justifiably pissed off that Sourceforge had decided to deny him access to his own work. Does this change allow him to work on his project in peace?
Has Slashdot decided to stop mentioning that Sourceforge is owned by the same parent company? They're sure trying to do some damage control by going straight to Slashdot's front page with their weird opt-in workaround..
Re: (Score:2)
Crap, the story does have a "shares a corporate overlord" clause.
Huh? (Score:3, Interesting)
I can code. I am not american. I am not a lawyer. People are downloading from local mirrors, not from USA. How can i say if the project should be restricted or not?
Why does the USA government not build a firewall to prevent exporting any American byte to the restricted list?
How to check for an 'American' byte? (Score:4, Funny)
Re: (Score:2)
American bytes just have fatter bits than non-American bytes so it's easy to recognize them.
They're the bytes made up of 0s and 2s.
Re: (Score:2)
Re: (Score:2)
Have you got a list of the restricted bytes? Actually, it'd be simpler if you just listed which bits are restricted, 0s, 1s, or possibly both...
And these restrictions makes so much sense (Score:5, Insightful)
Re: (Score:3, Insightful)
I'm fairly sure those restrictions were never actually dropped.
they just gave up trying to enforce them.
Re:And these restrictions makes so much sense (Score:5, Informative)
Re: (Score:1, Interesting)
Because we all know that North Korea has no way to get access to any servers outside North Korea.
I wouldn't worry about that since North Korea basically has no Internet [wikipedia.org].
The right thing to do :) (Score:4, Insightful)
Re: (Score:2, Insightful)
should only...should stay...should have...should be...
Well, if you really want all these should've...could've...would've(s), then you and your neighbors should vote for politicians that will handle the issue properly. If you're going to cry about how the "system" is rigged against you, save your breath. I'll have none of it. You all are just cursing darkness instead of lighting a candle. There is no law on the books that require you to vote for spoon fed by mass media candidates... yet.
Re: (Score:2)
Right. And I got two choices who have a reasonable chance of winning. Sometimes they both back this kind of law, the rest of the time one backs it, and the other doesn't mention it. Or occasionally neither mentions it.
I can't even recall a time that one lied, and said he was opposed to it.
In the above two paragraphs, "it" refers to "export conditions and controls on software". And the normal case is that nobody will tell you their position on it.
Re: (Score:2)
Sorry. Somehow the 've must have been skipped after "And I". (Yeah, it's still not literally true, as it's not currently time for an election.)
Sometimes I vote for a minority candidate, but I know how the voting system works. The fix is in, so I might as well not vote as vote for a minority party. (And in any case, the minority party candidates are often as bad as the majority party candidate, and almost none of them mention exports of software.)
OTOH, local elections are going to start being instant run
Re: (Score:2)
I read that, but I ignored it. Intentionally. It seems to me a stupid argument. (Note my comment about how IRV changes things.)
Tell me, do you buy lottery tickets? Do you expect to win? Do you buy more to increase your chance of winning? That would make as much sense as your argument, and is roughly analogous.
Re: (Score:2)
"Some said the law applies to SF just because they host the projects. If the law was strict to this level then the whole internet should be banned to these countries."
The law IS that strict. And no, the whole internet should not be banned. This is about encryption, not information.
Move outside of the United States (Score:1)
At least consider it.
To which country? (Score:3, Interesting)
Dump sourceforge (Score:5, Insightful)
Why the hell does anyone even use SourceForge anymore? Their tools suck, the site is beyond slow and plastered with ads, and you have to play download roulette with their crappy 90s-era mirroring system. Plus you get crazy decrees like this from whatever's going on at the top. It's not like there aren't alternatives these days. Google Code is awesome by comparison.
Re: (Score:2, Informative)
Google Code is awesome by comparison.
I'm guessing you didn't bother to read the Google Code TOS [google.com]? It puts the blame solely on the developer. Given that it's Google with a boatload of money to throw at attorneys, chances are that it's airtight for them in a legal battle should the need arise.
Re: (Score:2)
As opposed to what? If there is an export-control problem (not likely), do you really expect SourceForge's TOS to protect you?
Re: (Score:2)
Isn't that where blame would belong?
Re: (Score:2)
Of my local ISPs, I can think of one which offers free access to google code, but they almost all mirror sourceforge for their customers. Free, fast, access is pretty appealing to project founders.
Re: (Score:2)
Re: (Score:2)
In fact I did. Seems they only added it sometime last year, well after I had abandoned them for greener fields. Github still has sourceforge cornered in the "good website" ring though, particularly with sourceforge's recent godawful website redesign.
It is for these reasons... (Score:4, Insightful)
...that projects such as TOR and Freenet exist.
Re: (Score:2)
Stupid, stupid law (Score:4, Insightful)
Debian has never found this sort of blocking... (Score:5, Interesting)
...necessary. Why has Source Forge suddenly decided that it is?
Re: (Score:3, Informative)
Never say never... Admittedly this battle ended about a decade ago. Not sure how/why SF caught up with the 90s and had their little fit.
http://www.debian.org/legal/cryptoinmain
Re: (Score:2)
Not sure how/why SF caught up with the 90s and had their little fit.
Judging from their site's appearance, I'd say they never left the 90's.
Because they distribute standard crypto (Score:2)
OpenSSL and PKI-integrated projects all use standard crypto libraries that are based on standard crypto technology.
The BIS's interest lies in novel and strong encryption schemes. The difficulty of which is hard to describe.
war (Score:3, Funny)
`Sanctions` are acts of WAR
So private corporations assist in illegal types of warfare by the US government which is legally owned by the deepest pockets.
How can SourceForge allow project admins to circumvent this law that provides for teh safety of all scared american peeple?
I mean, first it is law and now the project admin, who can be non-american -terrorist?- , can decide?
Re: (Score:2)
`Sanctions` are acts of WAR
Uh, no, they are not.
You can work it two directions, going from "acts of war" toward sanctions or from sanctions toward acts of war. Neither direction works either logically or by authoritative definitions or by historical precedence.
illegal types of warfare by the US government
So, you can evaluate this one, either by the golden rule, he who has the gold makes the rules, in which case it's not possible for a government to do something illegal (although individual members might do something illegal). Or, you can evaluate it in a traditional historica
Re: (Score:2)
Quite true. They're not an act of war of themselves, just the last non-combat stage before an American war against whichever third world nation they've opted to target during this Presidential term, usually for resources or strategic advantage.
Sanctions by non-US groups tend to be more about changing behavior rather than intentionally starving a nation to weaken it prior to an invasion.
Re: (Score:2)
"`Sanctions` are acts of WAR"
Don't be silly.
Stupid options, need CowboyMcNeal (Score:2)
The choices are
1) This project does NOT incorporate, access, call upon, or otherwise use encryption of any kind, including, but not limited to, open source algorithms and/or calls to encryption in the operating system or underlying platform.
and
2) This project DOES incorporate, access, call upon or otherwise use encryption. Posting of open source encryption is controlled under U.S. Export Control Classification Number "ECCN" 5D002 and must be simultaneously reported by email to the U.S. government. You are r
Re: (Score:2)
However, I firmly believe that the U.S. Bureau of Industry and Security will not appreciate my TSU notification.
And you'd be wrong. Somewhere out there, a bureaucrat is pining away daydreaming of being able to successfully process just one more TSU notification, whatever that means. Probably just index it and file it away somewhere. Just one more dot on his metrics graph and he gets the big performance bonus, and/or gets to hire another headcount to process the notifications. Come on Lorens(597774), send in a notification and make his day!
Whoa there Tiger (Score:3, Informative)
My project FileUniq is plain python, and executes a call to "md5" in order to get a hash.
MD5 is non-special (and deprecated anyway) no one at the BIS would give you a moment's difficulty. Worst case scenario, notify the BIS and they send you an official reply. I know this because I've worked with the BIS to export encryption technology. They were very easy to work with and tolerated my inexperience. Call them and explain your situation.
Sourceforge's language is a little daunting. A (new?) lawyer (justi
Re: (Score:2)
Pfft... I forgot to mention MD5 is a hashing algorithm, not really encryption per se...
Will this work? (Score:2)
I guess SourceForge has vetted this process with its attorneys, but I must be missing something. If a project admin opens up his project's block, he's personally criminally liable should some citizen of a country on the wrong list [gpo.gov] see a controlled technology from one of SourceForge's servers. That's scary enough for US citizens residing in the US. However, SourceForge doesn't provide the admins (AFAIK) with any export control training, or even vet their citizenship; an admin in Syria, with Syrian citizen
Reality Check (Score:3, Insightful)
The number one reason why this is *very* much ado about nothing is that the projects the U.S. Government would have any interest in AT ALL are novel and strong encryption schemes. To satisfy both novel and strong conditions puts one into a *very* small and elite group.
Sure, there are many projects that implement standard/weak/known encryption. That's completely different than a project that implements legitimately novel AND strong to the point of piquing the interest of the BIS/spooks. I don't know for sure, but zrtp might be an example.
An American company can export SSL/TLS/PKI and similar, crypto products without ever drawing the interest of the BIS. I guess at some point in distant history, this was not the case. As someone that actually worked with the BIS on getting encryption export compliance it has been easy for a long time.
Re: (Score:2)
Unless the NSA has a supercomputer more powerful than anything on the Top 10 list hidden underneath their building somewhere I don't see them being able to crack 2048 bit RSA or 256 bit AES anytime soon.
Re: (Score:2)
But those are both already available all over the world, so preventing yet another implementation of them being exported wouldn't achieve anything.
Counterproductive laws (Score:5, Insightful)
The USA is squandering some of its technological lead and economic opportunities with dumb-ass laws.
I've already had to stop hosting several online businesses in the US due to the patriot act and international customers' unwillingness to have their data stored in the US.
Stem cell research was set back a decade by Christian fundamentalist opposition making its way into federal law.
Laws restricting export of US software just result in software being innovated faster elsewhere.
As Freeman Dyson once said: The best way to defeat soviet communism would be to ship Apple computers to their population en masse. He was basically right, though who knew it would be cloned PCs that would do the trick.
Congratulations, but too late (Score:2)
I congratulate SourceForge on empowering their users to choose for themselves, but I'm still moving my stuff elsewhere. Not just because of the country restrictions, but also because I don't like the new (slow, heavy, buggy) interface, and because I've been getting dropped connections from them.
The question is: what is the best place to move to?
Wait... (Score:2)
Most Projects Will Remain Blocked (Score:2)
The two options given in the SourceForge.net project settings are:
1. This project does NOT incorporate, access, call upon, or otherwise use encryption of any kind, including, but not limited to, open source algorithms and/or calls to encryption in the operating system or underlying platform.
2. This project DOES incorporate, access, call upon or otherwise use encryption. Posting of open source encryption is controlled under U.S. Export Control Classification Number "ECCN" 5D002 and must be simultaneously rep
In the immortal words of Simon & Garfunkel (Score:2)
Lie lie lie
Lye lie lye
Li li Lie li li lie lye lye la la Lie
(variations in spelling to defeat postercomment compression filter.)
Re: (Score:2)
Read the GPL (Score:2)
Re: (Score:2)
In that case, the GPL is illegal in the US. I'm pretty sure law trumps licensing.
No blanket blocking! (Score:2)
Damnit, I need my blanket to keep warm!