Government Open Source

US Blocks Open Source 'Help' From These Countries (thenewstack.io) 36

Wednesday the Linux Foundation wrote that both "regulatory compliance" and "increased cybersecurity risk" were "creating burdens...that must be met" for open source communities.

And so, as Steven J. Vaughan-Nichols writes, "the Linux Foundation has released a comprehensive guide to help open source developers navigate the complex landscape of the U.S. Office of Foreign Assets Control (OFAC) sanctions..." These rules, aimed at achieving economic, foreign policy, and national security goals, apply to various interactions, including those in the open source community. The total Sanctions Programs and Country list amounts to over 17 thousand entries ranging from individuals to terrorist organizations to countries.

If that rings a bell, it's because, in October 2024, the Linux kernel developers ran right into this issue. The Linux kernel's leadership, including Greg Kroah-Hartman, the stable Linux kernel maintainer, and Linus Torvalds, Linux's founder, announced that eleven Russian kernel developers had been removed from their roles working on the Linux kernel. Why? Because, as Torvalds said, of "Russian sanctions." This, he added, in a Linux kernel mailing list (LKML) message was because "the 'various compliance requirements' are not just a US thing."

For developers, this means exercising caution about who they interact with and where their contributions originate. The sanctions target specific countries, regions, and individuals or organizations, many of which are listed on the Specially Designated Nationals and Blocked Persons (SDN) List... Most OFAC sanctions are exempted for "informational materials," which generally include open source code. However, this only applies to existing code and not to requests for new code or modifications. So, for example, working with a Russian developer on a code patch could land you in hot water... While reviewing unsolicited patches from contributors in sanctioned regions is generally acceptable, actively engaging them in discussions or improvements could cross legal boundaries... Developers are warned to be cautious of sanctioned entities attempting to contribute indirectly through third parties or developers acting "individually."

Countries currently sanctioned include:
  • Russia
  • Cuba
  • Iran
  • North Korea
  • Syria
  • The following regions of Ukraine: Crimea, Donetsk and Luhansk regions of the Ukraine.

The Linux Foundation had written that the OFAC sanctions rules are "strict liability" rules, "which means it does not matter whether you know about them or not. Violating these rules can lead to serious penalties, so it's important to understand how they might affect your open source work." But J. Vaughan-Nichols offers this quote from open source licensing attorney Heather Meeker.

"Let's be honest: Smaller companies usually ignore regulations like this because they just don't have the resources to analyze them, and a government usually ignores smaller companies because it doesn't have the resources to enforce against them. Big companies that are on the radar need specialized counsel."


  • by Registered Coward v2 ( 447531 ) on Saturday February 01, 2025 @07:05PM (#65135593)
    TFA says it’s not just a US thing, per Linus. Sanctions have been put in place by a variety of countries, and no one wants to get caught violating them, accidentally or innocently.
    • What if someone gets caught? Gitmo? Social credit score -1000?

    • Please stop. You're ruining the anti-US narrative.
      • Those countries are part of the US-led political sphere. Might as well be subservient vassal states that work in orchestration to align their security policies with the US's.

        There, that should be plenty of anti-US narrative to pass muster on this thread.

        • Because, let's just be honest with ourselves, they'd much rather integrate their economy with Russia, who has always been such a great neighbor to them, but the mean ol' US won't let them.

    • by flink ( 18449 )

      Nobody but the US cares about Cuba. That's our unique derangement.

    • by ceoyoyo ( 59147 )

      They're US sanctions. Therefore, "the US blocks."

      The US just has a habit of enforcing some of its laws outside the US so US sanctions are "not just a US thing." Asking Canada to apprehend a Hong Kong citizen for a meeting in Hong Kong with a British bank, for example.

      And Linus lives in the US of course.

  • Download or try soon or US will likely sanction it to make it disappear in US and Europe:

    The Commerce Department is said to be leading the probe, examining whether DeepSeek’s activities have violated U.S. export regulations. The department’s inquiry centers around how DeepSeek could have obtained the Nvidia AI chips—an advanced technology restricted due to its potential dual-use capabilities, which may pose national security risks if misused.

    https://qz.com/u-s-investigate... [qz.com]

  • by Anonymous Coward

    I've never met a Cuban software developer but rejecting their contributions based on some 65yo feud seems nuts.

  • by hwstar ( 35834 ) on Saturday February 01, 2025 @07:38PM (#65135659)

    If the author(s) and server is located in a country outside of the United States, what can the US do? We did this with cryptography a couple of decades ago.

    Would US developers be prohibited from contributing on a project hosted outside of the United States?

    Could United States users eventually be prevented from downloading or installing such projects? This seems like a stretch to me. More likely the US would advise people not to use the code or programs on servers outside of the United States.

    • by znrt ( 2424692 )

      what can the US do?

      emit even more paranoid sanctions, keep isolating itself, until eventually the cheerleaders and vassals are gone too. empires rise and fall, that's just a natural thing and they tend to fall kicking. as long as we can avoid a catastrophic war it will be fine, maintainers will contribute elsewhere, life goes on and ofc linux already belongs to all humanity. i'm sure american maintainers will be allowed to contribute if a fork eventually takes over.


      "I'm Finnish. Did you think I'd be *supporting* Russian
      aggression? Apparently it's not just lack of real news, it's lack of
      history knowledge too."

      https://lore.kernel.org/all/CA... [kernel.org]

      and we all knew linus can b

      • Linus is not a genius by any stretch. He's a good manager, who's made a lot of mistakes in the past and has learned from some of them.
        • Is he a good manager? What can he be compared with?

          I have to say that I find the extremely high correlation between how early one joined Linux, and how high one is in the decision making hierarchy to be very suspicious. That does not seem like a meritocracy to me.

      • does his "history knowledge" (assuming it had any bearing in this issue, which it doesn't, but so he claims) actually register the fact that the finns collaborated with the nazis and jointly attacked russia in 1941?

        More history knowledge; https://en.wikipedia.org/wiki/... [wikipedia.org]

    • by ceoyoyo ( 59147 )

      Would US developers be prohibited from contributing on a project hosted outside of the United States?

      Yes. Contributing to a project hosted outside the US is exporting. If you're exporting arms to a sanctioned entity, or someone who does business with a sanctioned entity, you could get arrested.

      Freedom!

  • "... now cut the red wire... NO WAIT the BLUE wire. Cut the blue wire... Uh, is anybody still there?"

    • sorry but does anyone remember the whole PGP debacle

      you're penalising the flow of information and intellectual ideas which NEVER works well

      the Linux Foundation needs to move to Switzerland which also has regulations but actually targets companies and individual people not ideas and races

       

  • they are one hell of a threat to us.

  • I can publish for everyone to see but I can't talk to someone to fix an issue or improve the code.

    Yeah. This is freedom. makes a lot of sense. Just like every war and the sh1t that's going on in the US right now. Let's all start f4cking over our friends for just our selfish reasons and call this freedom.

    For me this is insanity.

    • The Cold War really screwed us up. Well, actually that's not true true. We like to claim that we're for freedom and equality and we were one of the biggest slave-using nations in the world in the 19th century.
      We say one thing and do another, while believing we're in the right the whole time, so our values are basically some kind of delusion.

      I'd recommend being cautious in dealing with the US government or Americans.

  • Although of course you've already been living in ITAR land this whole time. It's "always" been illegal for anyone based in the US to transmit technical data to a foreign national without a license. The arms manufacturers and defense contractors are acutely aware of this and only hire citizens. The aerospace companies and universities are also quite aware of it, and either pick whom they hire or what kind of research they do so as to avoid the kinds of applied research ITAR covers. But guess what: it's appl
