
SourceForge Removes Blanket Blocking

ScuttleMonkey posted more than 4 years ago | from the power-to-the-people dept.

Government 147

Recently there was much gnashing of teeth as SourceForge (which shares a corporate overlord with Slashdot) started programmatically blocking users in certain countries to comply with US export restrictions. Thankfully they didn't let it end there and have found a way to put the power back in the hands of the users. "Beginning now, every project admin can click on Develop -> Project Admin -> Project Settings to find a new section called Export Control. By default, we've ticked the more restrictive setting. If you conclude that your project is *not* subject to export regulations, or any other related prohibitions, you may now tick the other check mark and click Update. After that, all users will be able to download your project files as they did before last month's change."


Good (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31062016)

It was getting kinda chilly, and my blanket allows me to remain warmer.

Re:Good (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31062052)

only you can prevent stupid, unrelated, incredibly not funny comments from being posted.

Liability? (5, Interesting)

Anonymous Coward | more than 4 years ago | (#31062032)

So they are letting people "opt in" to remove export controls. Who is liable if the code is subject to export restrictions, SF or the developer?

Re:Liability? (4, Interesting)

Reason58 (775044) | more than 4 years ago | (#31062078)

> So they are letting people "opt in" to remove export controls. Who is liable if the code is subject to export restrictions, SF or the developer?

Is Google liable if I Gmail you restricted encryption algorithms?

Re:Liability? (2, Insightful)

Yvanhoe (564877) | more than 4 years ago | (#31063218)

But before opening a project on sourceforge, you have to describe your proposal and they manually accept or not. That could be argued to be editorial control. This is not exactly a gmail situation.

Re:Liability? (2, Insightful)

westlake (615356) | more than 4 years ago | (#31063622)

> Is Google liable if I Gmail you restricted encryption algorithms?

Google isn't hosting the file or providing you with a "home page" for your project. Sourceforge is much more exposed.

Re:Liability? (1)

snmpkid (93151) | more than 4 years ago | (#31062080)

Likely both

Re:Liability? (1)

religious freak (1005821) | more than 4 years ago | (#31062128)

It's a wink, and probably both.

Re:Liability? (0)

Anonymous Coward | more than 4 years ago | (#31062176)

Opt out, not in.
Opt in is when you choose yourself to do something, or actively allow a third party to do something which relates to you.
Opt out is when the third party does it anyway, but leaves the onus on you to say you don't want them to do it after all.

The user (1)

Sycraft-fu (314770) | more than 4 years ago | (#31063594)

That's why they are doing it this way. If they had it by default off someone might argue, perhaps successfully, that it was Sourceforge's fault since they didn't stop it from happening. However here they are blocking it by default and the screen probably has something along the lines of "You certify this is ok for export by removing this." Thus if it comes up, it is on the user. They made the change, they should have reasonably been aware of what it was for and made sure their software was ok.

Re:Liability? (0)

Anonymous Coward | more than 4 years ago | (#31064896)

Just curious, is there an offshore version of SourceForge? Do the mirrors cover liability? I can see issues where it may not be an issue in other parts of the world, but since the project is stored on (or replicated to) US servers (?), it may fall foul of US export rules.

This is completely stupid. (2, Insightful)

frinkacheese (790787) | more than 4 years ago | (#31062112)

This is dumb. The terrorists will just get their mates in another country to get whatever it is they want.

Only the kind of stupid Americans that thought that restricting the export of encryption technology would actually work would think of this. What happened there? They all got it anyway.

What exactly do they hope to achieve with this stupidity?

Re:This is completely stupid. (3, Insightful)

BHearsum (325814) | more than 4 years ago | (#31062158)

They hope to avoid liability.

Re:This is completely stupid. (0, Offtopic)

rtfa-troll (1340807) | more than 4 years ago | (#31063726)

Now, I have to admit, that I'm one of the first mods to moderate insightful when I think it's deeply funny (people who can't get a joke deserve all the low flying fighter jets that pass over them). However, I still find moderating this insightful extremely scary. What if the other mods aren't joking??

Re:This is completely stupid. (2, Interesting)

Locke2005 (849178) | more than 4 years ago | (#31062226)

Why does this require "mates" in another country? Can't they just go through a proxy server in another country?

Mates in another country (1)

tepples (727027) | more than 4 years ago | (#31062608)

It requires mates to operate the proxy server.

Re:Mates in another country (2, Insightful)

CastrTroy (595695) | more than 4 years ago | (#31063082)

Or any of the millions of the completely open proxy servers.

Re:This is completely stupid. (5, Insightful)

2short (466733) | more than 4 years ago | (#31062254)

They are complying with the law. Certainly, what they are doing is stupid and will be completely ineffective. But that's hard to avoid when complying with a law that is stupid and completely ineffective.

Re:This is completely stupid. (0, Troll)

steelfood (895457) | more than 4 years ago | (#31062886)

Nowhere does GP mention Sourceforge explicitly. I may be wrong, but GP may be saying that the US law is stupid, hence the US lawmakers who enacted the law are stupid, hence the populace of the US who voted the lawmakers into office are stupid.

And there's nothing inaccurate about that as far as I can tell.

Re:This is completely stupid. (2, Interesting)

HiThere (15173) | more than 4 years ago | (#31063838)

Well, when you need to choose between a stupid candidate and an abominable one, sometimes stupid is the better choice. Usually, though, they aren't *actually* stupid. They're just cleverly disguising their goals. But they *aren't* experts in any field except getting elected, and, possibly, law. So they make decisions that look stupid to anyone expert in ANY other field. And that's almost everybody. (They just disagree about which decisions were stupid.)

Re:This is completely stupid. (1)

mustafap (452510) | more than 4 years ago | (#31064410)

>hence the corporations of the US who got the lawmakers into office are stupid.

There, corrected that for you.

Re:This is completely stupid. (2, Insightful)

vlm (69642) | more than 4 years ago | (#31063074)

> But that's hard to avoid when complying with a law that is stupid and completely ineffective.

How is it stupid and ineffective if the purpose was to enlarge/preserve the great American bureaucracy and secondarily harass O.S. developers?

Re:This is completely stupid. (0)

Anonymous Coward | more than 4 years ago | (#31062590)

stupid Australian.

Re:This is completely stupid. (1)

Z00L00K (682162) | more than 4 years ago | (#31063036)

And if they can't get it they will write their own encryption.

It's a lot harder to decipher something that's encrypted than to apply a simple algorithm to it. If you do encounter something that's encrypted you will first have to figure out how it is encrypted before you even start to look for the key.

And steganography is another way of doing exchange of information. Who knows - some pr0n may actually contain hidden messages.

Re:This is completely stupid. (1)

hairyfeet (841228) | more than 4 years ago | (#31064090)

They hope to avoid liability and at the same time have a "wink wink, nudge nudge" kind of situation like those codecs you're not supposed to have in Linux in certain countries unless you bend over and pay your license fee, you cock smoking tea baggers?

Seriously it is no different than the codecs you're not supposed to have in Linux, that everyone has anyway, or the DVD rippers you aren't supposed to use in the USA, which of course everyone...well you get the idea. YOU know it is bullshit, I know it is bullshit, but some damned pencil pusher came up with a law that the Internet makes less than worthless but it is still a law, hence the hoop jumping. Deity forbid that anyone should have common sense when it comes to the law and the Internet. I always thought that export ban was as ridiculous as the ban on game consoles, saying they would be used for weapons research, when we all know they could just show up in China with a suitcase full of cash and probably get any hardware they wanted straight from the factory.

It is just another example of the USA acting like the global black market doesn't exist or that information in the age of the Internet can be neatly locked away. Kinda like how we pretend China is our friend while they try to "Haxorz teh planet!!! LOL!". Just the same political bullshit, different day.

Re:This is completely stupid. (3, Informative)

harlows_monkeys (106428) | more than 4 years ago | (#31064168)

> Only the kind of stupid Americans that thought that restricting the export of encryption technology would actually work[...]

I'm curious. How do the stupid Americans who think that differ from the stupid Europeans who think that? Or were you not aware that European countries and the EU also have similar export restrictions?

Duh (3, Interesting)

Locke2005 (849178) | more than 4 years ago | (#31062208)

Why not simply host the servers in a country that doesn't have brain-dead restrictions on the "export" of ones and zeros? One that doesn't classify encryption/decryption code as a "munition"?

Re:Duh (3, Insightful)

HungryHobo (1314109) | more than 4 years ago | (#31062374)

Feel free to rent a server in some random country and mirror sourceforge.

Re:Duh (0)

Anonymous Coward | more than 4 years ago | (#31062852)

I did, but it ended up in the states anyway.
Talk about bad luck with random numbers!

Re:Duh (1)

creimer (824291) | more than 4 years ago | (#31063450)

Try a different seed next time. :P

Re:Duh (0)

Anonymous Coward | more than 4 years ago | (#31064210)

Point invalid.

If I mirrored Sourceforge the default setting would still block many countries, including the one I may host the mirror in.

Re:Duh (1)

Timothy Brownawell (627747) | more than 4 years ago | (#31062474)

> Why not simply host the servers in a country that doesn't have brain-dead restrictions on the "export" of ones and zeros? One that doesn't classify encryption/decryption code as a "munition"?

I'd imagine that not working too well if the company responsible is still located in the US. Hm, maybe if the non-US servers wouldn't accept uploads from US IP addresses?

Re:Duh (2, Interesting)

tagno25 (1518033) | more than 4 years ago | (#31062642)

It is not considered a "munition" any more. http://xkcd.com/504/ [xkcd.com]

Re:Duh (1)

steelfood (895457) | more than 4 years ago | (#31062744)

IANAL, but I believe any US developer will then have to completely censor the code they upload to those servers. Though, I'm sure it'd be fine if a US developer gave a German developer the code to upload to said offshore servers, but it might still be a violation if the US developer uploaded it himself.

Of course, proving that the code was downloaded by the "bad" people in the "bad" countries will be up to the government, but since Sourceforge is a US company, they'd suddenly be liable for the records.

Don't think so (1)

nten (709128) | more than 4 years ago | (#31063126)

I am fairly certain that Germany is already a member of the same treaties. The German developer would just be charged instead. Some information, like some physical devices, only has use for killing. Is there some qualitative difference that makes it wrong to regulate such information, but ok to regulate the devices?

Re:Don't think so (2, Insightful)

Locke2005 (849178) | more than 4 years ago | (#31064188)

Some information... only has use for killing. I can't think of any information that would make it easier to kill that couldn't also be used to help prevent death. In the technological realm, almost everything is a two-edged sword. Security by obscurity is a poor means of defense.

Re:Duh (1)

bws111 (1216812) | more than 4 years ago | (#31063620)

You are 100% wrong. First, the export controls are not simply 'ok to export freely and not ok to export to country x'. The controls are 'export license required' and 'no license required'. If you are developing something that is export controlled, and you wish to export it (including putting on an open server), you must obtain a license. That license will state the terms under which it may be exported, and who it may be exported to. If your license says it is OK to export to Germany, it will probably also require you to get a statement from the receiver that says they will not re-export it. If your licensed export finds its way somewhere it shouldn't, YOU are who they are coming after, and you better have all your documentation when they do.

Also, don't delude yourself into thinking that they have to 'prove' anyone from a restricted country downloaded it to prosecute you. Just putting it on an open server is exporting it.

Having said all that, the list of restricted types of software is very small, and not likely to be something you would find on SourceForge. This mostly involves things that could be used for real-time control of weapons.

Re:Duh (1)

rtfa-troll (1340807) | more than 4 years ago | (#31063790)

> (including putting on an open server)

In my experience there seem to be (INAL and ICNYL) specific exceptions for systems which are publicly available for free download. That should apply to most of sourceforge.

Re:Duh (2, Informative)

NeoSkandranon (515696) | more than 4 years ago | (#31062806)

As was said many times in the original article, the issue is the country the business is based in and the laws there. It doesn't matter one ounce where the servers are located.

Re:Duh (0)

Anonymous Coward | more than 4 years ago | (#31063650)

That's exactly what I expected this to be all about. Unfortunately, it's not. Fuck the US foreign policy.

Re:Duh (1)

westlake (615356) | more than 4 years ago | (#31063962)

> Why not simply host the servers in a country that doesn't have brain-dead restrictions on the "export" of ones and zeros? One that doesn't classify encryption/decryption code as a "munition"?

Moving your servers abroad to avoid export controls pretty much guarantees that you will be prosecuted in the states.

Export controls are not unique to the U.S., and they are not limited to encryption. This is serious shit and you had damn well better know what you are getting into.

Re:Duh (1)

jittles (1613415) | more than 4 years ago | (#31064218)

I think the issue at hand is that Sourceforge's corporate overlord is based out of the US. I'm pretty sure if they break any of the rules in ITAR (I believe encryption is considered to be a weapon) then they could be held liable. Even if they host everything out of the US.

Hmmm (4, Interesting)

mewsenews (251487) | more than 4 years ago | (#31062212)

As a Canadian locked out of Hulu and Comedy Central's web clips, I wish geolocation based on IP would burn in hell already.

That being said:

There was a Syrian developer commenting on the story about the original announcement, he was justifiably pissed off that Sourceforge had decided to deny him access to his own work. Does this change allow him to work on his project in peace?

Has Slashdot decided to stop mentioning that Sourceforge is owned by the same parent company? They're sure trying to do some damage control by going straight to Slashdot's front page with their weird opt-in workaround..

Re:Hmmm (1)

mewsenews (251487) | more than 4 years ago | (#31062264)

Crap, the story does have a "shares a corporate overlord" clause.

Re:Hmmm (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31062460)

> Canadian locked out of Hulu

Allowing Canadians to watch Hulu would be letting the terrorists win.

Re:Hmmm (0)

Anonymous Coward | more than 4 years ago | (#31064150)

> Allowing Canadians to watch Hulu would be letting the terrorists win.

Man, the moderators have no sense of humor today. Which is also why I'm posting AC.

Re:Hmmm (0)

Anonymous Coward | more than 4 years ago | (#31062922)

> As a Canadian locked out of Hulu and Comedy Central's web clips

Maybe I'm thinking of something different, but at least from Belgium I can perfectly watch all of Comedy Central's shows that they put online (The Daily Show, The Colbert Report, South Park, Drawn Together, ...), and everything linked on http://www.comedycentral.com . Hulu is another matter...

Huh? (3, Interesting)

leuk_he (194174) | more than 4 years ago | (#31062236)

I can code. I am not American. I am not a lawyer. People are downloading from local mirrors, not from USA. How can I say if the project should be restricted or not?

Why does the USA government not build a firewall to prevent exporting any American byte to the restricted list?

How to check for an 'American' byte? (3, Funny)

thijsh (910751) | more than 4 years ago | (#31062402)

The problem is the cost of the special made-in-USA-color-electron-microscope, they have to check each byte to see if it contains red, white and blue electrons.

Re:How to check for an 'American' byte? (0)

Anonymous Coward | more than 4 years ago | (#31062822)

I don't know about the electrons, but all the quarks in the neutrons and protons in my hard drive are red, green and blue. Is that enough to be safe?

Re:How to check for an 'American' byte? (1)

nashv (1479253) | more than 4 years ago | (#31063152)

No, you need loopy strings of all colors tangled into more dimensions than you can access. Your data needs to be holographically encoded along the 15th dimension to be safe. Oh wait, I think the inventor of 15th dimension claims copyright on his IP.

Re:How to check for an 'American' byte? (1)

clickety6 (141178) | more than 4 years ago | (#31063194)

American bytes just have fatter bits than non-American bytes so it's easy to recognize them.
They're the bytes made up of 0s and 2s.

Re:How to check for an 'American' byte? (1)

orgelspieler (865795) | more than 4 years ago | (#31063198)

Electron microscopes? You're making this way too hard on yourself. The "American byte" is right after the "evil bit" in the packet header.

Re:Huh? (0)

Anonymous Coward | more than 4 years ago | (#31062442)

Because, although we have laws, we are supposed to be innocent until proven guilty. Fortunately, this is not China, yet.

Re:Huh? (0)

Anonymous Coward | more than 4 years ago | (#31062828)

More interestingly, can I check a checkbox indicating the project not to be hosted *in* the US? Or to be accessible to people in the US? So as to not be liable under US CYA laws?

Re:Huh? (1)

noidentity (188756) | more than 4 years ago | (#31063042)

> Why does the USA government not build a firewall to prevent exporting any American byte to the restricted list?

Have you got a list of the restricted bytes? Actually, it'd be simpler if you just listed which bits are restricted, 0s, 1s, or possibly both...

And these restrictions makes so much sense (4, Insightful)

JoshuaZ (1134087) | more than 4 years ago | (#31062276)

Yeah. These restrictions make so much sense. Because we all know that North Korea has no way to get access to any servers outside North Korea. And no one can use a proxy server at all. And they really are going to be absolutely helpless without the tiny open-source projects. This is as ridiculous as the old restrictions on exporting encryption (at least those got removed a few years ago).

Re:And these restrictions makes so much sense (2, Insightful)

HungryHobo (1314109) | more than 4 years ago | (#31062404)

I'm fairly sure those restrictions were never actually dropped.
they just gave up trying to enforce them.

Re:And these restrictions makes so much sense (4, Informative)

JoshuaZ (1134087) | more than 4 years ago | (#31062466)

Not exactly. In 1996, Clinton issued an executive order which took commercial encryption off the munitions list. It is still on the list of controlled commercial exports but that's a lot less restrictive (much, much easier to get permission to export, less severe punishments for violations, and lower priorities for federal investigators).

Re:And these restrictions makes so much sense (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31062804)

> Because we all know that North Korea has no way to get access to any servers outside North Korea.

I wouldn't worry about that since North Korea basically has no Internet [wikipedia.org] .

Re:And these restrictions makes so much sense (0)

Anonymous Coward | more than 4 years ago | (#31062980)

The law is not about preventing such espionage from occurring, because that is unrealistic.

It is about being able to punish someone for doing it.

The right thing to do :) (4, Insightful)

neo00 (1667377) | more than 4 years ago | (#31062312)

Great news, and this is a brave thing to do :) Blindly blocking all SF projects to some people was wrong. I said this before, US export laws should only apply to US products. OpenSource/Free software projects should stay "open" and "free/libre" to everybody. Those who worked hard on these projects, including developers from the banned countries, should have the right to decide whether their projects should be blocked or not. Some said the law applies to SF just because they host the projects. If the law was strict to this level then the whole internet should be banned to these countries.

Re:The right thing to do :) (2, Insightful)

countertrolling (1585477) | more than 4 years ago | (#31063092)

should only...should stay...should have...should be...

Well, if you really want all these should've...could've...would've(s), then you and your neighbors should vote for politicians that will handle the issue properly. If you're going to cry about how the "system" is rigged against you, save your breath. I'll have none of it. You all are just cursing darkness instead of lighting a candle. There is no law on the books that requires you to vote for spoon fed by mass media candidates.. yet.

Re:The right thing to do :) (1)

HiThere (15173) | more than 4 years ago | (#31063970)

Right. And I got two choices who have a reasonable chance of winning. Sometimes they both back this kind of law, the rest of the time one backs it, and the other doesn't mention it. Or occasionally neither mentions it.

I can't even recall a time that one lied, and said he was opposed to it.

In the above two paragraphs, "it" refers to "export conditions and controls on software". And the normal case is that nobody will tell you their position on it.

Re:The right thing to do :) (1)

SwashbucklingCowboy (727629) | more than 4 years ago | (#31063724)

"Some said the law applies to SF just because they host the projects. If the law was strict to this level then the whole internet should be banned to these countries."

The law IS that strict. And no, the whole internet should not be banned. This is about encryption, not information.

Move outside of the United States (1)

davidwr (791652) | more than 4 years ago | (#31062350)

At least consider it.

To which country? (2, Interesting)

tepples (727027) | more than 4 years ago | (#31062674)

Which developed country is willing to take thousands of refugees from the U.S. copyright regime, software patent regime, mobile phone regulatory regime, and other results of bought senators [wikipedia.org] ?

Re:To which country? (0)

Anonymous Coward | more than 4 years ago | (#31063380)

Canada. Highest rate of immigration in the world, per capita, and you get bonus points for speaking English.

The benefits work both ways: American immigrants displace the Chinese, who are rapidly colonising us.

Dump sourceforge (4, Insightful)

starsong (624646) | more than 4 years ago | (#31062360)

Why the hell does anyone even use SourceForge anymore? Their tools suck, the site is beyond slow and plastered with ads, and you have to play download roulette with their crappy 90s-era mirroring system. Plus you get crazy decrees like this from whatever's going on at the top. It's not like there aren't alternatives these days. Google Code is awesome by comparison.

Re:Dump sourceforge (3, Informative)

Infiniti2000 (1720222) | more than 4 years ago | (#31062446)

> Google Code is awesome by comparison.

I'm guessing you didn't bother to read the Google Code TOS [google.com] ? It puts the blame solely on the developer. Given that it's Google with a boatload of money to throw at attorneys, chances are that it's airtight for them in a legal battle should the need arise.

Re:Dump sourceforge (1)

starsong (624646) | more than 4 years ago | (#31062888)

As opposed to what? If there is an export-control problem (not likely), do you really expect SourceForge's TOS to protect you?

Re:Dump sourceforge (1)

Toonol (1057698) | more than 4 years ago | (#31063736)

> I'm guessing you didn't bother to read the Google Code TOS [google.com]? It puts the blame solely on the developer.

Isn't that where blame would belong?

Re:Dump sourceforge (0, Funny)

Anonymous Coward | more than 4 years ago | (#31062458)

What ads?

    -Firefox with AdBlock Plus user

Re:Dump sourceforge (0, Offtopic)

Sir_Lewk (967686) | more than 4 years ago | (#31062810)

Not to mention, Subversion and CVS are sooo 90's. I'm hugely a fan of github, their site is great, their people are awesomely responsive, and git itself just rocks. With distributed version control you never have to worry about this sort of thing either.

It is for these reasons... (3, Insightful)

steelfood (895457) | more than 4 years ago | (#31062394)

...that projects such as TOR and Freenet exist.

Re:It is for these reasons... (1)

stephanruby (542433) | more than 4 years ago | (#31063228)

You mean http://portabletor.sourceforge.net/ [sourceforge.net] or http://sourceforge.net/projects/freenet/ [sourceforge.net] . Thank god those projects are already mirrored internationally by a decentralized network, otherwise the net effect of this export control would be to just keep encryption out of the citizens of those same repressive governments, not those governments themselves.

Important Internet Reminder: Remember (0)

Anonymous Coward | more than 4 years ago | (#31062426)

to encrypt EVERYTHING !!!

Google wants to "do no evil" for the N.S.A.

Yours In Astrakhan,
Kilgore Trout [youtube.com]

Stupid, stupid law (3, Insightful)

bcmm (768152) | more than 4 years ago | (#31062450)

The USA has compiled a list of the countries it considers most repressive, and attempted to forbid the citizens of those countries from using encrypted communications... I don't think the governments on that list mind.

Re:Stupid, stupid law (1)

countertrolling (1585477) | more than 4 years ago | (#31063262)

> I don't think the governments on that list mind.

Probably so. In fact, I would go so far as to say the US did it at their requests. The real arms race throughout the world is between a government and its citizens. I believe the US regards only those who restrict American business as "repressive". Otherwise most of Latin America, Asia, and Africa would be on the list.

Debian has never found this sort of blocking... (4, Interesting)

John Hasler (414242) | more than 4 years ago | (#31062472)

...necessary. Why has Source Forge suddenly decided that it is?

Re:Debian has never found this sort of blocking... (2, Informative)

vlm (69642) | more than 4 years ago | (#31062694)

Never say never... Admittedly this battle ended about a decade ago. Not sure how/why SF caught up with the 90s and had their little fit.

http://www.debian.org/legal/cryptoinmain [debian.org]

Re:Debian has never found this sort of blocking... (1)

steelfood (895457) | more than 4 years ago | (#31062996)

> Not sure how/why SF caught up with the 90s and had their little fit.

Judging from their site's appearance, I'd say they never left the 90's.

Because they distribute standard crypto (1)

mpapet (761907) | more than 4 years ago | (#31063410)

OpenSSL and PKI-integrated projects all use standard crypto libraries that are based on standard crypto technology.

The BIS's interest lies in novel and strong encryption schemes. The difficulty of which is hard to describe.

war (2, Funny)

anonieuweling (536832) | more than 4 years ago | (#31062768)

> A couple of weeks ago, to ensure compliance with US law as we roll out improvements to SourceForge.net, we began programmatically blocking access to the site for users in certain countries against which the US government imposes sanctions.

`Sanctions` are acts of WAR
So private corporations assist in illegal types of warfare by the US government which is legally owned by the deepest pockets.
How can SourceForge allow project admins to circumvent this law that provides for teh safety of all scared american peeple?
I mean, first it is law and now the project admin, who can be non-american -terrorist?- , can decide?

Re:war (1)

vlm (69642) | more than 4 years ago | (#31062952)

> `Sanctions` are acts of WAR

Uh, no, they are not.

You can work it two directions, going from "acts of war" toward sanctions or from sanctions toward acts of war. Neither direction works either logically or by authoritative definitions or by historical precedence.

> illegal types of warfare by the US government

So, you can evaluate this one, either by the golden rule, he who has the gold makes the rules, in which case it's not possible for a government to do something illegal (although individual members might do something illegal). Or, you can evaluate it in a traditional historical method, where the victors write the history and therefore were the good guys. And I don't think the US is going to lose (although the US may change policy). Either way, I'm not seeing it.

As far as ends and means, I think we have the same ends, but your means are just not going to work.

Re:war (1)

SwashbucklingCowboy (727629) | more than 4 years ago | (#31063066)

"`Sanctions` are acts of WAR"

Don't be silly.

Stupid options, need CowboyMcNeal (1)

Lorens (597774) | more than 4 years ago | (#31062994)

The choices are

1) This project does NOT incorporate, access, call upon, or otherwise use encryption of any kind, including, but not limited to, open source algorithms and/or calls to encryption in the operating system or underlying platform.

and

2) This project DOES incorporate, access, call upon or otherwise use encryption. Posting of open source encryption is controlled under U.S. Export Control Classification Number "ECCN" 5D002 and must be simultaneously reported by email to the U.S. government. You are responsible for submitting this email report to the U.S. government in accordance with procedures described in: http://www.bis.doc.gov/encryption/PubAvailEncSourceCodeNotify.html [doc.gov] and Section 740.13(e) of the Export Administration Regulations ("EAR") 15 C.F.R. Parts 730-772.

My project FileUniq is plain python, and executes a call to "md5" in order to get a hash. Obtaining a python library that provides the md5 function is not even described in the documentation, but I definitely do make a call to encryption in the underlying platform. However, I firmly believe that the U.S. Bureau of Industry and Security will not appreciate my TSU notification.

Maybe SourceForge actually wants to overwhelm the BIS with useless submissions?

Re:Stupid options, need CowboyMcNeal (1)

vlm (69642) | more than 4 years ago | (#31063172)

However, I firmly believe that the U.S. Bureau of Industry and Security will not appreciate my TSU notification.

And you'd be wrong. Somewhere out there, a bureaucrat is pining away daydreaming of being able to successfully process just one more TSU notification, whatever that means. Probably just index it and file it away somewhere. Just one more dot on his metrics graph and he gets the big performance bonus, and/or gets to hire another headcount to process the notifications. Come on Lorens(597774), send in a notification and make his day!

Whoa there Tiger (2, Informative)

mpapet (761907) | more than 4 years ago | (#31063580)

My project FileUniq is plain python, and executes a call to "md5" in order to get a hash.

MD5 is non-special (and deprecated anyway); no one at the BIS would give you a moment's difficulty. Worst case scenario, notify the BIS and they send you an official reply. I know this because I've worked with the BIS to export encryption technology. They were very easy to work with and tolerated my inexperience. Call them and explain your situation.

SourceForge's language is a little daunting. A (new?) lawyer (justifying his job?) at SourceForge MegaCorp probably has quite a bit to do with the entire fiasco.

Re:Whoa there Tiger (1)

mpapet (761907) | more than 4 years ago | (#31063586)

Pfft... I forgot to mention MD5 is a hashing algorithm, not really encryption per se...

Will this work? (1)

dtmos (447842) | more than 4 years ago | (#31063136)

I guess SourceForge has vetted this process with its attorneys, but I must be missing something. If a project admin opens up his project's block, he's personally criminally liable should some citizen of a country on the wrong list [gpo.gov] see a controlled technology from one of SourceForge's servers. That's scary enough for US citizens residing in the US. However, SourceForge doesn't provide the admins (AFAIK) with any export control training, or even vet their citizenship; an admin in Syria, with Syrian citizenship, who did this would seem to be out of reach of the US, which would then fall back to SourceForge, since it did not control access to the technology on its servers. Unless SourceForge has now asked to see citizenship papers of each of its project admins ... ?

This problem covers all sorts of technology far beyond encryption but, just to continue the encryption example, there is a little note on p. 7 of Category 5 (Part 2: Information Security) [gpo.gov] of the Commerce Control List [gpo.gov]:

License Requirement Note: When a person performs or provides technical assistance that incorporates, or otherwise draws upon, “technology” that was either obtained in the United States or is of US-origin, then a release of the “technology” takes place. Such technical assistance, when rendered with the intent to aid in the “development” or “production” of encryption commodities or software that would be controlled for “EI” reasons under ECCN 5A002 or 5D002.a or 5D002.c, may require authorization under the EAR even if the underlying encryption algorithm to be implemented is from the public domain or is not of U.S. origin.

Because simple site blocking... (0)

Anonymous Coward | more than 4 years ago | (#31063144)

...will stop those terrorists from getting their hands on PGP...

I just wish ... (0)

Anonymous Coward | more than 4 years ago | (#31063180)

they would stop exporting all this crap television.

Reality Check (2, Insightful)

mpapet (761907) | more than 4 years ago | (#31063246)

The number one reason why this is *very* much ado about nothing is that the projects the U.S. Government would have any interest in AT ALL are novel and strong encryption schemes. To satisfy both novel and strong conditions puts one into a *very* small and elite group.

Sure, there are many projects that implement standard/weak/known encryption. That's completely different than a project that implements legitimately novel AND strong to the point of piquing the interest of the BIS/spooks. I don't know for sure, but zrtp might be an example.

An American company can export SSL/TLS/PKI and similar crypto products without ever drawing the interest of the BIS. I guess at some point in distant history, this was not the case. As someone that actually worked with the BIS on getting encryption export compliance, it has been easy for a long time.

Re:Reality Check (0)

Anonymous Coward | more than 4 years ago | (#31063758)

So what you're saying is that SSL is too weak to be worthy of notice? That just fills me with confidence...

Counterproductive laws (4, Insightful)

presidenteloco (659168) | more than 4 years ago | (#31063266)

The USA is squandering some of its technological lead and economic opportunities with dumb-ass laws.

I've already had to stop hosting several online businesses in the US due to the Patriot Act and international customers' unwillingness to have their data stored in the US.

Stem cell research was set back a decade by Christian fundamentalist opposition making its way into federal law.

Laws restricting export of US software just result in software being innovated faster elsewhere.

As Freeman Dyson once said: The best way to defeat Soviet communism would be to ship Apple computers to their population en masse. He was basically right, though who knew it would be cloned PCs that would do the trick.

Congratulations, but too late (1)

RAMMS+EIN (578166) | more than 4 years ago | (#31063292)

I congratulate SourceForge on empowering their users to choose for themselves, but I'm still moving my stuff elsewhere. Not just because of the country restrictions, but also because I don't like the new (slow, heavy, buggy) interface, and because I've been getting dropped connections from them.

The question is: what is the best place to move to?

Wait... (1)

Locke2005 (849178) | more than 4 years ago | (#31063862)

SourceForge was blocking downloads by Blanket Jackson [mirror.co.uk] ??? I didn't even know he was an open source hacker! He doesn't really look old enough...

Most Projects Will Remain Blocked (1)

CritterNYC (190163) | more than 4 years ago | (#31064146)

The two options given in the SourceForge.net project settings are:

1. This project does NOT incorporate, access, call upon, or otherwise use encryption of any kind, including, but not limited to, open source algorithms and/or calls to encryption in the operating system or underlying platform.

2. This project DOES incorporate, access, call upon or otherwise use encryption. Posting of open source encryption is controlled under U.S. Export Control Classification Number "ECCN" 5D002 and must be simultaneously reported by email to the U.S. government. You are responsible for submitting this email report to the U.S. government in accordance with procedures described in: http://www.bis.doc.gov/encryption/PubAvailEncSourceCodeNotify.html [doc.gov] and Section 740.13(e) of the Export Administration Regulations ("EAR") 15 C.F.R. Parts 730-772.

The 2nd option is the default and what all projects are currently set to.

In order to select the first, you can't be using any kind of encryption at all. Our project, PortableApps.com, isn't really about encryption, it's about taking your favorite software with you on a flash drive wherever you go. But we do bundle a number of open source apps that use encryption including Firefox, Thunderbird, Sunbird, Songbird, FileZilla, KeePass, Toucan, KompoZer, 7-Zip, Miranda IM, Pidgin, PuTTY, SeaMonkey, WinSCP, WinWGet, OpenOffice.org, PDFTK Builder, PNotes and PeaZip. That means we need to keep the 2nd option selected and those countries remain blocked.

In reality that means pretty much every project on SourceForge that is or includes a web browser, ftp client, email client, scp client, im client, archive tool, etc. will have to keep the 2nd option selected and remain blocked as well.
