Posted to legal-discuss@apache.org by Roman Shaposhnik <ro...@shaposhnik.org> on 2021/07/15 23:05:17 UTC

Significant change to US Export Controls Guide

There was a modification to the US regulations earlier this year.
And now there's actually formal guidance from the Linux Foundation
to their projects:
    https://www.linuxfoundation.org/blog/understanding-us-export-controls-and-open-source-projects-2021-update/

The change now allows for projects that are publicly available
and using standard cryptography to be exempt completely.

I believe this will greatly simplify our handling of it, but I wanted
to run it by all of you to confirm (and also give a heads-up).

Thanks,
Roman.

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Fwd: Significant change to US Export Controls Guide

Posted by Matt Sicker <bo...@gmail.com>.
This is the relevant bit about how we no longer need to worry about
reporting cryptography code. Thus, we're clear to make a commons-codec
release as soon as I can find some release instructions.

---------- Forwarded message ---------
From: Roman Shaposhnik <ro...@shaposhnik.org>
Date: Thu, Jul 15, 2021 at 6:05 PM
Subject: Significant change to US Export Controls Guide
To: <le...@apache.org>


There was a modification to the US regulations earlier this year.
And now there's actually formal guidance from the Linux Foundation
to their projects:
    https://www.linuxfoundation.org/blog/understanding-us-export-controls-and-open-source-projects-2021-update/

The change now allows for projects that are publicly available
and using standard cryptography to be exempt completely.

I believe this will greatly simplify our handling of it, but I wanted
to run it by all of you to confirm (and also give a heads-up).

Thanks,
Roman.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Re: Significant change to US Export Controls Guide

Posted by Roman Shaposhnik <ro...@shaposhnik.org>.
On Thu, Jul 15, 2021 at 5:06 PM Craig Russell <ap...@gmail.com> wrote:
>
> Hi Roman,
>
> I'm not qualified (from either a legal or crypto standpoint) to comment on the details, but it appears to me that investing some time into investigating our previous use of the EAR notifications and our current use of external crypto projects is time well spent.
>
> Just one item that may need to be clarified: do the crypto libraries that our projects use simply implement "standard cryptography"?

As long as the libraries are open source -- it appears to fit
"standard cryptography" description -- and I would be really surprised
if any of our projects used anything else.

Thanks,
Roman.


Re: Significant change to US Export Controls Guide

Posted by Craig Russell <ap...@gmail.com>.
Hi Roman,

I'm not qualified (from either a legal or crypto standpoint) to comment on the details, but it appears to me that investing some time into investigating our previous use of the EAR notifications and our current use of external crypto projects is time well spent.

Just one item that may need to be clarified: do the crypto libraries that our projects use simply implement "standard cryptography"?

Craig

> On Jul 15, 2021, at 4:05 PM, Roman Shaposhnik <ro...@shaposhnik.org> wrote:
> 
> There was a modification to the US regulations earlier this year.
> And now there's actually formal guidance from the Linux Foundation
> to their projects:
>    https://www.linuxfoundation.org/blog/understanding-us-export-controls-and-open-source-projects-2021-update/
> 
> The change now allows for projects that are publicly available
> and using standard cryptography to be exempt completely.
> 
> I believe this will greatly simplify our handling of it, but I wanted
> to run it by all of you to confirm (and also give a heads-up).
> 
> Thanks,
> Roman.
> 

Craig L Russell
clr@apache.org



Re: Significant change to US Export Controls Guide

Posted by Matt Sicker <bo...@gmail.com>.
I’d assume standard cryptography covers all public domain algorithms at
least. Anything standardized at NIST would count as those are all public
domain typically.

On Fri, Jul 16, 2021 at 02:20 Bertrand Delacretaz <bd...@apache.org>
wrote:

> Hi,
>
> On Fri, Jul 16, 2021 at 1:06 AM Roman Shaposhnik <ro...@shaposhnik.org>
> wrote:
> > ...I believe this will greatly simplify our handling of it, but I wanted
> > to run it by all of you to confirm (and also give a heads-up)...
>
> I'm not qualified to provide an answer from a legal point of view, but
> anything that makes our project's life easier is worth the effort, so
> thanks for driving this!
>
> -Bertrand
>

Re: Significant change to US Export Controls Guide

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,

On Fri, Jul 16, 2021 at 1:06 AM Roman Shaposhnik <ro...@shaposhnik.org> wrote:
> ...I believe this will greatly simplify our handling of it, but I wanted
> to run it by all of you to confirm (and also give a heads-up)...

I'm not qualified to provide an answer from a legal point of view, but
anything that makes our project's life easier is worth the effort, so
thanks for driving this!

-Bertrand


Re: Significant change to US Export Controls Guide

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
> On Jul 15, 2021, at 4:05 PM, Roman Shaposhnik <ro...@shaposhnik.org> wrote:
> 
> There was a modification to the US regulations earlier this year.
> And now there's actually formal guidance from the Linux Foundation
> to their projects:
>    https://www.linuxfoundation.org/blog/understanding-us-export-controls-and-open-source-projects-2021-update/
> 
> The change now allows for projects that are publicly available
> and using standard cryptography to be exempt completely.
> 
> I believe this will greatly simplify our handling of it, but I wanted
> to run it by all of you to confirm (and also give a heads-up).
> 
> Thanks,
> Roman.

Yep, this matches my recent analysis in 

  https://lists.apache.org/thread.html/r015060afabeca07a597c4d9c6e9d91dfac764b11f1e08704fffe4c3e%40%3Clegal-discuss.apache.org%3E

though it looks like their examples at

  https://www.linuxfoundation.org/export/

are all out of date (based on the old reporting format and fields).

You should probably suggest (with LF hat on) that they also
update their example page to the new spreadsheet format
(see SUPPLEMENT NO. 8 at the end of EAR section 742.).

Cheers,

....Roy

