Posted to legal-discuss@apache.org by William A Rowe Jr <wr...@rowe-clan.net> on 2015/06/03 11:49:10 UTC

Re: US Wassenaar legislation and ASF security forums

On Fri, May 29, 2015 at 1:35 AM, Mark Thomas <ma...@apache.org> wrote:

> On 29/05/2015 03:31, William A Rowe Jr wrote:
> > Reviewing...
> >
> >
> https://www.eff.org/deeplinks/2015/05/we-must-fight-proposed-us-wassenaar-implementation
> >
> > Reading into this, it appears that it might become problematic for ASF
> > security team members in the US to share exploits more widely with PMC
> > members in other countries.
> >
> > In terms of automated channels (security@pmc.a.o distribution lists) I
> > don't expect there to be so much of an issue, but purely in terms of US
> > contributors, smells like the exploits equivalent of crypto as munitions.
> >
> > Comments and observations welcomed.
>
> That looks troubling. If implemented as currently written that would
> cause a heap of problems for anyone in the US wanting to submit a
> security vulnerability report to the ASF. I'm also not convinced that
> the security@ lists wouldn't have issues.
>
> I think we should:
> - submit a formal comment
> - blog about doing the above
> - issue a press release to highlight our blog
>
> I'm happy to try drafting something assuming there is agreement we want
> to submit something. Who needs to sign off on that? Jim as V.P.
>

Yes, or perhaps the President of the Foundation.

With John and anyone else's input, I think it's significant that we weigh
in on this discussion.  That said...

We are likely one of three most significant sources of open source code
in the world, as a foundation.  We should measure and weigh our words
appropriately.

We don't need to go off on tangents - a simple and concise explanation
of how the proposed interpretation will harm our ability to provide software
to the US Military and Government agencies, along with many domestic
and international commercial interests, along with other end users, should
suffice.  Why does this impede us from solving their problems?

I and several other members would be happy to carry that message to
the relevant committee members in DC.  The best solution might be an
unarchived drafting list under Chatham House Rule, consisting of no fewer
than you and John (first volunteers), Jim, Brett and Ross (at their discretion)
and any other invited guests/experts.

I'd strongly caution you to enforce a strict message retention policy,
as with VP Legal capitulation, this structure has worked against the
ASF's interests in the past.