authority issues about trade issues on EAR #10923

Open
ilikelucifer opened this issue Jan 22, 2020 · 5 comments
Labels
triaged: question The issue contains a question

Comments

@ilikelucifer

We are concerned about the authority of openssl given the recently arisen trade issues between the US and the rest of the world (especially China). We are looking forward to getting your official answers to the questions below:

  1. Is the openssl project subject to U.S. Export Administration Regulations (EAR) and classified under ECCN 0D521? Or is such AI software subject to EAR, but not classified under ECCN 0D521?
  2. Is a U.S. Bureau of Industry and Security license required for exporting this project to China?
@ilikelucifer ilikelucifer added the issue: question The issue was opened to ask a question label Jan 22, 2020
@levitte
Member

levitte commented Jan 22, 2020

We are not US based, and most specifically, our main source code repo isn't. Does that answer your question?

@levitte levitte added triaged: question The issue contains a question and removed issue: question The issue was opened to ask a question labels Jan 22, 2020
@mattcaswell
Member

> We are not US based, and most specifically, our main source code repo isn't. Does that answer your question?

To clarify that a little: Our developers are based all over the world. We may and do receive contributions from anyone in any country (including China and the US). The source code repo is based in servers that are outside the US. The OpenSSL Software Foundation is a US incorporated company. However, when you download source code from www.openssl.org you are not downloading it from the US.

We're not lawyers. If you want legal advice you should speak to a lawyer.

@richsalz
Contributor

> when you download source code from www.openssl.org you are not downloading it from the US.

This is dangerously inaccurate. When you download from that website, you are actually connecting to a global CDN, and depending on where you are, you will probably end up talking to a server that is in, or "close to" the country where your browser is. Regardless, that CDN is a US company and it will obey US rules.

According to https://www.openssl.org/source/gitrepo.html, you can download directly from an OpenSSL server, git.openssl.org, hosted by SpaceNet AG. According to https://www.openssl.org/community/thanks.html they are not a US corporation; by my view of traceroute output, that server is not in the United States.

As Matt said, OSF is a US corporation; last I knew it used a US bank and at least for some of its legal services, US lawyers. The first means it must follow US rules, the second means there is a way to exert pressure, and the third means that they are likely to be told to cooperate. For example, if the US said "stop paying your staff because they contribute code to China" then Matt and Richard become volunteers, at least for a time. Another possible scenario is that the US decides that charitable contributions from Huawei should not be accepted because of US concerns about that company's 5G work.

NOW, having said all that, the US changed the export regulations a long time ago so that open source was no longer export-controlled. I cannot imagine that they will change that, nor will they be able to; the industry, including the largest computer firms in the world, would be likely to fight that.

I am not a lawyer. Hire one and get advice. Or just do whatever everyone else does because they won't come for you, they'll come for bigger folks.

@mattcaswell
Member

> When you download from that website, you are actually connecting to a global CDN, and depending on where you are, you will probably end up talking to a server that is in, or "close to" the country where your browser is. Regardless, that CDN is a US company and it will obey US rules.

That's a good point and something I had overlooked. Thanks for the clarification.

@ilikelucifer
Author

> > when you download source code from www.openssl.org you are not downloading it from the US.
>
> This is dangerously inaccurate. When you download from that website, you are actually connecting to a global CDN, and depending on where you are, you will probably end up talking to a server that is in, or "close to" the country where your browser is. Regardless, that CDN is a US company and it will obey US rules.
>
> According to https://www.openssl.org/source/gitrepo.html, you can download directly from an OpenSSL server, git.openssl.org, hosted by SpaceNet AG. According to https://www.openssl.org/community/thanks.html they are not a US corporation; by my view of traceroute output, that server is not in the United States.
>
> As Matt said, OSF is a US corporation; last I knew it used a US bank and at least for some of its legal services, US lawyers. The first means it must follow US rules, the second means there is a way to exert pressure, and the third means that they are likely to be told to cooperate. For example, if the US said "stop paying your staff because they contribute code to China" then Matt and Richard become volunteers, at least for a time. Another possible scenario is that the US decides that charitable contributions from Huawei should not be accepted because of US concerns about that company's 5G work.
>
> NOW, having said all that, the US changed the export regulations a long time ago so that open source was no longer export-controlled. I cannot imagine that they will change that, nor will they be able to; the industry, including the largest computer firms in the world, would be likely to fight that.
>
> I am not a lawyer. Hire one and get advice. Or just do whatever everyone else does because they won't come for you, they'll come for bigger folks.

Wow, very thoughtful advice! Thanks.
