About US Export controls with Go
1,240 views
Skip to first unread message
WeiWei Huang
Dec 10, 2020, 3:25:15 AM12/10/20
to golang-dev
Hi, Go-team.
I'm wondering about Is EAR ( https://www.bis.doc.gov/index.php/regulations/export-administration-regulations-ear) affected on Go or Go standard cryptographic library. Although Go is released with BSD3 license but we still has some concern since Go is sponsored by Google mostly.
The Linux foundation had issued a statement that Linux is not affected by EAR https://www.linuxfoundation.org/blog/2020/07/understanding-us-export-controls-with-open-source-projects/.
Could Go team issue a blog or statement about this?
Best regard and Thanks.
Weiwei Huang
Ian Lance Taylor
Dec 10, 2020, 1:49:18 PM12/10/20
to WeiWei Huang, golang-dev
As the article by the Linux Foundation says, the U.S. EAR does not
apply to open source projects. Go is an open source project, so the
EAR does not apply. I don't see any real reason that the Go project
needs to make any official statement about this. If anything it seems
like that might increase confusion rather than decreasing it.
Ian
Florian Weimer
Dec 11, 2020, 5:38:05 AM12/11/20
to Ian Lance Taylor, WeiWei Huang, golang-dev
* Ian Lance Taylor:
I think the Linux Foundation statement is more precise here:
| [T]he good news is open source technologies that are published and
| made publicly available to the world are not subject to the EAR.
It's not just about open source (i.e., licensing), but also the
development and distribution model. As far as I know, the expert
consensus is that the relative clause is really important in that
sentence.
Go forks which are not available to the general public may be covered by
different rules, irrespective of their licensing conditions. The same
applies to products built with the Go toolchain (forked or not).
I agree that further statements make things only more confusing.
Thanks,
Florian
--
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
| [T]he good news is open source technologies that are published and
| made publicly available to the world are not subject to the EAR.
It's not just about open source (i.e., licensing), but also the
development and distribution model. As far as I know, the expert
consensus is that the relative clause is really important in that
sentence.
Go forks which are not available to the general public may be covered by
different rules, irrespective of their licensing conditions. The same
applies to products built with the Go toolchain (forked or not).
I agree that further statements make things only more confusing.
Thanks,
Florian
--
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
WeiWei Huang
Jan 8, 2021, 3:29:46 AM1/8/21
to golang-dev
Hi, Ian, Florian
Sorry for the late reply, I'm relieved to know Go did subject to EAR since it's an open source project.
However, according to the EAR, I think Google or Go team still needs to send "email notification" to BIS even Go source code is "publicly available"
2. "Publicly available" encryption source code is not subject to the EAR once the email notification per section 742.15(b) is sent.
•A common example would be open source encryption source code available for free online.
•A common example would be open source encryption source code available for free online.
Best regrad,
Weiwei Huang
Ian Lance Taylor
Jan 8, 2021, 8:54:18 PM1/8/21
to WeiWei Huang, golang-dev
On Fri, Jan 8, 2021 at 12:29 AM WeiWei Huang <hvn...@gmail.com> wrote:
>
> Sorry for the late reply, I'm relieved to know Go did subject to EAR since it's an open source project.
>
> However, according to the EAR, I think Google or Go team still needs to send "email notification" to BIS even Go source code is "publicly available"
> https://www.bis.doc.gov/index.php/policy-guidance/encryption/1-encryption-items-not-subject-to-the-ear
>
> 2. "Publicly available" encryption source code is not subject to the EAR once the email notification per section 742.15(b) is sent.
> •A common example would be open source encryption source code available for free online.
I checked with Google's export compliance department and they assured
>
> Sorry for the late reply, I'm relieved to know Go did subject to EAR since it's an open source project.
>
> However, according to the EAR, I think Google or Go team still needs to send "email notification" to BIS even Go source code is "publicly available"
> https://www.bis.doc.gov/index.php/policy-guidance/encryption/1-encryption-items-not-subject-to-the-ear
>
> 2. "Publicly available" encryption source code is not subject to the EAR once the email notification per section 742.15(b) is sent.
> •A common example would be open source encryption source code available for free online.
me that all necessary steps have been taken.
Thanks for asking.
Ian
WeiWei Huang
Jan 10, 2021, 8:46:24 PM1/10/21
to golang-dev
Thanks Ian
sam...@google.com
Jan 28, 2021, 12:47:14 PM1/28/21
to Peter Weinberger (温博格), Filippo Valsorda, Russ Cox, golang-dev
Sorry for missing this, not sure how it skipped my inbox.
I have not spoken to anyone about this, but I'm happy to set up time with Elvin Lee if we're missing documented guidance on this.
Adding +Filippo Valsorda and +Russ Cox in case they already know.
S
On Fri, Jan 8, 2021 at 7:00 AM Peter Weinberger (温博格) <p...@google.com> wrote:
Hi Sameer, have we asked a lawyer about this?(It will come up intermittently and a simple authoritative answer would be good to have in hand. One of "we did talk to BIS" or "we got legal advice, and we have complied with regulations", for instance.)
--
You received this message because you are subscribed to the Google Groups "golang-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-dev+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-dev/203ed537-5aea-47b0-b8fe-2eeac960a496n%40googlegroups.com.
WeiWei Huang
Jan 29, 2021, 2:03:41 AM1/29/21
to golang-dev
Hi, Sameer
I believe Ian has done a great job which gives confidence to the community and some Chinese tech bloggers had disscusions about EAR by quoting this thread.
https://mp.weixin.qq.com/s/f_dEKys-pFKm03Wde7e-MQ (Well, written in Chinese of course)
It'll be GREAT to have "missing documented guidance" in the Go Wiki or go.dev.
But I don't want causing panic in the community (or runtime) too.
Thanks to all who cares and It makes me feel warm inside my heart.
Weiwei Huang
Reply all
Reply to author
Forward
0 new messages