#377 Add legal geo restrictions to Council Policies documents
Opened 4 months ago by mattdm. Modified a month ago

Because Fedora is subject to US law, we are bound by a number of things which prevent us from providing services to people in currently-sanctioned regions, and from accepting contributions from them. This isn't really a Fedora policy, but it is something we are bound by. We should make this clear on the Fedora Accounts page -- I'd like to extend the line with the link to the code of conduct with a link explaining this as well.

While I personally do not think these restrictions are good for Fedora, good for people, good for the world, or good for the US, they're real and affect us whether we make it obvious or not, so I think it's better to be clear.

RH Legal tells me that we can use boilerplate based on the legal text at https://galaxy.ansible.com/. Specifically:

By contributing to and/or downloading Fedora content, you acknowledge that you understand all of the following: Fedora software and technical information may be subject to the U.S. Export Administration Regulations (the "EAR") and other U.S. and foreign laws and may not be exported, re-exported or transferred (a) to a prohibited destination country under the EAR and the U.S. Department of Treasury, Office of Foreign Assets Controls (currently Cuba, Iran, North Korea, Syria, and the Crimea Region of Ukraine, subject to change as posted by the United States government); (b) to any prohibited destination or to any end user who has been prohibited from participating in U.S. export transactions by any federal agency of the U.S. government; or (c) for use in connection with the design, development or production of nuclear, chemical or biological weapons, or rocket systems, space launch vehicles, or sounding rockets, or unmanned air vehicle systems. You may not contribute to Fedora or download Fedora software or technical information if you are located in one of these countries or otherwise subject to these restrictions. You may not provide Fedora software or technical information to individuals or entities located in one of these countries or otherwise subject to these restrictions. You are also responsible for compliance with foreign law requirements applicable to the import, export and use of Fedora software and technical information.

Fedora software in source code and binary code form are publicly available and are not subject to the EAR in accordance with §742.15(b).

This isn't a policy change per se, but I think the Council Policies section of the doc is the best place for it.

Additionally, though, there is a related FESCo policy from 2014, given here: https://pagure.io/fesco/issue/1219#comment-26800:

Sponsors (or any other contributors) in Fedora should not make any effort to determine a contributor's nationality, country of origin, or area of residence. If a potential contributor independently (and explicitly) reveals their nationality, country of origin, or area of residence, and that nationality, country of origin, or area of residence is in one of the export restricted countries (currently: Cuba, Iran, North Korea, Sudan & Syria), then they are required to bring that information to the attention of Fedora Legal.

I would like to adopt this as not just engineering policy but general project policy. (With the country list updated, or just removed if we put both of these on the same page.) Does anyone object?


Hi @mattdm thanks for navigating this and figuring out a path forward. +1

These words seem vaguely familiar... +1.

This isn't a policy change per se, but I think the Council Policies section of the doc is the best place for it.

Agreed. It's not a policy change, just documenting an existing policy in a way that people can find it. It does not need to go through the Policy Change Policy.

Additionally, though, there is a related FESCo policy from 2014, given here: https://pagure.io/fesco/issue/1219#comment-26800:

I would like to adopt this as not just engineering policy but general project policy. (With the country list updated, or just removed if we put both of these on the same page.) Does anyone object?

Not I.

+1 all around

Metadata Update from @bcotton:
- Issue tagged with: policies, ticket-vote

4 months ago

@sergiomb As that link notes, this came about through a "lengthy and intensive process" with the Office of Foreign Assets Control at the US Treasury. We don't necessarily have the resources to do that. I am very interested in seeing what we can do and what resources we have to do it, but please have patience. In any case, I'd like to keep this ticket to the specific issue of what we can do now.

+1 on both blocks, with a suggestion that the nationality of users part be rephrased a bit. It kind of reads like we're instructing our project on how to circumvent US law. I would just strike the first sentence and rephrase the second as something like:

"If a current or potential Fedora contributor independently (and explicitly) reveals their nationality, country of origin, or area of residence, and that nationality, country of origin, or area of residence is in one of the export restricted countries (currently: Cuba, Iran, North Korea, Sudan & Syria), then Fedora Legal must be notified."

I don't think the intent is to circumvent anything, but rather to avoid people being harassed on suspicion based on assumptions about race, ethnicity, or language.

I do have a preference for sticking to existing wording that's been in place for ~7 years rather than going through the process of vetting new wording. How important is that change to you?

"If a current or potential Fedora contributor independently (and explicitly) reveals their nationality, country of origin, or area of residence, and that nationality, country of origin, or area of residence is in one of the export restricted countries (currently: Cuba, Iran, North Korea, Sudan & Syria), then Fedora Legal must be notified."

I wonder if this kind of statement doesn't violate GPL licenses itself, is not a restriction of freedom of the code?

I wonder if this kind of statement doesn't violate GPL licenses itself, is not a restriction of freedom of the code?

It does not.

"If a current or potential Fedora contributor independently (and explicitly) reveals their nationality, country of origin, or area of residence, and that nationality, country of origin, or area of residence is in one of the export restricted countries (currently: Cuba, Iran, North Korea, Sudan & Syria), then Fedora Legal must be notified."

I wonder if this kind of statement doesn't violate GPL licenses itself, is not a restriction of freedom of the code?

The GPL itself does not concern itself with allowance for distribution, only the grant of privilege of distribution. So EAR/ITAR restrictions supersede it and do not impair compliance with the license.

Licensing aside, I think it violates the spirit of: we should all be able to work together in improving the world and making something better together, regardless of where we're born or where we live. It is contrary to the Fedora Vision statement. But, the reality we live in means our ability to live up to that ideal is limited by things out of our control. We do what we can, the best we can. The goal here specifically is simply to document that limitation.

+1 for adding these blocks to the docs.

I don't think the intent is to circumvent anything, but rather to avoid people being harassed on suspicion based on assumptions about race, ethnicity, or language.

I do have a preference for sticking to existing wording that's been in place for ~7 years rather than going through the process of vetting new wording. How important is that change to you?

Not very. If the above wording has been in use for that long, let's just stick with it.

Hi, I would like to add a counter-opinion, of course one that holds no weight as an official vote.

As Fedora Linux is forced to this decision by its relationship to its legal sponsor, Red Hat, I therefore believe it is also the responsibility of Red Hat to seek a solution that does not deny an individual their right to realize the Four Freedoms of Free Software on the basis of geography or citizenship.

I recognize no policy is being changed here. It is a deliberate clarification of rules that were always in effect. Yet this ticket opens the context behind the policy for greater scrutiny, and I posit the context is harmful both to the Fedora Project and to Red Hat.

This policy is harmful for diversity and inclusion, and compromises Fedora's position to be an innovative platform built by a global community. The U.S. laws and regulations driving this decision exist within a specific context, but that context is grossly incompatible with the dynamics of inclusive Free & Open Source communities. In practice, these laws and regulations deny individuals (really, other human beings) of their ability to be a beneficiary of the open licenses we employ for creating our work, collaborating on it together, and sharing it with others.

I see two outcomes of accepting this as an unchangeable norm.

Firstly, it creates confusion, doubt, and feelings of ill intent. These laws and regulations are meant to impact governments and nation-states. In a Free & Open Source community such as ours, these regulations impact individual people. Not governments or nation-states. As an example, a Fedora community member, Ahmad Haghighi, was recently permanently removed from the Fedora Community. In a few quick clicks, Ahmad's legacy in the project was erased. As a precedent, even if someone's contributions were not "supposed" to be accepted in the first place, it does not sit well with me that any one person's legacy of contributions can so easily be removed from project records.

Secondly, it challenges the vision and foundations of the Fedora Project. Particularly our vision statement and the Friends Foundation. When I contribute to the Fedora Project, I do not see people as a citizen of this-country or that-country. I see them as my peers and fellow Fedorans, helping meet that shared vision of creating "a world where everyone benefits from free and open source software built by inclusive, welcoming, and open-minded communities." As an American citizen, I know my country makes such discriminations about large groups of people based only on their nationality, but as a contributor to Free & Open Source communities, I see people by their individual character and intention to be a part of our shared vision. But how can we truly aspire to this vision if we are consciously making deliberate exclusions, even if they make little to no sense in our own context? This geographic restriction policy sits in contrast to the vision and purpose we spell out "on paper".

I understand why Fedora leadership is taking this action due to Fedora's legal and sociopolitical relationship to Red Hat, an American incorporation subject to American laws and regulations. To an extent, the hand of Fedora is forced.

But I believe this is a great opportunity for Red Hat to be an enabler of Fedora's First Foundation. Previously, Microsoft stood up for Iranian developers and successfully set a precedent about how the United States Office of Foreign Assets Control (OFAC) treats such cases. I found this excerpt from Nat Friedman's announcement to resonate:

Over the course of two years, we were able to demonstrate how developer use of GitHub advances human progress, international communication, and the enduring US foreign policy of promoting free speech and the free flow of information. We are grateful to OFAC for the engagement which has led to this great result for developers.

I believe Red Hat's legal team should take a stand for individuals in embargoed countries to remain a beneficiary of the free and open source licenses that enable a community Linux distribution like Fedora to exist in the first place.

After all, in Fedora, we are well-known for being first in the Open Source space for innovative new ideas and approaches. We know Fedora Linux is a digital public good that should be accessible to all and everyone. But to make this a reality, the Fedora Project cannot be first here on its own. We need our friendly primary sponsor, Red Hat, to help us clear this burden, which is brought on by our connection to Red Hat in the first place.

I'll close this counter-opinion with an excerpt from our First Foundation:

From What is Fedora all about?:
"However, the Fedora Project’s goal of advancing free software dictates that the Fedora Project itself pursue a strategy that preserves the forward momentum of our technical, collateral, and community-building progress. Fedora always aims to provide the future, first."

Here is a chance to be clear on the future we want to provide and for whom.

Hi Justin. Thank you for your thoughtful post. However, I don't think that this is actually a "counter-opinion". I certainly don't disagree with your general point.

I do disagree with one thing, which is that we are "consciously making deliberate exclusions". We are not. We are following the obligations dictated to us by law.

I am working with Legal and do think we should push towards an exception, but note from the GitHub post you link that it took Microsoft, with all of their resources, two years to get there. Fedora does not have that kind of resourcing, and for that matter the whole of Red Hat flat out does not either, nor even close to comparable clout with the US government. So, please, I ask for patience here, and understanding that we really just might not be able to do anything no matter how much we want to.

Given that, we need to be clear about the limitations, because the current situation, where we are not clear in that way, is worse.

I do understand where this is coming from and that all efforts here are well-intended, but maybe just 2 Euro-cents of additional thoughts:

  1. Not all legal texts are as clear as they pretend to be: E.g., what are "unmanned air vehicle systems", and are we even allowed to ship software in Fedora which helps operate drones and such? Part (c) of the above prohibits any military use of Fedora even by the U.S. forces since (c) is not qualified by (b) or (a)... In other words: that text cannot be taken verbatim anyways.

  2. If I am working on a project which is "free to share" in my jurisdiction and I submit it to Fedora, or someone packages it for Fedora, does it stop being free to share to certain countries because US law says so? US law rules the world, yeah... Do we really want to drive contributors to Debian?

Luckily, none of the above is in the FPCA which I agreed to, or I would have to retreat it (or not take it literally, as indicated in 1.).

Again, I know this ticket is not about making things worse, but it brings to mind how dangerous the situation already is for Fedora as a "free" project.

  1. I agree that legal texts can be unclear. We are not, in this case, speculating.

  2. As an individual, you are of course subject to the laws of your country of citizenship and location. As a project sponsored by a U.S. entity, we are bound by US law.

However, I don't think that this is actually a "counter-opinion". I certainly don't disagree with your general point.

I agree with this correction. A counter-opinion wasn't the right framing. "Unsolicited opinion" was probably better. :wink:

I do disagree with one thing, which is that we are "consciously making deliberate exclusions". We are not. We are following the obligations dictated to us by law.

I agree with the clarification. Consciously (as in deliberately making a conscious choice) isn't a fair representation. What I meant to convey is the knowing of a fact-of-the-matter that contradicts project governance like the vision statement.

I am working with Legal and do think we should push towards an exception, but note from the GitHub post you link that it took Microsoft, with all of their resources, two years to get there. Fedora does not have that kind of resourcing, and for that matter the whole of Red Hat flat out does not either, nor even close to comparable clout with the US government.

The deliberate effort towards a change is the effort that matters. I appreciate this advocacy work that consists of less-visible contributions. If Red Hat does not have these resources, maybe somebody else might.

So, please, I ask for patience here, and understanding that we really just might not be able to do anything no matter how much we want to. Given that, we need to be clear about the limitations, because the current situation, where we are not clear in that way, is worse.

I empathize that this is an unenviable situation to be in. I agree it makes the most sense to codify this in general project policy. It is better to communicate the context transparently than to have sad surprises.

  1. I agree that legal texts can be unclear. We are not, in this case, speculating.

We are speculating about the extent to which the EAR bind the project - even the boilerplate you suggest says "may be subject to the U.S. Export Administration Regulations".

In particular, while Red Hat is a business company, Fedora is not and is not doing any business with EAR-affected countries.

Note that even before negotiating any EAR exceptions, GitHub - the business company - continued providing public unpaid (i.e. non-business) services to EAR residents. So it is fair to expect the same from the Fedora project, as we can even claim prior precedence (if that is the legal term).

  2. As an individual, you are of course subject to the laws of your country of citizenship and location. As a project sponsored by a U.S. entity, we are bound by US law.

Sure, and no-one questions that.

It seems, though, that the extent to which "the Fedora Project" has taken action against an Iranian individual is a rather excessive interpretation of the EAR, and I can only hope that those who executed these actions displayed a bit of humanity by at least contacting said individual before pulling the plug.

There is a huge difference between "Sorry, we are bound by EAR and need/want to be extra cautious, so we will have to..." and erasing someone digitally from the project right away.
