Linux Foundation Statement on Huawei Entity List Ruling
The Linux Foundation | 23 May 2019
We have received inquiries regarding concerns about a member subject to an Entity List Ruling. [1] The Huawei Entity List ruling was specifically scoped to activities and transactions subject to the Export Administration Regulations (EAR).
Open Source Software Not Involving Encryption
The Linux Foundation is a free and open source software organization whose project communities publish collaboratively developed software publicly. All software published by Linux Foundation projects is made available to the public without restrictions other than those imposed by the open source licenses. Software that is published publicly, such as open source software, is not subject to the EAR [2], and therefore not relevant to the Entity List Ruling.
Open Source Encryption Software
Open source encryption software source code was reclassified by the US Department of Commerce, Bureau of Industry and Security (BIS) effective September 20, 2016 as publicly available and no longer subject to the EAR. [3] Each open source project that uses or implements encryption is still required to send a notice of the URL to BIS and NSA to satisfy the publicly available notice requirement in the EAR at 15 CFR § 742.15(b).
The Linux Foundation continues to work with our projects to ensure their notices are up to date and are maintained in the future. [4] Open source software, collaboration on open source code, attending telephonic or in-person meetings, participating in training, and providing membership or sponsorship funds are all activities which are not subject to the EAR and therefore should have no impact on our communities. If there is a unique situation of concern, we encourage you to reach out directly to legal@linuxfoundation.org.
Security Vulnerability Pre-Disclosure Lists
A few of the Linux Foundation’s project communities use security vulnerability pre-disclosure lists to alert known implementers of the project’s open source software about vulnerability fixes that will be disclosed by the developers and published publicly in the near future (typically within 2 weeks). In these situations, LF project communities are conveying knowledge, information and written software patches that will be made publicly available when accepted for publication by the committers on the project, and such disclosures are permitted under 15 CFR § 734.7(a)(5). [2]
[3] 81 Fed. Reg. 64656, 64668 (September 20, 2016). See also, https://www.bis.doc.gov/index.php/policy-guidance/encryption/223-new-encryption