KubeCon + CloudNativeCon Europe · Apr 1-4 · London REGISTER TODAY

Search

    Join
    • Home
    • Blog
    • Linux Foundation Statement on Huawei Entity List Ruling
    2 MIN READ

    Linux Foundation Statement on Huawei Entity List Ruling

    The Linux Foundation | 23 May 2019

    We have received inquiries regarding concerns about a member subject to an Entity List Ruling. [1] The Huawei Entity List ruling was specifically scoped to activities and transactions subject to the Export Administration Regulations (EAR).

    Open Source Software Not involving Encryption

    The Linux Foundation is a free and open source software organization whose project communities publish collaboratively developed software publicly. All software published by Linux Foundation projects is made available to the public without restrictions other than those imposed by the open source licenses. Software that is published publicly, such as open source software, is not subject to the EAR [2], and therefore not relevant to the Entity List Ruling.

    Open Source Encryption Software

    Open source encryption software source code was reclassified by the US Department of Commerce, Bureau of Industry and Security (BIS) effective September 20, 2016 as publicly available and no longer subject to the EAR. [3] Each open source project that uses or implements encryption is still required to send a notice of the URL to BIS and NSA to satisfy the publicly available notice requirement in the EAR at 15 CFR § 742.15(b).

    The Linux Foundation continues to work with our projects to ensure their notices are up to date and are maintained in the future. [4] Open source software, collaboration on open source code, attending telephonic or in person meetings, participating in training and providing membership or sponsorship funds are all activities which are not subject to the EAR and therefore should have no impact on our communities. If there is a unique situation of concern, we encourage you to reach out directly to legal@linuxfoundation.org.

    Security Vulnerability Pre-Disclosure Lists

    A few of the Linux Foundation’s project communities use security vulnerability pre-disclosure lists to alert known implementers of the project’s open source software about vulnerability fixes that will be disclosed by the developers and published publicly in the near future (typically within 2 weeks). In these situations, LF project communities are conveying knowledge, information and written software patches that will be made publicly available when accepted for publication by the committers on the project and such disclosures are permitted under 15 CFR § 734.7(a)(5). [2]

    [1] https://www.bis.doc.gov/index.php/documents/regulations-docs/2394-huawei-and-affiliates-entity-list-rule/file

    [2] https://www.ecfr.gov/cgi-bin/text-idx?SID=fcba36d2f267c2fdecc5694c1e754aa7&mc=true&node=se15.2.734_17&rgn=div8

    [3] 81 Fed. Reg. 64656, 64668 (September 20, 2016). See also, https://www.bis.doc.gov/index.php/policy-guidance/encryption/223-new-encryption

    [4] https://www.linuxfoundation.org/export/
    Similar Articles
    Browse Categories
    Open Source Cloud Computing Compliance and Security Projects LF Research 2024 Blog Linux How-To Open Source Ecosystem and Governance Diversity & Inclusion Research Newsletter Data, AI, and Analytics linux blog Linux Training and Certification Cross Technology lf events software development Cloud Native Computing Foundation cybersecurity Announcements Decentralized Technology Legal

    Stay Connected with the Linux Foundation