Linux Foundation Statement on Huawei Entity List Ruling
The Linux Foundation | 23 May 2019
We have received inquiries regarding concerns about a member subject to an Entity List Ruling. [1] The Huawei Entity List ruling was specifically scoped to activities and transactions subject to the Export Administration Regulations (EAR).
Open Source Software Not Involving Encryption
The Linux Foundation is a free and open source software organization whose project communities publish collaboratively developed software publicly. All software published by Linux Foundation projects is made available to the public without restrictions other than those imposed by the open source licenses. Software that is published publicly, such as open source software, is not subject to the EAR [2], and therefore not relevant to the Entity List Ruling.
Open Source Encryption Software
Open source encryption software source code was reclassified by the US Department of Commerce, Bureau of Industry and Security (BIS) effective September 20, 2016 as publicly available and no longer subject to the EAR. [3] Each open source project that uses or implements encryption is still required to send a notice of the URL to BIS and NSA to satisfy the publicly available notice requirement in the EAR at 15 CFR § 742.15(b).
The Linux Foundation continues to work with our projects to ensure their notices are up to date and are maintained in the future. [4] Open source software, collaboration on open source code, attending telephonic or in-person meetings, participating in training, and providing membership or sponsorship funds are all activities that are not subject to the EAR and therefore should have no impact on our communities. If there is a unique situation of concern, we encourage you to reach out directly to legal@linuxfoundation.org.
Security Vulnerability Pre-Disclosure Lists
A few of the Linux Foundation’s project communities use security vulnerability pre-disclosure lists to alert known implementers of the project’s open source software about vulnerability fixes that will be disclosed by the developers and published publicly in the near future (typically within 2 weeks). In these situations, LF project communities are conveying knowledge, information and written software patches that will be made publicly available when accepted for publication by the committers on the project, and such disclosures are permitted under 15 CFR § 734.7(a)(5). [2]
[3] 81 Fed. Reg. 64656, 64668 (September 20, 2016). See also, https://www.bis.doc.gov/index.php/policy-guidance/encryption/223-new-encryption