25

Apache 基金会与 GitHub 均受美国出口法律约束,这对开发者有何影响?

 4 years ago
source link: https://www.tuicool.com/articles/Nvm2mqA
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

ASF 受到美国 出口 法律约束

近日,ASF 官网出现了一则关于 ASF 产品出口控制状态 的说明。文中指出,ASF 是位于美国的非盈利性慈善机构,所有产品通过公共论坛在线协作开发,并从美国的中央服务器发布,所以 Apache 项目的发行版需要遵循美国的出口法律和法规,并且随着产品和技术再出口到不同的地方依旧保持有效。

也就是说,出口、再出口、记录保存、ASF 产品捆绑和嵌入、加密报告和装运文件都需要遵循出口管制分类和相关限制信息。如果说得再明白一点就是,除非经美国政府正式授权,否则 ASF 软件、技术或数据不得直接或间接出口 / 再出口到受美国禁运或贸易制裁的地方。美国政府保留 出口禁止名单 ,包括但不限于 财政部的特别指定国民名单 和  商务部的实体和被拒绝人名单

划重点,美国时间 2019 年 5 月 15 日,特朗普签署了一份行政命令,宣布因为国家经济紧急状态,禁止企业使用对国家安全造成风险的外国制造设备。随后美国商务部声明,把华为及 70 个附属公司增列入出口管制的实体清单。

GitHub 受到美国 出口 法律约束

不止 ASF,GitHub 官网也发消息称,“ GitHub.com 、GitHub Enterprise Server 以及您上传到任一产品的信息可能受美国出口管制法律的约束,包括美国出口管理条例(EAR)。”

GitHub 官网发布的内容主要有以下几个要点:

  • 根据 GitHub 的服务条款用户只能按照适用法律访问和使用 GitHub.com ,包括美国出口管制和制裁法律。根据美国和其他适用法律,特别指定国民名单和其它被拒绝、被封锁的人士禁止访问、 使用 GitHub.com用户不得代表此类各方使用 GitHub.com ,包括受制裁国家 / 地区的政府。
  • 根据美国财政部海外资产控制办公室(OFAC)发布的授权,Github 可允许受美国制裁的管辖区内或通常居住在管辖区内的用户访问某些 Github.com 服务。在访问 GitHub 服务时,这些管辖区内的人员和居民不得使用 IP 代理、VPN 或其他方法来伪装其位置,并且只能使用 GitHub 进行非商业的个人通信。
  • GitHub Enterprise Server 不得出售、出口或再出口到清单中的国家,目前清单中已经包含古巴、伊朗、朝鲜、苏丹与叙利亚。

对开发者有何影响

在听到 ASF 和 GitHub 均受到美国出口法律约束时,很多技术人担心国内的开源项目也将迎来“至暗时刻”。那么,这两则消息到底真正约束的是什么?对于中国开发者来说,有什么影响?是否有比较好的应对措施呢?

ASF 到底限制了什么?知乎网友李道兵分析称:“只是 ASF 提供的服务受到了美国法律的限制,例如会员服务、下载服务、网站服务等。”而 ASF 在官网发表的文章指出,公开可用软件只有 ECCN 为 5D002 或 5D992 时才会受到 EAR 约束。

至于 GitHub,首先中国还没有被加入到清单中,还有缓冲时间。其次,主要受影响的是 GitHub 企业版,但是大多数企业在采购之后,都是在企业内部部署使用。最后,目前只有 ERA 限制的加密技术不可出口,其它开源软件项目很难被限制。

面对这些限制,开发者应该如何破解难题呢?根据李道兵的分析,想要解决限制的问题也不难,“用户只是不能从 ASF 网站下载软件,但是可以从任何发行版、镜像站或者其它能够获取到软件的地方(包括从你的朋友手上拷贝一份)去下载。而且受到 License 的保障,用户仍可以继续使用、修改、分发软件。如果该软件更换了不自由的软件协议,那么用户还可以继续使用比较自由的老版本。”

那么这是不是意味着美国这一举措毫无“攻击力”呢?当然不是,这一举措还是有很多隐忧的,例如,美国 ERA 条款中是否会增加更多的技术,如果通讯、大数据等相关技术被限制的话,那么对于中国企业和开发者也会有很多影响。另外,还有人担心编程语言是否会受到限制,毕竟像 Java 等各大语言的核心都在美国。

附 ASF 产品分类矩阵:

Apache Accumulo Project Product Name Versions ECCN Controlled Source Apache Accumulo Project development 5D002 ASFBouncy Castle 1.6.0 and on 5D002 ASFBouncy Castle 1.5.x 5D002 ASF Apache ActiveMQ Project Product Name Versions ECCN Controlled Source Apache ActiveMQ development 5D002 ASF 4.1 and later 5D002 ASF Apache Camel development 5D002 ASF 1.0.0 and later 5D002 ASF Apache Ant Project Product Name Versions ECCN Controlled Source Apache Ant development 5D002 ASF 1.1 and later 5D002 ASF Apache Ivy development 5D002 ASF 2.0.0-alpha-*-incubating 5D002 ASF 2.0.0-alpha-*-incubating-bin-with-deps 5D002 ASFJCraft, Inc. 2.0.0-beta1-* and later 5D002 ASF 2.0.0-beta1-bin-with-deps and later 5D002 ASFJCraft, Inc. Apache Cassandra Project Product Name Versions ECCN Controlled Source Apache Cassandra development 5D002 ASFOracleThe OpenSSL Project 0.8 and later 5D002 ASFOracle Apache Cayenne Project Product Name Versions ECCN Controlled Source Apache Cayenne development 5D002 ASFOracle 3.2.M2 and later 5D002 ASFOracle Apache Commons Project Product Name Versions ECCN Controlled Source Apache Commons Compress development 5D002 ASF 1.6 and later 5D002 ASF Apache Commons Crypto development 5D002 ASFThe OpenSSL ProjectOracle 1.0.0 and later 5D002 ASFThe OpenSSL ProjectOracle Apache Commons OpenPGP development 5D002 ASF Apache CouchDB Project Product Name Versions ECCN Controlled Source Apache CouchDB development 5D002 ASF 0.9.0 and later 5D002 ASFibrowse Apache CXF Project Product Name Versions ECCN Controlled Source Apache CXF development 5D002 ASFASFBouncy Castle all 2.* 5D002 ASFASFBouncy Castle all 2.*-incubating 5D002 ASFASFBouncy Castle Apache DB Project Product Name Versions ECCN Controlled Source Apache Derby development 5D002 ASF derby-10.* 5D002 ASF Apache DdlUtils development 5D002 ASF ddlutils-1.0 and higher 5D002 ASF Apache ObjectRelationalBridge - OJB development 5D002 ASF ojb-1.0.0 and higher 5D002 ASF Apache Torque development 5D002 ASF torque-3.1 and later 5D002 ASF Apache Directory Project Product Name Versions ECCN Controlled Source Apache Directory Server development 5D002 ASF 1.0 and later 5D002 ASF 1.5 and later 5D002 ASFBouncy Castle Apache Directory Studio 1.2 and later 5D002 ASFBouncy Castle Apache Drill Product Name Versions ECCN Controlled Source Apache Drill 1.2 and later 5D002 ASFOracleThe Eclipse FoundationThe Cyrus SASL projectMITThe OpenSSL Project Apache Forrest Project Product Name Versions ECCN Controlled Source Apache Forrest development 5D002 ASF apache-forrest-0.6 and later 5D002 ASFJCraft, Inc. Apache Geode Project Product Name Versions ECCN Controlled Source Apache Geode development 5D002 ASFASFASFOracleThe OpenSSL Project all releases 5D002 ASFASFASFOracleThe OpenSSL Project Apache Geronimo Project Product Name Versions ECCN Controlled Source Apache Geronimo development 5D002 ASF 1.0 and later 5D002 ASF Apache Hadoop Project Product Name Versions ECCN Controlled Source Apache Hadoop development 5D002 ASF 17.0 and later 5D002 ASF Apache Harmony Project Product Name Versions ECCN Controlled Source Apache Harmony development 5D002 ASF 5.0M1 and later 5D002 ASFBouncy Castle Apache HAWQ (incubating) Project Product Name Versions ECCN Controlled Source Apache HAWQ (incubating) Project development 5D002 ASF Apache HttpComponents Project Product Name Versions ECCN Controlled Source Apache HttpComponents Core development 5D002 ASF 4.0 and later 5D002 ASF Apache HttpComponents Client development 5D002 ASF 4.0 and later 5D002 ASF 1.x, 2.x, 3.x 5D002 ASF Apache HTTP Server Project Product Name Versions ECCN Controlled Source Apache HTTP Server development 5D002 ASF apache_1.3.x n/a httpd-2.0.x 5D002 ASF httpd-2.2.x 5D002 ASF apache_2.2.x-win32- -openssl- 5D002 ASFThe OpenSSL Project httpd-2.4.x 5D002 ASF Apache Flood development 5D002 ASF flood-0.4 5D002 ASF Apache libapreq development 5D002 ASF libapreq2 5D002 ASF libapreq n/a Apache mod_ftp development 5D002 ASF Apache mod_python development 5D002 ASF mod_python-* 5D002 ASF Apache Incubator Project Product Name Versions ECCN Controlled Source Apache Abdera development 5D002 ASF all 0.*-incubating 5D002 ASFASFBouncy CastleBouncy Castle Apache Airavata development 5D002 ASFBouncy CastleThe Cryptix projectClaymore Systems PuretlsGlobus Project Apache CloudStack development 5D002 JaSypt.orgOracleBouncy CastleASFOpenSwan.orgJCraft, Inc.ASF Apache Impala development 5D002 ASF 2.7.0 and later 5D002 ASF Apache NiFi development 5D002 JaSypt.orgOracleBouncy CastleJCraft, Inc.ASF 0.0.1-incubating and later 5D002 JaSypt.orgOracleBouncy CastleJCraft, Inc.ASF Apache PDFBox development 5D002 ASFBouncy CastleBouncy Castle Apache Pirk development 5D002 ASF 0.1.0-incubating and later 5D002 ASF Apache Pulsar development 5D002 ASFBouncy Castle 1.20-incubating and greater 5D002 ASFBouncy Castle Apache Shindig development 5D002 ASF Apache Slider development 5D002 ASFOracleThe Eclipse Foundation 0.30-incubating 5D002 ASFOracle 0.40-incubating and later 5D002 ASFOracleThe Eclipse Foundation Apache Taverna development 5D002 ASFASFASFASFASFASFASFASFASFASFASFASFASFASFBouncy CastleThe Eclipse FoundationOracleASFASFASFASFASFDropboxGoogleRuby Programming LanguageThe OpenSSL Project all releases 5D002 ASFBouncy CastleThe Eclipse FoundationOracleASFASFASFASFASFDropboxGoogleRuby Programming LanguageThe OpenSSL Project Apache Trafodion development 5D002 ASFThe OpenSSL ProjectOracle all releases 5D002 ASFThe OpenSSL ProjectOracle Apache Whirr development 5D002 ASF all 0.*-incubating 5D002 ASFBouncy CastleJCraft, Inc.Not-Yet-Commons-SSL Apache Jakarta JMeter Project Product Name Versions ECCN Controlled Source Apache Jakarta JMeter 1.0 and later 5D002 ASF Apache JAMES Project Product Name Versions ECCN Controlled Source Apache JAMES Server development 5D002 ASFBouncy Castle 2.3.0 and later 5D002 ASFBouncy Castle Apache JAMES jDKIM 0.1 and later 5D002 ASFNot-Yet-Commons-SSL Apache JAMES Mailet Crypto 0.1 and later 5D002 ASFBouncy Castle Apache JAMES Mime4J 0.4 and later 5D002 ASF Apache Jena Product Name Versions ECCN Controlled Source Apache Jena (distribution) development 5D002 ASF binary distribution 5D002 ASFASF Apache Kafka Project Product Name Versions ECCN Controlled Source Apache Kafka development 5D002 ASFOracle 0.10.2 and later 5D002 ASFOracle 0.9.0 and later 5D002 ASFOracle Apache Kudu Project Product Name Versions ECCN Controlled Source Apache Kudu development 5D002 ASF 1.1.0 and later 5D002 ASF Apache Labs Project Product Name Versions ECCN Controlled Source Apache BaDCA development 5D002 ASF Apache Vysper development 5D002 ASFBouncy Castle Apache Lucene Project Product Name Versions ECCN Controlled Source Apache Nutch development 5D002 ASF 0.7 and later 5D002 ASFPDFBox Apache Solr development 5D002 ASF 1.4 and later 5D002 ASFApache Tika Apache Tika development 5D002 ASF 0.2-incubating and later 5D002 ASFBouncy CastleBouncy Castle Apache MyFaces Project Product Name Versions ECCN Controlled Source Apache MyFaces development 5D002 ASF 1.1.2 and later 5D002 ASF Apache Mynewt (incubating) Project Product Name Versions ECCN Controlled Source Apache Mynewt development 5D002 ARM mbedTinyCryptPolarSSL Apache Oltu Project Product Name Versions ECCN Controlled Source Apache Oltu development 5D002 ASF Apache Open For Business Project Product Name Versions ECCN Controlled Source Apache Open For Business development 5D002 ASF 4.0 release branch 5D002 ASF Apache OpenEJB Project Product Name Versions ECCN Controlled Source Apache OpenEJB development 5D002 ASF 1.0 and later 5D002 ASF All 0.x n/a Apache Perl Project Product Name Versions ECCN Controlled Source mod_perl Perl- -win32-bin- .exe 5D002 ASFThe OpenSSL Project Apache POI Project Product Name Versions ECCN Controlled Source Apache POI development 5D002 ASF 3.5 and later 5D002 ASF Apache Polygene Project Product Name Versions ECCN Controlled Source Apache Polygene development 5D002 ASFBouncy Castle 2.1 5D002 ASFBouncy Castle Apache Shiro Project Product Name Versions ECCN Controlled Source Apache Shiro development 5D002 ASF 1.1 and later 5D002 ASF 1.0 5D002 ASF All 0.x n/a Apache ServiceMix Project Product Name Versions ECCN Controlled Source Apache ServiceMix 3.x development 5D002 ASFASFBouncy Castle All 3.x versions 5D002 ASFASFBouncy Castle Apache ServiceMix 4.x development 5D002 ASF 4.0-m1 n/a Apache ServiceMix NMR development 5D002 ASF 1.0-m1, 1.0-m2 n/a Apache ServiceMix Kernel development n/a All 1.0 milestones n/a Apache Portable Runtime Project Product Name Versions ECCN Controlled Source APR development 5D002 ASF APR-Util development 5D002 ASF 0.9.x, 1.2.x n/a 1.4.x and later 5D002 ASF Apache Santuario Project Product Name Versions ECCN Controlled Source Apache XML Security for Java development 5D002 ASF 1.5.x 5D002 ASF Apache XML Security for C++ development 5D002 ASF Apache SpamAssassin Project Product Name Versions ECCN Controlled Source Apache SpamAssassin development 5D002 ASFThe OpenSSL ProjectSteffen Ullrich 3.0.x and later 5D002 ASFThe OpenSSL ProjectSteffen Ullrich Apache Spark Project Product Name Versions ECCN Controlled Source Apache Spark 2.2.0 through 2.3.x 5D002 ASFBouncy Castle 2.4.0 and later 5D002 ASF Apache Tomcat Project Product Name Versions ECCN Controlled Source Apache Tomcat development 5D002 ASF 3.x and later 5D002 ASF Apache Tomcat native connector development 5D002 ASFThe OpenSSL Project 1.x and later 5D002 ASFThe OpenSSL Project Apache UIMA Project Product Name Versions ECCN Controlled Source Apache UIMA-AS development 5D002 ASF all releases starting with 2.2.2-incubating 5D002 ASF Apache UIMA Addons development 5D002 ASF 2.3.0 and later 5D002 ASF Apache UIMA Addon Tika Annotator development 5D002 ASF 2.3.0 and later 5D002 ASF Apache UIMA-DUCC development 5D002 ASF all releases starting with 1.0 5D002 ASF Apache VCL Project Product Name Versions ECCN Controlled Source Apache VCL development 5D002 ASF 2.1 to 2.2.2 5D002 ASF 2.3 and later 5D002 ASFphpseclib Apache Web Services Project Product Name Versions ECCN Controlled Source Apache WSS4J development 5D002 ASFBouncy CastleASF 1.6 5D002 ASFBouncy CastleASF 1.0 to 1.5 5D002 ASFBouncy CastleBouncy CastleASF Apache Rampart/Java development 5D002 ASFBouncy CastleBouncy CastleApache Santuario 1.1 and later 5D002 ASFBouncy CastleBouncy CastleApache Santuario Apache Rampart/C development 5D002 ASFThe OpenSSL Project 0.09 and later 5D002 ASFThe OpenSSL Project Apache Synapse 1.0, 1.1, 1.1.1, 1.2, 2.0.0 5D002 ASFBouncy CastleBouncy CastleBouncy CastleBouncy CastleApache Santuario Apache Synapse Project Product Name Versions ECCN Controlled Source Apache Synapse development 5D002 ASFBouncy CastleBouncy CastleBouncy CastleBouncy CastleApache Santuario 1.1.1 and later 5D002 ASFBouncy CastleBouncy CastleApache Santuario Apache Wicket Project Product Name Versions ECCN Controlled Source Apache Wicket 1.3, development 5D002 ASF Apache MINA Project Product Name Versions ECCN Controlled Source Apache MINA development 5D002 ASF 1.0, 1.1, 2.0 5D002 ASF Apache Vysper development 5D002 ASFBouncy Castle Apache FtpServer development 5D002 ASF 1.0 5D002 ASF Apache SSHD development 5D002 ASFBouncy Castle Apache Wookie Project Product Name Versions ECCN Controlled Source Apache Wookie development 5D002 ASFApache Santuario 0.13 and later 5D002 ASFApache Santuario

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK