On Tue, 2014-01-07 at 21:09 +0000, Karanbir Singh wrote:
With great excitement I'd like to announce that we are joining the Red Hat family. The CentOS Project ( http://www.centos.org ) is joining forces with Red Hat. Working as part of the Open Source and Standards team ( http://community.redhat.com/ ) to foster rapid innovation beyond the platform into the next generation of emerging technologies. Working alongside the Fedora and RHEL ecosystems, we hope to further expand on the community offerings by providing a platform that is easily consumed, by other projects to promote their code while we maintain the established base.
But there is more to Red Hat's de facto "take-over" including the imposition of USA's domestic law on citizens all around the world.
The compulsory imposition of USA law on all Centos downloaders creates the possibility of being arrested in one's home country and sent to the USA for a criminal trial. A few people in Britain have been extradited to the USA for criminal trials for matters which are not criminal in Britain.
Can anyone remember seeing this on the old Centos .... ?
Export Regulations
By downloading CentOS software, you acknowledge that you understand all of the following: CentOS software and technical information may be subject to the U.S. Export Administration Regulations (the “EAR”) and other U.S. and foreign laws and may not be exported, re-exported or transferred (a) to any country listed in Country Group E:1 in Supplement No. 1 to part 740 of the EAR (currently, Cuba, Iran, North Korea, Sudan & Syria); (b) to any prohibited destination or to any end user who has been prohibited from participating in U.S. export transactions by any federal agency of the U.S. government; or (c) for use in connection with the design, development or production of nuclear, chemical or biological weapons, or rocket systems, space launch vehicles, or sounding rockets, or unmanned air vehicle systems. You may not download CentOS software or technical information if you are located in one of these countries or otherwise subject to these restrictions. You may not provide CentOS software or technical information to individuals or entities located in one of these countries or otherwise subject to these restrictions. You are also responsible for compliance with foreign law requirements applicable to the import, export and use of CentOS software and technical information.
This is a Community mantained site. Red Hat, Inc is not responsible for its content.
--------------------------------------
On Wed, Jan 08, 2014 at 01:04:29AM +0000, Always Learning wrote:
The compulsory imposition of USA law on all Centos downloaders creates the possibility of being arrested in one's home country and sent to the
[...]
Can anyone remember seeing this on the old Centos .... ?
By downloading CentOS software, you acknowledge that you understand all of the following: CentOS software and technical information may be subject to the U.S. Export Administration Regulations (the ???EAR???) and
Whether this was there, before, is irrelevant. If the software was subject to EAR then it was subject to it regardless of a web page stating it.
On Tue, 2014-01-07 at 20:14 -0500, Stephen Harris wrote:
If the software was subject to EAR then it was subject to it regardless of a web page stating it.
[EAR = USA's Export Administration Regulations]
How would a mere downloader from a mirror, or a purchaser of a Centos disk or even a beneficiary of a free Centos disk at a Centos event beware of USA law restrictions and understand the full legal implications of USA law ?
Its reminiscent of the PGP farce from nearly 20? years ago.
With Google slowly removing, or not updating, the open source bits of Android and replacing them by closed sources, will the same commercial strategy emerge from Red Hat into Centos ?
On 07/01/14 08:27 PM, Always Learning wrote:
On Tue, 2014-01-07 at 20:14 -0500, Stephen Harris wrote:
If the software was subject to EAR then it was subject to it regardless of a web page stating it.
[EAR = USA's Export Administration Regulations]
How would a mere downloader from a mirror, or a purchaser of a Centos disk or even a beneficiary of a free Centos disk at a Centos event beware of USA law restrictions and understand the full legal implications of USA law ?
Its reminiscent of the PGP farce from nearly 20? years ago.
With Google slowly removing, or not updating, the open source bits of Android and replacing them by closed sources, will the same commercial strategy emerge from Red Hat into Centos ?
RH has a long history of being a benevolent supporter of 3rd party projects under their umbrella. Look at Fedora, Gluster, KVM, etc.
What RH did was guarantee the long term health and sustainability of the CentOS community. They've provided that same community access to tremendous resources, both technical and human, to grow and maintain the project.
Red Hat's benefit is that they help grow the community of EL users. A very many paid RHEL users got their start with CentOS. They've given CentOS instant corporate credibility that will help grow that "incubator" user base even further, increasing the pool of users who might one day grow into needing commercial support. They're building the foundation for their future customer base.
I am very confident that this will prove to be a very good thing for both CentOS and RH.
On Wed, Jan 08, 2014 at 01:27:49AM +0000, Always Learning wrote:
On Tue, 2014-01-07 at 20:14 -0500, Stephen Harris wrote:
If the software was subject to EAR then it was subject to it regardless of a web page stating it.
[EAR = USA's Export Administration Regulations]
How would a mere downloader from a mirror, or a purchaser of a Centos disk or even a beneficiary of a free Centos disk at a Centos event beware of USA law restrictions and understand the full legal implications of USA law ?
You're missing the point.
This is not RedHat causing "[t]he compulsory imposition of USA law on all Centos downloaders" (your words); that imposition _already existed_ regardless of a web page telling you. The difference, now is that you're told about it (presumably standard RedHat legal boiler template 'cos RH lawyers believe it adds some protection to _them_ - and thus the CentOS board - by having it there).
The legal situation for downloaders _has not changed_ by the presence of that section on the web site (and the page has even less importance considering you can download the DVDs without even having to see that page; it's not an agreement you sign or click through).
Its reminiscent of the PGP farce from nearly 20? years ago.
It's the same farce.
On 01/07/2014 08:38 PM, Stephen Harris wrote:
On Wed, Jan 08, 2014 at 01:27:49AM +0000, Always Learning wrote:
On Tue, 2014-01-07 at 20:14 -0500, Stephen Harris wrote:
If the software was subject to EAR then it was subject to it regardless of a web page stating it.
[EAR = USA's Export Administration Regulations]
How would a mere downloader from a mirror, or a purchaser of a Centos disk or even a beneficiary of a free Centos disk at a Centos event beware of USA law restrictions and understand the full legal implications of USA law ?
You're missing the point.
This is not RedHat causing "[t]he compulsory imposition of USA law on all Centos downloaders" (your words); that imposition _already existed_ regardless of a web page telling you. The difference, now is that you're told about it (presumably standard RedHat legal boiler template 'cos RH lawyers believe it adds some protection to _them_ - and thus the CentOS board - by having it there).
The legal situation for downloaders _has not changed_ by the presence of that section on the web site (and the page has even less importance considering you can download the DVDs without even having to see that page; it's not an agreement you sign or click through).
Its reminiscent of the PGP farce from nearly 20? years ago.
It's the same farce.
No. That was ITAR, and no farce. ITAR is very proscriptive, and only the loophole on printed algorithms allowed PGPv3 to be shipped out legally. It took us some time, but we finally weakened ITAR. I remember well, as I was running the IPsec international interoperablity work back then and had a major hand in showing the non-enforceablity of ITAR wrt cryptography as munitions.
On 08-01-2014 3:04, Always Learning wrote:
On Tue, 2014-01-07 at 21:09 +0000, Karanbir Singh wrote:
With great excitement I'd like to announce that we are joining the Red Hat family. The CentOS Project ( http://www.centos.org ) is joining forces with Red Hat. Working as part of the Open Source and Standards team ( http://community.redhat.com/ ) to foster rapid innovation beyond the platform into the next generation of emerging technologies. Working alongside the Fedora and RHEL ecosystems, we hope to further expand on the community offerings by providing a platform that is easily consumed, by other projects to promote their code while we maintain the established base.
But there is more to Red Hat's de facto "take-over" including the imposition of USA's domestic law on citizens all around the world.
The compulsory imposition of USA law on all Centos downloaders creates the possibility of being arrested in one's home country and sent to the USA for a criminal trial. A few people in Britain have been extradited to the USA for criminal trials for matters which are not criminal in Britain.
Can anyone remember seeing this on the old Centos .... ?
Export Regulations
By downloading CentOS software, you acknowledge that you understand all of the following: CentOS software and technical information may be subject to the U.S. Export Administration Regulations (the “EAR”) and other U.S. and foreign laws and may not be exported, re-exported or transferred (a) to any country listed in Country Group E:1 in Supplement No. 1 to part 740 of the EAR (currently, Cuba, Iran, North Korea, Sudan & Syria); (b) to any prohibited destination or to any end user who has been prohibited from participating in U.S. export transactions by any federal agency of the U.S. government; or (c) for use in connection with the design, development or production of nuclear, chemical or biological weapons, or rocket systems, space launch vehicles, or sounding rockets, or unmanned air vehicle systems. You may not download CentOS software or technical information if you are located in one of these countries or otherwise subject to these restrictions. You may not provide CentOS software or technical information to individuals or entities located in one of these countries or otherwise subject to these restrictions. You are also responsible for compliance with foreign law requirements applicable to the import, export and use of CentOS software and technical information.
This is a Community mantained site. Red Hat, Inc is not responsible for its content.
Apparently nto all is well with the take-over. Here is an example. Should I stop mirroring CentOS in the fear of being arrested next time a I visit the US on vacation?
--- Hi,
We are mirroring centos in Iran.
IP: 94.182.146.125
Protocols: http
Location: Asia / Iran / Tehran
Bandwidth: 1 Gbps
Version: All
Architecture: All
Direct DVD Download: Yes
Organisation: http://iransamaneh.com (Web application development and web hosting)
Email: admin@iranmirror.ir
Thanks
XX XXXX
On 01/13/2014 09:14 AM, Andreas Kasenides wrote:
Apparently nto all is well with the take-over. Here is an example. Should I stop mirroring CentOS in the fear of being arrested next time a I visit the US on vacation?
I dont understand your question or statement, what are you saying here ? Can you say the same thing, but a bit in a more verbose manner ?
Am 17.01.2014 um 01:18 schrieb Karanbir Singh mail-lists@karan.org:
On 01/13/2014 09:14 AM, Andreas Kasenides wrote:
Apparently nto all is well with the take-over. Here is an example. Should I stop mirroring CentOS in the fear of being arrested next time a I visit the US on vacation?
I dont understand your question or statement, what are you saying here ? Can you say the same thing, but a bit in a more verbose manner ?
I think he refers to:
"You may not provide CentOS software or technical information to individuals or entities located in one of these countries or otherwise subject to these restrictions.“
He fears that he’s held responsible if someone from Iran uses e.g. his mirror to download the stuff.
Maybe thinking of this incident: http://www.huffingtonpost.com/2012/06/19/apple-store-refuses-to-sell-ipad-to...
Though the ban on iPhones seems to have been lifted, actually:
http://appleinsider.com/articles/13/08/27/apple-to-start-sales-of-devices-go...
Can you check with „your“ legal department if Open Source operating systems are still not allowed to be exported to „certain" countries?
I really hope someone at the treasury department gets the irony of not allowing a „free“ operating system being exported from a „free“ country to an „unfree“ country….
If I recall this was about a CentOS mirror in Iran and the new export restrictions prohibit that.
Joe
On Fri, 2014-01-17 at 00:18 +0000, Karanbir Singh wrote:
On 01/13/2014 09:14 AM, Andreas Kasenides wrote:
Apparently nto all is well with the take-over. Here is an example. Should I stop mirroring CentOS in the fear of being arrested next time a I visit the US on vacation?
I dont understand your question or statement, what are you saying here ? Can you say the same thing, but a bit in a more verbose manner ?
On Thu, Jan 16, 2014 at 10:00:39PM -0500, Joseph Godino wrote:
If I recall this was about a CentOS mirror in Iran and the new export restrictions prohibit that.
There are no *new* export restrictions. You're just now aware of them. It's the US gubmint that puts those restrictions, not RedHat, and they've always applied to CentOS.
I say "new" because the original email referred to what I believe was about an existing CentOS mirror in Iran. This prompted me to look at the CentOS website and I found the export restrictions to which the email was referring. Then I looked at the Fedora project website and found the same restrictions. I don't know much about open source export restrictions. I know they must exist for proprietary software developed in the United States. I was merely pointing out what the the email stating and what it was referring to. Please retract the word new.
Joe
On Thu, 2014-01-16 at 22:12 -0500, Stephen Harris wrote:
On Thu, Jan 16, 2014 at 10:00:39PM -0500, Joseph Godino wrote:
If I recall this was about a CentOS mirror in Iran and the new export restrictions prohibit that.
There are no *new* export restrictions. You're just now aware of them. It's the US gubmint that puts those restrictions, not RedHat, and they've always applied to CentOS.
On Thu, Jan 16, 2014 at 10:29:09PM -0500, Joseph Godino wrote:
stating and what it was referring to. Please retract the word new.
That's the point though. If "you" (for generic values of "you") export code under US legal restriction from the US then you're in breach of US regulations. Whether you know about it or not.
Fun, huh?
If "you" run a mirror then you get to determine your legal risk and whether you should keep the mirror. The CentOS team are not lawyers; they can't tell you.
It's a fun legal question as to who does the export; the person making available for export on a web site or the person downloading from that website. As far as I know it's not really settled. In my opinion the RedHat wording is a prayer hoping that'll cover them :-) But I'm not a lawyer, either!
If you're really concerned then consult a lawyer.
(This actually applies to _any_ downloader, not just people who mirror).
On 01/16/2014 10:45 PM, Stephen Harris wrote:
On Thu, Jan 16, 2014 at 10:29:09PM -0500, Joseph Godino wrote:
stating and what it was referring to. Please retract the word new.
That's the point though. If "you" (for generic values of "you") export code under US legal restriction from the US then you're in breach of US regulations. Whether you know about it or not.
Fun, huh?
If "you" run a mirror then you get to determine your legal risk and whether you should keep the mirror. The CentOS team are not lawyers; they can't tell you.
It's a fun legal question as to who does the export; the person making available for export on a web site or the person downloading from that website. As far as I know it's not really settled. In my opinion the RedHat wording is a prayer hoping that'll cover them :-) But I'm not a lawyer, either!
At one point a major unix manufacturer tried to get around this by having the crypto code written in another country by citizens of that country. They got shut down as re-exporting. In the end, they had to ship broken software that required customers to optain the critical code from this other country. This was part of our action to show how unenforceable ITAR was wrt cryptography as munitions. Some likened it to shipping guns without firing pins or ammo; which were readily available from other sources.
But at any point, someone in State can decide someone's actions violate the law and go after them. Ask Phil Zimmerman...
On 08.01.2014 01:04, Always Learning wrote:
On Tue, 2014-01-07 at 21:09 +0000, Karanbir Singh wrote:
With great excitement I'd like to announce that we are joining the Red Hat family. The CentOS Project ( http://www.centos.org ) is joining forces with Red Hat. Working as part of the Open Source and Standards team ( http://community.redhat.com/ ) to foster rapid innovation beyond the platform into the next generation of emerging technologies. Working alongside the Fedora and RHEL ecosystems, we hope to further expand on the community offerings by providing a platform that is easily consumed, by other projects to promote their code while we maintain the established base.
But there is more to Red Hat's de facto "take-over" including the imposition of USA's domestic law on citizens all around the world.
The compulsory imposition of USA law on all Centos downloaders creates the possibility of being arrested in one's home country and sent to the USA for a criminal trial. A few people in Britain have been extradited to the USA for criminal trials for matters which are not criminal in Britain.
Can anyone remember seeing this on the old Centos .... ?
These restrictions were always inherited. Theoretically if you use cryptographic software developed in USA you are "bound" to these rules. In many cases if you use for example OpenSSL in Windows, Ubuntu, Android etc etc you are still affected (I think), it's just that now it's written somewhere. In practice this is not very relevant and also pretty unenforceable; not to mention that - to my understanding - it contradicts the GPL. RH needs to specify this legal bit so uncle Sam is happy. Just do whatever everyone else does, ignore it.
On 01/16/2014 09:14 PM, Nux! wrote:
On 08.01.2014 01:04, Always Learning wrote:
On Tue, 2014-01-07 at 21:09 +0000, Karanbir Singh wrote:
With great excitement I'd like to announce that we are joining the Red Hat family. The CentOS Project ( http://www.centos.org ) is joining forces with Red Hat. Working as part of the Open Source and Standards team ( http://community.redhat.com/ ) to foster rapid innovation beyond the platform into the next generation of emerging technologies. Working alongside the Fedora and RHEL ecosystems, we hope to further expand on the community offerings by providing a platform that is easily consumed, by other projects to promote their code while we maintain the established base.
But there is more to Red Hat's de facto "take-over" including the imposition of USA's domestic law on citizens all around the world.
The compulsory imposition of USA law on all Centos downloaders creates the possibility of being arrested in one's home country and sent to the USA for a criminal trial. A few people in Britain have been extradited to the USA for criminal trials for matters which are not criminal in Britain.
Can anyone remember seeing this on the old Centos .... ?
These restrictions were always inherited. Theoretically if you use cryptographic software developed in USA you are "bound" to these rules. In many cases if you use for example OpenSSL in Windows, Ubuntu, Android etc etc you are still affected (I think), it's just that now it's written somewhere. In practice this is not very relevant and also pretty unenforceable; not to mention that - to my understanding - it contradicts the GPL. RH needs to specify this legal bit so uncle Sam is happy. Just do whatever everyone else does, ignore it.
ITAR is a 1947 treaty the binds all signatures to treat cryptographic 'artifacts' as munitions and abide by the export restrictions that exist for all munitions. Period. Full stop.
This includes Crackerjacks (tm) encoder rings that I played with as a kid! Really! Someone in the US State department figured this out.
The only exception in the treaty is cryptographic academic papers (how we got pgpv3 exported, in book form); but even this got challenged because of the pgp export.
And like all treaty provisions regarding munitions export, they are open to interpretaton and enforcement. I leave the rest of the logic, or lack thereof to you.
(I lived this very closely back in the late '90s. I could, and have, tell you stories of the conversations back then)
On Fri, 2014-01-17 at 08:04 -0500, Robert Moskowitz wrote:
The only exception in the treaty is cryptographic academic papers (how we got pgpv3 exported, in book form); but even this got challenged because of the pgp export.
Still have the sources and Windoze binaries from PGP 2. Those were the days :-)
On Fri, 2014-01-17 at 08:04 -0500, Robert Moskowitz wrote:
The only exception in the treaty is cryptographic academic papers (how we got pgpv3 exported, in book form); but even this got challenged because of the pgp export.
I really mean ....
Still have the sources and M$ DOS binaries from PGP 2. Those were the days :-)
-
Always Learning -
Andreas Kasenides -
Digimer -
Joseph Godino -
Karanbir Singh -
Nux! -
Rainer Duffner -
Robert Moskowitz -
Stephen Harris