  2. 7

    I don’t think that a single unified free-software community actually exists in a meaningful way, and would avoid using the language of “community” when talking about developers who produce free software. Free software is an ethical principle and a practical approach to software use and development that anyone can in principle adapt. This includes different people who detest each other for reasons that have nothing to do with software, like being on opposite sides of a shooting war.

    Incidentally, I don’t view this as a repudiation of Barlow’s Declaration of the Independence of Cyberspace. I’m pretty aligned with the sentiment expressed in that manifesto, but I don’t think it’s reasonable to expect (nor was it reasonable to expect this in 1996) that an internet-based social space will be free of conflict, including conflict between people based on demographic characteristics. Programmers can build systems that work around the censorship laws of states, and still consider particular individuals or groups to be enemies whose goals they wish to thwart.

    Getting into the specific incidents mentioned here:

    > Recently, though, our community has been lightly touched in a couple of ways. The ipmitool repository at GitHub was locked, and its maintainer denied access, as a result of his status as an employee of the sanctioned Russian firm Yadro.

    This is easy to work around - don’t use GitHub. GitHub is non-free software controlled by an American corporation subject to American law. They’ve deplatformed people before, they’ll surely do it again, there are plenty of alternatives, ideally free software developers wouldn’t be relying on one corporation’s non-free infrastructure, war or no war.

    > And, in the kernel community, a developer with the Russian firm Baikal Electronics was told by a networking maintainer that “We don’t feel comfortable accepting patches from or relating to hardware produced by your organization”.

    Free software doesn’t oblige any particular maintainer to accept a patch from any particular person or organization. This is not really different from a situation where the developer associated with a Russian company was accused of violating a project code of conduct (or for that matter, a situation where a bunch of kernel devs simply personally dislike the guy and don’t want to work with him). Baikal Electronics can use and fork the Linux kernel under the same terms that I can.

    Personally, if I used a piece of hardware that the developers of some free-software project refused to support for political reasons, I’d be pretty upset, and it might induce me to try switching to a competing free-software project that does provide that support (or make my own competitor) - all of which is entirely consistent with the ethos of free software. In this case, the argument from the developer is that other than Baikal Electronics themselves and their Russian military clients, no one is actually using the hardware and will complain if support for it is kept out of the kernel. If this turns out not to be the case, those users can simply add their own patch, just as anyone might do this to the Linux kernel for any number of reasons.

    1. 3

      I assumed that, since this was LWN and it was talking about LKML, the community in question was the Linux kernel community, rather than anything broader. There are a lot of F/OSS communities, with some roughly overlapping agendas.

      > This is easy to work around - don’t use GitHub. GitHub is non-free software controlled by an American corporation subject to American law

      Avoiding GitHub is not always sufficient. Even without sanctions, the US government prohibited exporting strong crypto for a long time (this is a big part of why OpenBSD is hosted in Canada), which meant that you couldn’t use any US-based host if you included this technology. With the addition of GPUs to the controlled export list, I wouldn’t be surprised if some machine-learning tools end up with similar export restrictions. You have a choice here of either not allowing contributions from the US or not allowing downloads from out of the US. Eventually the export restrictions on crypto were weakened to allow export to any country that wasn’t embargoed (e.g. no Iran). I think there are also some special exemptions for open source, but I can’t remember exactly what.

      The crypto laws were particularly silly because they covered things like key length. You could export an RSA library that did 64-bit RSA, where the key length was controlled by a #define and then someone outside the USA could change that #define and turn it into something that would not be allowed to be exported from the US.

      If anything, using something like GitHub makes you safer if you live in (or visit) the US, because they will comply with the export laws. If you host your own server then you may find that you’re violating arms embargoes, which can come with a prison sentence.

      Moving to another country doesn’t eliminate the problem, it just gives you different ones. Potential contributors may not be able to submit code because their country doesn’t like yours, or your country may also impose export restrictions. Just because a country has friendly laws now doesn’t mean that they will continue to. The US and China both exert a lot of pressure on companies within their respective spheres and if a country gets a reputation for doing things that their closest superpower doesn’t like then they’ll probably be pressured to change them.

      1. 1

        > I assumed that, since this was LWN and it was talking about LKML, the community in question was the Linux kernel community, rather than anything broader.

        IMHO LWN is not wrong to speak of the Linux kernel community as one community, but even this one community doesn’t exist in a vacuum – it’s at the intersection of many overlapping other communities (in the loose sense of the word, as some of them are really just loose associations of companies).

        Telecom vendors, cloud vendors, OEM manufacturers, and like it or not, government – and not just the US federal government – agencies, and the weapon manufacturers, all participate in the development of the kernel, but generally not across the board. If you squint a little, you can see not just their preferences in terms of hardware design and supply chain, but also their internal management quirks, and also their wider biases and interests, not all of which align.

        I suspect at some point – I’m not even sure when – even the people who’d realized this at some point forgot about it. There’s a certain expectation that, barring glaring quality issues (according to each project’s standards, of course :-P) or design/architecture mismatches, contributions – especially from commercial vendors – can’t get rejected. Between some FOSS projects being cross-vendor projects in the first place and popularity envy from “independent” FOSS projects, the idea that someone would reject a patch became unentertainable.

    2. 4

      I’ve been asking myself a closely related question since about last summer: I’m French, and I wrote and published a cryptographic library. The question is, am I even allowed to?

      > L’utilisation d’un moyen de cryptologie est libre. Il n’y a aucune démarche à accomplir. En revanche, la fourniture, l’importation, le transfert intracommunautaire et l’exportation d’un moyen de cryptologie sont soumis, sauf exception, à déclaration ou à demande d’autorisation. Ces démarches incombent au fournisseur du moyen de cryptologie et sont à accomplir auprès de l’ANSSI.

      Here’s the best translation I could come up with (legalese is not trivial to translate):

      > The use of cryptography is free. There is no special procedure to follow. However, the supply, importation, intra-communal transfer, and exportation of cryptography, must be (except in specific cases) declared or authorised beforehand. It is on the cryptography provider to follow those procedures with the ISSNA (Information Systems Security National Agency).

      The gist of it is, I can’t export my cryptographic library without first declaring it, or even asking the relevant authority to pretty please let me do it. Unless of course it is one of those special cases, but I haven’t found one that matches my case. They don’t seem to make an exception for Free Software, and though they may make an exception for standards, some of the primitives I ship are either slight deviations from existing standards (RFC 8439 authenticated encryption, except I use an extended nonce), or not standard at all (Elligator is not part of any standard I know).

      To date, I am not aware of any legal trouble headed my way.

      1. 3

        I wonder how much of Barlow’s and the cyberpunk’s optimism was a product of the quite recent end of the Cold War. It would have been more difficult to advocate for a system free of government control when the society in which they worked was locked in a life and death struggle[1] with an ideological adversary. “Let’s give the Russkies unbreakable encryption” would probably have landed some people in jail.

        Worth noting is that Stoll’s The Cuckoo’s Egg is set a few years earlier and the intruders to the Berkeley systems were German teens directed by the KGB. Part of that book’s success was that it tied into the theme of technothrillers popular at the time.

        [1] you could say that with a straight face then.

        1. 2

          In the very early days of the internet, before the fall of the USSR, either my father or one of his colleagues had an export restricted encryption algorithm in his email signature. No one was dragged off to prison.

          1. 2

            While he wasn’t dragged off to prison, the government’s pursuit of a case against him using cold war-era laws in the early 1990s did cause significant expense and lost time for Phil Zimmermann. They eventually dropped the case, but only, as I recall, due to the Clinton administration’s ongoing weakening of the restrictions in the interest of fostering electronic payment processing over the internet.

            I do also recall projects that would not accept contributions from US nationals for anything even adjacent to cryptography. The fear of US government interference was real, and reasonable, even if “dragged off to prison” would maybe have been a hyperbolic overstatement of the fear.

            I think it’s absolutely fair to say that the US government’s softening on the matter had a lot more to do with the desire to enable international commerce than it did with any reduced fear of cryptography.

          2. 1

            First time I’ve ever heard cyberpunk described as “optimistic”, but I don’t know Barlow’s writings that well. All the stuff I’ve read that I’d describe as cyberpunk has depicted a system utterly locked down by big corporations and governments engaged in their own power struggles, and is mostly about the few people who are willing/able to work between the cracks of Big Brother.

            We’re pretty well on track for that future, so.

            1. 2

              I mixed up my punks. I guess Barlow was more adjacent to the people calling themselves “cypherpunks” (note that at that time the SFnal literary genre “cyberpunk” had already curdled into a cliche, so it was natural to apply the -punk suffix to all manner of techy stuff).

              A better term would be “cyber-libertarianism”.

              In Gibson’s Neuromancer, the Soviet Union is still around, having survived a US war launched against it using the precursors to the novel’s cyberspace technology. Not only does that war fail, it seems to have broken the US political system, allowing corporations to take over.

              1. 3

                Oh, yeah, that makes a lot more sense.

                IMO lots of anything-libertarianism is optimistic about the chances that individuals have against organized groups of people that have something to gain by pushing them around. There’s alllll sorts of historical examples to be had there.

            2. 1

              > Worth noting is that Stoll’s The Cuckoo’s Egg is set a few years earlier and the intruders to the Berkeley systems were German teens directed by the KGB. Part of that book’s success was that it tied into the theme of technothrillers popular at the time.

              Has there been a significant anniversary related to The Cuckoo’s Egg recently? I feel like it’s getting a lot more attention over the past few weeks. If you enjoy that kind of thing, The Malicious Life podcast (part 1 and part 2) covered the Berkeley hack (along with Stoll’s role in solving the mystery) very nicely, with quite a few details that I either had forgotten or not ever heard.