[OSGeo-Discuss] Re: on Google Code and export restrictions

Frank Warmerdam warmerdam at pobox.com
Thu Jun 5 17:02:49 EDT 2008 

Marco,

I'll try to address these questions, but understand that OSGeo has not
yet had our board meeting where we hope to discuss this, and we have
not as an organization made any policy decision.

Marco Tuckner wrote:
> Here my questions:
> 1) Why do you intend to follow the US governmental export rules and
> restrictions?

OSGeo is registered as a corporation in the USA and is bound by law to
follow US laws on export, etc.

> 2) How to you want to track any misuse (e.g. mirroring of OSGEO download
> servers)?

I have not seen any evidence that OSGeo is obligated to track misuse
or block OSGeo download servers based on automated identification of
who a downloader is, or where they might come from.

> 3) If you are really serious with that, how to you intend to maintain the
> attractiveness of OSGEO to people from outside US?
>     => Why should someone from Europe, Brazil, China, Sudan, etc. contribute
>     to any OSGEO project if he/she cannot control/guarantee the freedom of that
>      code?

First, it should be noted that many nations have treaty obligations
under the Wassenaar Arrangement (http://www.wassenaar.org) to avoid
export of "dual use military products" such as cryptography to target
states.  These nations include most of Western Europe, Russia, Japan,
Korea, etc

   http://www.wassenaar.org/participants/index.html

While some other nations many not be as organized in enforcing these
rules, they still apply.  If we find these issues sufficiently serious
we could attempt to reincorporate in a nation (like Switzerland)
that deliberately avoids entanglements in international treaties.

I think OSGeo can remain attractive to people from outside the US because
the rules on the export of cryptography have relatively little actual
impact.  For instance, OpenSSL based products are exempt from restrictions
in the USA as long as they are registered with the appropriate authorities.

I would note that other software distributed by US based organizations,
such as the various Apache project software remains interesting, and
have good participation from outside the US.

I would encourage reading of:

   http://www.apache.org/licenses/exports/
   http://www.apache.org/dev/crypto.html

for some good background on how Apache handles things.

> For instance I percived gvSIG to be an Spanish/European product.
> Europeans maintain good relations with countries where US-americans do not go.
> If, for instance the Spanish government decides to help the Cuban people in a
> sanitation project and use gvSIG, will they get punished using their
> own software?

OSGeo has no role in interfering in such an arrangement.  But I think we
would require that no OSGeo officer (acting on behalf of OSGeo) initiate
an export of a controlled product contrary to US law.  That might mean,
for instance, that OSGeo would not be able to have an official association
with a particular initiative involving deliverying gvSIG to Cuba.  But
that would not interfere with the cooperation occuring.

I would add that I'm not exactly clear on the US export rules with regard
to Cuba.

> I am at the momemnt in the decicion taking phase whether or not to use QGIS,
> GRASS, gvSIG for projects in my company.
> If I cannot send these programs out to my clients anywhere in the world then
> they are just useless for that purpose.

First, let me say that OSGeo has no way, nor desire to prevent you from
redistributing OSGeo software.  In the Apache case they seem to publish a
sort of "terms of use" document (not part of the software license) that
declares that their products are exported from the US and that users are
expected to investigate their legal obligations under the various export
laws, and comply with them and that Apache does not accept any responsibility.
I anticipate we will follow a simple model to Apache.

> So taking an official statement is really important. Please think twice here
> before opting for the US understanding of freedome and security
> (Saying that some days after the US announced they gonna implement
> even more strict visa rules on European flight passengers.)

I would prefer to keep this focused on our concrete responsibilities
and the actual impact on the distribution of OSGeo software rather than
on whether or not we like the aspects of US policy.  (Though feel free
to ask me for some *personal opinions* at a pub over a pint one day!)

I would add, it will likely be hard (and perhaps even self defeating)
to make a particularly definative declaration on our export control
approach.  It is essentially impossible for us to understand all the
export law from the US and other nations OSGeo has involvement in.  I
think it is better for us to follow established practice in other well
managed projects (like Apache), and to avoid taking on any restrictions
that we aren't clearly mandated to adopt.  For instance, I suspect that
the Google Code problem is due to an "excess of caution" on Google's
part.

PS. I would note that download.osgeo.org supports mirroring using rsync.
I would encourage local chapters or individuals with their own servers
to consider mirroring the download server for the sake of fast local
access, and to ensure no one can take anything away.  See:

   http://wiki.osgeo.org/wiki/Download_Server

I would be interested in listing such mirrors in a README at the top of
the site.

Best regards,
-- 
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | President OSGeo, http://osgeo.org

More information about the Discuss mailing list