Authoritative interpretation GitHub, Apache Supremacy: What if mainstream open-source software is closed source? | CSDN Exclusive

Disclaimer: This article is the blogger's original work and may not be reproduced without the blogger's permission. https://blog.csdn.net/csdnnews/article/details/90444719

Author | Wu Xingling

Editor | TANG lead

Produced by | CSDN (ID: CSDNnews)

In recent days, because the US Bureau of Industry and Security (BIS) placed Huawei on its export-control "Entity List", Google will stop cooperating with Huawei on hardware, software and technology. Huawei can still use the "open source" parts of the Android system, but Google's own closed-source Google Mobile Services, along with technical support and other services, will no longer be available, and this has drawn wide attention. At the same time, more people have noticed that the Apache Foundation and GitHub also appear to be subject to US export control laws and regulations. This has left many developers fearful and thoughtful: if one day the United States gives the order to "control" them, will we Chinese companies and programmers be left in a difficult position?

So some have suggested that Chinese developers should not host their code in foreign code repositories, and that for safety the code should quickly be moved back to our own code repositories.

The reasoning sounds plausible, but is it really the case, as many say, that "GitHub is American, so the code on it is subject to US control"? Is the solution really to close the door and shut GitHub out?

On this, CSDN (ID: CSDNnews) interviewed Liu Jun Li Peng, Vice Chairman and Secretary-General of the Chinese OSS Promotion Union, and Lin Cheng Xia, of an intellectual property firm and an open source community legal advisory committee, to help dispel the misunderstandings.

Will mainstream open-source software become closed source?

On the copyright of open source software, Liu Peng explained that what we usually call copyright is Copyright, but free software has copyleft (Copyleft), a license that uses the existing copyright system to protect the freedom of all users and secondary developers. It means the software gives up a large part of its commercial rights and is shared, open and free.

Many people worry: "Open-source hardware, software and system tools have become mainstream in our lives and in business development; will we face difficulties if they suddenly go closed source?"

Lin Cheng Xia said bluntly: no. Unless the relevant content of the US Export Administration Regulations (EAR) is heavily revised, such a scenario will not happen.

The main targets of US export control regulations are in fact patented technologies, or hardware products built on patented technologies, such as chips or embedded software patent items. The direct impact on software copyright is smaller. Controls on software copyright are possible under some interpretations, but for open-source software, reading EAR 15 CFR § 734.3(b) and 15 CFR § 734.7 together: "Technology or software that is already accessible to the general public, with no limits on its further dissemination (when it has been made available to the public without restrictions upon its further dissemination), is not subject to control under the EAR."

Software that involves encryption technology, even open-source software, must still have its encryption technology recognized by the US Bureau of Industry and Security (BIS) as "publicly available" before it is fully released from EAR constraints. However, this is not the same as saying that open source software must be reviewed and approved by BIS when it is exported.

In practice, the exporter sends a notification to BIS and the US National Security Agency (NSA) for their records, so that the two agencies understand that although the exported software involves encryption and decryption, its encryption technology does meet the "publicly available" standard of EAR 15 CFR § 742.15(b).

So, according to a Reuters report, Google can no longer provide Google Apps to Huawei. This is because these apps are not open source software and cannot meet the EAR condition of being "accessible to the public, with no limits on further dissemination", so the US government may well one day stop their export to Huawei. By comparison, the Android Open Source Project is not on the list of restricted exports, mainly because AOSP is released under a "publicly available" open source model.

We have to understand that the EAR regulates export behavior, and this is not necessarily related to who holds the copyright in a piece of software.

The definition of "export", as interpreted by the US Bureau of Industry and Security (BIS), includes:

  1. Any act of shipping items out of the United States;
  2. Any act of sending items out of the United States by electronic transmission;
  3. Any act of passing technology to a non-US citizen inside the United States.

So, if an open source project is developed through international cooperation, and US-based vendors only provide commercial support services for it, export may not be involved, because in other countries there may be other, non-US vendors that obtain the open source software directly from the source and deliver these commercial services.

It should be understood that, in principle, an open source project built through international cooperation and downloadable from the public network raises few questions under the EAR. However, companies such as Red Hat or Google in fact provide the basic version of an open source project on the public network, and offer "open source project + additional elements" under commercial arrangements.

For example, Red Hat's Fedora distro is the open-source base version, and the Red Hat distro is a value-added version built on Fedora; the Android Open Source Project is the open-source base version, to which Google Apps are added as additional components. These "additional non-open-source components" are more likely to be regulated under the EAR. In other words, if the content of the open source project and the commercial product were exactly the same, there would in theory be less doubt about EAR export controls.

Do controls differ between foundations?

Lin Cheng Xia said that the difference is in fact large. If a foundation is established in the United States, its software releases may naturally be interpreted as falling within the definition of export. So the major foundations publish a statement reminding those who use the released open source software, even though US export control regulations in principle do not strictly control open source software.

However, there is still room for interpretation in the exceptions to this EAR principle; the requirement to file a notification for encryption and decryption technology is one example. The purpose of a foundation's notice is to tell users that where export control applies to software exported from the United States, it remains in force, and the publisher must take the initiative to declare to BIS and NSA whether the EAR requirements are met, to be decided case by case at their discretion.

China will not enter the "blacklist"

Liu Peng said that the original development code on GitHub is not regulated, but because the code of the Enterprise edition (GitHub Enterprise Server) is private, it is regulated.

The GitHub Enterprise Server agreement states: "may not be sold, exported or re-exported to any country listed in Country Group E:1 in the supplement to Part 740 of the EAR, or to the Crimea region of Ukraine. The list currently includes Cuba, Iran, North Korea, Sudan and Syria, but it may change."

Many Chinese developers worry about whether China will be added to the "blacklist". Liu Peng said that China is an economic power, and blacklisting China would undermine the global economic order.

Lin Cheng Xia also said that the possibility is very low. The countries on the above list have had, or may have, armed conflict with the United States, so for them the US applies its strictest export control standards. Applying such standards to China would mean direct conflict with the world's second-largest market economy, with far-reaching consequences. Therefore, Lin Cheng Xia thinks that such control lists will not designate the country or region, but may designate specific companies and business entities.

Also, regarding the claim that "anything involving encryption and decryption will be regulated", Lin Cheng Xia further explained that, under EAR 15 CFR § 742.15, encryption items are in principle highly regulated by the EAR. Because such items are used to hide the content of information, they could be used by foreign persons to harm US national security, foreign policy and other legally protected interests.

So software containing encryption technology can be used to build encryption items. This is why, although open-source software is in principle not under EAR control, open-source software that involves encryption technology, even publicly available encryption technology, is still required to file a notification for the record.

For example, the OpenSSL project is an open-source software library that applications can use to secure communications and prevent eavesdropping. In other words, the software helps users encrypt communications, mainly by implementing the SSL and TLS encrypted communication protocols. For software that uses OpenSSL code, by past practice the EAR still requires the exporter to take the initiative to send a notification to BIS and NSA so that the two agencies obtain the relevant information.

Chinese developers' originality is weak

After the "regulated" news came out, some developers began saying "give up GitHub and migrate the code to domestic code repositories". Liu Peng said bluntly that this is not advisable.

He said that our biggest problem is insufficient originality. If we flee GitHub and migrate our code back to domestic code repositories, doesn't that become "closed source"? It would affect our developers' innovation.

Liu Peng said that China does in fact have some outstanding original projects, such as the TiDB NewSQL database and the RocketMQ message queue, which are world-class open-source software.

China has open source projects like these, but not enough of them. Many "home-grown" operating systems actually have a Linux-based kernel and are not entirely original research and development. There is no original critical infrastructure software comparable to that of the United States, such as Google's Android or the Linux system. Linux, for example, updated 8.9 million lines of code last year alone, drawing on resources from around the world, and that is the benefit of open source.

China does not currently have its own operating system. If we want to develop our own, how difficult would it be?

Liu Peng described it as "harder than the atomic bomb", because it involves testing in use by thousands of households.

Currently, the open source environment lacks an open-source software foundation, and there are few local, influential, original open-source software projects backed by industrial capital, so China does not yet have its own open-source license, which reflects the incomplete elements of the open source ecosystem.

How should developers choose when hosting code and selecting open source software?

Lin Cheng Xia said that if you want to minimize doubts about the cross-border effect of open source licenses, the following few "old" licenses are not recommended unless there is a specific reason to use them, because these early licenses embed a choice-of-law provision (Choice of law) or designate the court of a particular jurisdiction. Apart from these, most of the world's open source licenses specify neither applicable law nor a trial court.

Lin Cheng Xia reiterated briefly that this is not to say that software projects under the MPL-1.0, MPL-1.1, QPL-1.0, MS-RL and MS-PL licenses are US software exports; in fact they can be unrelated to that. It is only that these few old open source licenses embed an applicable-law requirement, or require interpretation on the basis of US law.

If you do not want a future open source project to be narrowed in its governing law or jurisdiction, it is recommended to make less use of software projects under these old licenses. In addition, MPL-2.0 removed the designated court and applicable law, so this latest version raises no such doubt.

Mozilla Public License Version 1.0 (MPL-1.0): specifies the California court

Mozilla Public License Version 1.1 (MPL-1.1): specifies the California court

The Q Public License Version 1.0 (QPL-1.0): specifies the Oslo court

Microsoft Reciprocal License (MS-RL): specifies that terms are defined in accordance with United States copyright law

Microsoft Public License (MS-PL): specifies that terms are defined in accordance with United States copyright law

In addition, beyond how we choose where to host code, the most important question is: how do we achieve "open source independence"?

Developer: become the guardian of good code

Why are we in the current embarrassing situation?

Liu Peng said that open source in China is only 20 years old; transferring knowledge takes time to learn and understand, and we are still at the toddling stage and not yet able to run.

The EAR incident is not necessarily a bad thing; it makes domestic developers start to think about a question: as developers, how do we achieve "open source independence"?

He suggested that developers should take an active part in open source communities, moving from contributor to sustained contributor, then to code reviewer, and then to code keeper.

Liu Peng conceded that there are not many particularly outstanding domestic projects, so there are few good code reviewers and code guardians, let alone leaders of open source communities.

Therefore, improving the quality of our code contributions and code reviews, and becoming guardians of good code, is what we developers need to do.

In addition, Liu Peng mentioned excellent domestic super-users such as Alibaba, Jingdong, Baidu, Tencent, Huawei and Lenovo, which have contributed a lot of good open source code and have also innovated in business models built on open source software.

For Chinese developers, this "earthquake" in the Chinese open source community is not just a bad thing; it strengthens our own awareness of technological innovation, and China's open source development may accelerate as a result.

As Hawking said, "The whole history of science is a process of gradual realization: major events do not occur randomly; they reflect an underlying order, and are not simply produced."

Origin blog.csdn.net/csdnnews/article/details/90444719