8 Aug
2024
8 Aug
'24
1:47 a.m.
On Wed, Aug 07, 2024 at 10:56:14PM +0200, Steffen Nurpmeso wrote:
Btw how ridiculous is the view onto those Chinese
Linux
Distributions which put effort in making Linux POSIX compatible,
and even pay money for making that official?
Well, that's their choice. No US companies that I know of care about
POSIX compliance, so I don't know if any US-based distributions that
are paying money (or more importantly) engineer time, to make it
official. If Chinese distributions are investing resources in that
way, well.... that's there stupidity or maybe, a very good business
choice. :-)
I personally was *tremendously*, well, pissed, once
one of those
distributions was (just recently, ie, years later) not allowed to
join the encrypted part of oss-security.
Too much politics in a non-free world.
In the real wrld things get complicated. In 2019 the US put export
restrictions for Huawei, which was interpreted at the time that public
discussions on open mailing lists relating to Linux was totally fine.
But there was some legal interpreations that direct
engineer-to-engineer e-mail might be considered lending assistance
that could potentially run afoul some of the export restrictions. I'm
not a lawyer, but an encrypted distribution to certain chinese
entities might be... complex from a legal perspective. Talk to your
corporate legal counsel for specific legal advice.
Things are even worse with Russian companies, since the OFAC (Office
of Foreign Assets Controls, at https://ofac.trasury.gov) sanctions are
even more strict. Even if the exchange happens on an open source
mailing list, if the patches come from a sanctioned entity, or an
entity controlled by a sanctioned entity, and the patches say, contain
device drivers used by a Russian SOC that is known to be used in
Russin missiles used against Ukraine (completely hypothetically, of
course...) --- if a US based engineer accepts those patches, that's
considered rendering assistance to a sanctioned entity, and you and
your company have to file paperwork acknowledging that it was done
unknowingly, and the patches need to be reverted. Again, talk to your
friendly neighborhood legal counsel before you do anything with an
entity that may be from Russia, because the OFAC database of
sanctioned entities is constantly changing, and its search functions
are terribly primitive.
The joys of being an open source maintainer in the 21st century....
Not only do you have to worry about trojan horse constributions from
agents of the Chinese Ministry of State Security (ala xz), you also
have to worry about the US government and OFAC-administered sanctions.
- Ted