Apache 基金会与 GitHub 均受美国出口法律约束,这对开发者有何影响?
2015 年 3 月 5 日
ASF 受到美国
出口
法律约束
近日,ASF 官网出现了一则关于 ASF 产品出口控制状态
的说明。文中指出,ASF 是位于美国的非盈利性慈善机构,所有产品通过公共论坛在线协作开发,并从美国的中央服务器发布,所以 Apache 项目的发行版需要遵循美国的出口法律和法规,并且随着产品和技术再出口到不同的地方依旧保持有效。
也就是说,出口、再出口、记录保存、ASF 产品捆绑和嵌入、加密报告和装运文件都需要遵循出口管制分类和相关限制信息。如果说得再明白一点就是,除非经美国政府正式授权,否则 ASF 软件、技术或数据不得直接或间接出口 / 再出口到受美国禁运或贸易制裁的地方。美国政府保留 出口禁止名单
,包括但不限于 财政部的特别指定国民名单
和 商务部的实体和被拒绝人名单
。
划重点,美国时间 2019 年 5 月 15 日,特朗普签署了一份行政命令,宣布因为国家经济紧急状态,禁止企业使用对国家安全造成风险的外国制造设备。随后美国商务部声明,把华为及 70 个附属公司增列入出口管制的实体清单。
GitHub 受到美国
出口
法律约束
不止 ASF,GitHub 官网也发消息称,“ GitHub.com
、GitHub Enterprise Server 以及您上传到任一产品的信息可能受美国出口管制法律的约束,包括美国出口管理条例(EAR)。”
GitHub 官网发布的内容主要有以下几个要点:
-
根据 GitHub 的服务条款
, 用户只能按照适用法律访问和使用 GitHub.com
,包括美国出口管制和制裁法律。根据美国和其他适用法律,特别指定国民名单和其它被拒绝、被封锁的人士禁止访问、 使用 GitHub.com
, 用户不得代表此类各方使用 GitHub.com
,包括受制裁国家 / 地区的政府。 - 根据美国财政部海外资产控制办公室(OFAC)发布的授权,Github 可允许受美国制裁的管辖区内或通常居住在管辖区内的用户访问某些 Github.com 服务。在访问 GitHub 服务时,这些管辖区内的人员和居民不得使用 IP 代理、VPN 或其他方法来伪装其位置,并且只能使用 GitHub 进行非商业的个人通信。
- GitHub Enterprise Server 不得出售、出口或再出口到清单中的国家,目前清单中已经包含古巴、伊朗、朝鲜、苏丹与叙利亚。
对开发者有何影响
在听到 ASF 和 GitHub 均受到美国出口法律约束时,很多技术人担心国内的开源项目也将迎来“至暗时刻”。那么,这两则消息到底真正约束的是什么?对于中国开发者来说,有什么影响?是否有比较好的应对措施呢?
ASF 到底限制了什么?知乎网友李道兵分析称:“只是 ASF 提供的服务受到了美国法律的限制,例如会员服务、下载服务、网站服务等。”而 ASF 在官网发表的文章指出,公开可用软件只有 ECCN 为 5D002 或 5D992 时才会受到 EAR 约束。
至于 GitHub,首先中国还没有被加入到清单中,还有缓冲时间。其次,主要受影响的是 GitHub 企业版,但是大多数企业在采购之后,都是在企业内部部署使用。最后,目前只有 ERA 限制的加密技术不可出口,其它开源软件项目很难被限制。
面对这些限制,开发者应该如何破解难题呢?根据李道兵的分析,想要解决限制的问题也不难,“用户只是不能从 ASF 网站下载软件,但是可以从任何发行版、镜像站或者其它能够获取到软件的地方(包括从你的朋友手上拷贝一份)去下载。而且受到 License 的保障,用户仍可以继续使用、修改、分发软件。如果该软件更换了不自由的软件协议,那么用户还可以继续使用比较自由的老版本。”
那么这是不是意味着美国这一举措毫无“攻击力”呢?当然不是,这一举措还是有很多隐忧的,例如,美国 ERA 条款中是否会增加更多的技术,如果通讯、大数据等相关技术被限制的话,那么对于中国企业和开发者也会有很多影响。另外,还有人担心编程语言是否会受到限制,毕竟像 Java 等各大语言的核心都在美国。
附 ASF 产品分类矩阵:
| Apache Accumulo Project | |||
|---|---|---|---|
| Product Name | Versions | ECCN | Controlled Source |
| Apache Accumulo Project | development | 5D002 |
ASF , Bouncy Castle |
| 1.6.0 and on | 5D002 |
ASF , Bouncy Castle |
|
| 1.5.x | 5D002 | ASF | |
| Apache ActiveMQ Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache ActiveMQ | development | 5D002 | ASF |
| 4.1 and later | 5D002 | ASF | |
| Apache Camel | development | 5D002 | ASF |
| 1.0.0 and later | 5D002 | ASF | |
| Apache Ant Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Ant | development | 5D002 | ASF |
| 1.1 and later | 5D002 | ASF | |
| Apache Ivy | development | 5D002 | ASF |
| 2.0.0-alpha-*-incubating | 5D002 | ASF | |
| 2.0.0-alpha-*-incubating-bin-with-deps | 5D002 |
ASF , JCraft, Inc. |
|
| 2.0.0-beta1-* and later | 5D002 | ASF | |
| 2.0.0-beta1-bin-with-deps and later | 5D002 |
ASF , JCraft, Inc. |
|
| Apache Cassandra Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Cassandra | development | 5D002 |
ASF , Oracle , The OpenSSL Project |
| 0.8 and later | 5D002 |
ASF , Oracle |
|
| Apache Cayenne Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Cayenne | development | 5D002 |
ASF , Oracle |
| 3.2.M2 and later | 5D002 |
ASF , Oracle |
|
| Apache Commons Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Commons Compress | development | 5D002 | ASF |
| 1.6 and later | 5D002 | ASF | |
| Apache Commons Crypto | development | 5D002 |
ASF , The OpenSSL Project , Oracle |
| 1.0.0 and later | 5D002 |
ASF , The OpenSSL Project , Oracle |
|
| Apache Commons OpenPGP | development | 5D002 | ASF |
| Apache CouchDB Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache CouchDB | development | 5D002 | ASF |
| 0.9.0 and later | 5D002 |
ASF , ibrowse |
|
| Apache CXF Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache CXF | development | 5D002 |
ASF , ASF , Bouncy Castle |
| all 2.* | 5D002 |
ASF , ASF , Bouncy Castle |
|
| all 2.*-incubating | 5D002 |
ASF , ASF , Bouncy Castle |
|
| Apache DB Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Derby | development | 5D002 | ASF |
| derby-10.* | 5D002 | ASF | |
| Apache DdlUtils | development | 5D002 | ASF |
| ddlutils-1.0 and higher | 5D002 | ASF | |
| Apache ObjectRelationalBridge – OJB | development | 5D002 | ASF |
| ojb-1.0.0 and higher | 5D002 | ASF | |
| Apache Torque | development | 5D002 | ASF |
| torque-3.1 and later | 5D002 | ASF | |
| Apache Directory Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Directory Server | development | 5D002 | ASF |
| 1.0 and later | 5D002 | ASF | |
| 1.5 and later | 5D002 |
ASF , Bouncy Castle |
|
| Apache Directory Studio | 1.2 and later | 5D002 |
ASF , Bouncy Castle |
| Apache Drill | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Drill | 1.2 and later | 5D002 |
ASF , Oracle , The Eclipse Foundation , The Cyrus SASL project , MIT , The OpenSSL Project |
| Apache Forrest Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Forrest | development | 5D002 | ASF |
| apache-forrest-0.6 and later | 5D002 |
ASF , JCraft, Inc. |
|
| Apache Geode Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Geode | development | 5D002 |
ASF , ASF , ASF , Oracle , The OpenSSL Project |
| all releases | 5D002 |
ASF , ASF , ASF , Oracle , The OpenSSL Project |
|
| Apache Geronimo Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Geronimo | development | 5D002 | ASF |
| 1.0 and later | 5D002 | ASF | |
| Apache Hadoop Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Hadoop | development | 5D002 | ASF |
| 17.0 and later | 5D002 | ASF | |
| Apache Harmony Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Harmony | development | 5D002 | ASF |
| 5.0M1 and later | 5D002 |
ASF , Bouncy Castle |
|
| Apache HAWQ (incubating) Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache HAWQ (incubating) Project | development | 5D002 | ASF |
| Apache HttpComponents Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache HttpComponents Core | development | 5D002 | ASF |
| 4.0 and later | 5D002 | ASF | |
| Apache HttpComponents Client | development | 5D002 | ASF |
| 4.0 and later | 5D002 | ASF | |
| 1.x, 2.x, 3.x | 5D002 | ASF | |
| Apache HTTP Server Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache HTTP Server | development | 5D002 | ASF |
| apache_1.3.x | n/a | ||
| httpd-2.0.x | 5D002 | ASF | |
| httpd-2.2.x | 5D002 | ASF | |
| apache_2.2.x-win32- -openssl- | 5D002 |
ASF , The OpenSSL Project |
|
| httpd-2.4.x | 5D002 | ASF | |
| Apache Flood | development | 5D002 | ASF |
| flood-0.4 | 5D002 | ASF | |
| Apache libapreq | development | 5D002 | ASF |
| libapreq2 | 5D002 | ASF | |
| libapreq | n/a | ||
| Apache mod_ftp | development | 5D002 | ASF |
| Apache mod_python | development | 5D002 | ASF |
| mod_python-* | 5D002 | ASF | |
| Apache Incubator Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Abdera | development | 5D002 | ASF |
| all 0.*-incubating | 5D002 |
ASF , ASF , Bouncy Castle , Bouncy Castle |
|
| Apache Airavata | development | 5D002 |
ASF , Bouncy Castle , The Cryptix project , Claymore Systems Puretls , Globus Project |
| Apache CloudStack | development | 5D002 |
JaSypt.org , Oracle , Bouncy Castle , ASF , OpenSwan.org , JCraft, Inc. , ASF |
| Apache Impala | development | 5D002 | ASF |
| 2.7.0 and later | 5D002 | ASF | |
| Apache NiFi | development | 5D002 |
JaSypt.org , Oracle , Bouncy Castle , JCraft, Inc. , ASF |
| 0.0.1-incubating and later | 5D002 |
JaSypt.org , Oracle , Bouncy Castle , JCraft, Inc. , ASF |
|
| Apache PDFBox | development | 5D002 |
ASF , Bouncy Castle , Bouncy Castle |
| Apache Pirk | development | 5D002 | ASF |
| 0.1.0-incubating and later | 5D002 | ASF | |
| Apache Pulsar | development | 5D002 |
ASF , Bouncy Castle |
| 1.20-incubating and greater | 5D002 |
ASF , Bouncy Castle |
|
| Apache Shindig | development | 5D002 | ASF |
| Apache Slider | development | 5D002 |
ASF , Oracle , The Eclipse Foundation |
| 0.30-incubating | 5D002 |
ASF , Oracle |
|
| 0.40-incubating and later | 5D002 |
ASF , Oracle , The Eclipse Foundation |
|
| Apache Taverna | development | 5D002 |
ASF , ASF , ASF , ASF , ASF , ASF , ASF , ASF , ASF , ASF , ASF , ASF , ASF , ASF , Bouncy Castle , The Eclipse Foundation , Oracle , ASF , ASF , ASF , ASF , ASF , Dropbox , Ruby Programming Language , The OpenSSL Project |
| all releases | 5D002 |
ASF , Bouncy Castle , The Eclipse Foundation , Oracle , ASF , ASF , ASF , ASF , ASF , Dropbox , Ruby Programming Language , The OpenSSL Project |
|
| Apache Trafodion | development | 5D002 |
ASF , The OpenSSL Project , Oracle |
| all releases | 5D002 |
ASF , The OpenSSL Project , Oracle |
|
| Apache Whirr | development | 5D002 | ASF |
| all 0.*-incubating | 5D002 |
ASF , Bouncy Castle , JCraft, Inc. , Not-Yet-Commons-SSL |
|
| Apache Jakarta JMeter Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Jakarta JMeter | 1.0 and later | 5D002 | ASF |
| Apache JAMES Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache JAMES Server | development | 5D002 |
ASF , Bouncy Castle |
| 2.3.0 and later | 5D002 |
ASF , Bouncy Castle |
|
| Apache JAMES jDKIM | 0.1 and later | 5D002 |
ASF , Not-Yet-Commons-SSL |
| Apache JAMES Mailet Crypto | 0.1 and later | 5D002 |
ASF , Bouncy Castle |
| Apache JAMES Mime4J | 0.4 and later | 5D002 | ASF |
| Apache Jena | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Jena (distribution) | development | 5D002 | ASF |
| binary distribution | 5D002 |
ASF , ASF |
|
| Apache Kafka Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Kafka | development | 5D002 |
ASF , Oracle |
| 0.10.2 and later | 5D002 |
ASF , Oracle |
|
| 0.9.0 and later | 5D002 |
ASF , Oracle |
|
| Apache Kudu Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Kudu | development | 5D002 | ASF |
| 1.1.0 and later | 5D002 | ASF | |
| Apache Labs Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache BaDCA | development | 5D002 | ASF |
| Apache Vysper | development | 5D002 |
ASF , Bouncy Castle |
| Apache Lucene Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Nutch | development | 5D002 | ASF |
| 0.7 and later | 5D002 |
ASF , PDFBox |
|
| Apache Solr | development | 5D002 | ASF |
| 1.4 and later | 5D002 |
ASF , Apache Tika |
|
| Apache Tika | development | 5D002 | ASF |
| 0.2-incubating and later | 5D002 |
ASF , Bouncy Castle , Bouncy Castle |
|
| Apache MyFaces Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache MyFaces | development | 5D002 | ASF |
| 1.1.2 and later | 5D002 | ASF | |
| Apache Mynewt (incubating) Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Mynewt | development | 5D002 |
ARM mbed , TinyCrypt , PolarSSL |
| Apache Oltu Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Oltu | development | 5D002 | ASF |
| Apache Open For Business Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Open For Business | development | 5D002 | ASF |
| 4.0 release branch | 5D002 | ASF | |
| Apache OpenEJB Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache OpenEJB | development | 5D002 | ASF |
| 1.0 and later | 5D002 | ASF | |
| All 0.x | n/a | ||
| Apache Perl Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| mod_perl |
Perl- -win32-bin- .exe |
5D002 |
ASF , The OpenSSL Project |
| Apache POI Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache POI | development | 5D002 | ASF |
| 3.5 and later | 5D002 | ASF | |
| Apache Polygene Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Polygene | development | 5D002 |
ASF , Bouncy Castle |
| 2.1 | 5D002 |
ASF , Bouncy Castle |
|
| Apache Shiro Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Shiro | development | 5D002 | ASF |
| 1.1 and later | 5D002 | ASF | |
| 1.0 | 5D002 | ASF | |
| All 0.x | n/a | ||
| Apache ServiceMix Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache ServiceMix 3.x | development | 5D002 |
ASF , ASF , Bouncy Castle |
| All 3.x versions | 5D002 |
ASF , ASF , Bouncy Castle |
|
| Apache ServiceMix 4.x | development | 5D002 | ASF |
| 4.0-m1 | n/a | ||
| Apache ServiceMix NMR | development | 5D002 | ASF |
| 1.0-m1, 1.0-m2 | n/a | ||
| Apache ServiceMix Kernel | development | n/a | |
| All 1.0 milestones | n/a | ||
| Apache Portable Runtime Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| APR | development | 5D002 | ASF |
| APR-Util | development | 5D002 | ASF |
| 0.9.x, 1.2.x | n/a | ||
| 1.4.x and later | 5D002 | ASF | |
| Apache Santuario Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache XML Security for Java | development | 5D002 | ASF |
| 1.5.x | 5D002 | ASF | |
| Apache XML Security for C++ | development | 5D002 | ASF |
| Apache SpamAssassin Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache SpamAssassin | development | 5D002 |
ASF , The OpenSSL Project , Steffen Ullrich |
| 3.0.x and later | 5D002 |
ASF , The OpenSSL Project , Steffen Ullrich |
|
| Apache Spark Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Spark | 2.2.0 through 2.3.x | 5D002 |
ASF , Bouncy Castle |
| 2.4.0 and later | 5D002 | ASF | |
| Apache Tomcat Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Tomcat | development | 5D002 | ASF |
| 3.x and later | 5D002 | ASF | |
| Apache Tomcat native connector | development | 5D002 |
ASF , The OpenSSL Project |
| 1.x and later | 5D002 |
ASF , The OpenSSL Project |
|
| Apache UIMA Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache UIMA-AS | development | 5D002 | ASF |
| all releases starting with 2.2.2-incubating | 5D002 | ASF | |
| Apache UIMA Addons | development | 5D002 | ASF |
| 2.3.0 and later | 5D002 | ASF | |
| Apache UIMA Addon Tika Annotator | development | 5D002 | ASF |
| 2.3.0 and later | 5D002 | ASF | |
| Apache UIMA-DUCC | development | 5D002 | ASF |
| all releases starting with 1.0 | 5D002 | ASF | |
| Apache VCL Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache VCL | development | 5D002 | ASF |
| 2.1 to 2.2.2 | 5D002 | ASF | |
| 2.3 and later | 5D002 |
ASF , phpseclib |
|
| Apache Web Services Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache WSS4J | development | 5D002 |
ASF , Bouncy Castle , ASF |
| 1.6 | 5D002 |
ASF , Bouncy Castle , ASF |
|
| 1.0 to 1.5 | 5D002 |
ASF , Bouncy Castle , Bouncy Castle , ASF |
|
| Apache Rampart/Java | development | 5D002 |
ASF , Bouncy Castle , Bouncy Castle , Apache Santuario |
| 1.1 and later | 5D002 |
ASF , Bouncy Castle , Bouncy Castle , Apache Santuario |
|
| Apache Rampart/C | development | 5D002 |
ASF , The OpenSSL Project |
| 0.09 and later | 5D002 |
ASF , The OpenSSL Project |
|
| Apache Synapse | 1.0, 1.1, 1.1.1, 1.2, 2.0.0 | 5D002 |
ASF , Bouncy Castle , Bouncy Castle , Bouncy Castle , Bouncy Castle , Apache Santuario |
| Apache Synapse Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Synapse | development | 5D002 |
ASF , Bouncy Castle , Bouncy Castle , Bouncy Castle , Bouncy Castle , Apache Santuario |
| 1.1.1 and later | 5D002 |
ASF , Bouncy Castle , Bouncy Castle , Apache Santuario |
|
| Apache Wicket Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Wicket | 1.3, development | 5D002 | ASF |
| Apache MINA Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache MINA | development | 5D002 | ASF |
| 1.0, 1.1, 2.0 | 5D002 | ASF | |
| Apache Vysper | development | 5D002 |
ASF , Bouncy Castle |
| Apache FtpServer | development | 5D002 | ASF |
| 1.0 | 5D002 | ASF | |
| Apache SSHD | development | 5D002 |
ASF , Bouncy Castle |
| Apache Wookie Project | |||
| Product Name | Versions | ECCN | Controlled Source |
| Apache Wookie | development | 5D002 |
ASF , Apache Santuario |
| 0.13 and later | 5D002 |
ASF , Apache Santuario |
About The Author
bjmayor
程序员,码农,php,python,ios,android,go,产品经理,创业。