Apache 基金会与 GitHub 均受美国出口法律约束,这对开发者有何影响?

2019 年 5 月 21 日

Apache 基金会与 GitHub 均受美国出口法律约束,这对开发者有何影响?

近日,不仅华为站在了风口浪尖,开源软件也被推到了台前。ASF和GitHub官网先后更新了两则消息,消息的主旨如出一辙,旗下的项目、产品将受到美国出口法律的约束。


ASF 受到美国出口法律约束


近日,ASF 官网出现了一则关于ASF产品出口控制状态的说明。文中指出,ASF 是位于美国的非盈利性慈善机构,所有产品通过公共论坛在线协作开发,并从美国的中央服务器发布,所以 Apache 项目的发行版需要遵循美国的出口法律和法规,并且随着产品和技术再出口到不同的地方依旧保持有效。


也就是说,出口、再出口、记录保存、ASF 产品捆绑和嵌入、加密报告和装运文件都需要遵循出口管制分类和相关限制信息。如果说得再明白一点就是,除非经美国政府正式授权,否则 ASF 软件、技术或数据不得直接或间接出口/再出口到受美国禁运或贸易制裁的地方。美国政府保留出口禁止名单,包括但不限于财政部的特别指定国民名单和 商务部的实体和被拒绝人名单


划重点,美国时间 2019 年 5 月 15 日,特朗普签署了一份行政命令,宣布因为国家经济紧急状态,禁止企业使用对国家安全造成风险的外国制造设备。随后美国商务部声明,把华为及 70 个附属公司增列入出口管制的实体清单。


GitHub 受到美国出口法律约束


不止 ASF,GitHub 官网也发消息称,“GitHub.com、GitHub Enterprise Server 以及您上传到任一产品的信息可能受美国出口管制法律的约束,包括美国出口管理条例(EAR)。”


GitHub 官网发布的内容主要有以下几个要点:


  • 根据GitHub的服务条款用户只能按照适用法律访问和使用GitHub.com,包括美国出口管制和制裁法律。根据美国和其他适用法律,特别指定国民名单和其它被拒绝、被封锁的人士禁止访问、使用GitHub.com用户不得代表此类各方使用GitHub.com,包括受制裁国家/地区的政府。

  • 根据美国财政部海外资产控制办公室(OFAC)发布的授权,Github可允许受美国制裁的管辖区内或通常居住在管辖区内的用户访问某些Github.com服务。在访问GitHub服务时,这些管辖区内的人员和居民不得使用IP代理、VPN或其他方法来伪装其位置,并且只能使用GitHub进行非商业的个人通信。

  • GitHub Enterprise Server 不得出售、出口或再出口到清单中的国家,目前清单中已经包含古巴、伊朗、朝鲜、苏丹与叙利亚。


对开发者有何影响


在听到 ASF 和 GitHub 均受到美国出口法律约束时,很多技术人担心国内的开源项目也将迎来“至暗时刻”。那么,这两则消息到底真正约束的是什么?对于中国开发者来说,有什么影响?是否有比较好的应对措施呢?


ASF 到底限制了什么?知乎网友李道兵分析称:“只是 ASF 提供的服务受到了美国法律的限制,例如会员服务、下载服务、网站服务等。”而 ASF 在官网发表的文章指出,公开可用软件只有 ECCN 为 5D002 或 5D992 时才会受到 EAR 约束。


至于 GitHub,首先中国还没有被加入到清单中,还有缓冲时间。其次,主要受影响的是 GitHub 企业版,但是大多数企业在采购之后,都是在企业内部部署使用。最后,目前只有 ERA 限制的加密技术不可出口,其它开源软件项目很难被限制。


面对这些限制,开发者应该如何破解难题呢?根据李道兵的分析,想要解决限制的问题也不难,“用户只是不能从 ASF 网站下载软件,但是可以从任何发行版、镜像站或者其它能够获取到软件的地方(包括从你的朋友手上拷贝一份)去下载。而且受到 License 的保障,用户仍可以继续使用、修改、分发软件。如果该软件更换了不自由的软件协议,那么用户还可以继续使用比较自由的老版本。”


那么这是不是意味着美国这一举措毫无“攻击力”呢?当然不是,这一举措还是有很多隐忧的,例如,美国 ERA 条款中是否会增加更多的技术,如果通讯、大数据等相关技术被限制的话,那么对于中国企业和开发者也会有很多影响。另外,还有人担心编程语言是否会受到限制,毕竟像 Java 等各大语言的核心都在美国。


附 ASF 产品分类矩阵:


Apache Accumulo Project
Product NameVersionsECCNControlled Source
Apache Accumulo Projectdevelopment5D002ASFBouncy Castle
1.6.0 and on5D002ASFBouncy Castle
1.5.x5D002ASF
Apache ActiveMQ Project
Product NameVersionsECCNControlled Source
Apache ActiveMQdevelopment5D002ASF
4.1 and later5D002ASF
Apache Cameldevelopment5D002ASF
1.0.0 and later5D002ASF
Apache Ant Project
Product NameVersionsECCNControlled Source
Apache Antdevelopment5D002ASF
1.1 and later5D002ASF
Apache Ivydevelopment5D002ASF
2.0.0-alpha-*-incubating5D002ASF
2.0.0-alpha-*-incubating-bin-with-deps5D002ASFJCraft, Inc.
2.0.0-beta1-* and later5D002ASF
2.0.0-beta1-bin-with-deps and later5D002ASFJCraft, Inc.
Apache Cassandra Project
Product NameVersionsECCNControlled Source
Apache Cassandradevelopment5D002ASFOracleThe OpenSSL Project
0.8 and later5D002ASFOracle
Apache Cayenne Project
Product NameVersionsECCNControlled Source
Apache Cayennedevelopment5D002ASFOracle
3.2.M2 and later5D002ASFOracle
Apache Commons Project
Product NameVersionsECCNControlled Source
Apache Commons Compressdevelopment5D002ASF
1.6 and later5D002ASF
Apache Commons Cryptodevelopment5D002ASFThe OpenSSL ProjectOracle
1.0.0 and later5D002ASFThe OpenSSL ProjectOracle
Apache Commons OpenPGPdevelopment5D002ASF
Apache CouchDB Project
Product NameVersionsECCNControlled Source
Apache CouchDBdevelopment5D002ASF
0.9.0 and later5D002ASFibrowse
Apache CXF Project
Product NameVersionsECCNControlled Source
Apache CXFdevelopment5D002ASFASFBouncy Castle
all 2.*5D002ASFASFBouncy Castle
all 2.*-incubating5D002ASFASFBouncy Castle
Apache DB Project
Product NameVersionsECCNControlled Source
Apache Derbydevelopment5D002ASF
derby-10.*5D002ASF
Apache DdlUtilsdevelopment5D002ASF
ddlutils-1.0 and higher5D002ASF
Apache ObjectRelationalBridge - OJBdevelopment5D002ASF
ojb-1.0.0 and higher5D002ASF
Apache Torquedevelopment5D002ASF
torque-3.1 and later5D002ASF
Apache Directory Project
Product NameVersionsECCNControlled Source
Apache Directory Serverdevelopment5D002ASF
1.0 and later5D002ASF
1.5 and later5D002ASFBouncy Castle
Apache Directory Studio1.2 and later5D002ASFBouncy Castle
Apache Drill
Product NameVersionsECCNControlled Source
Apache Drill1.2 and later5D002ASFOracleThe Eclipse FoundationThe Cyrus SASL projectMITThe OpenSSL Project
Apache Forrest Project
Product NameVersionsECCNControlled Source
Apache Forrestdevelopment5D002ASF
apache-forrest-0.6 and later5D002ASFJCraft, Inc.
Apache Geode Project
Product NameVersionsECCNControlled Source
Apache Geodedevelopment5D002ASFASFASFOracleThe OpenSSL Project
all releases5D002ASFASFASFOracleThe OpenSSL Project
Apache Geronimo Project
Product NameVersionsECCNControlled Source
Apache Geronimodevelopment5D002ASF
1.0 and later5D002ASF
Apache Hadoop Project
Product NameVersionsECCNControlled Source
Apache Hadoopdevelopment5D002ASF
17.0 and later5D002ASF
Apache Harmony Project
Product NameVersionsECCNControlled Source
Apache Harmonydevelopment5D002ASF
5.0M1 and later5D002ASFBouncy Castle
Apache HAWQ (incubating) Project
Product NameVersionsECCNControlled Source
Apache HAWQ (incubating) Projectdevelopment5D002ASF
Apache HttpComponents Project
Product NameVersionsECCNControlled Source
Apache HttpComponents Coredevelopment5D002ASF
4.0 and later5D002ASF
Apache HttpComponents Clientdevelopment5D002ASF
4.0 and later5D002ASF
1.x, 2.x, 3.x5D002ASF
Apache HTTP Server Project
Product NameVersionsECCNControlled Source
Apache HTTP Serverdevelopment5D002ASF
apache_1.3.xn/a
httpd-2.0.x5D002ASF
httpd-2.2.x5D002ASF
apache_2.2.x-win32--openssl-5D002ASFThe OpenSSL Project
httpd-2.4.x5D002ASF
Apache Flooddevelopment5D002ASF
flood-0.45D002ASF
Apache libapreqdevelopment5D002ASF
libapreq25D002ASF
libapreqn/a
Apache mod_ftpdevelopment5D002ASF
Apache mod_pythondevelopment5D002ASF
mod_python-*5D002ASF
Apache Incubator Project
Product NameVersionsECCNControlled Source
Apache Abderadevelopment5D002ASF
all 0.*-incubating5D002ASFASFBouncy CastleBouncy Castle
Apache Airavatadevelopment5D002ASFBouncy CastleThe Cryptix projectClaymore Systems PuretlsGlobus Project
Apache CloudStackdevelopment5D002JaSypt.orgOracleBouncy CastleASFOpenSwan.orgJCraft, Inc.ASF
Apache Impaladevelopment5D002ASF
2.7.0 and later5D002ASF
Apache NiFidevelopment5D002JaSypt.orgOracleBouncy CastleJCraft, Inc.ASF
0.0.1-incubating and later5D002JaSypt.orgOracleBouncy CastleJCraft, Inc.ASF
Apache PDFBoxdevelopment5D002ASFBouncy CastleBouncy Castle
Apache Pirkdevelopment5D002ASF
0.1.0-incubating and later5D002ASF
Apache Pulsardevelopment5D002ASFBouncy Castle
1.20-incubating and greater5D002ASFBouncy Castle
Apache Shindigdevelopment5D002ASF
Apache Sliderdevelopment5D002ASFOracleThe Eclipse Foundation
0.30-incubating5D002ASFOracle
0.40-incubating and later5D002ASFOracleThe Eclipse Foundation
Apache Tavernadevelopment5D002ASFASFASFASFASFASFASFASFASFASFASFASFASFASFBouncy CastleThe Eclipse FoundationOracleASFASFASFASFASFDropboxGoogleRuby Programming LanguageThe OpenSSL Project
all releases5D002ASFBouncy CastleThe Eclipse FoundationOracleASFASFASFASFASFDropboxGoogleRuby Programming LanguageThe OpenSSL Project
Apache Trafodiondevelopment5D002ASFThe OpenSSL ProjectOracle
all releases5D002ASFThe OpenSSL ProjectOracle
Apache Whirrdevelopment5D002ASF
all 0.*-incubating5D002ASFBouncy CastleJCraft, Inc.Not-Yet-Commons-SSL
Apache Jakarta JMeter Project
Product NameVersionsECCNControlled Source
Apache Jakarta JMeter1.0 and later5D002ASF
Apache JAMES Project
Product NameVersionsECCNControlled Source
Apache JAMES Serverdevelopment5D002ASFBouncy Castle
2.3.0 and later5D002ASFBouncy Castle
Apache JAMES jDKIM0.1 and later5D002ASFNot-Yet-Commons-SSL
Apache JAMES Mailet Crypto0.1 and later5D002ASFBouncy Castle
Apache JAMES Mime4J0.4 and later5D002ASF
Apache Jena
Product NameVersionsECCNControlled Source
Apache Jena (distribution)development5D002ASF
binary distribution5D002ASFASF
Apache Kafka Project
Product NameVersionsECCNControlled Source
Apache Kafkadevelopment5D002ASFOracle
0.10.2 and later5D002ASFOracle
0.9.0 and later5D002ASFOracle
Apache Kudu Project
Product NameVersionsECCNControlled Source
Apache Kududevelopment5D002ASF
1.1.0 and later5D002ASF
Apache Labs Project
Product NameVersionsECCNControlled Source
Apache BaDCAdevelopment5D002ASF
Apache Vysperdevelopment5D002ASFBouncy Castle
Apache Lucene Project
Product NameVersionsECCNControlled Source
Apache Nutchdevelopment5D002ASF
0.7 and later5D002ASFPDFBox
Apache Solrdevelopment5D002ASF
1.4 and later5D002ASFApache Tika
Apache Tikadevelopment5D002ASF
0.2-incubating and later5D002ASFBouncy CastleBouncy Castle
Apache MyFaces Project
Product NameVersionsECCNControlled Source
Apache MyFacesdevelopment5D002ASF
1.1.2 and later5D002ASF
Apache Mynewt (incubating) Project
Product NameVersionsECCNControlled Source
Apache Mynewtdevelopment5D002ARM mbedTinyCryptPolarSSL
Apache Oltu Project
Product NameVersionsECCNControlled Source
Apache Oltudevelopment5D002ASF
Apache Open For Business Project
Product NameVersionsECCNControlled Source
Apache Open For Businessdevelopment5D002ASF
4.0 release branch5D002ASF
Apache OpenEJB Project
Product NameVersionsECCNControlled Source
Apache OpenEJBdevelopment5D002ASF
1.0 and later5D002ASF
All 0.xn/a
Apache Perl Project
Product NameVersionsECCNControlled Source
mod_perlPerl--win32-bin-.exe5D002ASFThe OpenSSL Project
Apache POI Project
Product NameVersionsECCNControlled Source
Apache POIdevelopment5D002ASF
3.5 and later5D002ASF
Apache Polygene Project
Product NameVersionsECCNControlled Source
Apache Polygenedevelopment5D002ASFBouncy Castle
2.15D002ASFBouncy Castle
Apache Shiro Project
Product NameVersionsECCNControlled Source
Apache Shirodevelopment5D002ASF
1.1 and later5D002ASF
1.05D002ASF
All 0.xn/a
Apache ServiceMix Project
Product NameVersionsECCNControlled Source
Apache ServiceMix 3.xdevelopment5D002ASFASFBouncy Castle
All 3.x versions5D002ASFASFBouncy Castle
Apache ServiceMix 4.xdevelopment5D002ASF
4.0-m1n/a
Apache ServiceMix NMRdevelopment5D002ASF
1.0-m1, 1.0-m2n/a
Apache ServiceMix Kerneldevelopmentn/a
All 1.0 milestonesn/a
Apache Portable Runtime Project
Product NameVersionsECCNControlled Source
APRdevelopment5D002ASF
APR-Utildevelopment5D002ASF
0.9.x, 1.2.xn/a
1.4.x and later5D002ASF
Apache Santuario Project
Product NameVersionsECCNControlled Source
Apache XML Security for Javadevelopment5D002ASF
1.5.x5D002ASF
Apache XML Security for C++development5D002ASF
Apache SpamAssassin Project
Product NameVersionsECCNControlled Source
Apache SpamAssassindevelopment5D002ASFThe OpenSSL ProjectSteffen Ullrich
3.0.x and later5D002ASFThe OpenSSL ProjectSteffen Ullrich
Apache Spark Project
Product NameVersionsECCNControlled Source
Apache Spark2.2.0 through 2.3.x5D002ASFBouncy Castle
2.4.0 and later5D002ASF
Apache Tomcat Project
Product NameVersionsECCNControlled Source
Apache Tomcatdevelopment5D002ASF
3.x and later5D002ASF
Apache Tomcat native connectordevelopment5D002ASFThe OpenSSL Project
1.x and later5D002ASFThe OpenSSL Project
Apache UIMA Project
Product NameVersionsECCNControlled Source
Apache UIMA-ASdevelopment5D002ASF
all releases starting with 2.2.2-incubating5D002ASF
Apache UIMA Addonsdevelopment5D002ASF
2.3.0 and later5D002ASF
Apache UIMA Addon Tika Annotatordevelopment5D002ASF
2.3.0 and later5D002ASF
Apache UIMA-DUCCdevelopment5D002ASF
all releases starting with 1.05D002ASF
Apache VCL Project
Product NameVersionsECCNControlled Source
Apache VCLdevelopment5D002ASF
2.1 to 2.2.25D002ASF
2.3 and later5D002ASFphpseclib
Apache Web Services Project
Product NameVersionsECCNControlled Source
Apache WSS4Jdevelopment5D002ASFBouncy CastleASF
1.65D002ASFBouncy CastleASF
1.0 to 1.55D002ASFBouncy CastleBouncy CastleASF
Apache Rampart/Javadevelopment5D002ASFBouncy CastleBouncy CastleApache Santuario
1.1 and later5D002ASFBouncy CastleBouncy CastleApache Santuario
Apache Rampart/Cdevelopment5D002ASFThe OpenSSL Project
0.09 and later5D002ASFThe OpenSSL Project
Apache Synapse1.0, 1.1, 1.1.1, 1.2, 2.0.05D002ASFBouncy CastleBouncy CastleBouncy CastleBouncy CastleApache Santuario
Apache Synapse Project
Product NameVersionsECCNControlled Source
Apache Synapsedevelopment5D002ASFBouncy CastleBouncy CastleBouncy CastleBouncy CastleApache Santuario
1.1.1 and later5D002ASFBouncy CastleBouncy CastleApache Santuario
Apache Wicket Project
Product NameVersionsECCNControlled Source
Apache Wicket1.3, development5D002ASF
Apache MINA Project
Product NameVersionsECCNControlled Source
Apache MINAdevelopment5D002ASF
1.0, 1.1, 2.05D002ASF
Apache Vysperdevelopment5D002ASFBouncy Castle
Apache FtpServerdevelopment5D002ASF
1.05D002ASF
Apache SSHDdevelopment5D002ASFBouncy Castle
Apache Wookie Project
Product NameVersionsECCNControlled Source
Apache Wookiedevelopment5D002ASFApache Santuario
0.13 and later5D002ASFApache Santuario


2019 年 5 月 21 日 10:3711331
用户头像
田晓旭 InfoQ 编辑

发布了 414 篇内容, 共 192.3 次阅读, 收获喜欢 1224 次。

关注

评论

发布
暂无评论
发现更多内容

[Pulsar 社区周报] 2020-10-31 ~ 2020-11-06

Apache Pulsar

大数据 开源

曾陷“数据风暴”危机的赛默飞世尔如何化险为夷的?

华为云开发者社区

数据库 大数据 云服务 华为云 RDS

架构师Week4作业

lggl

作业

JVM真香系列:堆内存详解

田维常

Java JVM 堆栈 虚拟机

详解快速开发平台与工作流通用组件的设计规范

Marilyn

敏捷开发 企业应用

深入解析 Flink 的算子链机制

Apache Flink

flink 流计算

[译文]设计模式01 – 抽象工厂模式(附代码实例)

YoungZY

设计模式 译文

堪称完美!11月华为官方首发Spring响应式微服务,Spring+SpringBoot+SpringCloud三管齐下

Java架构追梦

Java 架构 微服务 springboot SpringCloud

【活动回顾】Flutter实时音视频应用场景实践

ZEGO即构

flutter RTC

架构师Week4总结

lggl

作业

携oneAPI Gold版本和服务器GPU 英特尔领先业界进入XPU时代

intel001

十年资深架构师分享:如果这么做还收不到一线互联网大厂面试,请来找我。

Java架构师迁哥

面经手册 · 第17篇《码农会锁,ReentrantLock之AQS原理分析和实践使用》

小傅哥

Java AQS CAS unsafe CLH

再拔头筹,FusionInsight为华为云大数据打造硬实力

华为云开发者社区

大数据 数据仓库 数据湖 FusionInsight 华为云

护航11.11,如何筑牢安全防御系统?

京东智联云开发者

云计算 云安全 DDoS

apipost如何设置断言

测试人生路

接口测试

聚焦高交会:感受“区块链+”科技创新浪潮

WX13823153201

Linux一切皆文件,如果你没做到这一步,那这就是句话而已

小Q

Java Linux 学习 架构 面试

秋风到,ModelArts“ AI市场算法Fast-SCNN指南”秋膘贴起来

华为云开发者社区

AI 算法 开发 OBS modelarts

三部门联合发言不得虚报直播销售额业绩:双十一何以刺激了用户的购买欲

石头IT视角

《分布式Java应用基础与实践》.pdf

田维常

分布式 电子书

堪称完美!11月华为首发Spring响应式微服务,三管齐下

小Q

Java spring 学习 架构 面试

基于Fabric的性能测试与调优实践

华为云开发者社区

区块链 算法 测试 fabric 华为云

薇娅和李佳琦带货百亿奇迹背后是这些技术团队的努力

阿里云视频云

双十一背后的技术

anyRTC开发者

大数据 AI 音视频 WebRTC RTC

当代程序员必备技能(算法)之:递归详解

Java架构师迁哥

快速了解阿里微服务热门开源分布式事务框架——Seata

比伯

Java 架构 微服务 seata

氪信团队再夺冠!易观数科第四届OLAP算法大赛前三甲诞生!

易观大数据

数据库 算法 OLAP

深入浅出node中间件原理

徐小夕

Java node.js 前端 中间件 数据可视化

2020双11:看阿里背后的黑科技!

阿里云情报局

人工智能 云计算 大数据 运维 黑科技

阿里P8整理出SQL笔记:收获不止SOL优化抓住SQL的本质

马士兵老师

MySQL 阿里 sql查询 SQL优化 SQL光标

Apache 基金会与 GitHub 均受美国出口法律约束,这对开发者有何影响?-InfoQ