近日，不仅华为站在了风口浪尖，开源软件也被推到了台前。ASF和GitHub官网先后更新了两则消息，消息的主旨如出一辙，旗下的项目、产品将受到美国出口法律的约束。

ASF受到美国出口法律约束

近日，ASF官网出现了一则关于ASF产品出口控制状态的说明。文中指出，ASF是位于美国的非盈利性慈善机构，所有产品通过公共论坛在线协作开发，并从美国的中央服务器发布，所以Apache项目的发行版需要遵循美国的出口法律和法规，并且随着产品和技术再出口到不同的地方依旧保持有效。

也就是说，出口、再出口、记录保存、ASF产品捆绑和嵌入、加密报告和装运文件都需要遵循出口管制分类和相关限制信息。如果说得再明白一点就是，除非经美国政府正式授权，否则ASF软件、技术或数据不得直接或间接出口/再出口到受美国禁运或贸易制裁的地方。美国政府保留出口禁止名单，包括但不限于财政部的特别指定国民名单和商务部的实体和被拒绝人名单。

划重点，美国时间2019年5月15日，特朗普签署了一份行政命令，宣布因为国家经济紧急状态，禁止企业使用对国家安全造成风险的外国制造设备。随后美国商务部声明，把华为及70个附属公司增列入出口管制的实体清单。

GitHub受到美国出口法律约束

不止ASF，GitHub官网也发消息称，“GitHub.com、GitHub Enterprise Server 以及您上传到任一产品的信息可能受美国出口管制法律的约束，包括美国出口管理条例（EAR）。”

GitHub官网发布的内容主要有以下几个要点：

根据GitHub的服务条款，用户只能按照适用法律访问和使用GitHub.com，包括美国出口管制和制裁法律。根据美国和其他适用法律，特别指定国民名单和其它被拒绝、被封锁的人士禁止访问、使用GitHub.com，用户不得代表此类各方使用GitHub.com，包括受制裁国家/地区的政府。
根据美国财政部海外资产控制办公室（OFAC）发布的授权，Github可允许受美国制裁的管辖区内或通常居住在管辖区内的用户访问某些Github.com服务。在访问GitHub服务时，这些管辖区内的人员和居民不得使用IP代理、VPN或其他方法来伪装其位置，并且只能使用GitHub进行非商业的个人通信。
GitHub Enterprise Server 不得出售、出口或再出口到清单中的国家，目前清单中已经包含古巴、伊朗、朝鲜、苏丹与叙利亚。

对开发者有何影响

在听到ASF和GitHub均受到美国出口法律约束时，很多技术人担心国内的开源项目也将迎来“至暗时刻”。那么，这两则消息到底真正约束的是什么？对于中国开发者来说，有什么影响？是否有比较好的应对措施呢？

ASF到底限制了什么？知乎网友李道兵分析称：“只是ASF提供的服务受到了美国法律的限制，例如会员服务、下载服务、网站服务等。”而ASF在官网发表的文章指出，公开可用软件只有ECCN为5D002或5D992时才会受到EAR约束。

至于GitHub，首先中国还没有被加入到清单中，还有缓冲时间。其次，主要受影响的是GitHub企业版，但是大多数企业在采购之后，都是在企业内部部署使用。最后，目前只有ERA限制的加密技术不可出口，其它开源软件项目很难被限制。

面对这些限制，开发者应该如何破解难题呢？根据李道兵的分析，想要解决限制的问题也不难，“用户只是不能从ASF网站下载软件，但是可以从任何发行版、镜像站或者其它能够获取到软件的地方（包括从你的朋友手上拷贝一份）去下载。而且受到License的保障，用户仍可以继续使用、修改、分发软件。如果该软件更换了不自由的软件协议，那么用户还可以继续使用比较自由的老版本。”

那么这是不是意味着美国这一举措毫无“攻击力”呢？当然不是，这一举措还是有很多隐忧的，例如，美国ERA条款中是否会增加更多的技术，如果通讯、大数据等相关技术被限制的话，那么对于中国企业和开发者也会有很多影响。另外，还有人担心编程语言是否会受到限制，毕竟像Java等各大语言的核心都在美国。

附ASF产品分类矩阵：

Apache Accumulo Project
Product Name	Versions	ECCN	Controlled Source
Apache Accumulo Project	development	5D002	ASF, Bouncy Castle
	1.6.0 and on	5D002	ASF, Bouncy Castle
	1.5.x	5D002	ASF
Apache ActiveMQ Project
Product Name	Versions	ECCN	Controlled Source
Apache ActiveMQ	development	5D002	ASF
	4.1 and later	5D002	ASF
Apache Camel	development	5D002	ASF
	1.0.0 and later	5D002	ASF
Apache Ant Project
Product Name	Versions	ECCN	Controlled Source
Apache Ant	development	5D002	ASF
	1.1 and later	5D002	ASF
Apache Ivy	development	5D002	ASF
	2.0.0-alpha-*-incubating	5D002	ASF
	2.0.0-alpha-*-incubating-bin-with-deps	5D002	ASF, JCraft, Inc.
	2.0.0-beta1-* and later	5D002	ASF
	2.0.0-beta1-bin-with-deps and later	5D002	ASF, JCraft, Inc.
Apache Cassandra Project
Product Name	Versions	ECCN	Controlled Source
Apache Cassandra	development	5D002	ASF, Oracle, The OpenSSL Project
	0.8 and later	5D002	ASF, Oracle
Apache Cayenne Project
Product Name	Versions	ECCN	Controlled Source
Apache Cayenne	development	5D002	ASF, Oracle
	3.2.M2 and later	5D002	ASF, Oracle
Apache Commons Project
Product Name	Versions	ECCN	Controlled Source
Apache Commons Compress	development	5D002	ASF
	1.6 and later	5D002	ASF
Apache Commons Crypto	development	5D002	ASF, The OpenSSL Project, Oracle
	1.0.0 and later	5D002	ASF, The OpenSSL Project, Oracle
Apache Commons OpenPGP	development	5D002	ASF
Apache CouchDB Project
Product Name	Versions	ECCN	Controlled Source
Apache CouchDB	development	5D002	ASF
	0.9.0 and later	5D002	ASF, ibrowse
Apache CXF Project
Product Name	Versions	ECCN	Controlled Source
Apache CXF	development	5D002	ASF, ASF, Bouncy Castle
	all 2.*	5D002	ASF, ASF, Bouncy Castle
	all 2.*-incubating	5D002	ASF, ASF, Bouncy Castle
Apache DB Project
Product Name	Versions	ECCN	Controlled Source
Apache Derby	development	5D002	ASF
	derby-10.*	5D002	ASF
Apache DdlUtils	development	5D002	ASF
	ddlutils-1.0 and higher	5D002	ASF
Apache ObjectRelationalBridge - OJB	development	5D002	ASF
	ojb-1.0.0 and higher	5D002	ASF
Apache Torque	development	5D002	ASF
	torque-3.1 and later	5D002	ASF
Apache Directory Project
Product Name	Versions	ECCN	Controlled Source
Apache Directory Server	development	5D002	ASF
	1.0 and later	5D002	ASF
	1.5 and later	5D002	ASF, Bouncy Castle
Apache Directory Studio	1.2 and later	5D002	ASF, Bouncy Castle
Apache Drill
Product Name	Versions	ECCN	Controlled Source
Apache Drill	1.2 and later	5D002	ASF, Oracle, The Eclipse Foundation, The Cyrus SASL project, MIT, The OpenSSL Project
Apache Forrest Project
Product Name	Versions	ECCN	Controlled Source
Apache Forrest	development	5D002	ASF
	apache-forrest-0.6 and later	5D002	ASF, JCraft, Inc.
Apache Geode Project
Product Name	Versions	ECCN	Controlled Source
Apache Geode	development	5D002	ASF, ASF, ASF, Oracle, The OpenSSL Project
	all releases	5D002	ASF, ASF, ASF, Oracle, The OpenSSL Project
Apache Geronimo Project
Product Name	Versions	ECCN	Controlled Source
Apache Geronimo	development	5D002	ASF
	1.0 and later	5D002	ASF
Apache Hadoop Project
Product Name	Versions	ECCN	Controlled Source
Apache Hadoop	development	5D002	ASF
	17.0 and later	5D002	ASF
Apache Harmony Project
Product Name	Versions	ECCN	Controlled Source
Apache Harmony	development	5D002	ASF
	5.0M1 and later	5D002	ASF, Bouncy Castle
Apache HAWQ (incubating) Project
Product Name	Versions	ECCN	Controlled Source
Apache HAWQ (incubating) Project	development	5D002	ASF
Apache HttpComponents Project
Product Name	Versions	ECCN	Controlled Source
Apache HttpComponents Core	development	5D002	ASF
	4.0 and later	5D002	ASF
Apache HttpComponents Client	development	5D002	ASF
	4.0 and later	5D002	ASF
	1.x, 2.x, 3.x	5D002	ASF
Apache HTTP Server Project
Product Name	Versions	ECCN	Controlled Source
Apache HTTP Server	development	5D002	ASF
	apache_1.3.x	n/a
	httpd-2.0.x	5D002	ASF
	httpd-2.2.x	5D002	ASF
	apache_2.2.x-win32--openssl-	5D002	ASF, The OpenSSL Project
	httpd-2.4.x	5D002	ASF
Apache Flood	development	5D002	ASF
	flood-0.4	5D002	ASF
Apache libapreq	development	5D002	ASF
	libapreq2	5D002	ASF
	libapreq	n/a
Apache mod_ftp	development	5D002	ASF
Apache mod_python	development	5D002	ASF
	mod_python-*	5D002	ASF
Apache Incubator Project
Product Name	Versions	ECCN	Controlled Source
Apache Abdera	development	5D002	ASF
	all 0.*-incubating	5D002	ASF, ASF, Bouncy Castle, Bouncy Castle
Apache Airavata	development	5D002	ASF, Bouncy Castle, The Cryptix project, Claymore Systems Puretls, Globus Project
Apache CloudStack	development	5D002	JaSypt.org, Oracle, Bouncy Castle, ASF, OpenSwan.org, JCraft, Inc., ASF
Apache Impala	development	5D002	ASF
	2.7.0 and later	5D002	ASF
Apache NiFi	development	5D002	JaSypt.org, Oracle, Bouncy Castle, JCraft, Inc., ASF
	0.0.1-incubating and later	5D002	JaSypt.org, Oracle, Bouncy Castle, JCraft, Inc., ASF
Apache PDFBox	development	5D002	ASF, Bouncy Castle, Bouncy Castle
Apache Pirk	development	5D002	ASF
	0.1.0-incubating and later	5D002	ASF
Apache Pulsar	development	5D002	ASF, Bouncy Castle
	1.20-incubating and greater	5D002	ASF, Bouncy Castle
Apache Shindig	development	5D002	ASF
Apache Slider	development	5D002	ASF, Oracle, The Eclipse Foundation
	0.30-incubating	5D002	ASF, Oracle
	0.40-incubating and later	5D002	ASF, Oracle, The Eclipse Foundation
Apache Taverna	development	5D002	ASF, ASF, ASF, ASF, ASF, ASF, ASF, ASF, ASF, ASF, ASF, ASF, ASF, ASF, Bouncy Castle, The Eclipse Foundation, Oracle, ASF, ASF, ASF, ASF, ASF, Dropbox, Google, Ruby Programming Language, The OpenSSL Project
	all releases	5D002	ASF, Bouncy Castle, The Eclipse Foundation, Oracle, ASF, ASF, ASF, ASF, ASF, Dropbox, Google, Ruby Programming Language, The OpenSSL Project
Apache Trafodion	development	5D002	ASF, The OpenSSL Project, Oracle
	all releases	5D002	ASF, The OpenSSL Project, Oracle
Apache Whirr	development	5D002	ASF
	all 0.*-incubating	5D002	ASF, Bouncy Castle, JCraft, Inc., Not-Yet-Commons-SSL
Apache Jakarta JMeter Project
Product Name	Versions	ECCN	Controlled Source
Apache Jakarta JMeter	1.0 and later	5D002	ASF
Apache JAMES Project
Product Name	Versions	ECCN	Controlled Source
Apache JAMES Server	development	5D002	ASF, Bouncy Castle
	2.3.0 and later	5D002	ASF, Bouncy Castle
Apache JAMES jDKIM	0.1 and later	5D002	ASF, Not-Yet-Commons-SSL
Apache JAMES Mailet Crypto	0.1 and later	5D002	ASF, Bouncy Castle
Apache JAMES Mime4J	0.4 and later	5D002	ASF
Apache Jena
Product Name	Versions	ECCN	Controlled Source
Apache Jena (distribution)	development	5D002	ASF
	binary distribution	5D002	ASF, ASF
Apache Kafka Project
Product Name	Versions	ECCN	Controlled Source
Apache Kafka	development	5D002	ASF, Oracle
	0.10.2 and later	5D002	ASF, Oracle
	0.9.0 and later	5D002	ASF, Oracle
Apache Kudu Project
Product Name	Versions	ECCN	Controlled Source
Apache Kudu	development	5D002	ASF
	1.1.0 and later	5D002	ASF
Apache Labs Project
Product Name	Versions	ECCN	Controlled Source
Apache BaDCA	development	5D002	ASF
Apache Vysper	development	5D002	ASF, Bouncy Castle
Apache Lucene Project
Product Name	Versions	ECCN	Controlled Source
Apache Nutch	development	5D002	ASF
	0.7 and later	5D002	ASF, PDFBox
Apache Solr	development	5D002	ASF
	1.4 and later	5D002	ASF, Apache Tika
Apache Tika	development	5D002	ASF
	0.2-incubating and later	5D002	ASF, Bouncy Castle, Bouncy Castle
Apache MyFaces Project
Product Name	Versions	ECCN	Controlled Source
Apache MyFaces	development	5D002	ASF
	1.1.2 and later	5D002	ASF
Apache Mynewt (incubating) Project
Product Name	Versions	ECCN	Controlled Source
Apache Mynewt	development	5D002	ARM mbed, TinyCrypt, PolarSSL
Apache Oltu Project
Product Name	Versions	ECCN	Controlled Source
Apache Oltu	development	5D002	ASF
Apache Open For Business Project
Product Name	Versions	ECCN	Controlled Source
Apache Open For Business	development	5D002	ASF
	4.0 release branch	5D002	ASF
Apache OpenEJB Project
Product Name	Versions	ECCN	Controlled Source
Apache OpenEJB	development	5D002	ASF
	1.0 and later	5D002	ASF
	All 0.x	n/a
Apache Perl Project
Product Name	Versions	ECCN	Controlled Source
mod_perl	Perl--win32-bin-.exe	5D002	ASF, The OpenSSL Project
Apache POI Project
Product Name	Versions	ECCN	Controlled Source
Apache POI	development	5D002	ASF
	3.5 and later	5D002	ASF
Apache Polygene Project
Product Name	Versions	ECCN	Controlled Source
Apache Polygene	development	5D002	ASF, Bouncy Castle
	2.1	5D002	ASF, Bouncy Castle
Apache Shiro Project
Product Name	Versions	ECCN	Controlled Source
Apache Shiro	development	5D002	ASF
	1.1 and later	5D002	ASF
	1.0	5D002	ASF
	All 0.x	n/a
Apache ServiceMix Project
Product Name	Versions	ECCN	Controlled Source
Apache ServiceMix 3.x	development	5D002	ASF, ASF, Bouncy Castle
	All 3.x versions	5D002	ASF, ASF, Bouncy Castle
Apache ServiceMix 4.x	development	5D002	ASF
	4.0-m1	n/a
Apache ServiceMix NMR	development	5D002	ASF
	1.0-m1, 1.0-m2	n/a
Apache ServiceMix Kernel	development	n/a
	All 1.0 milestones	n/a
Apache Portable Runtime Project
Product Name	Versions	ECCN	Controlled Source
APR	development	5D002	ASF
APR-Util	development	5D002	ASF
	0.9.x, 1.2.x	n/a
	1.4.x and later	5D002	ASF
Apache Santuario Project
Product Name	Versions	ECCN	Controlled Source
Apache XML Security for Java	development	5D002	ASF
	1.5.x	5D002	ASF
Apache XML Security for C++	development	5D002	ASF
Apache SpamAssassin Project
Product Name	Versions	ECCN	Controlled Source
Apache SpamAssassin	development	5D002	ASF, The OpenSSL Project, Steffen Ullrich
	3.0.x and later	5D002	ASF, The OpenSSL Project, Steffen Ullrich
Apache Spark Project
Product Name	Versions	ECCN	Controlled Source
Apache Spark	2.2.0 through 2.3.x	5D002	ASF, Bouncy Castle
	2.4.0 and later	5D002	ASF
Apache Tomcat Project
Product Name	Versions	ECCN	Controlled Source
Apache Tomcat	development	5D002	ASF
	3.x and later	5D002	ASF
Apache Tomcat native connector	development	5D002	ASF, The OpenSSL Project
	1.x and later	5D002	ASF, The OpenSSL Project
Apache UIMA Project
Product Name	Versions	ECCN	Controlled Source
Apache UIMA-AS	development	5D002	ASF
	all releases starting with 2.2.2-incubating	5D002	ASF
Apache UIMA Addons	development	5D002	ASF
	2.3.0 and later	5D002	ASF
Apache UIMA Addon Tika Annotator	development	5D002	ASF
	2.3.0 and later	5D002	ASF
Apache UIMA-DUCC	development	5D002	ASF
	all releases starting with 1.0	5D002	ASF
Apache VCL Project
Product Name	Versions	ECCN	Controlled Source
Apache VCL	development	5D002	ASF
	2.1 to 2.2.2	5D002	ASF
	2.3 and later	5D002	ASF, phpseclib
Apache Web Services Project
Product Name	Versions	ECCN	Controlled Source
Apache WSS4J	development	5D002	ASF, Bouncy Castle, ASF
	1.6	5D002	ASF, Bouncy Castle, ASF
	1.0 to 1.5	5D002	ASF, Bouncy Castle, Bouncy Castle, ASF
Apache Rampart/Java	development	5D002	ASF, Bouncy Castle, Bouncy Castle, Apache Santuario
	1.1 and later	5D002	ASF, Bouncy Castle, Bouncy Castle, Apache Santuario
Apache Rampart/C	development	5D002	ASF, The OpenSSL Project
	0.09 and later	5D002	ASF, The OpenSSL Project
Apache Synapse	1.0, 1.1, 1.1.1, 1.2, 2.0.0	5D002	ASF, Bouncy Castle, Bouncy Castle, Bouncy Castle, Bouncy Castle, Apache Santuario
Apache Synapse Project
Product Name	Versions	ECCN	Controlled Source
Apache Synapse	development	5D002	ASF, Bouncy Castle, Bouncy Castle, Bouncy Castle, Bouncy Castle, Apache Santuario
	1.1.1 and later	5D002	ASF, Bouncy Castle, Bouncy Castle, Apache Santuario
Apache Wicket Project
Product Name	Versions	ECCN	Controlled Source
Apache Wicket	1.3, development	5D002	ASF
Apache MINA Project
Product Name	Versions	ECCN	Controlled Source
Apache MINA	development	5D002	ASF
	1.0, 1.1, 2.0	5D002	ASF
Apache Vysper	development	5D002	ASF, Bouncy Castle
Apache FtpServer	development	5D002	ASF
	1.0	5D002	ASF
Apache SSHD	development	5D002	ASF, Bouncy Castle
Apache Wookie Project
Product Name	Versions	ECCN	Controlled Source
Apache Wookie	development	5D002	ASF, Apache Santuario
	0.13 and later	5D002	ASF, Apache Santuario

创作场景

Apache 基金会与 GitHub 均受美国出口法律约束，这对开发者有何影响？