[OpenStack Foundation] OpenStack Foundation & Export / EAR

Mark Collier mark at openstack.org
Wed May 22 17:58:36 UTC 2019


The OpenStack Foundation has received inquiries regarding concerns with a member subject to an Entity List Ruling.[1] While statements in the Executive Order prompting the listing used language granting a broader scope of authority, the Huawei Entity List ruling was specifically scoped to activities and transactions subject to the Export Administration Regulation (EAR).

Open source encryption software source code was reclassified by the US Department of Commerce, Bureau of Industry and Security (BIS) effective September 20, 2016 as "publicly available" and no longer “subject to the EAR.”[2] Each open source project is still required to send a notice of the URL to BIS and NSA to satisfy the "publicly available" notice requirement in the EAR at 15 CFR § 742.15(b). 

The OpenStack Foundation (OSF) continues to work with our projects to ensure their notices are up to date and are maintained in the future.[3]

Open source software, collaboration on open source code, attending telephonic or in person meetings, participating in training and providing membership or sponsorship funds are all activities which are not subject to the EAR and therefore should have no impact on our communities. If there is a unique situation of concern, we encourage you to reach out directly to mark at openstack.org or jonathan at openstack.org. 

[1] https://www.bis.doc.gov/index.php/documents/regulations-docs/2394-huawei-and-affiliates-entity-list-rule/file

[2] 81 Fed. Reg. 64656, 64668 (September 20, 2016).  See also,
 https://www.bis.doc.gov/index.php/policy-guidance/encryption/223-new-encryption

[3] https://osf.dev/export 

P.S. Special thanks to Mark Radcliffe and Thomas deButts from DLA Piper, who've been working with OSF, LF and others to pull the necessary information together for benefit of many open source communities.




More information about the Foundation mailing list