
USA: cryptography - the witch hunt has begun?


As the whole respected Habr community already knows, for some time now the administration of the current US President, Barack Obama, has been tightening the screws on interactions with countries the US government dislikes: Cuba, Iran, Syria, Libya, Sudan and North Korea (Iraq is sometimes included on this list). The task fell to the unforgettable US Department of Commerce, Bureau of Industry and Security, an organization which, as is known from its past deeds, is quite bureaucratic and carries out all orders quite literally.

Events developed rapidly: in mid-January 2010 this led to the largest hosts of open source projects, SourceForge and Google Code, receiving “letters of happiness” with persistent recommendations to cut off access to open source projects, since they may contain (I quote) “certain technology” that is prohibited for export from the United States. By “certain technology” cryptography is meant, and this time all of it.

SourceForge and Google Code complied, apologizing to their users but spreading their hands: after all, they are ordinary American companies; we are very sorry, they say, but we too live in the real world and are obliged to obey the laws.
Yesterday, February 7, 2010, after a couple of weeks of battles, SourceForge's lawyers worked out a compromise solution, which is certainly better than what there was before, but...

It was decided to shift the “responsibility” and “blame” from SourceForge onto the project administrators.

Now I will try to explain and show what is good and what is bad about this. If you are a SourceForge project administrator, then starting from Sunday you have a choice between two options. Clicking through Develop → Project Admin → Project Settings, you can contemplate them:

Export Controls

By default, the option “Yes, my project USES cryptographic algorithms, therefore subject to export restrictions” is enabled. (Of course, this is now spelled out in the terms of service, which, as they themselves say, may be changed at the discretion of the SourceForge administration however they like and at any time.)

So, if you have a project on SourceForge and it makes any use of cryptography whatsoever, in any form, even a trivial check for the presence of crypto libraries on the system, then you and your project fall under this wonderful item.

What are the possible courses of action?

If the project does not use any cryptography


Then, of course, it does not fall under the restrictions. You can and should go and boldly select the first option, “my project DOES NOT USE cryptographic algorithms”, and sleep well, knowing that you have not violated any laws and are not infringing the rights of poor Cubans and Koreans: the wolves are fed and the sheep are intact.

If the project falls under “use of cryptography”


Then there are, in fact, three options, all of them really bad:

Lie to SourceForge: “does not use cryptography”


Pros: a clear conscience before the open source community; we discriminate against no one on a national or geographical basis; ticking the box is easy.
Cons: if this deception is ever revealed, the consequences may be... diverse. Everyone, I think, remembers well the case of Dmitry Sklyarov, a Russian programmer who went to a conference in the United States and was arrested immediately after the end of the event. Even if you are not planning to travel to the USA right now, this is a reason to think.

Leave the second option, “uses cryptography”


Pros: honest towards SourceForge and the US government; no problems with the law.
Cons: this decision goes against hacker ethics, since it infringes the rights of a mass of people who were “lucky enough” to be born in countries subject to the US embargo. In addition, if you read carefully what is written in small print next to this option, you will be required to register the software with the aforementioned US department (get ready, this is where the real circus begins!).

The department requires you to send them a certain registration form for a software product that uses cryptographic algorithms (in the broadest sense of the word “uses”), but it also requires attaching all the source code, and every time it changes you must update the data in their database. Fortunately, this can be done by e-mail (as an attachment), although for particular freaks an alternative method is also offered: print the source code out and send it by post or by fax.

Leave SourceForge


Pros: no deal with your conscience, and no deal with the notorious department.
Cons: moving a project from one place to another is always painful. You will lose some number of your users and some number of links pointing to you. And in fact there is almost nowhere to go.

In addition, looking at a review of what hosting there is for free software, sorted by popularity in the Alexa rating (that is, by how much the hosting will help create and maintain a community around your project), it becomes sad:

Hosting       Users           Projects        Country
Sourceforge   2.6 million     156 thousand    USA
Google code   ?               250 thousand    USA
Github        100 thousand    ?               USA
CodePlex      151 thousand    9.2 thousand    USA
Tigris        137 thousand    1.5 thousand    USA
Launchpad     930 thousand    15 thousand     USA
Assembla      170 thousand    60 thousand     USA
BerliOS       43 thousand     5.3 thousand    Germany
Gitorious     ?               ?               Norway

It becomes clear why it was precisely SF and GC that received the “letters of happiness”: they occupy the honorary top two positions in the list. All seven top positions in a row are occupied by hosting from the USA: it is clear that sooner or later they will receive exactly the same letters and will be forced to introduce exactly the same measures. If you run, then where to?

And, to finish this post, I would like to ask the opinion of the Habr community: what will you do, and how would you advise me to act? As I understand it, there are a lot of people who will be subject to this scourge. Authors of Jabber clients, authors of web browsers and plug-ins for them, developers of OS kernels and their components, etc., etc.: everyone who has anything related to SSL, SSH, MD5, SHA1. This automatically concerns us all.

I have two serious projects on SourceForge: KGuitar (a guitar tablature editor; fortunately it has nothing to do with cryptography, so everything is clear with it) and Inquisitor, a Linux-based system (meta-distribution) for automating hardware stress testing and benchmarking. Of course, as in any Linux distribution, ssh and openssl are present there too. Even worse, we, such bad people, test the performance of this very openssl as one of our benchmarks.

What to do? Leaving SF means losing not only the SF community, but also the extensive system of mirrors through which our ISO images were distributed, a fairly stable repository hosting service, and a convenient mechanism for bringing new people into the project. Alternatives to SF? I have heard a lot of bad reviews of BerliOS in terms of stability, and it is also somewhere around 50 times smaller than SF. All the others are even smaller and even less clear in terms of stability...

Source: https://habr.com/ru/post/83550/
