Linux Foundation Statement on Huawei Entity List Ruling

By May 23, 2019 June 14th, 2019 Blog

We have received inquiries regarding concerns about a member subject to an Entity List Ruling. [1] The Huawei Entity List ruling was specifically scoped to activities and transactions subject to the Export Administration Regulations (EAR).

Open Source Software Not involving Encryption

The Linux Foundation is a free and open source software organization whose project communities publish collaboratively developed software publicly. All software published by Linux Foundation projects is made available to the public without restrictions other than those imposed by the open source licenses. Software that is published publicly, such as open source software, is not subject to the EAR [2], and therefore not relevant to the Entity List Ruling.

Open Source Encryption Software

Open source encryption software source code was reclassified by the US Department of Commerce, Bureau of Industry and Security (BIS) effective September 20, 2016 as publicly available and no longer subject to the EAR. [3] Each open source project that uses or implements encryption is still required to send a notice of the URL to BIS and NSA to satisfy the publicly available notice requirement in the EAR at 15 CFR § 742.15(b).

The Linux Foundation continues to work with our projects to ensure their notices are up to date and are maintained in the future. [4] Open source software, collaboration on open source code, attending telephonic or in person meetings, participating in training and providing membership or sponsorship funds are all activities which are not subject to the EAR and therefore should have no impact on our communities. If there is a unique situation of concern, we encourage you to reach out directly to legal@linuxfoundation.org.

Security Vulnerability Pre-Disclosure Lists

A few of the Linux Foundation’s project communities use security vulnerability pre-disclosure lists to alert known implementers of the project’s open source software about vulnerability fixes that will be disclosed by the developers and published publicly in the near future (typically within 2 weeks). In these situations, LF project communities are conveying knowledge, information and written software patches that will be made publicly available when accepted for publication by the committers on the project and such disclosures are permitted under 15 CFR § 734.7(a)(5). [2]

[1] https://www.bis.doc.gov/index.php/documents/regulations-docs/2394-huawei-and-affiliates-entity-list-rule/file

[2] https://www.ecfr.gov/cgi-bin/text-idx?SID=fcba36d2f267c2fdecc5694c1e754aa7&mc=true&node=se15.2.734_17&rgn=div8

[3] 81 Fed. Reg. 64656, 64668 (September 20, 2016). See also, https://www.bis.doc.gov/index.php/policy-guidance/encryption/223-new-encryption

[4] https://www.linuxfoundation.org/export/