ONE Summit 2024 - April 29 - May 1, San Jose, CA  LEARN MORE

Search

    Join
    2 MIN READ

    Linux Foundation Statement on Huawei Entity List Ruling

    The Linux Foundation | 23 May 2019

    We have received inquiries regarding concerns about a member subject to an Entity List Ruling. [1] The Huawei Entity List ruling was specifically scoped to activities and transactions subject to the Export Administration Regulations (EAR).

    Open Source Software Not involving Encryption

    The Linux Foundation is a free and open source software organization whose project communities publish collaboratively developed software publicly. All software published by Linux Foundation projects is made available to the public without restrictions other than those imposed by the open source licenses. Software that is published publicly, such as open source software, is not subject to the EAR [2], and therefore not relevant to the Entity List Ruling.

    Open Source Encryption Software

    Open source encryption software source code was reclassified by the US Department of Commerce, Bureau of Industry and Security (BIS) effective September 20, 2016 as publicly available and no longer subject to the EAR. [3] Each open source project that uses or implements encryption is still required to send a notice of the URL to BIS and NSA to satisfy the publicly available notice requirement in the EAR at 15 CFR § 742.15(b).

    The Linux Foundation continues to work with our projects to ensure their notices are up to date and are maintained in the future. [4] Open source software, collaboration on open source code, attending telephonic or in person meetings, participating in training and providing membership or sponsorship funds are all activities which are not subject to the EAR and therefore should have no impact on our communities. If there is a unique situation of concern, we encourage you to reach out directly to legal@linuxfoundation.org.

    Security Vulnerability Pre-Disclosure Lists

    A few of the Linux Foundation’s project communities use security vulnerability pre-disclosure lists to alert known implementers of the project’s open source software about vulnerability fixes that will be disclosed by the developers and published publicly in the near future (typically within 2 weeks). In these situations, LF project communities are conveying knowledge, information and written software patches that will be made publicly available when accepted for publication by the committers on the project and such disclosures are permitted under 15 CFR § 734.7(a)(5). [2]

    [1] https://www.bis.doc.gov/index.php/documents/regulations-docs/2394-huawei-and-affiliates-entity-list-rule/file

    [2] https://www.ecfr.gov/cgi-bin/text-idx?SID=fcba36d2f267c2fdecc5694c1e754aa7&mc=true&node=se15.2.734_17&rgn=div8

    [3] 81 Fed. Reg. 64656, 64668 (September 20, 2016). See also, https://www.bis.doc.gov/index.php/policy-guidance/encryption/223-new-encryption

    [4] https://www.linuxfoundation.org/export/
    Similar Articles
    Browse Categories

    2023 Compliance and Security Cloud Computing Projects Linux How-To Diversity & Inclusion Open Source Open Source Best Practices 2022 Cross Technology Training and Certification Newsletter 2024 LF Research LFX AI Legal Linux Foundation Research Topic: Data Blog Linux Networking and Edge Data Governance LF Energy Open Mainframe Open Models OpenChain System Administration Topic: Security Topic: Sustainability cybersecurity eBPF generative AI kernel license compliance maintainer openssf techtalentsurvey

    Stay Connected with the Linux Foundation