Update on some maintainers / contributors.

Patrick Williams patrick at stwcx.xyz
Thu Oct 31 22:14:00 AEDT 2024


On Thu, Oct 31, 2024 at 01:05:12PM +0300, Paul Fertser wrote:
> Hello Patrick,

Hi Paul,

For clarity I've tried to be very purposeful in my use of "I" and "we"
in both this email and the previous one.

    "I" - me personally
    "We" - the project as a whole, speaking as a member of both the
           TSC and TOF.

> 
> On Thu, Oct 31, 2024 at 12:31:33AM -0400, Patrick Williams wrote:
> > it seems like we should be more forward about what is going on.
> 
> Great to hear you think that, and thanks a lot for approaching this in
> a more humane way.
> 
> >    - We are not accepting new CCLAs from entities on the sanctions list
> >      or accepting ICLAs from individuals associated with these
> >      entities.
> 
> Please consider trying to do better than the "high ranking members of
> the kernel community" mentioned earlier and adding specific, explicit
> rules regarding this issue to the project documentation.

OpenBMC is a Linux Foundation project and we generally look to them to
provide policy for this sort of situation.  Thus far I have not seen
anything formal from them.

The usual "I am not a lawyer" disclaimer...

It is my understanding that, independent of any Linux Foundation policy,
a very large portion of our developers are bound by the US sanctions (even
if you have never even entered the US).  If you are covered by a CCLA,
you are also contributing to the project as an agent of your employer
and also have to comply with your employer's policy on the matter.  Based
on informal conversations I have had, for people that have had explicit
conversations with legal representation, there has been an array of 
"what to do" advice.

The best we can do at this time is what I have already written.

[[
    Re "very large portion": It would not surprise me if 100% of active
    contributors are subject to the SDN.  If you go back 2 years it was
    still probably over 90%.
]]

> In particular, it would be really important to clarify 
> 
> 1. Which sanctions list it is exactly; for Linux they say they are
> going to follow just the SDN and not the whole OFAC so even though
> e.g. Huawei is sanctioned they are still allowed to not only
> contribute code but also maintain parts of the project.

Yes, the SDN is the primary list of concern right now.  LF has
previously made a statement about Huawei.

https://www.linuxfoundation.org/blog/blog/linux-foundation-statement-on-huawei-entity-list-ruling

Ultimately, there are currently 21 different sanctions programs, with
different policies and lists, that many of us are required to follow
even if we are unaware.

https://www.state.gov/economic-sanctions-programs/

[[ 
   I realize I'm taking a very US-centric view here; other countries
   have their own sanctions programs.  It is quite likely that I am
   also required to personally comply with rules from the EU that I'm
   not even aware of.
]]

> 2. How association of an individual with an entity is established. The
> kernel people were mentioning some documents that a developer might
> provide to prove they're not associated but it's hard to imagine what
> kind of document that might even be.

For individuals covered by a CCLA, it is relatively easy; for those
that send an ICLA it is not.  Until there is a formal policy available
to us, I don't really want to say any more because I don't want what I
write here to be construed as the policy.


-- 
Patrick Williams