I’m a little confused at people who are mad at GitLab here. I’m under the impression that sanctions and export control laws tend to be fairly strict, and penalties for knowing non-compliance are harsh, including the possibility of jail time. GitLab’s hands are pretty tied here.
We shouldn't be upset at github/gitlab/npm/dockerhub but at our industry and ourselves - how did we let our projects/packages/tools/infrastructure be hosted on such platforms in the first place? Hopefully this will trigger more activity on decentralised solutions; git is decentralised already, it needs some ipfs/torrent/etc wrapper for issues/rest, or maybe something based on fossil etc.
I don’t think I want to live in a world where software engineers make up their own foreign policy.
At the very least, enforceable sanctions give us options other than war. Giving that up could carry an immense human cost. An understanding of distributed software architecture does not come with the ability to understand and weigh that cost, nor does it make you a legitimate authority on which tradeoffs to choose. It’s probably inevitable, but I’ll be disappointed in our community if it happens.
I appreciate what you're trying to say here, but a UNSC resolution is not even a full step away from "great power games". It's not the same, but it's hardly different.
If a resolution passes the UNSC without veto, as well as passes the UN GA, then there is much higher likelihood that it is a legitimate issue and not just a game of great powers, perhaps even close to a certainty.
That is not to say that if it fails to go through the process it is necessarily just a game of great powers, but hey, that's the world we live in.
Well, we put our projects on the most popular platform, for visibility; and visibility is important for FOSS projects.
But you make a valid point. Perhaps we should put the "master repo" on something that's decentralized and not subject to US censorship, and only place a copy on GitHub/GitLab/etc.
There are tens of thousands of companies in the US which actively provide web-services, and which do not actively go fishing for accounts that may possibly be Iranian. Are they all possibly facing jail time?
Is there a requirement to actively monitor the service for possible Iranians? What kind of actions are required specifically to be safe from jail? Is it a requirement to actively block IPs? Spoiler: These things are not specified.
Maybe we should be angry with the US government for the lack of legal certainty provided to its citizens.
However, given that no one in a situation like Gitlab has been prosecuted, maybe their hands are bound after all.
Omission (https://en.wikipedia.org/wiki/Omission_(law)) creates the exact same liabilities. It's not about fishing for accounts.
Just because you're not being prosecuted doesn't mean that you don't need to comply with the law. For a large company like GitLab it is a fiduciary responsibility to do this whether or not they have the federal government telling them to do it at the current time.
> ... sanctions and export control laws tend to be fairly strict, and penalties for knowing non-compliance are harsh, including the possibility of jail time.
Yeah, no kidding. It's not even "knowing non-compliance", though -- although that's almost certainly worse.
To illustrate this with an example that most HN readers will easily understand (and which some might even be affected by):
The Office of Foreign Assets Control (OFAC) of the Department of the Treasury recently issued an advisory [0,1] to "alert" U.S. companies of the potential risks of "facilitating" ransomware payments.
The TL;DR is that "U.S. persons, wherever located" are subject to heavy civil penalties -- under "strict liability" -- if you "facilitate" a payment from a ransomware victim that ultimately ends up going to an "entity" that's in one of the embargoed/sanctioned countries (Iran, North Korea, Syria, Crimea, Cuba, ...) or on OFAC's "Specially Designated Nationals and Blocked Persons List".
"Strict Liability", by the way, means that you're still liable and subject to penalties even if you "did not know or have reason to know".
"Oh, really? Oh, well, that's too bad. You're still liable, pay up!"
Finally, think about how broadly the vague term "facilitate" might possibly be interpreted (especially by the U.S. Government!). There's a belief in some infosec circles that this even means that, for example, a consultant who told a ransomware victim, "yeah, you should probably pay if you want your data back," might be considered liable.
Not in an era when information is the most valuable commodity. Just look at the discrepancy in patent treatment between the US and China: openness on our part can still go unrequited and be taken advantage of. No matter what we give a sanctioned country free access to, they can just bend it to their own will.
In order to obtain patent protection, you have to make public the details of your invention, so "open" in the sense that the information is available, and vulnerable thereby to foreign manufacturers who don't respect the patent.
That’s getting off-topic: U.S. law currently requires this. Whether or not you agree with that policy, the question is whether GitLab should knowingly break that law, incurring potentially significant or even ruinous impact to their business, until the law is changed, or whether they should comply while working with their representatives to change the laws. That’s a lot of risk to ask a company to take on for something which doesn’t benefit Iranians that much.
The thing about the law is, it's not the company that suffers but employees can and will be thrown in jail. Executives aren't going to stick their necks out.
There’s heated debate over whether companies have to be political or not, even over whether it’s in principle possible to not be political. If someone thinks all companies should have a political stance, then “silence is violence”, or even worse, since gitlab is complying. US sanctions against Iran aren’t universally supported even by US satellites, and some would say they are immoral. So time for some activism?
Anyone on earth with access to the internet in non-sanctioned and non-sanctioning IP ranges could set up a mirror to help Iranians and other sanction victims. Private repos might be a little more difficult to handle, but still possible. Like the "Great Firewall", USA's petty totalitarianism can be routed around if people care to do so.
This happened because of US sanctions[0].
[0] https://about.gitlab.com/handbook/people-group/code-of-condu...