News: 0001501198


Some Clarity On The Linux Kernel's "Compliance Requirements" Around Russian Sanctions

([Linux Kernel] 5 Hours Ago US Sanctions Requirements)


When [1]a number of Russian Linux developers were removed from the Linux kernel's MAINTAINERS file, the change was described as due to "compliance requirements", but it was vague about what those requirements entailed. Linus Torvalds then [2]commented on the Russian Linux maintainers being de-listed and made it clear that the removals were due to government compliance requirements / legal issues around Russia. Now today some additional light has been shed on those new Linux kernel "compliance requirements".

There's finally some clarity around the "compliance requirements" for the Linux kernel, and it comes down to sanctioned individuals/organizations. Serge Semin was one of the impacted Russian Linux developers; he has maintained kernel code for Russia's Baikal hardware, the libata Synopsys DWC controller driver, various media drivers, and more. Serge wrote [3]a lengthy goodbye message to the Linux kernel community. He was surprised by his removal as a maintainer, especially after having provided 518 sign-offs for kernel patches, 253 reviewed/ack'ed patches, and another 80 tested-by patches over the years. He concluded his mailing list remarks with:

"Hope we'll meet someday in more pleasant circumstances and drink a couple or more beers together. But now it's time to say good bye. Sorry for a long-read text. I wish good luck on your Linux-way."

Serge Semin said he hadn't been able to get a response about the new "compliance requirements" for the kernel or much insight into the matter. Veteran Linux kernel developer James Bottomley has now chimed in on that mailing list thread with [4]some clarity into the new requirements. James wrote:

"Please accept all of our apologies for the way this was handled. A summary of the legal advice the kernel is operating under is

###

If your company is on the U.S. OFAC SDN lists, subject to an OFAC sanctions program, or owned/controlled by a company on the list, our ability to collaborate with you will be subject to restrictions, and you cannot be in the MAINTAINERS file.

###

Anyone who wishes to can query the list here:

https://sanctionssearch.ofac.treas.gov/

In your specific case, the problem is your employer is on that list. If there's been a mistake and your employer isn't on the list, that's the documentation Greg is looking for.

I would also like to thank you for all your past contributions and if you (or anyone else) would like an entry in the credit file, I'm happy to shepherd it for you if you send me what you'd like.

Again, we're really sorry it's come to this, but all of the Linux infrastructure and a lot of its maintainers are in the US and we can't ignore the requirements of US law. We are hoping that this action alone will be sufficient to satisfy the US Treasury department in charge of sanctions and we won't also have to remove any existing patches."

The legal advice relayed in the message covers only MAINTAINERS entries, and it is still not clear, for example, whether patches from Russian Linux developers are okay as long as they are not in the MAINTAINERS file. But the details do at least make clear that the kernel is checking individuals/organizations against the US OFAC sanctions program.

As for the delay in recognizing these sanctions in the scope of the Linux kernel, Bottomley [5]wrote in a follow-up message:

"A big chunk of the reason it's taken so long just to get the above is that the Lawyers (of which I'm not one) are still discussing the specifics and will produce a much longer policy document later, so they don't want to be drawn into questions like this. However, my non-legal-advice rule of thumb that I'm applying until I hear otherwise is not on the SDN list, not a problem."

It's too bad all of this context was missing from the start when the original patch was posted and merged.

Update: Longtime Linux developer and EXT4 file-system maintainer Ted Ts'o has also provided some clarity on a separate Linux kernel mailing list thread. In response to a suggested patch removing Huawei from the MAINTAINERS file given their known relations with the Chinese government, Ted [6]commented:

"Note that there are multiple sanction regimes and exactly what the rules are vary from country to country. At least in the US there are exemptions that mean that I can accept patches and send code reviews or engineers from Huawei so long as they occur in a public forum, such as the LKML mailing lists. As a result, folks may have noticed that there are ext4 patches from Huawei, and I personally consider them very valuable contributors to the ext4 community.

These exemptions may not apply in different countries, and for different sanctioned entities. I will note that China is not currently attacking Taiwan militarily at the moment, while Russian missiles and drones, some of which might be using embedded Linux controllers, *are* actively attacking another country even as we speak. So it might not be surprising that the rules might be different for different sanctioned entities.

Finally, please remember that kernel developers don't make the rules. Those laws are made by the US, European, Japanese, and other governments. My personal priorities are to make sure that *I* don't run afoul of any local civil or criminal penalties, and to make sure that other Linux developers can also stay safe. That being said, I'm not a lawyer, and so please don't take anything I say as legal advice. What I'm comfortable doing as the ext4 maintainer living in the US might not be applicable for someone else who might have different circumstances.

So for example, it could very much be the case that other countries have *stricter* laws, and if you are acting as a maintainer, in terms of accepting other people's code, or providing design guidance (which may be considered "providing technical assistance" in some countries' laws) --- if you are uncertain, please reach out to a lawyer.

- Ted

P.S. This has always been the case, even before one country invaded another; maintainers take on real legal responsibilities as part of their work. It's just that the consequences of copyright and patent issues were much less than when there are sanctions involving countries who are actively at war with others."



[1] https://www.phoronix.com/news/Russian-Linux-Maintainers-Drop

[2] https://www.phoronix.com/news/Linus-Torvalds-Russian-Devs

[3] https://lore.kernel.org/lkml/2m53bmuzemamzc4jzk2bj7tli22ruaaqqe34a2shtdtqrd52hp@alifh66en3rj/

[4] https://lore.kernel.org/lkml/e7d548a7fc835f9f3c9cb2e5ed97dfdfa164813f.camel@HansenPartnership.com/

[5] https://lore.kernel.org/lkml/f90bba20e86dac698472d686be7ec565736adca0.camel@HansenPartnership.com/

[6] https://lore.kernel.org/lkml/20241024164939.GL3204734@mit.edu/


