Debian or Arch or Ubuntu never ask for my confirmation ?

Example :

You acknowledge that openSUSE Leap 15.3 is subject to the U.S. Export Administration Regulations (the “EAR”) and you agree to comply with the EAR. You will not export or re-export openSUSE Leap 15.3 directly or indirectly, to: (1) any countries that are subject to US export restrictions; (2) any end user who you know or have reason to know will utilize openSUSE Leap 15.3 in the design, development or production of nuclear, chemical or biological weapons, or rocket systems, space launch vehicles, and sounding rockets, or unmanned air vehicle systems, except as authorized by the relevant government agency by regulation or specific license; or (3) any end user who has been prohibited from participating in the US export transactions by any federal agency of the US government. By downloading or using openSUSE Leap 15.3, you are agreeing to the foregoing and you are representing and warranting that You are not located in,under the control of, or a national or resident of any such country or on any such list. In addition, you are responsible for complying with any local laws in Your jurisdiction which may impact Your right to import, export or use openSUSE Leap 15.3. Please consult the Bureau of Industry and Security web page www.bis.doc.gov before exporting items subject to the EAR. It is your responsibility to obtain any necessary export approvals.

  • BCsven
    link
    fedilink
    arrow-up
    59
    ·
    3 months ago

    Its a CYA for SUSE. Certain technologies aren’t permitted to be shared outside of USA unless you go through the ETAR and assign if it commerically restricted/unrestricted, etc. If you are in USA you are bound by this anyway, even without a EULA.

    They don’t know what you may install or transfer, even though it is opensource and you could download in another country.

    We get hung up with this at work. We may have a software issue and send to USA parent company for review, they then need to know if the data represents a certain class so they can direct where (country) the software review or fix can be sent for evaluation.

    There are obious things like military, but then there are commercial, transit infrastructure, aero, etc.

    But it can get stupid, like the parent company received a CAD file I sent in as a demomstration of a display bug. i made a cube 4x4x4. the agent wanted to know what ETAR class it was, I argued it isn’t because it is a cube I made as demo only, they would not review till i choose a class from a long list. None applied. But I had to pick one for them to proceed. So somewhere some guy is doing data chain of custody on a cube. lol

    In cases where it does fall into restricted commercial interest or other restrictions only a USA citizen can work on the data.

    This agreement poses no restrictiona on you that aren’t already present if you are in the USA. And you shouldn’t need to worry, unless you actively are designing or stealing data to hand over to a USA “enemy” for purposes of espionage , war, weapons etc

    • kbal@fedia.io
      link
      fedilink
      arrow-up
      34
      ·
      3 months ago

      Certain technologies aren’t permitted to be shared outside of USA unless you go through the ETAR

      I’m guessing you mean ITAR, if anyone’s having trouble searching for it.

    • lemmyreader@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      13
      ·
      3 months ago

      Its a CYA for SUSE. Certain technologies aren’t permitted to be shared outside of USA unless you go through the ETAR and assign if it commerically restricted/unrestricted, etc. If you are in USA you are bound by this anyway, even without a EULA.

      Thanks. Yes, I noticed that openSUSE mentions it takes its sources from SLES Enterprise version (and Fedora is connected with RedHat RHLE Enterprise USA) so I guess that’s where the corporate lawyers started chiming in :)

      • BCsven
        link
        fedilink
        arrow-up
        7
        ·
        3 months ago

        Yeah, exactly. with OpenSUSE having SUSE binaries I’m sure they legal mumbo jumbo just tranafers for covering all scenarios

  • socphoenix@midwest.social
    link
    fedilink
    arrow-up
    47
    ·
    3 months ago

    This has to do with encryption protocols. Offhand my assumption is either they are trying to be extra cautious as the rules are incredibly complex, or they have a different algorithm included by default that would be subject to those rules.

    • Hobbes_Dent@lemmy.world
      link
      fedilink
      arrow-up
      41
      arrow-down
      1
      ·
      edit-2
      3 months ago

      It is my limited understanding that encryption beyond a certain level is illegal to export from the US. For example one of the positives of OpenBSD being based in Canada was is the ability to include crypto at a level that that the US wouldn’t permit to export.

      From https://www.openbsd.org/crypto.html

      Edit: tense

    • ShadowCatEXE@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      3 months ago

      Out of curiosity, would they be subject to these laws/protocols/regulations if they are (developers or organization) based in the US, but offer releases hosted elsewhere in the world AND/OR develop the product with code hosted elsewhere in the world?

      • BCsven
        link
        fedilink
        arrow-up
        8
        ·
        3 months ago

        It’s one of those bureacratic things. You could download OpenSUSE in a restricted country and install it, but if you were in the USA and transfered the data to a restricted country you would be in violation of ETAR restrictions, even without the EULA

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      3
      ·
      edit-2
      3 months ago

      Cryptography is protected under the first amendment

      A while back the NSA tried to argue it was a weapon and subject to weapons export restrictions but that was shot down in court

      • Richard@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        3
        ·
        3 months ago

        No, they are not. Sovereign countries are bound by the WTO (World Trade Organisation), not US export laws.

        • Jimmyeatsausage@lemmy.world
          link
          fedilink
          arrow-up
          6
          ·
          3 months ago

          “Among other restrictions, US federal law controls the export of strong cryptographic materials, which are classified as a munition. Under these restrictions, the Fedora Project cannot export or provide Fedora software to any forbidden entity, including through the FreeMedia program”

          You should let Fedora know that.

  • ILikeBoobies
    link
    fedilink
    arrow-up
    22
    ·
    3 months ago

    To avoid being sanctioned themselves

    It’s helpful to follow if you want to deal with the US government

  • catloaf@lemm.ee
    link
    fedilink
    English
    arrow-up
    21
    arrow-down
    2
    ·
    3 months ago

    Because their lawyers said so. Canonical is based in England so their lawyers didn’t say so. I don’t know where the Debian project is based. OpenSUSE is based in Germany so I’m not sure why they feel the need, but I assume that’s what the lawyers said they need to do.

      • NaN@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        2
        ·
        3 months ago

        Debian is legally part of Software in the Public Interest, Inc., which it also founded.

        • wildbus8979@sh.itjust.works
          link
          fedilink
          arrow-up
          9
          ·
          edit-2
          3 months ago

          No it isn’t. The foundation only holds on to the trademarks and logos. It also allows the group to hold funds.

          The project itself isn’t held, led, or otherwise directed by the foundation.

          • NaN@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            6
            ·
            edit-2
            3 months ago

            Eh, you’re right.

            The legal identity of an SPI associated project is not changed through their association with SPI, nor does it become part of SPI

            • wildbus8979@sh.itjust.works
              link
              fedilink
              arrow-up
              5
              ·
              edit-2
              3 months ago

              It was founded for donations. Hard to do if they aren’t legally associated.

              Not at all hard to do. The foundation receives funds and gives them out to whomever. That’s it.

    • IsoKiero@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      6
      ·
      3 months ago

      I don’t know where the Debian project is based.

      Trademark and at least some copyright for the project is owned by an entity in the New York and Ian Murdoch who started the project was US citizen. But calling the whole project as USA based is wrong, it is based ‘on the internet’ as even the core team is spread across the globe.

  • chalk46@kbin.social
    link
    fedilink
    arrow-up
    16
    arrow-down
    3
    ·
    3 months ago

    oh yeah, I’m sure that’ll work 👍
    about as effective as a mystical incantation

    • Richard@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      2
      ·
      3 months ago

      I kind of feel coerced by that text into sending a copy of OpenSUSE Leap to some obscure nuclear missile programme now, just for the sake of it

    • ReversalHatchery@beehaw.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 months ago

      It seems it’s often unclear whether it does. A user under this post has linked Debian’s wiki page that writes about this, and they don’t have a definitive answer either, just pointers on how to make sure that you are safe

  • 0x0@programming.dev
    link
    fedilink
    arrow-up
    8
    ·
    3 months ago

    I thought OpenSUSE is German, so why would you export it?

    The only rationale is that it ships with cryptography that’s made in 'murica and probably stored in US servers, hence the export warning.

      • 0x0@programming.dev
        link
        fedilink
        arrow-up
        1
        ·
        3 months ago

        And then they continued by not implementing the certified format correctly in Office anyway.

        Enter the hefty fines. Like 5% of last year’s revenue.