Access to Fedora from Iran

Hi,

Currently Fedora servers block access to discussion.fedoraproject.org and ask.fedoraproject.org for IPs from Iran. (With message “Access forbidden based on location.”)

According to US treasury “Iran General License (No. D-2) - General License with Respect to Certain Services, Software, and Hardware Incident to Communications (September 23, 2022)”

Which can be found here:

https://ofac.treasury.gov/sanctions-programs-and-country-information/iran-sanctions
https://ofac.treasury.gov/media/928096/download?inline

Operating systems such as Fedora as well as services necessary for its operation should be exempt from US sanctions on Iran:

“(1) Fee-based or no-cost services. The exportation or reexportation, directly or
indirectly, from the United States or by a U.S. person, wherever located, to Iran of fee-based or
no-cost services incident to the exchange of communications over the Internet, such as instant
messaging, chat and email, social networking, sharing of photos and movies, web browsing,
blogging, social media platforms, collaboration platforms, video conferencing, e-gaming, elearning platforms, automated translation, web maps, and user authentication services, as well as cloud-based services in support of the foregoing or of any other transaction authorized or exempt under the ITSR.”

"(2) Fee-based or no-cost software. (i) Software subject to the EAR. The exportation,
reexportation, or provision, directly or indirectly, to Iran of fee-based or no-cost software subject
to the Export Administration Regulations, 15 CFR parts 730 through 774 (EAR), that is incident
to, or enables services incident to, the exchange of communications over the Internet, such as
instant messaging, chat and email, social networking, sharing of photos and movies, web
browsing, blogging, social media platforms, collaboration platforms, video conferencing, egaming, e-learning platforms, automated translation, web maps, and user authentication services, as well as cloud-based services in support of the foregoing or of any other transaction authorized or exempt under the ITSR, provided that such software is designated EAR99 or classified by the U.S. Department of Commerce on the Commerce Control List, 15 CFR part 774, supplement No. 1 (CCL), under export control classification number (ECCN) 5D992.c. "

"(ii) Software that is not subject to the EAR because it is of foreign origin and is located
outside the United States. The exportation, reexportation, or provision, directly or indirectly, by
a U.S. person, wherever located, to Iran of fee-based or no-cost software that is not subject to the EAR because it is of foreign origin and is located outside the United States, that is incident to, or enables services incident to, the exchange of communications over the Internet, such as instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, blogging, social media platforms, collaboration platforms, video conferencing, e-gaming, e-learning platforms, automated translation, web maps, and user authentication services, as well as cloud-based services in support of the foregoing or of any other transaction authorized or exempt under the ITSR, provided that such software would be designated EAR99 if it were located in the United States or would meet the criteria for classification under ECCN 5D992.c if it were subject to the EAR. "

“5.) Laptops, tablets, and personal computing devices, and peripherals for such devices
(including but not limited to consumer* disk drives and other data storage devices) and
accessories for such devices (including but not limited to keyboards and mice) designated
EAR99 or classified on the CCL under ECCNs 5A992.c, 5A991.b.2, 5A991.b.4, or
4A994.b; computer operating systems and software required for effective consumer use of
such hardware, including software updates and patches, designated EAR99 or classified
under ECCN 5D992.c; and services necessary for the operation of such hardware and
software.”

Would it be possible for the council to start the process for the review of this matter by the legal team?

Regards

I’m not a lawyer, this is not legal advice, I have not worked for Red Hat for many years now… but I used to help out with Fedora’s export policies, so I know a little bit about this topic.

First thing: the punishment for violating US Export laws is … a lot. Criminal penalties can involve fines up to $1 million and up to 20 years in Federal prison, while civil penalties can include fines of up to $250,000 per violation. And this isn’t something where IBM/Red Hat just pays a fee, the people involved in the situation are responsible. So, while most of the people involved in this think it sucks, no one really wants to go to prison for 20 years because they got it wrong.

Second, export regulations are INCREDIBLY complicated. There’s the top level set of restrictions, but then there are people in specific groups and categorizations, and then there are lists of people within those countries. When it comes to open source, it’s really really hard to comply at the finer grained levels. It’s so much simpler to just restrict the country at issue and be able to make the argument that you’re blocking in good faith across the whole locale.

Three: This stuff changes a lot. Especially when you have major regime change. The document you’ve cited is already obsoleted, by 31 CFR § 560.540 of the Iranian Transactions and Sanctions Regulations (ITSR).

Fourth, the material you’ve cited covers software. Fedora already openly states that “Fedora software in source code and binary code form are publicly available and are not subject to the EAR in accordance with §742.15(b).” The EAR is “U.S. Export Administration Regulations (the “EAR”) . But… access to those websites isn’t software. It’s distributing “technical information”, and none of the general licensing that I’ve ever seen covers that.

Again, everyone thinks this sucks. We get that people are not countries and lots of good people are getting screwed over/inconvenienced/limited by the acts of governments for reasons that aren’t always logical or reasonable. But it’s not as simple as you think it is and it’s done very very very carefully.

TLDR: This probably isn’t going to change. You’re probably not going to get an official response. I couldn’t have given you an official response when I worked there. Your references don’t change the situation. Sorry.

Thanks @spot for sharing historical context here.

I know the topic has come recently with regards to Syria and the potential lifting of the Syrian sanctions, but the Iranian issue is more complex. Also like @spot said, many of us think this sucks and it goes against the values of Free Software that underpin a project like Fedora. I even wrote a personal blog post about this a few years ago before I began working at Red Hat:

There will not be an official response here, like @spot said. Because of the current situation, I don’t see this changing at the present moment either. If the situation changes in the future like we are seeing with Syria, then we can always revisit. But for now, there is not much to do about this.

Great article. I had no idea Microsoft allowed access to Git Hub in Iran, while Red Hat denies Fedora access to our friends there.

I think it is worth being very clear that it is not Red Hat specifically denying this, but rather, the federal government of the United States of America. And they have a really, really big stick that they can whack someone with for noncompliance.

Microsoft did something great in pushing for GitHub as a platform to be open in Iran, but Microsoft also has access to a lot more resources and government relationships than Red Hat. (Ask me about my past career life in the United Nations and the reaction I had when I discovered that Microsoft had an entire division specifically focused on the United Nations and public sector engagement.)

Since I wrote my blog post, I recognize that there is a limited degree of influence Red Hat can ultimately have on this. The larger issue at hand is that any US-registered business or corporation is always going to have challenges like this when subject to US federal government laws and restrictions on export compliance, as @spot detailed in his previous reply.