ossf / great-mfa-project

The Great Multi-Factor Authentication (MFA) Distribution Project of the Open Source Security Foundation (OpenSSF). We work to distribute hardware MFA tokens to critical open source software (OSS) projects.

OSSF should be more specific about why certain countries are "banned" #52

Closed evverx closed 2 years ago

evverx commented 2 years ago

From https://github.com/ossf/great-mfa-project/pull/37#discussion_r766474420

It seems to me that at least two whole countries on the list shouldn't have been "banned" by OSSF because the sanctions are actually imposed against certain regions and individuals. Anyway, even if those countries are really "banned", the link to https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information isn't exactly helpful.

david-a-wheeler commented 2 years ago

NO countries are banned by the OpenSSF. We want to distribute them wherever they'll do some good.

These tokens are being distributed from the US. Various US laws & regulations forbid the exportation of tokens to certain countries. If you think there's an error, let us know & we'll try to correct it. That's the best list I've been able to put together, given the information available to us and given a complicated situation. I'd love to know of a better authoritative link than https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information

It's worded a little vaguely because we don't control the shipping limitations. They're limited by US law & also by other factors, in particular the practical costs (and dangers) of shipping to some places. In short, Google Store & GitHub Shop can/will only ship to certain places, so those are the only places they can be sent to.

evverx commented 2 years ago

Various US laws & regulations forbid the exportation of tokens to certain countries

They do but I think they affect Crimea for the most part.

If you think there's an error, let us know & we'll try to correct it

I'm not a lawyer so I can't say what exactly is incorrect there but I believe I can get US online stores to ship Yubikeys to both Russia and Ukraine.

evverx commented 2 years ago

I can get US online stores to ship Yubikeys to both Russia and Ukraine

It wouldn't be necessary though because according to https://www.yubico.com/support/shipping-and-buying-information/resellers/ their resellers sell Yubikeys in both Russia and Ukraine.

[Two screenshots of the Yubico reseller list, taken 2021-12-11]

evverx commented 2 years ago

Anyway, considering that those devices are already sold in those countries, they have already been imported and licensed properly there, so it seems customs (which I assume is the main reason why they couldn't have been shipped) wouldn't have a problem with them. I'm pretty sure if OSSF really wanted to distribute yubikeys it would find a way (which I agree wouldn't be that easy). So I guess the OSSF motto should read "OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all (unless they are located in ...)" :-) Closing

david-a-wheeler commented 2 years ago

@evverx - we try to use all resources made available to us, be it money or free tokens. In this case, the tokens are free but because they're distributed from the US they're subject to those laws. If you want to complain about those laws, you're free to do so.

evverx commented 2 years ago

they're subject to those laws

@david-a-wheeler could you be more specific about what laws exactly? I went to https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information and found nothing there.

I mean, the OpenSSF sent the invitation letter where it simply referenced some sanctions that seem to have nothing to do with cryptographic devices and expected open source developers to go through that. And in this issue it seems it's somehow expected that I'm a lawyer of some sort that can figure out what "those laws" are exactly.

evverx commented 2 years ago

FWIW looking at those vague references to the sanctions I'm starting to think that all that stuff hasn't actually been vetted by any lawyers and that the tokens aren't shipped to two whole countries just because OpenSSF decided to err on the side of caution without even trying. Still if anyone could point me in the direction of the laws preventing OSSF from shipping yubikeys to Moscow for example it would be great.

david-a-wheeler commented 2 years ago

Google & GitHub won't ship them to various locations, and we're relying on their shipping systems. We do NOT want the OpenSSF to ever have physical possession of the tokens. They're also the ones providing the tokens at no cost. You'll need to convince their respective Store & Shop.

evverx commented 2 years ago

Google & GitHub won't ship them to various locations, and we're relying on their shipping systems

@david-a-wheeler thanks! That's what I think should have been in the invitation letter instead of the misleading link to the sanctions.

They're also the ones providing the tokens at no cost.

Neither of those stores is on the official list of resellers of Yubikeys. I wonder why OSSF insists on ordering them there instead of letting people buy them at stores that are approved by the manufacturer?

david-a-wheeler commented 2 years ago

Because Google & GitHub are the ones providing them. We are taking time out of our busy days to distribute tokens freely offered by Google & GitHub. If you're eligible but don't want one, that's fine, just say no thank you.

evverx commented 2 years ago

We are taking time out of our busy days to distribute tokens freely offered from Google & GitHub

I don't know how to react to that. Looking at https://openssf.org/ I don't think it's all based on volunteers only. If it is, I obviously wouldn't have expected it to be thought out carefully and vetted by lawyers or anything like that.

If you're eligible but don't want one, that's fine, just say no thank you

Of course, because of this iffy scheme with weird deadlines and coupons allowing me to order tokens from certain stores only, I don't want one :-)

evverx commented 2 years ago

Before I go I just wanted to say that comments like

If you want to complain about those laws, you're free to do so. ... You'll need to convince their respective Store & Shop ... just say no thank you

addressed to an open source developer seem a bit weird to me when they come from an OSSF member in reply to specific questions (that, by the way, haven't been answered). Anyway, I think this discussion was helpful in the sense that now I more or less understand the way OSSF operates.