Hi Martin, Thank you for your analysis and detailed explanation. I will take your comments into consideration as part of our ECCN determination process.
To clarify, we do not intend to sell, export, or transfer this software outside the United States. The product is currently located in the U.S. and will be used exclusively within the U.S. Our review is strictly for internal trade compliance purposes to confirm whether the software is controlled under the EAR and whether it incorporates encryption functionality that could require additional review. We appreciate your insights regarding the potential EAR exemption and the open-source nature of Bash. Your feedback is very helpful in our assessment. Thank you again for your time and support. Best regards, Carmen Rubio From: Martin D Kealey <[email protected]> Sent: Thursday, July 2, 2026 1:04 AM To: Carmen Rubio (CW) <[email protected]> Cc: Eduardo Bustamante <[email protected]>; bug-bash <[email protected]>; Abraham Reynoso (CW) <[email protected]> Subject: Re: ECCN " SHELL AND BASH SCRIPTING LANGUAGES" Request You don't often get email from [email protected]<mailto:[email protected]>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> Caution: External Email I admit I had to ask around to find out what "ECCN" might mean. If by "ECCN" you mean an Export Control Classification Number<https://www.trade.gov/how-do-i-determine-my-export-control-classification-number-eccn>, then I believe (*1) that Bash is exempt. Are you in the US? Are you planning to sell Bash to customers who are Parties of Concern, or who are domiciled in Embargoed Countries? If so: * Why can't you self-certify? (*2) * Please make sure you have a plan to meet your licensing obligations under the GNU General Public Licence. If not, then why do you believe you need an ECCN? I believe Bash is not subject to EAR for 3 reasons: * Firstly, Bash is a general-purpose software-only product, which one might tentatively categorise as EAR99. The ECCN categories that apply to software are for software that controls or designs some specific mechanism, and Bash by its general-purpose nature does not qualify for any of these. The only categories needing special consideration are 5D002 & 5D992, but Bash does not implement any secure encryption algorithms. All of this is obvious simply by reading the source code - you don't need to take my word for it. * Secondly, Bash is already installed in several hundred million devices around the world. * Thirdly, Bash is open source, meaning it is strictly exempt under Title 15 Subtitle B Chapter VII Subchapter C Part 734 §734.3(b)(3)<https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-734/section-734.3> subject to the definition of "published" in §734.7(a)(4)<https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-734/section-734.7>. Since Bash is not subject to EAR, it requires no categorisation, not even as EAR99. -Martin (*1: I'm just a member of this mailing list; I do not speak for the Free Software Foundation<https://www.fsf.org/>, I am not a resident or citizen of the US, and I am not a lawyer. You should carefully read title Title 15 Subtitle B Chapter VII Subchapter C Part 734 §734.3(b)(3)<https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-734/section-734.3> and §734.7(a)(4)<https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-734/section-734.7> for yourself, and if you still have any doubts, you can contact the Export Counselling Division of the Office of Exporter Services at [email protected]<mailto:[email protected]> who will be able to confirm (or maybe deny) what I've suggested here.) (*2: It is the exporter's responsibility to provide an ECCN, not the software "vendor"; in particular the Free Software Foundation has no obligation in respect of other people's export activities. I'm answering this question only because trade.gov<https://www.trade.gov/how-do-i-determine-my-export-control-classification-number-eccn> is rather messed up at the moment: many internal links get redirected to bis.gov<http://www.bis.gov/>, and then its onward links fail to load. That obviously makes it difficult to do your own research, but please be aware that you're asking a non-profit volunteer group (*3) to do legal leg-work without any recompense.) (*3: the description "non-profit volunteer group" applies both to this mailing list and to the Free Software Foundation which owns the copyright in Bash.) CONFIDENTIALITY NOTICE: This email and any files attached may contain confidential information and may be restricted from disclosure by corporate confidentiality guidelines, or applicable state and federal law. It is intended solely for the use of the person or entity to whom the email was addressed. If you are not the intended recipient of this message, be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. Please delete this email from your system if you are not the intended recipient.
