Hi Martin,

Thank you for your analysis and detailed explanation. I will take your comments 
into consideration as part of our ECCN determination process.

To clarify, we do not intend to sell, export, or transfer this software outside 
the United States. The product is currently located in the U.S. and will be 
used exclusively within the U.S. Our review is strictly for internal trade 
compliance purposes to confirm whether the software is controlled under the EAR 
and whether it incorporates encryption functionality that could require 
additional review.

We appreciate your insights regarding the potential EAR exemption and the 
open-source nature of Bash. Your feedback is very helpful in our assessment.


Thank you again for your time and support.


Best regards,

Carmen Rubio


From: Martin D Kealey <[email protected]>
Sent: Thursday, July 2, 2026 1:04 AM
To: Carmen Rubio (CW) <[email protected]>
Cc: Eduardo Bustamante <[email protected]>; bug-bash <[email protected]>; 
Abraham Reynoso (CW) <[email protected]>
Subject: Re: ECCN " SHELL AND BASH SCRIPTING LANGUAGES" Request

You don't often get email from 
[email protected]<mailto:[email protected]>. Learn why this is 
important<https://aka.ms/LearnAboutSenderIdentification>

Caution: External Email

I admit I had to ask around to find out what "ECCN" might mean. If by "ECCN" 
you mean an Export Control Classification 
Number<https://www.trade.gov/how-do-i-determine-my-export-control-classification-number-eccn>,
 then I believe (*1) that Bash is exempt.

Are you in the US? Are you planning to sell Bash to customers who are Parties 
of Concern, or who are domiciled in Embargoed Countries? If so:

  *   Why can't you self-certify? (*2)
  *   Please make sure you have a plan to meet your licensing obligations under 
the GNU General Public Licence.
If not, then why do you believe you need an ECCN?

I believe Bash is not subject to EAR for 3 reasons:

  *   Firstly, Bash is a general-purpose software-only product, which one might 
tentatively categorise as EAR99.
The ECCN categories that apply to software are for software that controls or 
designs some specific mechanism, and Bash by its general-purpose nature does 
not qualify for any of these.
The only categories needing special consideration are 5D002 & 5D992, but Bash 
does not implement any secure encryption algorithms.
All of this is obvious simply by reading the source code - you don't need to 
take my word for it.
  *   Secondly, Bash is already installed in several hundred million devices 
around the world.
  *   Thirdly, Bash is open source, meaning it is strictly exempt under Title 
15 Subtitle B Chapter VII Subchapter C Part 734 
§734.3(b)(3)<https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-734/section-734.3>
 subject to the definition of "published" in 
§734.7(a)(4)<https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-734/section-734.7>.
Since Bash is not subject to EAR, it requires no categorisation, not even as 
EAR99.

-Martin

(*1: I'm just a member of this mailing list; I do not speak for the Free 
Software Foundation<https://www.fsf.org/>, I am not a resident or citizen of 
the US, and I am not a lawyer. You should carefully read title Title 15 
Subtitle B Chapter VII Subchapter C Part 734 
§734.3(b)(3)<https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-734/section-734.3>
 and 
§734.7(a)(4)<https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-734/section-734.7>
 for yourself, and if you still have any doubts, you can contact the Export 
Counselling Division of the Office of Exporter Services at 
[email protected]<mailto:[email protected]> who will be able to confirm (or 
maybe deny) what I've suggested here.)

(*2: It is the exporter's responsibility to provide an ECCN, not the software 
"vendor"; in particular the Free Software Foundation has no obligation in 
respect of other people's export activities. I'm answering this question only 
because 
trade.gov<https://www.trade.gov/how-do-i-determine-my-export-control-classification-number-eccn>
 is rather messed up at the moment: many internal links get redirected to 
bis.gov<http://www.bis.gov/>, and then its onward links fail to load. That 
obviously makes it difficult to do your own research, but please be aware that 
you're asking a non-profit volunteer group (*3) to do legal leg-work without 
any recompense.)

(*3:  the description "non-profit volunteer group" applies both to this mailing 
list and to the Free Software Foundation which owns the copyright in Bash.)

CONFIDENTIALITY NOTICE: This email and any files attached may contain 
confidential information and may be restricted from disclosure by corporate 
confidentiality guidelines, or applicable state and federal law. It is intended 
solely for the use of the person or entity to whom the email was addressed. If 
you are not the intended recipient of this message, be advised that any 
dissemination, distribution, or use of the contents of this message is strictly 
prohibited. Please delete this email from your system if you are not the 
intended recipient.

Reply via email to