Fred,
Yeah I just googled for Debian [1], Suse [2], Ubuntu [3]. They all
pretty much say the same thing. US Law, blah, blah, blag. Like I said, I am
now 99% sure the whole world is just "doing it wrong" and most entities
(projects, people, companies) are too small for the government to notice.
I also scheduled a call with our legal export team to better understand
this myself. I need to be able to, at least describe it to communities,
partners and customers...
Like I said, quay.io can manually turn on an enforcing feature if you need
it. I suspect DockerHub can too...
[1]: Debian: https://www.debian.org/legal/cryptoinmain.en.html
[2]: Suse: https://www.suse.com/company/legal/terms-of-use/
[3]: https://ubuntu.com/legal/ubuntu-advantage-service-terms
Best Regards
Scott M
On Wed, Jun 19, 2019, 6:16 PM Fred Blaise <[email protected]> wrote:
> Thank you Scott for going the extra mile.
>
> Your answer is what I expected it to be, and I would somehow concur on the
> fact that it's been around forever, but noone ever really cared.
>
> CentOS has them too, as you mentioned: https://www.centos.org/legal/
>
> On Wed, Jun 19, 2019 at 3:45 PM Scott McCarty <[email protected]>
> wrote:
>
>> So, I went and did some research on this. Disclaimer, I am not a lawyer,
>> and Red Hat can't give specific legal advice. That said, these export
>> restrictions are in place and applicable no matter which base image you
>> choose/use (Alpine, CentOS, Debian, Ubuntu, etc). Essentially, the law is
>> the same no matter what, and can extend to non-US citizens as well (I
>> remember this from our yearly legal training) which I dread in December :-/
>>
>> The difference here is that the UBI EULA is basically making people pay
>> attention to the problem now. Obviously, Red Hat is not going to be the
>> entity suing you if you break export compliance, it would be the US
>> government. Apparently, the whole world is "doing this wrong" today and
>> the world hasn't ended. I totally understand your nervousness with seeing
>> this in writing now.
>>
>> I tried to check the DockerHub FAQ [1], but it "looks" like they may only
>> be enforcing export compliance for their own products (they are an entity
>> that might be targeted). We are doing the same thing for quay.io and I
>> could talk to the quay people to have this turned on if you wanted to
>> distribute there (aka then quay.io would block those countries for you).
>> Quay.io has a roadmap item to give people a "check box" to turn this on,
>> but it doesn't exist yet and appears delayed. The short term solution is
>> "ask quay.io to turn it on behind the scenes" - sub optimal, but still
>> good that it's available.
>>
>> [1]: https://docs.docker.com/docker-hub/publish/publisher_faq/
>>
>> Best Regards
>> Scott M
>>
>>
>> On Tuesday, June 18, 2019 at 2:42:00 PM UTC-4, Scott McCarty wrote:
>>>
>>> Oleg & Fred,
>>> Very good question. I am actually not sure myself, exactly what
>>> these restrictions mean. I am going to run it by one of our lawyers and get
>>> back to you. I will try and get more clarity...
>>>
>>> Best Regards
>>> Scott M
>>>
>>> On Tuesday, June 18, 2019 at 10:00:32 AM UTC-4, Oleg Nenashev wrote:
>>>>
>>>> FTR https://github.com/jenkinsci/docker/pull/826 for CentOS.
>>>>
>>>> Regarding UBI, I have the same concern as Fred. We have no tools to
>>>> enforce the Export limitations on DockerHub. I am also not sure that
>>>> restricting specific countries according to US laws is compliant with how
>>>> the Jenkins open-source project operates. IIRC we used to have contributors
>>>> from the countries restricted by US.
>>>>
>>>> Best regards,
>>>> Oleg
>>>>
>>>>
>>>> On Monday, June 17, 2019 at 7:01:48 PM UTC+2, Fred Blaise wrote:
>>>>>
>>>>> Hi Scott,
>>>>>
>>>>> What do you think of the export restrictions in the EULA? (some ref:
>>>>> https://www.law.cornell.edu/cfr/text/15/740.17)
>>>>>
>>>>> Any chance you could confirm internally with Redhat that UBI is 100%
>>>>> fit for Jenkins open-source?
>>>>>
>>>>> Thank you.
>>>>> Best,
>>>>> fred
>>>>>
>>>>> On Wednesday, May 15, 2019 at 11:14:40 PM UTC+2, Scott McCarty wrote:
>>>>>>
>>>>>> All,
>>>>>> I saw this thread a while back, but couldn't respond until after
>>>>>> we launched UBI publicly. UBI follows the RHEL lifecycle, but has the
>>>>>> added
>>>>>> bonus that 1. new versions come out before CentOS and 2. receives
>>>>>> RHEL updates (exact same RPMS). You can build on think of it as CentOS+
>>>>>> when ran anywhere, with the added bonus that it can be run on
>>>>>> RHEL/OpenShift and be fully supported by Red Hat. It's distributed under
>>>>>> a
>>>>>> different EULA than other Red Hat which does allow redistribution of Red
>>>>>> Hat trademarks in the content set (YUM/RPMS, images, etc). Also, we will
>>>>>> likely add packages in the future, but will never remove them. Feel free
>>>>>> to
>>>>>> ping me if you have any questions ([email protected]) or this
>>>>>> email...
>>>>>>
>>>>>> -
>>>>>>
>>>>>>
>>>>>>
>>>>>> https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image
>>>>>> -
>>>>>>
>>>>>>
>>>>>>
>>>>>> https://access.redhat.com/containers/#/product/5c180b28bed8bd75a2c29a63
>>>>>>
>>>>>> Scott M (@fatherlinux)
>>>>>>
>>>>>> On Friday, May 10, 2019 at 4:09:56 AM UTC-4, Oleg Nenashev wrote:
>>>>>>>
>>>>>>> FYI there is a pull request for CentOS image in Jenkins Docker
>>>>>>> packages
>>>>>>> https://github.com/jenkinsci/docker/pull/826
>>>>>>>
>>>>>>> On Wednesday, February 27, 2019 at 5:29:20 PM UTC+1, R Tyler Croy
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> (replies inline)
>>>>>>>>
>>>>>>>> On Wed, 27 Feb 2019, Olblak wrote:
>>>>>>>>
>>>>>>>> > But I am wondering, instead of going with Centos why not using
>>>>>>>> this PPA <https://launchpad.net/~openjdk-r/+archive/ubuntu/ppa>
>>>>>>>> with ubuntu?
>>>>>>>> > This would imply a smaller breaking change
>>>>>>>>
>>>>>>>> I do not believe that Jenkins should rely on any PPA (Personal
>>>>>>>> Package
>>>>>>>> Archive), they have a tendency of growing stale unlike mainstream
>>>>>>>> official
>>>>>>>> packages.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> GitHub: https://github.com/rtyler
>>>>>>>>
>>>>>>>> GPG Key ID: 0F2298A980EE31ACCA0A7825E5C92681BEF6CEA2
>>>>>>>>
>>>>>>> --
>> You received this message because you are subscribed to the Google Groups
>> "Jenkins Developers" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/jenkinsci-dev/6c0842d2-7e1c-4e00-97a0-3fea4eac979f%40googlegroups.com
>> <https://groups.google.com/d/msgid/jenkinsci-dev/6c0842d2-7e1c-4e00-97a0-3fea4eac979f%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/CAPNh5Ty7%3DoO%2BJCXaokqyPrthE4xKLZvG981b4dT%2BoH85f4XBaQ%40mail.gmail.com
> <https://groups.google.com/d/msgid/jenkinsci-dev/CAPNh5Ty7%3DoO%2BJCXaokqyPrthE4xKLZvG981b4dT%2BoH85f4XBaQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
--
You received this message because you are subscribed to the Google Groups
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-dev/CA%2B%3DsWc3CDosG8wNndtpsxVM0MyMVzf%2BicTB%3Dv9Ygu3C9-JPLeA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
