Update on Rust, crates.io, and US economic sanctions

Hey folks,

There's been a lot of concern around the US economic sanctions against Iran and other countries, and especially Rust's reliance on GitHub after the changes they recently made in order to comply with the law. We've spent some time looking into this recently, and wanted to update folks on where things stand. We specifically wanted to answer two questions:

  • Do the changes that GitHub has made affect any of the ways in which Rust relies on GitHub?
  • Are there any changes required to crates.io in order to comply with the law?

Rust uses GitHub in 3 primary ways:

  • All Rust repositories are hosted on GitHub, and a substantial amount of collaboration occurs in issues/pull requests
  • The crates.io index, which is cloned by cargo, is hosted on GitHub.
  • The only way to create an account on crates.io is through GitHub OAuth.

We've investigated whether any of these are affected. To our knowledge, individuals from sanctioned countries are still able to clone and interact with public repos, and they are also able to use their account for OAuth purposes. We do not believe there are any plans to change this.

The second issue was whether changes need to be made to crates.io. We believe that we are fully in compliance with the law. We do not have any plans to add restrictions to our service. All users -- regardless of country of origin -- will continue to be able to publish crates, download crates, and use any other functions provided by crates.io.

If any of this information changes, we will re-evaluate the situation. However, at this time, we do not believe there are any changes required within any part of the Rust organization as a result of the US sanctions.

24 Likes

Please clarify what is meant by "interact" here. Are they able to collaborate, i.e. to comment in issues/PRs and create them?

1 Like

None of those are being blocked by GitHub, no

1 Like

I just became aware of what's happening thanks to your post. I do think there is some bigger issue we need to discuss in the Rust community.

There is the practical side of things: "Are there any users that can't participate in the rust code repositories?"

I think the answer is yes to this question:

  • Any person who uses rust commercially, like someone who would have set up a rust company and who interacts with rust repositories "not strictly for personal communications" might see themselves excluded as far as I understand the github policy statements.

  • Anybody who decides to protect their privacy and not disclose their location to GitHub by using VPNs, proxies, Tor or other means is potentially at risk of getting their account suspended without prior notice. The GitHub policy states that people in affected countries are not allowed to do this, but since people who do this don't disclose their location, I suppose all of those are at risk.

  • The Github policy also has:

    Specially Designated Nationals (SDNs) and other denied or blocked parties under U.S. and other applicable law are prohibited from accessing or using GitHub.com.

    That means that anyone can potentially face being totally excluded based on government decision without prior notice. Many western governments like to classify all radical political opposition as "terrorism", so this can affect more people than you might think.

But even if the answer to that question was "no", there is also the political question. Rust is a community. A subset of the open source community. GitHub claims to be an open source community.

In my opinion a community has to uphold values, and protect them from individuals, but more so from companies and governments that want to infringe those values. My values clearly include solidarity with people in the above mentioned categories, as well as solidarity beyond the "practical" issues. I will go into a bit more detail about what that means below.

In this light, given recent events, I find GitHub proven not to be apt to host communities in which I take part. I find a US based company who will have to abide by disgraceful US foreign laws not to be a safe place for communities to depend on.

Not only is doing business in the US a liability as far as political values go; furthermore, GitHub has shown a completely spineless compliance with the US government and hasn't even tried in the least to resist or protect their users, whether through public or legal action. It has shown its political values have nothing in common with other groups that, even while in the US, fight back on this kind of politics (I'm thinking of the Electronic Frontier Foundation, riseup.net, and all others that fight alongside them).

It can be noted that we all, the Rust community and many other open source projects/developers, have become way too dependent on a company like GitHub which in my opinion does not share and will not fight for our values.

I would like to propose that:

  • We work out a roadmap for reducing dependence on GitHub and US companies (yes, Mozilla is one of those). I can immediately think of some practical goals that are within reach:
    • making sure that data we host is outside of the US, on servers from a company that does not have to abide by US law (crates.io)
    • services provided by the Rust community should not require a GitHub account (crates.io)
  • Move Rust repositories into a safer place. The whole point of open source development is that it is a community. This community is made possible by technical means. If Rust developers of affected countries and those showing active solidarity with them have to move to self hosted solutions, they will be marginalized unless the Rust community as a whole joins in this solidarity. I will personally move my projects away from GitHub, but if I set up a self hosted solution which would require people to make an account on my server in order to file issues, PRs, ... I will be marginalized and see fewer contributions. If we want to be a community that carries values of solidarity, we will need a platform where we can all host our repositories safe from US foreign policies, which for me implies a move of the Rust core repositories to a self hosted solution.

So for me active solidarity is putting the values of inclusion above the material cost of achieving them. It will be a lot of work to move everything away from GitHub, and the argument against it will be a practical one. We are at risk of saying "the practical consequences of the current situation are limited, but it will be expensive to mitigate them". I think it's a slippery slope. What if other countries (like Russia and China) become included in the ban? How many people will that affect? Are we going to accept them being gradually sliced off our community as long as they are a small minority?

For me active solidarity is also being pro-active and making decisions with the future in mind. Creating a community that is welcoming is also creating a community that is resistant against such government interference, otherwise we create a safe haven only for a comfortable majority of people that live in western countries, benefit from financial and material privilege already and "have nothing to hide".

Another aspect of active solidarity is the public statement. By staying with GitHub, we continue to affirm that GitHub is "the place to be", that if you want to participate you will need an account there and that you will have to be accepted by the US Government. Creating alternatives is a statement that values of inclusion are important enough to us that we are willing to pay the material cost, and it is reducing dependence on GitHub and the US in general, opening a brighter future.

I'm sorry if this post isn't very well written. I'm a bit too emotional about what I just learned. I hope it's clear enough to get the key points across.

13 Likes

If any of this information changes, we will re-evaluate the situation.

If the situation changes, isn't it possible that it will be illegal for US citizens to participate in any way in such a re-evaluation of the situation? If so, can the situation be completely re-evaluated by non-US citizens, and potentially necessary measures performed exclusively by them?

EDIT: For example, if the US were to introduce sanctions that would make it illegal for, say, Iranian nationals to access GitHub, then a US citizen that would participate or help in any way (e.g. via mentoring) in, e.g., the creation of a mirror of the crates.io index in some European country with the intent of working around the sanctions would be committing a pretty serious crime.

7 Likes

This question bothers me. I think what we should ask ourselves is: Do we need to change jurisdiction in order for crates.io to continue to represent/correspond to our values?

It kind of shows where priorities lie.

6 Likes

The physical location of crates.io's hardware does not impact the legal requirements with regards to this issue.

1 Like

Are you saying that I can legally run a data center in the US, and not abide by the economic ban legislation?

I am saying that if crates.io were hosted outside of the US that would not meaningfully change our legal requirements with regards to the situation being discussed. I cannot offer legal advice on actions you might take.

1 Like

As far as I can tell, if crates.io were hosted outside of the US, by a company or non-profit that does not do business in the US, there would be no legal way for the US government to interfere with the policies that crates.io chooses to apply, and it would not be subject to US (trade) legislation.

1 Like

With all due respect, our legal requirements are determined by consulting with legal counsel, not internals threads.

26 Likes

I perceive this as unfair. We conducted a legal and practical assessment of the situation, which @sgrif has summed up: currently, it has no legal and practical impact over what was before.

Questions of values are never out of scope as a project, but for the purpose of this post, they weren't relevant. I would like to kindly ask you to not push the discussion in this direction.

Yes, we do monitor such situations and their practical impact, as you may see from the number of discussions around the US travel restrictions, which have led to the Rust project not having project meetings in the US. We also assess the travel restrictions of other countries before every event and ask people where they don't want to travel to. People like to hate on the US nowadays (not without reason), but tend to ignore that similarly impacting policies are in place all around the world.

Given the current state that we are in, our priorities were always on practical impacts and we have been quite effective using that. Given tons of problems and limited work, we have to make decisions on where to invest our time. Moving off GitHub is currently a very low yielding project, involving tons of previous research.

Discussion tactics like the above will lead to a more cautious and less open information culture about the legal aspects of running our project. I appreciate the emotional stress that you expressed above and don't want to in any way take it from you, but I don't think the current path leads to a solution.

32 Likes

...there was an impression that understanding legal stuff a bit was part of the OSS ethos. People want to know how software works and how, for example, licenses work. Curiosity is natural. Seeing a discussion shut off like that is surprising.

1 Like

I'm not trying to shut down discussions or prevent people from being curious. This is a report on discussions with legal professionals. And I'm happy to answer any questions to the extent that I'm able. But arguing with those conclusions is not productive.

4 Likes

I guess it wouldn't be totally void of interest to conduct a mental experiment:

  • supposing all hardware used was located outside of the US
  • and was not run by a company doing any kind of business in the US

how would that impact legal requirements? I appreciate there may be nobody on this thread with sufficient knowledge to answer, but I still find it a rather intriguing line of enquiry.

I've also seen IPFS being brought up on a different thread. Without any regard to it being viable, the further hypothetical question would be how that would impact legal matters.

P.S. I actually hadn't noticed the 'announcements' tag on this thread. Apologies if the discussion should have been done elsewhere.

@atagunov These are worthwhile discussions to be had, but probably explicit and aimed and not reactive to this summary.

They are kind of aimless without talking about a specific target though. The only knowledge we can get out of these two questions is "US law would not apply, but the target's laws will" (plus any laws that have international scope).

IPFS will impact legal matters in the sense that it hasn't been tried. That means you can hope that a court doesn't make any decisions that you cannot fulfill. IMHO, that's one of the main problems with many distributed technologies here.

To be clear, the pushback is not on having these discussions, the pushback is on using a conclusion of work with a very specific question to push in other questions. We can't be the research project for that.

2 Likes

Doesn't stop them being enjoyable, for me at least 🙂

But as @skade points out, they deserve their own thread in a correctly-selected category, rather than hijacking an announcement thread that is reporting on status.

6 Likes

Just to make sure there's no confusion: No part of Rust, including crates.io, is run by any company.

8 Likes

I think it would be helpful if you could share, to the extent you are able, more details of the content of those discussions. The legal conclusions you reported were very terse: as a result of the imposition of a new batch of international sanctions by the USA, the legal requirements on "the Rust organization" regarding citizens of the sanctioned countries have not changed, "we" do not need to take any action, citizens of the sanctioned countries may continue to participate as before. The big questions I have about this are:

  • Who is "we"? As far as I know "the Rust organization" is not a legal entity, so ... the sysadmins of crates.io as individuals? All crate maintainers subject to US law? Everyone who's ever contributed intellectual property to Rust core and/or crates? The Mozilla corporation or foundation? Some other legal entity I don't know about?
  • Whose lawyers were consulted? More precisely, what entity received legal advice on this subject, in the precise lawyery sense of "legal advice", and if that differs from the "we" above, why was that?
  • What are the legal requirements on "we", regarding citizens of countries subject to (past, present, or future) US sanctions? You said the requirements haven't changed, but that doesn't mean there aren't any.
  • What laws and what facts did the lawyers consider to be relevant to their opinion that the legal requirements have not changed?

... The above is not meant to be hostile questioning on my part; not being a lawyer myself, I don't know how else to put it without losing precision. Just, these are the things I'm worried about, ways in which advice-for-"we" might turn out to be advice that gets some member of the community in trouble.

15 Likes