[PHP-DEV] [Discuss] Impact of E.O 14071 on PHP

Mailing Lists php.internals
1

It was recently brought to my attention that the USA has passed an Executive Order which prohibits Russian citizens from contributing to software used in the USA.

Reference material;
https://ofac.treasury.gov/media/932951/download?inline
https://ofac.treasury.gov/faqs/1187

The Linux Kernel has recently had to act on this #6e90b675cf94 github mirror
Mailing list https://lwn.net/Articles/995186/

Has PHP internals reviewed this, do we need to review this, are there any if any steps we must take?

From what I have been reading + excerpts from linux group, PHP has to take action to comply with this order.

2

The notion that just because Putin engages in war, his countrymen cannot contribute to FOSS is totally absurd. Linus and the US can sanction whomsoever they wish but that has no bearing on what PHP does or must do.

Cheers,
Bilge

On Thu, 24 Oct 2024, 01:28 fennic log, <fenniclog@gmail.com> wrote:

It was recently brought to my attention that the USA has passed an Executive Order which prohibits Russian citizens from contributing to software used in the USA.

Reference material;
https://ofac.treasury.gov/media/932951/download?inline
https://ofac.treasury.gov/faqs/1187

The Linux Kernel has recently had to act on this #6e90b675cf94 github mirror
Mailing list https://lwn.net/Articles/995186/

Has PHP internals reviewed this, do we need to review this, are there any if any steps we must take?

From what I have been reading + excerpts from linux group, PHP has to take action to comply with this order.

3

On Thu, 24 Oct 2024, at 01:25, fennic log wrote:

It was recently brought to my attention that the USA has passed an Executive Order which prohibits Russian citizens from contributing to software used in the USA. […]

From what I have been reading + excerpts from linux group, PHP has to take action to comply with this order.

The order prohibits “United States persons” from investing in or selling services to any person located in or business owned within Russia.

It makes no mention of what Russian citizens may do with their time, what (unpaid) contributions United States people can accept, or anything about what software/services are used inside the USA. Even if it did, there would still be a question of juristiction.

The Linux Foundation is incorporated in Oregon, USA. If they perceive themselves as owning the Linux project, or as providing it to businesses, or as paying for engineers working on Linux, then I can see why they might need to act on this order. It seems like they would need to close ties with (paid) contributors and vendors from Russia, as they would otherwise be paying (investing in) people or businesses in Russia for IT services, which the order prohibits.

Which of these aspects apply to PHP?

– Timo

[0] https://en.wikipedia.org/wiki/Executive_Order_14071

4

On Thu, Oct 24, 2024, at 02:25, fennic log wrote:

It was recently brought to my attention that the USA has passed an Executive Order which prohibits Russian citizens from contributing to software used in the USA.

Reference material;

https://ofac.treasury.gov/media/932951/download?inline

https://ofac.treasury.gov/faqs/1187

The Linux Kernel has recently had to act on this #6e90b675cf94 github mirror

Mailing list https://lwn.net/Articles/995186/

Has PHP internals reviewed this, do we need to review this, are there any if any steps we must take?

From what I have been reading + excerpts from linux group, PHP has to take action to comply with this order.

I am not a lawyer, but it’s my understanding that from growing up in the US that the President’s orders only apply to the executive branch. (And ChatGPT seems to agree with me, for whatever that is worth).

The President does not and cannot create laws that everyone must follow. However, if the PHP Foundation accepts and performs US Government contracts, this might possibly affect them.

— Rob

5

From: Krinkle <krinkle@fastmail.com>
Sent: Thursday, October 24, 2024 3:44 AM

On Thu, 24 Oct 2024, at 01:25, fennic log wrote:
> It was recently brought to my attention that the USA has passed an Executive Order which prohibits Russian citizens from contributing to software used in the USA. […]
>
> From what I have been reading + excerpts from linux group, PHP has to take action to comply with this order.

The order prohibits "United States persons" from investing in or selling services to any person located in or business owned within Russia.

It makes no mention of what Russian citizens may do with their time, what (unpaid) contributions United States people can accept, or anything about what software/services are used inside the USA. Even if it did, there would still be a question of juristiction.

The Linux Foundation is incorporated in Oregon, USA. If they perceive themselves as owning the Linux project, or as providing it to businesses, or as paying for engineers working on Linux, then I can see why they might need to act on this order. It seems like they would need to close ties with (paid) contributors and vendors from Russia, as they would otherwise be paying (investing in) people or businesses in Russia for IT services, which the order prohibits.

Which of these aspects apply to PHP?

Yesterday I came across this video from Brian Lunduke [1][2] that suggests it may have to do with legal precedent around GPL licensed software. It sounds like a complex legal matter that would probably best be assessed by a lawyer familiar with US trade laws. Linus apparently was also advised by legal people to take this step. [3] This might also be relevant for the PHP Foundation and Perforce. Maybe they can help assess the situation.

--
Kind regards,
Vincent de Lau

[1]: Shared post - Sanctions Hit Linux Kernel, Russian Programmers Banned
[2]: https://www.youtube.com/watch?v=L5Ec5jrpLVk
[3]: https://www.phoronix.com/news/Linus-Torvalds-Russian-Devs

6

On Thu, 24 Oct 2024 at 13:20, Vincent de Lau <vincent@delau.nl> wrote:

From: Krinkle <krinkle@fastmail.com>
Sent: Thursday, October 24, 2024 3:44 AM

On Thu, 24 Oct 2024, at 01:25, fennic log wrote:

It was recently brought to my attention that the USA has passed an Executive Order which prohibits Russian citizens from contributing to software used in the USA. […]

From what I have been reading + excerpts from linux group, PHP has to take action to comply with this order.

The order prohibits “United States persons” from investing in or selling services to any person located in or business owned within Russia.

It makes no mention of what Russian citizens may do with their time, what (unpaid) contributions United States people can accept, or anything about what software/services are used inside the USA. Even if it did, there would still be a question of juristiction.

The Linux Foundation is incorporated in Oregon, USA. If they perceive themselves as owning the Linux project, or as providing it to businesses, or as paying for engineers working on Linux, then I can see why they might need to act on this order. It seems like they would need to close ties with (paid) contributors and vendors from Russia, as they would otherwise be paying (investing in) people or businesses in Russia for IT services, which the order prohibits.

Which of these aspects apply to PHP?

Yesterday I came across this video from Brian Lunduke 1 that suggests it may have to do with legal precedent around GPL licensed software. It sounds like a complex legal matter that would probably best be assessed by a lawyer familiar with US trade laws. Linus apparently was also advised by legal people to take this step. 3 This might also be relevant for the PHP Foundation and Perforce. Maybe they can help assess the situation.


Kind regards,
Vincent de Lau

It’s also worth adding, US government uses PHP on various government and agency websites.

Such examples include;
https://www.dni.gov/index.php
https://www.usa.gov/index.php
https://www.eia.gov/index.php

etc etc.
Which means they could have a very deep interest in PHP complying with those orders. Which is what might have happened with linux, safe to assume the US government uses linux in various systems and really pushed linux to comply with the order.

7

Does the US government also fund the PHP Project or just use it? To what extent does their funding go? What is their contribution that makes it worth excluding an entire nation worth of volunteers?

AFAIK, the PHP project is not an american corporation and as such is not subject to USA executive orders?

···

Marco Deleu

8

On 24 October 2024 13:20:17 BST, Vincent de Lau <vincent@delau.nl> wrote:

Linus apparently was also advised by legal people to take this step. [Linux Hardware Reviews & Performance Benchmarks, Open-Source News - Phoronix] This might also be relevant for the PHP Foundation and Perforce. Maybe they can help assess the situation.

A further update has now been posted on that site: https://www.phoronix.com/news/Linux-Compliance-Requirements

A few key points:

- The sanctions under consideration are those against companies and individuals on the Specially Designated Nationals list, and not any blanket ban on Russian contributors, as speculated on this thread and elsewhere. A searchable database of those affected is here: https://sanctionssearch.ofac.treas.gov/

- The action was taken under specific legal advice, but the full policy is still being finalised. It's not clear if the lack of pre-warning was also legal advice, or just poor communication skills.

- Exactly who received this advice, and who would be in breach of US law if no action was taken, is still unclear to me. The quoted email just says that "all of the Linux infrastructure and a lot of its maintainers are in the US". The Linux Foundation is apparently incorporated as a non-profit in California, but it's not clear if that's actually the issue here.

Anyone employed *full time* by the PHP Foundation or Zend by Perforce is by definition not going to be an employee of a sanctioned Russian (or other) company.

I'm not clear whether it's relevant to *other* contributions that the PHP Foundation, via the Open Source Collective, has financial / legal existence in California.

All of this is absolutely something that should be examined by a practising lawyer, and we should not take any action based on speculation.

Regards,
Rowan Tommins
[IMSoP]

9

Here’s an article from a trusted source about it in a little more detail as well.

https://www.zdnet.com/article/why-remove-russian-maintainers-of-linux-kernel-heres-what-torvalds-says/

“While this action has removed these maintainers from their official roles, it does not bar them entirely from contributing to the Linux kernel. They can still propose changes and be reinstated – if they meet yet-to-be-specified documentation requirements in the future.”

On Oct 23 2024, at 7:25 pm, fennic log fenniclog@gmail.com wrote:

It was recently brought to my attention that the USA has passed an Executive Order which prohibits Russian citizens from contributing to software used in the USA.

Reference material;
https://ofac.treasury.gov/media/932951/download?inline
https://ofac.treasury.gov/faqs/1187

The Linux Kernel has recently had to act on this #6e90b675cf94 github mirror
Mailing list https://lwn.net/Articles/995186/

Has PHP internals reviewed this, do we need to review this, are there any if any steps we must take?

From what I have been reading + excerpts from linux group, PHP has to take action to comply with this order.