For context on why any account flagging is ever necessary, unfortunately, every company in the world is required to comply with US sanctions if they do any business at all in the United States, e.g. serving US-based customers. This includes even interacting with US banking infrastructure. So being headquartered somewhere else doesn't help; you have to comply. And US sanctions as written do not allow us to provide commercial services or services which could be used commercially to sanctioned countries.
We are taking the broadest possible interpretation of US sanctions law to allow as much access to GitHub as possible and we are, as far as I know, the only major vendor to offer public repo access in US-sanctioned countries like Iran, Syria, and Cuba. I'm proud that we are taking this strong position to ensure developers everywhere can participate in open source.
I wish we could also offer access to private repos and still comply with government requirements. We have been advocating and will continue to advocate for broader developer access with the various government agencies involved.
The only thing was that PayPal wouldn’t actually confirm exactly what was triggering their automated system; we had to infer that ourselves by looking for commonalities between the flagged payments. Even when we identified the problem they refused to give any confirmation at all other than to re-enable our account.
But really, if your project is mature enough and you have the bandwidth, just host it yourself. Gogs, Gitlab, cgit... lots of FOSS implementations to choose from.
We saw another story like this come across the front page this week. The author is less well known (also happens to reside in Russia), and claimed that he had trouble even getting an e-mail response from the given support pathways for appeal. Sounds like it eventually got sorted out, but not without much waiting and effort from the maintainer.
So when GitHub CEO Mr. Friedman jumps in and pats himself on the back for getting this account restored in less than an hour, I can only roll my eyes. To try to sell it like this is an 'average' response to these type of appeals is a little disingenuous.
If I were starting a company today, I would absolutely self-host my repository to guarantee my business is never harmed by some automated flag that could totally lock me out of my own work. We use GitLab Community Edition at my company. It is fantastic, and we are in full control.
You should check out RhodeCode too for self-hosting your own code, with extra security features to make sure it's well protected.
"GitHub may not be used for purposes prohibited under applicable export control laws, including purposes related to the development, production, or use of […] long range missiles or unmanned aerial vehicles."
I think you should probably make a blog post explaining GitHub's stance on this issue.
One of which is https://github.com/gnss-sdr/gnss-sdr. This repository does not implement ITAR-required GPS speed limits. Even if it was ITAR-compliant, the limits could easily be removed as it is open source software.
Update: GitHub has updated their ToS to remove this line. It was present on July 27, 2019. The issue still stands with this current statement from their ToS ( https://help.github.com/en/github/site-policy/github-and-tra...), which forbids ITAR-regulated software:
"Users are responsible for ensuring that the content they develop and share on GitHub.com complies with the U.S. export control laws, including the EAR and the U.S. International Traffic in Arms Regulations (ITAR). The cloud-hosted service offering available at GitHub.com has not been designed to host data subject to the ITAR and does not currently offer the ability to restrict repository access by country."
Whether it's open source or not is irrelevant. ITAR software cannot legally live on GitHub.com in any case -- it doesn't matter if the repos are public or private. [But a GitHub Enterprise install (self-hosted version only) can be compliant.]
I'm confused by your request for the company's stance, since it's not something up for debate... there is no room for them to take a stance on complying with the law. It's not up to GitHub at all.
If there is existing open source that doesn't contain ITAR, then that's fine because it's beyond the scope of ITAR, so ITAR doesn't apply to that scenario. [Maybe this is the case you're mentioning?]
If it is ITAR, it can't possibly be publicly available open source. [How could it be possible to have publicly-available open source software that is also restricted to being only shared with U.S. citizens?]
Of course an ITAR project could pull in publicly available open source (e.g., dependencies), but that doesn't sound like what's being discussed here.
We can sensibly speak of tech that "would be" an ITAR violation to deliver "if it were not" open source. This is exactly the scenario under discussion. It seems very clear from the linked page that, e.g., GPS code that is released as free/open is, in fact, not restricted by ITAR.
GPS receiver systems are the classic there: Russia, China and Europe all have their own GNSS. China runs the semiconductor industry and is quite capable of producing whatever unrestricted GNSS devices they choose. Therefore why restrict US companies?
Same with satellite tech, there may be some US specific tricks but there is a reason ITAR free satellite designs already exist and are multiplying. ITAR tries to protect too much and is killing US market share by being stupidly annoying.
Given the current tech level available to hobbyists, this isn't that far fetched.
To someone willing to spend more than a couple minutes, the fact that it's open source is quite meaningless.
Changing a couple lines of well-documented source code in an open source project before compiling is arguably a much lower bar to pass.
You should also add North Korea to that list. Three years ago I spent a semester in Pyongyang teaching a course on open source software development, and as part of the course students created git repos and contributed to other repos that are hosted on github.
So that you're not put in an awkward position, though, I won't tell you which repos these are :)
And, well, trade sanctions, which is why the parent comment wondered if they used VPNs.
> I woke up this morning and you shut off the Aurelia site, archived tons of our repos, and I can no longer access admin settings. You cited US trade sanctions and sent me a non-descriptive email with no remediation information. What is going on? This is devastating for us!
"No remediation information," to me sounds like Twitter outrage was the remedy.
A follow up reply is this:
> The project has been public for 5yrs+, managed by a US company, whose owner is even a GitHub Insider and long time open source leader (15+ yrs).
Okay, there's the terrible mistake. It targeted someone with credentials, not a nobody.
> If an individual user or organization administrator believes that they have been flagged in error, then that user has the opportunity to appeal the flag by providing verification information to GitHub. If GitHub receives sufficient information to verify that the user or organization is not affiliated with a U.S.-sanctioned jurisdiction or otherwise restricted by U.S. economic sanctions, then the flag will be removed. Please see individual account appeals request form and organizational account appeals request form.
Your post upthread was inferring the existence of multiple similar mistakes and demanding that GitHub prove they are impossible. They can't. It wasn't supposed to happen in the first place. It was a mistake.
This statement is so wide-sweeping as to be patently false. Some sanctions target specific activities. Others target specific entities that may or may not be entire countries. Many sanctions do not apply to information and communication services. To make such a wide statement as you did suggests you're oversimplifying to placate the masses. Either way, not a good look.
I wonder though, as cool as it is that the CEO of Github posts here, maybe you shouldn't be making this comment. Now a bunch of commentators have raised similar issues and you are now obligated to some degree to contact your legal and engineering teams to look into it - this may result in you having to take down MORE content which was clearly nobody's intention. Rock meet hard place.
You mean after they went semi-viral on Twitter and landed on the HN front page. But I'm sure it doesn't happen again (to this repository, for this reason, in this year; everything else is on the table).
Using Twitter, FB, HN etc as your support-priority-queue system is a terrible idea.
Your comment is only relevant to those posts that are used as a last resort, usually after waiting days or weeks without any human response. AFAICT the tweet was done pretty much simultaneously, perhaps in an attempt to hasten response time.
Yeah, because it got traction on HN and Twitter. Pretty much the same happened to somebody else just three days ago, and, wouldn't you know it, after their rant made it to the HN front page, Github finally reacted to the appeal after having spent a week ignoring it.
If you expect to ever have troubles with GitHub, you better have a following or some luck to be posting at the right time.
How come DHL is able to ship packages to sanctioned countries? I understand there are some limitations to what can be sent there from the US, but it seems like they are able to do so from other countries. Is the DHL US a separate entity or is there something else I'm missing?
> DHL offers worldwide services, including deliveries to countries such as Iraq, Afghanistan and Myanmar (formerly Burma). As it is German-owned, DHL is not affected by U.S. embargoes or sanctions and will ship to Cuba and North Korea. However, there are strict codes for delivering to North Korea, as the country has shaky relations with the West. As DHL is no longer a United States company, it is not allowed to make domestic flights between U.S. airports. DHL contracts these services to other providers.
> DHL ended domestic pickup and delivery service in the United States in 2009
Thanks, and I'm sure this will be cleared up, but it is really strange how this flagging is taking place.
They have unlimited resources more or less to review sanctions cases, they choose to spend them on buybacks, and executive bonuses, and private jets. They are not ever going to take the time to do this properly because the interests of their users are their last priority.
Sounds like a great time to get off the github platform as soon as possible before your repos disappear because some Iranian guy posted an issue.
Note they didn't mention why they incorrectly flagged the repo or take any responsibility for doing so, or make any claim that it's not going to happen in the future. They just claim it's the government's fault. Bullshit.
Does this mean that users in sanctioned countries can create accounts and use the site noncommercially as normal, just as long as they don’t have private repos? It was my understanding that you will nuke ANY account possessed by someone from a sanctioned country.
PS: Please stop doing business with ICE.