[amsat-bb] AMSAT Open Source Policy

Bruce Perens bruce at perens.com
Wed Jul 15 02:19:48 UTC 2020


Michelle, working for ORI, hired a lawyer to take up the ITAR matter with
the Federal Government, so she probably has some interesting information.

I have left your questions in, so that this will make sense to readers.

On Tue, Jul 14, 2020 at 6:08 PM Joseph Armbruster <
josepharmbruster at gmail.com> wrote:

> 1) How does AMSAT benefit by pursuing an open source policy?
>

Both ITAR and EAR have a carve-out regarding published research. EAR says
that things you publish on the Internet are not subject to the EAR. ITAR is
a bit more difficult, they want you to publish it in a journal or put it in
a library. There are lots of friendly college libraries who will put a
blu-ray disk on a shelf for you. And then, you don't have to deal with ITAR
regarding any digital data. You still have ITAR problems if you wish to
ship a satellite across a national border, so it is best to fabricate it in
the nation where it will be launched. And you must never provide defense
services, not even to the USA. That means if someone you know is clearly
working on a defense project asks a question on your mailing list, you need
to explain nicely that they should get that information elsewhere because
it would get you in trouble. And then tell the government. I think
the last one I dealt with was from a defense company in Pakistan asking
about Codec2. The government says thank you for reporting this, it's
important, but doesn't tell us any more.

The whole Open Source community operates this way, and has no problem with
ITAR. They are much bigger than AMSAT. And they make AI, cryptography, and
many other things that are listed on the United States Munitions List.

> 2) What are the disadvantages of AMSAT pursuing an open source policy?
>

It's really difficult to see any at this late date. Michelle and I have
been to NASA meetings where it is really clear that they embrace Open
Source internally. So does SpaceX, ULA less but Tory (CEO) is very easy to
talk with. ESA is all over Open Source and there is a Librespace guy in
European Central Bank who can make introductions for us. Legally, we could
even cooperate with nations on the embargoed list, but at that point I
would want explicit permission, no need to antagonize the government just
because the law allows you to do something.

> 3) Say a new project was about to start, where should all the design
> files, source code files, presentations, virtual machines, etc...
> live?
>

It's really easy to put everything on Github or Gitlab, in public mode. I
wrote a script that mirrors ORI's github repositories to its own server,
and we can just burn a disc from that and put it in a library.

> 4) What license would the items be released under (this one will be
> interesting to me)?
>

The important thing is that everyone have the right to read. Then, you
satisfy the requirements in the ITAR and EAR carve-outs, *if* you also
publish it on the internet and make it available in a library. Libraries
often have web terminals, so I think that Internet is enough, but getting a
library to host a disc is easy. So even a Creative Commons license would be
adequate, but I suggest BSD if you want it to be available for commercial
use without getting modifications returned to the community, or GPL if you
would rather have modifications returned to the community. This is a short
explanation of Open Source licensing, and I could go into subtleties at
length.

I generally prefer that hardware designs be placed in the public domain.
Currently hardware is dubiously copyrightable due to 17 USC 102(b) and
court cases I could discuss at length too. It is not to our advantage for
courts to take our own example of attempting to copyright hardware designs
and decide that hardware designs are actually copyrightable.

> 4.a) Will the license be Free in a FreeRTOS or CGAL sort of way, where
> it's free for non-commercial use?
>

You can do that, since it is only necessary that it not be trade secret.
But everyone else doing this goes 100% Open Source, and we want to be able
to share their work and have them share ours. The fact that AMSAT-EA works
with Librespace and AMSAT-NA does not is suboptimal.

> 5) How can satellite security be mitigated if the source is in the
> public domain?
>

You mean command and control? The simplest answer is that you use
encryption to command the satellite, and you don't have to publish your
cryptographic key. It's data, not the software. However, I have a design
for terrestrial cryptographic signature that fits the FCC rules that
prohibit cryptography that *obscures the message.* Digital signature does
not obscure the message, it just authenticates it.

AMSAT used to use a secret data word and exclusive-OR to encrypt
communications. Very primitive and implemented in discrete logic chips. This
is explicitly permitted by FCC for satellites rather than terrestrial ham
radio. I would hope that we could do digital signature today.

> 6) Are you satisfied with the way AMSAT development currently takes place
> or do you feel there is a need to change development practices?

My personal opinion is that a lot of the ITAR mess we are currently in
would go away if AMSAT went to a 100% Open Source policy like most of the
newer Amateur Space organizations. Unfortunately, we have engaged ITAR
attorneys who have only worked with proprietary companies, where trade
secret is necessary, and thus ITAR must apply. Open Source is new to them.

One of the most difficult jobs of a manager is managing legal counsel. Most
managers don't understand what counsel is saying OR what questions to ask.
And I have seen few managers that are equipped to push back or who even
understand that pushing back is possible. Sometimes you have to bring your
lawyer into new areas they have never explored - although that is less so
than 20 years ago when Open Source was new, and they are very likely to
give you the determinations that they made for some proprietary corporation
which are entirely wrong for your public benefit non-profit.

In my consulting business, which mainly services law firms and their
customers, I have met many attorneys who are up to speed on Open Source and
intellectual property. There are fewer attorneys who are up to speed on
Open Source and ITAR, and I would spend some time with them to discuss the
issues.


> 7) Do you think AMSAT would benefit by adopting an open source policy
> where all materials are placed in the public domain?
>

There are two "public domains". There is public domain in the sense of
copyright abandonment and patent and copyright expiration, and then ITAR
121 uses the words "public domain" to mean "public knowledge". In general
most Open Source communities do not use public domain, because the laws of
many nations, including the United States, do not actually define that an
affirmative dedication of a work to the public domain has legal meaning.
They define public domain only in the sense of copyright and patent
expiration. So, we have contrivances like the CC0 license to work around
that, which is a public domain declaration if the national law and court
likes that, but a liberal license otherwise. But most Open Source teams
would choose a very liberal license like the BSD, where the only real
requirements are that you preserve attribution (and everyone likes
attribution) and the license text. Or, you use the GPL where you want
companies to participate more, rather than just take your stuff and modify
it in private, never returning anything.

> 8) Can you see any landmines or pitfalls from doing so (technical,
> legal, etc...)?
>

I really put myself out there trying to attract the attention of the
Federal Government in protesting ORI's ITAR/EAR policy, and got no
interest. This may have been because of the Defense Distributed case, which
was about gun plans online, and I don't want to get into a 2nd
amendment discussion, but once the Federal Government lost that they didn't
have much to go after _us_ about.

The landmine is that you need lawyers. If you don't do this, you also
need lawyers :-)

> I wanted to ask about this, since it's mentioned constantly, but
> OpenSource is a reasonably loose term that means different strokes to
> different folks.


The Open Source Definition at Opensource.org is the one I wrote.

    Thanks

    Bruce
-- 
Bruce Perens - CEO at stealth startup. I'll tell you what it is eventually
:-)
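
The idea in the reply to question 5 (authenticate the command, leave it readable, keep the key out of the published source), as an added example that is not part of the original message and not the design mentioned there. It uses HMAC-SHA256 from the Python standard library as a stand-in for a public-key digital signature; the frame layout, the replay counter and all names are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def sign_command(key: bytes, counter: int, command: bytes) -> bytes:
    """Ground side: frame = 8-byte counter || cleartext command || 32-byte tag."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class CommandReceiver:
    """Satellite side (hypothetical name): verifies the tag and rejects replays."""

    def __init__(self, key: bytes):
        self._key = key          # loaded as data, never committed with the source
        self.last_counter = 0    # highest counter accepted so far

    def accept(self, frame: bytes):
        """Return the command bytes if authentic and fresh, otherwise None."""
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return None  # a recorded frame sent again
        self.last_counter = counter
        return body[8:]


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key, for the demo only
    rx = CommandReceiver(key)
    frame = sign_command(key, 1, b"BEACON ON")
    print(frame[8:-TAG_LEN])                            # command is readable on the air
    print(rx.accept(frame))                             # accepted once
    print(rx.accept(frame))                             # replay rejected
    print(rx.accept(sign_command(b"guess" * 8, 2, b"BEACON OFF")))  # wrong key rejected
```

The code can be published in full; only the key file has to stay private.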

