Restrictions on exports and reexports to parties named on Entity List specifically apply to activities and transactions subject to the Export Administration Regulation (EAR). [1] Open Source publicly available encryption software source code, as reclassified by the US Department of Commerce, Bureau of Industry and Security (BIS) effective September 20, 2016, is "publicly available" and "published" and is not "subject to the EAR." [2]

Open Source projects involving encryption software source code are still required to send a notice of the URL to BIS and NSA to satisfy the "publicly available" notice requirement in EAR § 742.15(b).

The ASF continues to work with Apache projects and their communities to ensure their notices are up to date and are maintained in the future.[3]

Open Source software, collaboration on Open Source code, attending open telephonic or in person meetings, and providing sponsorship funds are all activities that are not subject to the EAR and therefore should have no impact on our communities.

For more information, visit http://apache.org/foundation/license-faq.html

Roman Shaposhnik
ASF Vice President Legal Affairs

We thank DLA Piper and The Linux Foundation for their legal counsel and collaboration regarding this subject. 

[1] https://www.bis.doc.gov/index.php/documents/regulations-docs/2395-effective-date-of-huawei-and-affiliates-entity-list-rule

[2] 81 Fed. Reg. 64656, 64668 (September 20, 2016). See also, https://www.bis.doc.gov/index.php/policy-guidance/encryption/223-new-encryption

[3] https://www.apache.org/licenses/exports/