Do US Cryptographic Laws Affect GitHub?

I started writing this blog post as a rant against the Python Pyramid framework, which requires all contributors to get agreement from Agendaless.com before submitting cryptographic software to the repository, but then I had another thought.

Since GitHub is an American company, they are legally required not to export certain cryptographic software. Thus any open source project that makes use of GitHub (or indeed any source code repository based in the US) is going to fall under US export law. I know for a fact that certain projects (OpenBSD and OpenSSH spring immediately to mind) take great pains to ensure that none of their cryptographic software is developed in places where it is export restricted, so that they can produce the best software possible. So from their point of view I can easily see why they would wish to avoid sites such as GitHub.

It is hard to see, though, whether the US government could in fact force GitHub to limit the type of software that they export without irreparably damaging their business. The fact that GitHub has become so popular in the open source world is testament to the great service that they provide, but I doubt many open source projects would sacrifice security just to use said service.

So is this really an issue? I have yet to hear of GitHub or any other company offering the same kind of service removing or limiting the export of cryptographic software, yet the sword of Damocles will forever be hanging over your head should you choose to use it.

Perhaps more open source software will make use of something like Gitorious, which allows you to host your own repositories in a fairly pleasant manner.
