![[RSS]](/static/img/feed-icon-14x14.2168a573d0d4.png){kind=icon}
Conservancy Blogby on May 17, 2026
Years ago, copyleft violations were often a mere misunderstanding; vendors intended to comply but made mistakes. In those “before times”, a simple request and short discussion often led to the complete, Corresponding Source (“CCS”) for the the distributed binary works (or, in the case of network-service copyleft, the deployed systems).
Today, nearly all copyleft violations are done with forethought (and frequently nefarious) intent. As such, the most common form of violation is not what we call “no-source-or-offer” or even “offer-fail”, but rather “incomplete-ccs”. That last form of violation is unforunately most complicated to resolve.
An “incomplete-ccs” violation means that the vendor has released some subset of required copylefted materials, but has purposely held back some necessary parts. For example, vendors sometimes provide byte-for-byte upstream source versions (absent their own changes entirely). Upstream sources obviously lack the vendors' “scripts used to control compilation and installation of the executable”. Even when some scripts are included, they are often not the actual scripts used to compile and install, but instead they're an alternative, incomplete version — often created specifically to thrwart efforts to recompile and install. Occasionally, vendors also withhold source code for some key modules, libraries, or other components governed by the copyleft license. Unsurprisingly — in general — vendors withhold the most interesting and most difficult to reimplement parts of the complete, Corresponding Source. Users are left with mere pieces of what the license agreement promises; users have immense difficulty reproducing the build and installing it. In network-service copyleft licenses (like the AGPLv3), users further struggle to properly deploy the service for self-hosting — a right that AGPLv3 guarantees.
These incomplete CCS “candidates” often exhibit “truthiness”. (Stephen Colbert wittily dubbed “truthiness” to refer to false or misleading material that appears to have the quality of truth at first glance — just enough that most won't bother to “trust but verify”.) When we enforce copyleft licenses in “incomplete-ccs” scenarios, we face a protracted argument with most vendors who insist — usually for some seemingly plausible but actually altogether specious reason — that the previous CCS candidate that they provided truly is complete and Corresponding Source. The average number of “rounds” of incompleteness reports that we send until reaching actual, valid CCS is approximately fifteen (on average).
We have spent many years pondering and refining advice for the users and consumers of these products. The users face the worst conundrum here: they sit confused with a copylefted binary and/or object code — yet they cannot effectively exercise their own rights under copyleft nor can they redistribute any object code to anyone else until they have proper CCS.
Fortunately, all is not lost. Here are a few simple facts (which apply to all known copyleft licenses — including the AGPL, LGPL, GPL, and copyleft-next):
For example,
AGPLv3§1
states You may make, run and propagate covered works that you do not
convey, without conditions … a "covered work" [is defined as]
either the unmodified Program or a work based on the Program
.
AGPLv3§4 goes on to state: [y]ou may convey verbatim copies of the
Program's source code as you receive it, in any medium
.
AGPLv3§5 grants that you may convey a work based on the Program, or
the modifications to produce it from the Program, in the form of source
code under the terms of section 4
. The list of requirements you must
meet when doing so under AGPLv3§5 are easy. (Summarizing AGPLv3§5(a-d): they
require that you add/maintain certain required textual notices,
and outbound-license the whole Covered Work under AGPLv3 itself.)
In short, there's no need to think twice if all you're doing is redistributing a copylefted work in pure Source Code form.
This License explicitly affirms your unlimited permission to run
the unmodified Program … You may make, run and propagate covered
works that you do not convey, without conditions
(AGPLv3§2). Other copyleft licenses have similar language.
Do take care not to give someone else direct access to the machine where you do this, and firewall the system so only you can access it via a network. If you distribute and/or convey the software to third parties (or deploy to others a network-service-copylefted system), there may be other parts of the copyleft license that will create obligations for you.
This concept can be counter-intuitive at first, but is extremely important when a vendor continues to provide incomplete/non-corresponding source code for a long time. If the vendor shipped portions of the work in non-source form only (for example, Linux modules in Object Code (i.e., .ko file) format), those files must be distributed under the copyleft license pursuant to its terms. While you face difficulty1 if you personally want to redistribute the non-source form of the software, your rights to analyze, modify, examine, reverse-engineer, or “figure out” those non-source components remain unimpeded due to your rights under the copyleft license.
Similarly, if the violator is withholding (all or some of) “the scripts used to control compilation and installation” — and you have the patience to painstakingly reproduce the build and install the software — you are fully permitted to try.
If you are lucky enough to succeed in your reverse-engineering effort and yield a non-source form that has clear and correct CCS that you can provide yourself, then you can make your own binary/Object Code distribution and redistribute2 all of it together (i.e., pursuant to AGPLv3§6).
These are three of the ways you can still exercise a few of your software freedoms and rights even when vendors have curtailed them by a copyleft violation. This isn't an exhaustive list; rather, it represents the most common “real world” scenarios that users and consumers face against badly behaved vendors.
Keep in mind that vendors will regularly bully users and inaccurately claim these rights don't exist. And it can get nasty!: we've seen violating vendors send DMCA takedown notices, get lawyers to send cease and desist letters, and even publicly shame the brave users who engage in the activities above. If this happens to you, keep your nerve, and remember that all copyleft licenses are irrevocable — vendors don't get to change their mind about your rights after the fact.
Finally, please never hesitate to reach out to us at SFC if you have other scenarios that you face and wonder what your rights are under copyleft, or if you face bullying, harassment, or other further bad behavior from vendors who refuse to grant users the rights they deserve under copyleft. ∎
As always, the usual disclaimers apply: Software Freedom Conservancy is not a law firm, I am not a lawyer, and the advice in this post is not legal advice. You may indeed face legal action by violators even if the rights and permissions that you exercise are obvious. You may wish to consult legal counsel in these situations, and we particularly recommend that you do so if you engage in any distribution and/or software deployment commercially.
1 Note that most copyleft licenses give extra rights to users who wish to non-commerically redistribute object code forms received from their upstream. With most copyleft licenses (and certainly with the GPL Agreements), if you want to redistribute Object Code components just as a vendor gave them to you, you are permitted to simply pass along the offer for CCS from the upstream commercial entity (e.g., see AGPLv3§6(c)). As such, we at SFC usually feel comfortable freely redistributing non-source forms of software that we know are violating; and, we simply point to the upstream violator. When we do so, we encourage users to demand source from the vendor. However, we at SFC do this kind of work every day. We urge anyone who wants to imitate our behavior in this regard to discuss privately with us first, and also consult legal counsel. (NB: Since we're not a law firm, we can't be your legal counsel).
2 The
OpenWrt origin story provides an
excellent historical example of a burgeoning
FOSS project following
these three guidelines. In early 2004, Cisco's Linksys
released incomplete and non-corresponding source code for its
WRT54G router (— following a six-month copyleft enforcement action that I led).
While that release was not CCS, it was juuust enough to allow the newly
formed OpenWrt project to reverse-engineer the build and installation
systems (by making their own with buildroot). Furthermore,
OpenWrt redistributed a binary Linux module (.ko file) for which Broadcom
(Linksys' vendor) refused to release CCS. To my knowledge,
Broadcom never took any action against OpenWrt on this matter —
likely because Broadcom itself violated GPLv2, and they did not want to draw attention
to their own nefarious behavior. Furthermore, OpenWrt's distribution was
non-commercial and therefore Broadcom had no “profits” to go
after. (By contrast, for SFC's OpenWrt One router, we made sure that no third-party
upstream non-compliant binaries were included — not only because we'd never
sell (or even encourage use) of a product that violated, but also because it's
very
risky to sell software that violates copyleft.)
by on April 16, 2026
This article discusses a current-headlines situation regarding Affero General Public License, version 3, Section 7, paragraph 4 (AGPLv3§7¶4.). I begin however with an explanation of the problem that clause sought to solve and how the clause works. This may seem an estoric license issue, but in fact this issue regularly impacts users today — particularly with the advent of “badgeware” (software that allows redistribution but includes annoying advertising that cannot be removed). Hopefully, this explanation helps readers understand the importance of the issue and gain vigilance when reviewing potential “further restrictions” placed on their copylefted software.
I began my work in copyleft licensing and policy in the late 1990s. In those days, there was a growing problem regarding usage of the GNU General Public License, version 2 (GPLv2) that threatened the software freedom and rights of users. It's a nefarious licensing slight-of-hand that works as follows:
The vendor seems to offer the software under a copyleft license. There's
a copy of GPLv2
in the top-level directory of the source code in a file called
GPLv2. All seems in order, and folks excitedly
engage in their right to copy, modify, and install modified versions of the
software. Maybe a few even think of a viable business idea that would
include (usually permissible) commercial redistribution of the software
for profit.
Unfortunately, someone notices a file
called LICENSE in the top-level directory that says:
Copyright (©) 1999, Sneaky Company, Inc.
This software is licensed under GPLv2, except that commercial modification and redistribution is strictly prohibited.
They've sadly discovered a self-contradictory license. Unfortunately, under GPLv2, these users are basically stuck; they have to go with the strictest possible interpretation given the self-contradiction. In essence, the licensor giveth, but the licensor immediately taketh away. In those days, these users couldn't start their business; they'd have to find or write another codebase.
I was tangentially involved with the drafting of GPLv3. On my list of issues to raise with the drafters was this very issue. By the time of GPLv3 drafting (circa 2006), this problem was rampant. Users were quite confused when they saw these self-contradictory licenses.
The solution was not obvious. Both GPLv2 and the earliest drafts GPLv3-family of licenses
(which includes GPLv3,
AGPLv3, and
LGPLv3)
already had this clause: You may not impose any further
restrictions on the recipients' exercise of the rights granted herein
(quoting the GPLv2 version; the
GPLv3/AGPLv3 version varies slightly).
The problem: this only prevented downstream licensors from imposing further restrictions. If a sole entity is the original author, copyright holder and initial licensor of the work — and if they hold those powers exclusively — typically that entity may issue a self-contradictory (or even completely incoherent) license. In that case, downstream licensees are awash with legal uncertainty. So, that “may not impose” clause just does not solve this particular problem.
A new clause was needed. Later drafts of the GPLv3 (which is almost textually identically to AGPLv3 — only §13 differ between the two licenses) included a fascinating solution in §7¶4:
If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term.
Copyleft is indeed most inventive when it empowers the downstream user (who, of course, is often just the next entity in a long distribution chain of (both commercial and noncommercial) software sharing). AGPLv3§7¶4 is an innovative and very necessary clause that liberates users who face the situation described at the start of this article. Had our excited new business seen this …
Copyright (©) 2008, Sneaky Company, Inc.… they could simply toss away the additional restriction like so …
This software is licensed under AGPLv3, except that commercial modification and redistribution is strictly prohibited.
Copyright (©) 2008, Sneaky Company, Inc.… and copy, modify, redistribute, redistribute modified versions and/or install modified versions of the software freely under AGPLv3's pure terms.
This software is licensed under AGPLv3, except that commercial modification and redistribution is strictly prohibited.
There remains one drawback to this solution: it demands courage from the user that strikes the “Further Restriction”. In theory, all is well and safe. In practice, the types of companies that pursue tactics like self-contradictory licenses and “gotcha” further restrictions are also the most predatory, unfriendly, litigious, and aggressive businesses. One who exercises their clear and correct rights under AGPLv3 will certainly face public condemnation, and possibly frivolous litigation.
For years, the Neo4j case was the primary exemplar of this phenomenon. SFC followed the case closely, I served as an expert witness for the Defendant, and SFC filed an amicus brief on the appeal. The lower court decision was highly problematic, and the case concluded with a voluntary dismissal (and as such has not been heard by any Appeals court). Thus, while the lower court decision does not create bad precedent, it also does not offer any good precedent for those corageous users who exercise this particular right.
(Full disclosure: SFC runs a self-hosted Nextcloud instance — but other than being fans of their work and satisfied users — we have no formal relationship with Nextcloud (or IONOS). We also certainly have no relationship whatsoever with Onlyoffice or Ascensio System SIA.)
A few weeks ago, yet another saga in the history of AGPLv3§7¶4 began. Ascensio System SIA published Onlyoffice with the sneakiest “Further Restriction” that I've ever seen. Ascensio's further restriction states:
Pursuant to Section 7(b) of the License you must retain the original Product logo when distributing the program.
Pursuant to Section 7(e) we decline to grant you any rights under trademark law for use of our trademarks.
This restriction is particularly nefarious because it is dressed in the trappings of explicitly permissible requirements in AGPLv3§7.
In addition to our beloved AGPLv3§7¶4, the rest of AGPLv3§7 includes some provisions designed for cross-FOSS-license compatibility. During the GPLv3 drafting process, a survey was conducted of all popular FOSS licenses. In the spirit of making sure no terms of GPLv3 inadvertently contradict a requirement in one of those licenses, AGPLv3§7(a-f) were devised for maximal cross-FOSS-license compatibility.
For example, the 3-Clause-BSD license's third clause states:
3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission
Now, get ready for Onlyoffice's trick, which takes three moves:
The trick is “too clever by half”. Ascensio have indeed created a self-contradictory license, since the users are prohibited from displaying the trademarked logo, yet the users are also forbidden to remove the code that displays that trademark logo.
We thought through this problem already years ago during AGPLv3's drafting. In fact, I recall much discussion to verify there were no strange interactions between 7(b) and 7(e) — and there are not. AGPLv3§7(b,e) states (including relevant definitions from earlier sections):
An interactive user interface displays “Appropriate Legal Notices” to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. …
Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:…
[7]b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or …
[7]e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks;
Nota bene: there is a very short list of things that a licensor can require
downstream licensees preserve. Logos, advertising, and similar are not on the list. Badgeware
is not a reasonable legal notice
.
Nextcloud has partnered with IONOS to fork Onlyoffice to create Euro-Office. To my knowledge, this codebase complies completely with the valid AGPLv3§7(e) requirement: Ascensio's trademarks have been scrubbed from the sources. However, since what Ascensio purports as a license term supplement pursant to AGPLv3§7(b) is actually a backdoor Further Restriction, Nextcloud and IONOS are completely within their rights (pursuant to AGPLv3§7¶4) to remove that further restriction.
As expected, Ascensio published an unfair, inaccurate, aggressive, and community-unfriendly response. I predicted long ago that adjudication of AGPLv3§7¶4 would require nerves of steel. This unwarranted denigration of an upstanding member of commercial FOSS community — Nextcloud — demands condemnation and Nextcloud deserves our thanks for confronting this bully.
As I did in the Neo4j case, I've told Nextcloud that I'm available as an expert witness if they end up in litigation with Ascensio. I hope, however, that Ascensio will realize their error, remove the further restriction themselves, and embrace the value of AGPLv3. Pure AGPLv3 was designed to faciliate web service business models. Our community would quickly and gladly embrace Onlyoffice, help its upstream development, and welcome them to the FOSS community. ∎
About the author: Bradley M. Kühn is a lifelong FOSS activist and has focused his career on FOSS licensing generally, and copyleft licensing in particular. Kühn invented the Affero clause in the original AGPLv1, and co-drafted AGPLv3§13.
Bradley is not a lawyer, SFC is not a law firm, and this article is not legal advice.
by on April 15, 2026
Update: This blog post received significant immediate response — with strong reactions in multiple directions. Everyone on SFC's Copyleft Team has carefully considered for four years (i.e., since our policy fellow Bradley's 2022 article) what policies might make sense given the advent of LLM-assisted coding tools. We're now looking toward formulating formal policy recommendations with input from you. We believe movements are best built not by one person's proclamations, but rather through collaborations and planning for the best way forward together.
Below, I get us started by sharing my personal thoughts. Please come to a video chat session on one of the following days to discuss with us if you can (more details on the chats at the end of the post):
$ date -d '2026-04-21 15:00 UTC'
$ date -d '2026-04-28 23:00 UTC'
If you cannot attend these chats, and are already in personal contact with any SFC staffer, we all welcome you to chat with them or book a call — they would be happy to discuss. You can also reach out to <info@sfconservancy.org> and someone from our staff will engage in a slower email thread with you. As always, SFC never dictates mandatory policies on our member projects or our community. We look forward to hearing what you think at the sessions! My initial ideas follow:
Many people may recall Eternal September (in 1993) — when Usenet membership increased overwhelmingly — marking the annual September rush of student joins. The ensuing moderation challenges changed the culture of Usenet (the largest Internet discussion fora back then). Many early Usenet adopters left quickly. While this onslaught of “newbies” knew little of Usenet's traditional cultural norms, they nonetheless benefited greatly from these novel connections to discuss and learn together with people worldwide. The times were turbulent then, but eventually revised cultural norms emerged that benefited both the Eternal September arrivals and the old guard who stuck it out. Usenet (while less popular than it once was) survives today as the only widespread store-and-forward discussion fora optimized for low-bandwidth, spotty connectivity.
Today, another similar cultural change is afoot. I call it Eternal November. November 2025 — the month of Opus 4.5's release — has been widely identified as a similar inflection point: LLM-backed generative AI coding tools made a substantial leap to increased usefulness. A new wave of software developers — unfamiliar with traditional FOSS development culture — are adopting these systems quickly and making many (sometimes disastrous) mistakes. Some refuse to learn historical cultural norms, and others are genuinely confused (like all newbies) at the hostile responses.
We're all tempted — as some were in 1993 — to shun these “newbies” and reject their contributions aggressively. But what is really going on here? As in 1993, good and well-intentioned people just discovered newly interesting and hitherto unexplored ways to interact and engage with computing. FOSS's old guard reasonably feels angst, concern, and legitimate fear. We curated our norms over decades. But these norms are not sacrosanct. I urge us to reluctantly but seriously embrace this opportunity. We have much to teach these newcomers, and we must resist our arrogance of experience and assumptions that they've nothing to teach us.
I encourage all of us in the FOSS community to welcome the new software developers who've adopted these tools, investigate their motivations, and seriously consider cautiously and carefully discussing their workflows and consider if they may ultimately benefit FOSS. Seasoned software developers understand the benefits and limitations of LLM-assisted coding tools: we've studied for a few years the maintainability costs they incur, and the dangers of their flagrant, undisciplined use. We should give a try at explaining this to the newcomers. For example, if it comes from an individual (i.e., not a bot), an AI slop pull-request often offers an opportunity to educate a newcomer as to what they did wrong. Indeed, most FOSS developers that I know submitted a human-written-slop as their first contribution to a project. The ones who stayed are the ones who had an experienced developer explain what they did wrong — so they could improve and try again.
FOSS maintainers have decried for decades how few upstream contributions they receive. Maintainers today mostly bemoan the “AI slop”, and I agree that the slop is (at its absolute best) raw material to help make an actual contribution and (at its worst) tantamount to spam. Nevertheless, we must seek the goal of engagement to increase human collaboration (and thus maintainability). It is our job to recognize these opportunities, to communicate them, and to help new software developers build maintainable projects with us. It's a tall order: since the inception of FOSS, we've always needed to perpetually service the airplane while flying it: maintain the projects we have, while also creating the FOSS communities of the future for those projects. Only this approach has ensured FOSS will thrive and flourish. This is no time to give up that time-honored and documented successful approach.
The tiresome onslaught of slop (at least that presented by real humans) stems from a fundamental newbie confusion — but we can help newbies understand! We've always accepted (and encouraged) folks to keep private forks if they really like a patch that upstream determined was slop. My friend and colleague Bradley told me years ago that he maintained a personal fork of rsync for most of the 1990s because his extremely sloppy first-of-his-life submitted patch was rejected by upstream. Users who make a sloppy change that “works for them” should never be shunned; instead, they should be educated to make their own Git repository and rebase off upstream to their heart's content.
This is not to say we shouldn't encourage people to improve their behavior so they can contribute to and join FOSS projects. However, we do need to recognize when someone is ready and interested in doing that (and willing to put in a bit of extra time to help others), and when they just want to do a thing on their own, and that's fine for them. In the latter cases, we have always simply asked them to please stop sending us what they've got.
By recognizing what new technologies can do well, and what they can't, and how this differs from the technologies of the past, we can not only adapt our communities to these changes, but also take advantage of the new wave of people who are excited about our craft. It took time, but we adapted to the Eternal September. We can learn from that experience and do it again. The first steps are to recognize rapid changes, consider how they can benefit society, and then patiently and open-mindedly bring our ideals and extensive knowledge to the table to accelerate that positive change — while politely warning of the drawbacks (which are obvious to us but not to the newcomers).
There are many issues with LLM-backed generative AI coding tools; this blog post puts forward a few ideas about one of dozens of issues we now face (or will face in the near future). But every hope of improvement must begin somewhere. Therefore, if you help lead a FOSS project, or if you are using LLM-backed generative AI coding agents and want to learn to help rather than hinder upstream, please join us to discuss your concerns and the need to help welcome these new people to your communities in a manner that is productive. We will be running a series of interactive video chats, starting on April 21 at 15:00 UTC and April 28 at 23:00 UTC, in this room. SFC staff and volunteers will discuss these issues with the public. We'll consider how we can adapt FOSS projects to improve pro-AI contributor onboarding and how to better understand how newcomers are using and making software these days. Please also follow us using the linksa at the bottom of the page to learn about future such chats. SFC has dedicated 20 years already to successfully making FOSS the best it can be. We plan to do the same for the next 20 years, by understanding the needs of billions of new software developers, and welcoming them to our community with grace and education.
by on April 2, 2026
Last week, the Federal Communications Commission in the United States (the FCC) banned the sale of all new models of home routers not made in the U.S., which is ... all of them. The stated reason for this is that routers "pose an unacceptable risk to the national security of the U.S. or the safety and security of U.S. persons." A router manufacturer can apply for a "Conditional Approval" exemption to try and convince U.S. government bodies that their router should be allowed into the U.S., but this requires "A detailed, time-bound plan to establish or expand manufacturing in the United States" and "A description of committed and planned capital expenditures, financing, or other investments dedicated to U.S.-based manufacturing and assembly", and "an update on the status of their onshoring plan once a quarter" among other impractical asks. Devices built in the U.S. generally cost at least twice as much as devices built in Asia (see the Librem 5 (USA) for example) because U.S. manufacturing facilities are not ready with the scale and efficiency required to enable competitive pricing. The reason we chose to build the OpenWrt One in Asia is that it makes sure the device is as feasible as possible for people around the world to purchase. We expect it will take decades before the U.S. is ready to produce competitively-priced devices - user freedom can't wait that long.
And, in case you were hoping to buy an OpenWrt One, don't worry: the One has already received FCC approval so there is no change to its availability in the U.S. Naturally, we are concerned about the effect this has on any new hardware that SFC might develop, but this decision by the FCC does not create any near-term problems for us, or for FOSS generally.
We do applaud the FCC for recognizing how important home routers are to people's security. While the rulemaking is misguided, it's absolutely correct that the proprietary router manufacturers be accountable in relation to the hardware and software that individuals bring into their homes and their lives. We believe that manufacturers of routers that are primarily FOSS are in a much better position to evaluate the security of their devices, and so we analyzed the rulemaking taking into specific account its software aspects.
While the FCC decision focuses mainly on hardware, there are also some requirements for software. In particular, the FCC has hinted that it may restrict updates to existing hardware, in particular that existing routers "may continue to receive software and firmware updates that mitigate harm to U.S. consumers at least until March 1, 2027".
Since software updates to already-FCC-approved devices do not require a new FCC approval, it appears the FCC is trying to move beyond its usual authorization procedures to restrict what manufacturers are allowed to push to existing routers. However, the FCC notably does not restrict software changes made by owners of routers in the U.S. In particular, there is no indication that updates people make to their own routers, using software they have sourced themselves, would run afoul of any past or present FCC rule.
As a result, we do not believe that this new FCC decision affects whether and how people can run OpenWrt or other user-selected firmware updates on routers they have already purchased. Not only is this an important right in relation to our ownership and control of our own devices, it also ensures that people can keep their routers secure for far longer than the manufacturer may choose to provide security updates, by allowing them to install up-to-date community software that supports routers for 10, 15, or even more years after their initial release date, as OpenWrt does for many devices.
This leads us back to the stated goal of the FCC in making these changes: to ensure that routers do not "pose an unacceptable risk to ... the safety and security of U.S. persons." We certainly agree that all persons (including U.S. persons) should use technology that is safe and secure. And there are standards that exist to ensure this is the case, such as NIST IR 8425A, which the U.S. government already paid to research and produce and, alongside NIST, is recommended by Consumer Reports and other right-to-repair groups already. We have been assessing our existing processes (for OpenWrt, and especially the OpenWrt One) against NIST IR 8425A, and are now accelerating those efforts to ensure we can show that routers using OpenWrt are indeed safe and secure, as determined by independent bodies. This not only helps U.S. persons, but everyone around the world, as OpenWrt is available to anyone regardless of whether they are in the U.S. or not. We strongly encourage any regulation targeting safety and security to take a holistic view, recognizing that safety and security in our technology does not depend on what country we are in, but rather on common properties of the hardware and software we use, and a shared understanding of what technological safety and security means for all humans.
We have reached out to the FCC for clarity on this topic, and look forward to updating this post with their reply.
[1] 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69