Not everyone understands how open source is made. I received the following email from NASA a while ago.
Subject: Curl Country of Origin and NDAA Compliance
Hello, my name is [deleted] and I am a Supply Chain Risk Management Analyst at NASA. As such, I ensure that all NASA acquisitions of Covered Articles comply with Section 208 of the Further Consolidated Appropriations Act, 2020, Public Law 116-94, enacted December 20, 2019. To do so, the Country of Origin (CoO) information must be obtained from the company that develops, produces, manufactures, or assembles the product(s). To do so, please provide an email response or a formal document (a PDF on company letterhead is preferred, but a simple statement is sufficient) specifically identifying the country, or countries, in which Curl is developed and maintained.
If the country of origin is outside the United States, please provide any information you may have stating that testing is performed in the United States prior to supplying products to customers. Additionally, if available, please identify all authorized resellers of the product in question.
Lastly, please confirm that Curl is not developed by, contain components developed by, or receive substantial influence from entities prohibited by Section 889 of the 2019 NDAA. These entities include the following companies and any of their subsidiaries or affiliates:
Hytera Communications Corporation
Huawei Technologies Company
ZTE Corporation
Dahua Technology Company
Hangzhou Hikvision Digital Technology Company
Finally, we have a time frame of 5 days for a response.
Thank you,
My answer
Okay, I first considered going with strong sarcasm in my reply due to the complete lack of understanding, and the implied threat in that last line. What would happen if I didn’t respond in time?
Then it struck me that this could be my chance to once and for all get a confirmation if curl is already actually used in space or not. So I went with informative and a friendly tone.
Hi [name],
I will answer these questions below to the best of my ability, and maybe you can answer something for me?
curl (https://curl.se) is an open source project that creates two products, curl the command line tool and libcurl the library. I am the founder, lead developer and core maintainer of the project. To this date, I have done about 57% of the 26,000 changes in the source code repository. The remaining 43% have been done by 841 different volunteers and contributors from all over the world. Their names can be extracted from our git repository: https://github.com/curl/curl
You can also see that I own most, but not all, copyrights in the project.
I am a citizen of Sweden and I’ve been a citizen of Sweden during the entire time I’ve done all and any work on curl. The remaining 841 co-authors are from all over the world, but primarily from western European countries and the US. You could probably say that we live primarily “on the Internet” and not in any particular country.
We don’t have resellers. I work for an American company (wolfSSL) where we do curl support for customers world-wide.
Our testing is done universally and is not bound to any specific country or region. We test our code substantially before release.
Me knowingly, we do not have any components or code authored by people at any of the mentioned companies.
So finally my question: can you tell me anything about where or for what you use curl? Is it used in anything in space?
Regards,
Daniel
Used in space?
Of course my attempt was completely in vain and the answer back was very brief and it just said…
“We are using curl to support NASA’s mission and vision.”
Credits
Space ship image by Elias Sch. from Pixabay
Cheers to you for being a good sport.
Hi, Daniel.
I work at NASA Headquarters and can probably help give the request you received some context.
NASA uses a lot of open source software, in a lot of places. In fact, NASA (Goddard Space Flight Center) was instrumental in developing NIC software for Linux back in the day (the Beowulf project). We used Tcl for a lot of applications during the Shuttle era. Python is used in many many places, and I couldn’t tell you how many other packages and software libraries we use that are open source.
NASA contributes other open source as well, not just in the form of patches. See open.nasa.gov, api.nasa.gov, and data.nasa.gov for some examples.
The person who made the request of you would not usually know specifically where curl or other open source packages are used within our missions. As a government agency, we are required by law to research and understand the sources of all materiel, code and other items we use in our missions. If we don’t obtain this information, we are precluded from using those items. Most of those who work the supply chain risk management side of things aren’t necessarily engineers or working on specific missions, or using curl directly. That’s likely why you received the response you did. They are, however, enabling those engineers and others within NASA to use and continue to use your software, and the software of others, in our missions where applicable.
Thank you for your work, for providing that work for others to use, and for providing answers to the question of provenance for curl so that all those within NASA can continue using it.
/s.
Thanks Scott!
Scott – this is trivial, but “/s” is used on some social media sites to denote sarcasm. I did a double-take when I saw that!
Not so trivial! I re-read the whole comment after seeing the “/s” to make sure I wasn’t being bamboozled. Seriously though, thanks Scott!
“we do not have any components or code authored by people at any of the mentioned companies.” I wouldn’t have attested to that. We really have no way of knowing for certain. This is NASA’s burden not yours. On any open source project you could have, for example, Huawei developers contributing and there’s nothing wrong with that.
@Ray: You left out the “Me knowingly” prefix. I spoke the truth. I don’t know of any code in curl written by an employee of those companies. That doesn’t mean that we can’t have such code as we have a lot of code contributed anonymously and pseudonymously.
Further: if engineers from one of those companies would step forward and contribute good code to curl tomorrow, I will not have any problems accepting it. Code doesn’t have country borders.
“Me knowingly” isn’t how one would say that (it doesn’t even make sense); the phrase you want is “to the best of my knowledge and belief”.
Didn’t the Brits have some Raspberry Pi on the ISS? They usually run with Debian based distribution… given how deeply curl is used in getting stuff working on those distributions, I would bet that curl was already on the ISS.
Yes! People have claimed many times that there have been (are?) both Ubuntu and Windows 10 installations used on the ISS, and why not Raspberry Pis, and if that is true then surely one or more of them have most likely had curl installed and perhaps even used.
I would however prefer to have it clarified and verified in clearer terms than that!
The keyword to search is Astro-pi; it is an ESA project.
That’s really, really cool. So now, what about Area 51? Do do use curl there too?
I’m more curious about how NASA would have responded to this if Huawei had been involved in the development of the open source project. For example, Huawei has already participated in the development of the Linux kernel and made a lot of commits.