git@vger.kernel.org mailing list mirror (one of many)
* inquiry on Git GUI for Windows 2.30.0
From: Doggett, Thomas C. (GSFC-705.0)[TELOPHASE CORP] @ 2021-02-12 15:20 UTC (permalink / raw)
  To: git@vger.kernel.org; +Cc: Zhang, Cynthia X. (GSFC-705.0)[TELOPHASE CORP]

Hello, 

My name is Thomas Doggett and I am a Supply Chain Risk Management Coordinator at NASA.  As such, I ensure that all NASA acquisitions of Covered Articles comply with Section 208 of the Further Consolidated Appropriations Act, 2020, Public Law 116-94, enacted December 20, 2019.  To do so, the Country of Origin (CoO) information must be obtained from the company that develops, produces, manufactures, or assembles the product(s).  Specifically, identify the country where each of the following products were developed, manufactured, and assembled:
 
Git GUI for Windows 2.30.0  
 
If the CoO is outside the United States, please provide any information you may have stating that testing is performed in the United States prior to supplying products to customers. Additionally, if available, please identify all authorized resellers of the product(s) in question.
 
Lastly, as required by Section 889 of the Fiscal Year 2019 National Defense Authorization Act (NDAA) please 

1.) advise if the product(s) in question is/are not manufactured by, contain components manufactured by or substantial influence from prohibited entities - Huawei, ZTE, Hytera, Hikvision, and Dahua and their subsidiaries and affiliates, and, 

2.) advise if your organization has the covered telecommunications and/or video surveillance equipment or services as a substantial or essential component of any system, or as critical technology as part of any system within the organization.

Product / Service Description: Git GUI for Windows 2.30.0
Model Number (if applicable): 2.30.0
Country (or Countries) of Origin: [[please provide your answer here]]
NDAA Section 889, Part A Compliant (Y, N, N/A) : [[please provide your answer here - (Y, N, N/A) ]]
NDAA Section 889, Part B Compliant (Y, N) : [[please provide your answer here - (Y, N) ]]	

Is final testing performed in the United States?: 		

Recognizing that these questions don't fit open source software very well, will add that I've tried some workarounds - like your affiliation with the Software Freedom Conservancy, but their entry on SAM.gov is expired (current entries would have NDAA attestations on them).

For these purposes, the country of origin of software is the country where the software was compiled and converted into object code.

Thanks,

 
Thomas Doggett 
SCRM Analyst | NASA 
 
Supply Chain Risk Management (SCRM) 
Office of Cybersecurity Services (OCSS) 
Office of the Chief Information Officer (OCIO) 
"The cosmos is within us. We are made of star-stuff" - Carl Sagan 
 
(703).244.8719 
https://inside.nasa.gov/ocio/security/OCSS/SCRM  




* Re: inquiry on Git GUI for Windows 2.30.0
From: brian m. carlson @ 2021-02-13  1:17 UTC (permalink / raw)
  To: Doggett, Thomas C. (GSFC-705.0)[TELOPHASE CORP]
  Cc: git@vger.kernel.org,
	Zhang, Cynthia X. (GSFC-705.0)[TELOPHASE CORP]


On 2021-02-12 at 15:20:07, Doggett, Thomas C. (GSFC-705.0)[TELOPHASE CORP] wrote:
> Hello,
> 
> My name is Thomas Doggett and I am a Supply Chain Risk Management Coordinator at NASA.  As such, I ensure that all NASA acquisitions of Covered Articles comply with Section 208 of the Further Consolidated Appropriations Act, 2020, Public Law 116-94, enacted December 20, 2019.  To do so, the Country of Origin (CoO) information must be obtained from the company that develops, produces, manufactures, or assembles the product(s).  Specifically, identify the country where each of the following products were developed, manufactured, and assembled:
> 
> Git GUI for Windows 2.30.0

You are referring to what is probably part of Git for Windows and should
be addressed to the Git for Windows project at
https://github.com/git-for-windows/git/.  They provide the Windows
binaries, since the Git project doesn't provide binaries of any sort.
The vast majority of the code for Git GUI is shared between the two
projects, though.

> If the CoO is outside the United States, please provide any information you may have stating that testing is performed in the United States prior to supplying products to customers. Additionally, if available, please identify all authorized resellers of the product(s) in question.
> 
> Lastly, as required by Section 889 of the Fiscal Year 2019 National Defense Authorization Act (NDAA) please
> 
> 1.) advise if the product(s) in question is/are not manufactured by, contain components manufactured by or substantial influence from prohibited entities - Huawei, ZTE, Hytera, Hikvision, and Dahua and their subsidiaries and affiliates, and,
> 
> 2.) advise if your organization has the covered telecommunications and/or video surveillance equipment or services as a substantial or essential component of any system, or as critical technology as part of any system within the organization.
> 
> Product / Service Description: Git GUI for Windows 2.30.0
> Model Number (if applicable): 2.30.0
> Country (or Countries) of Origin: [[please provide your answer here]]
> NDAA Section 889, Part A Compliant (Y, N, N/A) : [[please provide your answer here - (Y, N, N/A) ]]
> NDAA Section 889, Part B Compliant (Y, N) : [[please provide your answer here - (Y, N) ]]
> 
> Is final testing performed in the United States?:
> 
> Recognizing that these questions don't fit open source software very well, will add that I've tried some workarounds - like your affiliation with the Software Freedom Conservancy, but their entry on SAM.gov is expired (current entries would have NDAA attestations on them).
> 
> For these purposes, the country of origin of software is the country where the software was compiled and converted into object code.

I will just say that since Git is open source software, it's a bit rude
of you to ask us to do your compliance paperwork for you, since it's
significant work with no other benefit you are not paying us for, and
we're otherwise under no obligation to do so.  Many contributors
contribute to Git on their own time and equipment in order to benefit
the community and aren't in need of additional paperwork.  Since we
provide open source software, if you need a version that is compiled or
tested in a particular locale or a particular way, you are of course
free to do so on your own systems at your own expense, or hire an
appropriate party to do it for you, such as 18F[0].

Moreover, in many cases the code could have been compiled on an
ephemeral cloud server in one of many locations, so the information you
seek may not even be knowable.  Major Linux distros such as Debian even
compile packages for different architectures in different locations:
amd64 packages are compiled in Austria, Greece, the United States, or
Canada, but the ppc64el packages from the same source code might be in
either the United States or Brazil, and different versions, including
security updates, may be compiled on different systems in different
countries.

Git, and Git for Windows, have numerous contributors from all over the
world, and we appreciate all of their contributions, regardless of their
respective nationalities.  We don't inquire about where people do their
development work, since that information, given our respective projects
and the context of open source software, is irrelevant and asking would
be seen as invasive.  As a result, that information is also probably
unknowable.  (For example, I don't recall which countries I, personally,
have done Git development in, although I know the number is greater than
one.)

Before you head over to Git for Windows, I should also point out that
the main Git for Windows maintainer, while residing out of the United
States, is a colleague and a respected member of this community, and I
very much value his contributions to this project and that one.  Your
questions, even if required by law, seem like they might come off as
offensive or insensitive, and so I'd encourage you to be very careful
treading here to avoid offense.  In that vein, I would also advise you
to read and understand the codes of conduct for Git and Git for Windows.

So to get at least some of the information you seek here, you'd have to
ask the Git for Windows project, but don't be surprised if the
maintainers aren't delighted you came by.

[0] https://18f.gsa.gov/
-- 
brian m. carlson (he/him or they/them)
Houston, Texas, US



* RE: [EXTERNAL] Re: inquiry on Git GUI for Windows 2.30.0
From: Doggett, Thomas C. (GSFC-705.0)[TELOPHASE CORP] @ 2021-02-13 14:27 UTC (permalink / raw)
  To: brian m. carlson
  Cc: git@vger.kernel.org,
	Zhang, Cynthia X. (GSFC-705.0)[TELOPHASE CORP]

Brian,

Thank you for your response.  Totally understand where you are coming from.  We are working out how to both comply with the law as written and the requests of NASA employees for us to clear open source software for their use.

Speaking personally, my background is both in academia (planetary science) - where using open source software was integral to our daily work... and before that as a foreign service brat who lived across Eurasia and Africa growing up, so I get both how asking these questions to a non-US citizen and/or open source programmer instead of corporate officers can come across... and also why our NASA community needs this software for their work.  I will work out how to better preface our standard inquiry for both this specific instance and open source software in general.

I am also going to clarify with the end user whether they want Git GUI or GIT SCM before proceeding any further, because the information they submitted is clearly muddled.

- Thomas

