Do you believe that trade regulations such as ITAR apply to publicly-available open source software? I do not¹, and it appears that your employees do not believe this either.
GitHub is currently hosting multiple GPS implementations² that are clearly against this line in your ToS, in addition to also being against ITAR by not implementing speed limits for missiles:
"GitHub may not be used for purposes prohibited under applicable export control laws, including purposes related to the development, production, or use of […] long range missiles or unmanned aerial vehicles."
I think you should probably make a blog post explaining GitHub's stance on this issue.
[2]: One of which is https://github.com/gnss-sdr/gnss-sdr. This repository does not implement ITAR-required GPS speed limits. Even if it was ITAR-compliant, the limits could easily be removed as it is open source software.
----------------------------
Update: GitHub has updated their ToS to remove this line. It was present on July 27, 2019. The issue still stands with this current statement from their ToS (https://help.github.com/en/github/site-policy/github-and-tra...), which forbids ITAR-regulated software:
"Users are responsible for ensuring that the content they develop and share on GitHub.com complies with the U.S. export control laws, including the EAR and the U.S. International Traffic in Arms Regulations (ITAR). The cloud-hosted service offering available at GitHub.com has not been designed to host data subject to the ITAR and does not currently offer the ability to restrict repository access by country."
Whether it's open source or not is irrelevant. ITAR software cannot legally live on GitHub.com in any case -- it doesn't matter if the repos are public or private. [But a GitHub Enterprise install (self-hosted version only) can be compliant.]
I'm confused by your request for the company's stance, since it's not something up for debate... there is no room for them to take a stance on complying with the law. It's not up to GitHub at all.
If it's publicly available open source, it can't contain ITAR.
If there is existing open source that doesn't contain ITAR, then that's fine because it's beyond the scope of ITAR, so ITAR doesn't apply to that scenario. [Maybe this is the case you're mentioning?]
If it is ITAR, it can't possibly be publicly available open source. [How could it be possible to have publicly-available open source software that is also restricted to being only shared with U.S. citizens?]
Of course an ITAR project could pull in publicly available open source (e.g., dependencies), but that doesn't sound like what's being discussed here.
We can sensibly speak of tech that "would be" an ITAR violation to deliver "if it were not" open source. This is exactly the scenario under discussion. It seems very clear from the linked page that, e.g., GPS code that is released as free/open is, in fact, not restricted by ITAR.
There is a certain unrealistic arrogance to the US approach to ITAR and software that seems to assume only US Persons could create technology on the list.
GPS receiver systems are the classic there: Russia, China and Europe all have their own GNSS. China runs the semiconductor industry and is quite capable of producing whatever unrestricted GNSS devices they choose. Therefore why restrict US companies?
Same with satellite tech, there may be some US specific tricks but there is a reason ITAR free satellite designs already exist and are multiplying. ITAR tries to protect too much and is killing US market share by being stupidly annoying.
The difference is companies actually get in a LOT of trouble for sanctions violations. When was the last time someone was prosecuted for an illegal GPS implementation?
You don't need an open source GPS radio for that, just fly a bit slower. The upper limit is plenty fast for weapons, 1900 km/h isn't much of a limitation, neither is 59,000 ft of altitude.
If you can understand the equations and engineering needed to build a cruise missile the GPS equations will not daunt you. Getting the final approach to have a useful Circular Error Probable at anything low enough for an assassination would be more of a technical challenge than the coarse guidance. Unless you had someone shining a designator you’d need real-time machine vision. To say nothing of designing an airframe that can perform precision manoeuvres at speed without breaking up.
While it is definitely possible to reverse-engineer and modify the software/firmware of existing proprietary GPS systems, I'd argue that the distinction between this and changing an open source project is not meaningless.
Changing a couple lines of well-documented source code in an open source project before compiling is arguably a much lower bar to pass.
It depends. For most reasonable firmware, trying to figure out how to compile the stupid thing is generally harder than finding and byte patching a condition in a binary blob.
[1]: https://www.unr.edu/sponsored-projects/compliance/export-con...