A covered entity includes "any person who provides ... a method to facilitate a communication or the processing or storage of data." FOSS encryption libraries could be considered a method of processing data.

If signed into law, this could compel maintainers to design libraries with gov't decryption in mind.

Given that courts have ruled open-source crypto code to be constitutionally protected speech, it might be difficult to make that stick.

https://en.wikipedia.org/wiki/Source_code#Legal_issues_in_th...

The case in question (Bernstein v. United States) is fascinating: https://epic.org/crypto/export_controls/bernstein_decision_9...

Would protected speech mean you could use some non compliant code to provide services or just that you could publish it?

I don't know, but the bill doesn't appear to cover end users. Cloud-based services would probably have to deal with it, but not people running software on their own computers.

How could this be enforced, assuming the library developers are scattered throughout the world?

Worst case scenario, all US developers drop off the project, or contribute anonymously.

Just decryption. It isn't government only just mandated by them ANYONE can use it.

Agreed. Those familiar with encryption understand that a single security incident resulting in the theft of such a backdoor key is all it would take. The attack would cascade to any company that implemented the library.

It would seem that no US person could package or distribute such open source crypto without becoming a covered entity.

Red Hat would be.

Consider the amount of funding RH and Sun Microsystems have put into the linux desktop. Imagine if they were now required to provide technical assistance to people attempting to surveil through the tools they've invented.