
Re: What "Personal Security Manager"?



On Fri, Nov 17, 2000 at 10:49:57AM -0500, Dale Scheetz wrote:
> My first guess would be because of some security algorithms. This has
> always been a nagging problem for free software. Folks like Netscape and
> M$ can produce integrated security systems (I presume they have a license
> for doing so), but we must carefully put all our security code in an
> offshore repository, making integration near impossible.

This is not true, and has not been true for many months now.  All we must
do is agree that we will not do anything special to cause people in
certain US-blacklisted countries to acquire it from us.  These countries we
have a general trade embargo against anyway, so it's already illegal to
give them Debian.  Of course, all we can do is put a disclaimer that our
non-US software contains cryptographic software which downloading in
certain countries may be illegal under US (and other) laws.

The only other thing we must do is send a notification to the government
that we are doing this - we must do it for ftp.debian.org, but not for
mirrors necessarily.  Why this is required is anybody's guess.  Several
other non-US packages have already been included in main despite the fact
that some of them directly include crypto code.  The fact that we have
done this coupled with the fact that we decided not to jump through these
minor hoops - or even seek legal advice on the issue - could put us at
some risk.


IMO, despite the conspiracy theories that can be derived from the
requirement that we register our primary access site with the US gov't,
there is absolutely no reason Debian cannot at this point fold non-US into
main.  It is only blind paranoia and stubbornness (the US blacklist - many
say they don't want Debian to limit its US mirrors to not willfully
serving countries such as Iraq and Cuba that the US gov't just doesn't
like in this manner.  Fact is though, it's already illegal to distribute
Debian to those countries anyway from the US, so who gives a rip anyhow?)


The only way this sorry state of affairs gets resolved is if people become
aware that it is NOT illegal to distribute crypto from US sites to a world
audience anymore provided you do a couple of very simple things so the
gov't knows where to send the death commandos when the black helicopters
attack and free thought is outlawed.  (heh)

If a simple reading of the regulations is insufficient, companies have
sought legal advice on this matter and determined it legal to distribute
the stuff with a disclaimer on the site.  Kernel.org determined the same.
If you ask me (which you didn't I realize), this is worth Debian paying a
lawyer for advice if it's necessary so we can do away with this split
archive.

</rant>


> I have often thought it would be useful for Debian to apply for a
> munitions export license so we could integrate security into the
> distribution in the same seamless fashion the proprietary vendors do.
> Is this a job for SPI?

See above, all that is necessary nowadays is notification.

-- 
Joseph Carter <knghtbrd@debian.org>               GnuPG key 1024D/DCF9DAB3
Debian GNU/Linux (http://www.debian.org/)         20F6 2261 F185 7A3E 79FC
The QuakeForge Project (http://quakeforge.net/)   44F9 8FF7 D7A3 DCF9 DAB3

<doogie> there is one bad thing about having a cell phone.
<doogie> I can be reached at any time. :|
<wmono> that's why I leave mine off at all times. ;>


