Hello world,
So, crypto-in-main is a happening thing, as those of you who happened
to look at the changelog of gnupg of libssl in today's i386/unstable
upgrade will have noticed.
The deal is this. Ages ago (January 2000?) the US government decided
that cryptographic software was actually already available outside
the US and that it wouldn't matter too much if the controls were
relaxed. So they were, to the point where open source cryptographic
software can be exported from the US, as long as you notify the Bureau
of Export Administration. Of course, the changes are a twisty morass of
regulations, all different, so unlike some other free software groups,
Debian's been reluctant to just go ahead and start doing it. Mid last
year, we got serious about getting legal advice to actually get this
done, and late last year we actually got appropriate advice from a
competent attorney that satisfied our qualms, and in the past few months,
we finished the requisite changes to our archive software, and in the
past few days, we actually went ahead and put cryptographic software
(namely openssl, openssh and gnupg) in the archive.
For reference:
Legal advice: http://www.debian.org/legal/cryptoinmain
Archive changes: http://lists.debian.org/debian-devel-announce/2002/
debian-devel-announce-200202/msg00006.html
Mirror notification: http://lists.debian.org/debian-mirrors/2002/
debian-mirrors-200202/msg00001.html
Notifications: http://ftp-master.debian.org/crypto-in-main/
What this basically means is that we're now willing to accept
cryptographic software uploaded to ftp-master (ftp.debian.org as opposed
to nonus.debian.org, auric as opposed to pandora, main as opposed to
non-US/main), with the following caveats:
* This is only for packages in main, not contrib, nor non-free
* For woody, we're only accepting packages that've already been
in non-US. eg, while it would be nice to just have an SSL
enabled postfix in main, we're instead going to play it safe
and leave postfix without SSL, and have postfix-tls (with SSL)
sitting in the archive next to it. Naturally, this restriction
will be lifted after woody's released.
* Your initial upload should do as little as possible other than
move the package to main. Uploads that do nothing but change
the section: from non-US to one of the main sections will be
approved fairly quickly.
* You should refrain from uploading to main until everything your
package depends upon has also been uploaded to main.
* There are a whole bunch of GPLed programs that link against
libssl. This isn't okay, see the OpenSSL FAQ's response:
http://www.openssl.org/support/faq.html#LEGAL2
We've been lax about this in the past, we'll try to get this
right as packages are uploaded to main.
* There're a number of packages with patent problems and similar,
these either should have the patented code removed, or
shouldn't be moved from non-US for the moment. OpenSSL has
had its patented sections removed (matching what Red Hat does)
for a while now, for reference.
Hopefully that covers everything. Mainly, be careful, don't give yourself
any room to make any mistakes.
What happens once you've uploaded is this:
* The package gets moved from /org/ftp.debian.org/queue/unchecked
to queue/new (within about 15m of the upload), and everything
but the .changes is made readable only by ftpmaster to ensure
any crypto software doesn't get accidently exported before
it's been notified about.
* ftpmaster processes the new package, checks its copyright, and
adds the overrides. We'll be grepping for "moved into main"
or so to make this a bit quicker.
* The archive software sends off the appropriate notifications,
moves the package to queue/accepted (which is visible on
http://incoming.debian.org/) and makes it readable. The email
notification to crypt@bxa.doc.gov goes straight there, the
printed notifications are being batched up and posted weekly.
* Once a day, everything in queue/accepted gets moved into
the archive proper and mirrored.
Kudos particularly go to:
Ben Collins (as DPL) for getting something actually happening.
Sam Hartman for preparing all the questions for the lawyer.
Hewlett-Packard Linux Systems Operation for helping us obtain
expert legal advice in the area.
LaMont Jones for liasing with said expert lawyer.
James Troup for redoing the archive structure so we don't have to
expect everyone on the Internet to help us avoid breaking the
export regulations.
Cheers,
aj
--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.
``Debian: giving you the power to shoot yourself in each
toe individually.'' -- with kudos to Greg Lehey
Attachment:
pgpOoNPHMTGJs.pgp
Description: PGP signature