Re: unofficial mozilla 0.8 deb
On Thu, Mar 08, 2001 at 01:25:03AM +0200, Sampo Niskanen wrote:
>
> On Wed, 7 Mar 2001, Gregor Hoffleit wrote:
> > AFAIR, the new legislation said that companies could apply at
> > the government for a permission to release specific versions of
> > strong-crypto software to a world-wide public. I guess Netscape
> > did this for their communicator and since the government gave the
> > permission, anybody is now allowed to export these specific pieces of
> > software, even though they contain strong crypto.
> >
> > [Then, it would be obvious that this reasoning doesn't necessarily
> > apply to Mozilla--someone had to ask for a permission first.]
>
> If this is true, how do they define a software product? One binary? A
> very similar product? The same name?

it's not true, at least not for open source programs.

as i understand the new (actually year old) US crypto rules, for open
source / public domain / free software programs, all you have to do
is notify the US government that you're exporting it and tell them
where/how.

that's what kernel.org have done. i doubt if linus or transmeta or
anyone else involved would have taken the risk if they didn't think it
was safe to do so.

there is a notice on www.kernel.org about crypto s/w:

    Cryptographics Software

    Due to U.S. Exports Regulations, all cryptographic software on this
    site is subject to the following legal notice:

    This site includes publicly available encryption source code which,
    together with object code resulting from the compiling of publicly
    available source code, may be exported from the United States under
    License Exception "TSU" pursuant to 15 C.F.R. Section 740.13(e).

    This legal notice applies to cryptographic software only. Please see
    the _Bureau of Export Administration_[1] for more information about
    current U.S. regulations.

    [1] link to http://www.bxa.doc.gov/

you can read the new crypto rules for yourself at:

    http://www.bxa.doc.gov/Encryption/pdfs/Crypto.pdf

and

    http://www.bxa.doc.gov/Encryption/pdfs/EncryptionRuleOct2K.pdf

FYI, the relevant section (15 C.F.R. Section 740.13) of the new crypto
regulations says:

    (e) Unrestricted encryption source code.

    (1) Encryption source code controlled under 5D002, which would be
    considered publicly available under § 734.3(b)(3) and which is not
    subject to an express agreement for the payment of a licensing
    fee or royalty for commercial production or sale of any product
    developed with the source code, is released from ``EI'' controls
    and may be exported or reexported without review under License
    Exception TSU, provided you have submitted written notification
    to BXA of the Internet location (e.g., URL or Internet address)
    or a copy of the source code by the time of export. Submit the
    notification to BXA and send a copy to ENC Encryption Request
    Coordinator (see § 740.17(g)(5) for mailing addresses). Intellectual
    property protection (e.g., copyright, patent or trademark) will not,
    by itself, be construed as an express agreement for the payment of
    a licensing fee or royalty for commercial production or sale of any
    product developed using the source code.

    (2) You may not knowingly export or reexport source code or products
    developed with this source code to Cuba, Iran, Iraq, Libya, North
    Korea, Sudan or Syria.

    (3) Posting of the source code on the Internet (e.g., FTP or
    World Wide Web site) where the source code may be downloaded by
    anyone would not establish ``knowledge'' of a prohibited export
    or reexport, including that described in paragraph (e)(2) of this
    section. In addition, such posting would not trigger ``red flags''
    necessitating the affirmative duty to inquire under the ``Know Your
    Customer'' guidance provided in Supplement No. 3 to part 732 of the
    EAR.

that's a pretty clear statement that it's OK to export open source
crypto just by notifying the US government in writing.

an update in October 2000 clarified the matter even further, pointing out
that the exemption also covers binaries compiled from open source, and
even provides an email address to send the written notifications to:

    4. § 740.13 (Technology and Software Unrestricted (TSU)) clarifies
    the treatment of open source object code. Object code compiled from
    source code eligible for License Exception TSU can also be exported
    under the provisions of License Exception TSU if the requirements
    of § 740.13 are met and no fee or payment is required for object
    code (other than reasonable and customary fees for reproduction and
    distribution). Object code for which there is a fee or payment can
    be exported under the provisions of 740.17(b)(4)(i). The intent of
    this section is to release publicly available software available
    without charge (e.g. ``freeware'') from control. Also in § 740.13,
    crypt@bxa.doc.gov address is added to prompt exporters to notify
    BXA electronically. Exporters should note the intent of the phrase
    ``released from EI controls'' in 740.13(e) means that 5D002 software
    eligible for TSU is released from the mandatory access controls
    procedures described in 734.2(b)(9)(ii).

IANAL, but that's clear as crystal to me. it even states that the intent
is "to release publicly available software from control".

craig

--
craig sanders <cas@taz.net.au>
GnuPG Key: 1024D/CD5626F0
Key fingerprint: 9674 7EE2 4AC6 F5EF 3C57 52C3 EC32 6810 CD56 26F0