
Re: WARNING: Crypto software to be included into main Debian distribution



>>>>> "Florian" == Florian Lohoff <flo@rfc822.org> writes:

    Florian> On Sat, Feb 23, 2002 at 11:32:59PM -0600, Steve Langasek
    Florian> wrote:
    >> US export law concerns (as it should) the transport of items
    >> from within the borders of the United States to areas outside
    >> those borders.  If you're engaged in export activities from
    >> another country to the T7, on what grounds would you expect to
    >> be prosecuted in the United States?  And perhaps a more
    >> important question is, why do you believe moving crypto into
    >> main /increases/ this risk, if you already operate a non-US
    >> mirror that's open to the T7?

    Florian> Because currently none of the programs in non-us have
    Florian> their origins in the US. So I do not export anything from
    Florian> the US to the T7 countries. And yes - my mirror is open
    Florian> to anyone - and I would like it to stay like this.

I maintain openafs and krb5.  Both of these programs are US origin
programs in non-us maintained by US maintainers.
I believe there are others.

    >> Export from the US to Europe, and export from Europe to the T7,
    >> are two separate acts.  Unless there's something linking the two
    >> acts together

    Florian> Not when reexporting the stuff. You are not allowed to
    Florian> take a tank to Germany and then go on traveling to Iraq.

A tank is most likely governed by the ITAR (International Traffic Arms
Regulations or some such), not the EAR (Export Administration
Regulations).  The ITAR is far more strict, does require that I know
what the ultimate end use of the product is, etc.  Sending a tank to
Germany and then on to Iraq would in fact be a really bad idea for an
American.

But as I said, that's a totally different law.  Under the EAR, for many
of the exemptions, if an item is exported under that exemption it is
released from the EAR controls.  That means that if I legally export
crypto to you (let's say because you want to run a mirror in Europe),
then I and the US law are completely done with the issue.

The item was exported from the US.  End of story.

The item may be re-exported from your country, possibly even to T7
nations, but that's your law's problem, not US law.

There are some cases where I could export stuff to you but it would
still be governed by the EAR.  Those cases are explicitly mentioned in
the EAR.  I believe there is such a case in 15 CFR 740.9 and 15 CFR
740.17 among others.  And yes, that does mean that exemption ENC
(740.17) is not useful to Debian because it does have the transitive
properties you describe.

But hey, guess what?  We're using a different section of the EAR to
export our crypto.  In particular, we're using 15 CFR 740.13(e).  And
guess what?  That section says nothing about items staying subject to
the EAR after export.

I think you're confused about the definition of re-export as well.  As
far as I can tell under US law, a re-export is when an item imported
to the US is exported again, not when an item exported from the US to
another country is exported again from that country.  That might be a
re-export under that country's laws, but not in general under US law.

    Florian> That's new to me that there are non-us packages maintained
    Florian> by US citizens. If that's the case, why is there no need to
    Florian> have the export regulation notice on the non-us mirrors
    Florian> today?

Because that notice is for mirrors within the US, not for all mirrors.
You as a non-US mirror maintainer have no obligation to put such a
notice on your mirror, ever.  If you want to, you can, and people will
think you are a bit strange for subscribing to American law, but
that's your business.  The non-US mirrors are not exporting from the
US; any US software is already exported by the time it gets to the
mirror.

The maintainer, not Debian, is doing the export.  Every time I upload
new software to pandora, I am exporting from the US.  I have the
option of either violating US law or notifying the BXA of my export.
Not surprisingly, I choose to notify the BXA myself.
