On Sun, Feb 24, 2002 at 01:02:51PM -0500, Sam Hartman wrote:
> I maintain openafs and krb5. Both of these programs are US origin
> programs in non-us maintained by US maintainers.
> I believe there are others.

Didn't know that - How does that fit into the picture?

> But hey, guess what? We're using a different section of the EAR to
> export our crypto. In particular, we're using 15 CFR 740.13(e).
> And guess what? That section says nothing about items staying
> subject to the EAR after export.

What I also meant was the reexportation by automation, which one could interpret as a knowing shipment to T7 countries.

> I think you're confused about the definition of re-export as well. As
> far as I can tell under US law, a re-export is when an item imported
> to the US is exported again, not when an item exported from the US to
> another country is exported again from that country. That might be a
> re-export under that country's laws, but not in general under US law.

That's the US centric view - From my view this means - We are importing the crypto stuff from the US to Germany - And then I, as the mirror maintainer, export the stuff to T7 countries, e.g. as a mirror. Which means in the end that any upload to the main site is a knowing export to T7 countries (in the end).

> The maintainer, not Debian, is doing the export. Every time I upload
> new software to pandora, I am exporting from the US. I have the
> option of either violating US law or notifying the BXA of my export.
> Not surprisingly, I choose to notify the BXA myself.

The point I made is that in the future all incoming queues + master site may be in the US - There are hundreds of full and partial mirrors accessing that site and exporting to "good" parts of the world. There are some bad guys over there in Cuba (Sorry - US speech) which mirror from a site e.g. in Germany. Now - One might interpret this as a knowing exportation to T7 countries. Who is to blame? The DPL?

No - From my guess they'll go after the individual maintainers who send stuff to the normal queue and from that on do a knowing (multi-step) export to T7 countries.

The whole point is about your control as a maintainer over the WHOLE distribution (in means of shipment) from any mirror to any mirror. You can't control that. Which means - In the end your maintained software might end up in any T7 country, which you can't control. But through the automatic distribution (read: mirror) you might be held responsible for knowingly exporting it.

Am I just too paranoid? I feel uncomfortable with the point that there might be a legal DoS possible against a very important part of Debian: the package pool and its automatic distribution to mirrors.

The other thing - What about the usage restriction? Why does no one comment on that?

Flo
-- 
Florian Lohoff flo@rfc822.org +49-5201-669912
Nine nineth on september the 9th Welcome to the new billenium