Re: WARNING: Crypto software to be included into main Debian distribution



tb@becket.net (Thomas Bushnell, BSG) wrote:
> Walter Landry <wlandry@ucsd.edu> writes:
> 
> > tb@becket.net (Thomas Bushnell, BSG) wrote:
> > > "You might consider" is a far cry from "you must".  I don't think you
> > > understand how lawyers give recommendations. 
> > 
> > Are you suggesting that Debian not do those things?  Is Debian going
> > to distribute crypto without doing reverse IP lookups and without the
> > use restrictions?
> 
> The use restrictions are contrary to our own existing policies, so we
> can't take that recommendation.

These restrictions are in place whether or not we tell people about
them.  As US residents, we are prohibited from exporting the software
to people who are using it for nuclear, biological, or chemical
warfare.  Whether or not we put a notice on the website is immaterial.
To make it completely clear, I quote

  ...these controls prohibit the export of open source cryptographic
  software under License Exception TSU to (1) prohibited parties
  (listed at http://www.bxa.doc.gov/DPL/Default.shtm), (2) prohibited
  countries (currently Cuba, Iran, Iraq, Libya, North Korea, Sudan,
  Syria and Taliban Occupied Afghanistan) and (3) design, development,
  stockpiling, production or use of nuclear, chemical or biological
  weapons or missiles.

And to answer a question posed by Steve Langasek, yes, people can lie.
People have always been able to break licenses.  Just because it is
difficult to police doesn't make it irrelevant.  Debian still has to
make it a condition that people don't make nukes with the software.

> I would not object to the reverse IP lookups, but if it's any real
> hassle, we could drop that too.

What part of 

  We recommend that you perform IP checking and deny downloads to
  known embargoed countries. This due diligence also would provide a
  defense to a claim of civil liability.

don't you understand?

> > What Debian does now is that it distributes all crypto stuff from
> > servers outside of the US.  If Debian distributes from the US, then it
> > has to have a policy that official mirrors are not allowed in the T7.
> > That is a significant change.  Some people will think that it is worth
> > it.  Some will not.
> 
> Right.  At the moment we have an *absolute* policy against mirrors in
> the US--which hurts us in a jillion ways.  We can easily replace that
> with something much looser, and simply not advertise or go out of our
> way to support any mirrors that might exist in T7 countries.

You obviously think it is worth it.  I might even agree with you.  Or
I might not.  Certainly not everyone agrees with you.  Florian, for
example.

As an additional point, Debian may still have to have a non-us archive
for the non-free programs.  Granted, there aren't many things there
(fortify, pgp, rsaref, ssh-non-free, and speak-freely).  I think
speak-freely will actually qualify under the export controls as free
software, since (I think) what makes it non-free is that it implements
IDEA.  I don't know about the others, but I wouldn't object to just
dropping them from the archive.  But then, I'm a radical ;)

Regards,
Walter Landry
wlandry@ucsd.edu
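The "IP checking" that the quoted legal advice recommends, shown as an added example that is not part of this thread and not Debian's own mirror or archive code. It does what "reverse IP lookup" meant in practice: a PTR lookup on the client address and a check of the country-code TLD of the resulting name against the embargoed countries listed in the quoted export text. The ccTLD mapping, the sample PTR table and the fail-open default are my assumptions, not anything the thread specifies.

```python
import socket
from typing import Callable, Dict, Optional, Tuple

# Assumption: map the countries named in the quoted export-control text to their
# country-code TLDs. The check keys on the ccTLD of the reverse-DNS name, which is
# all a "reverse IP lookup" gives you.
EMBARGOED_CCTLDS: Dict[str, str] = {
    "cu": "Cuba",
    "ir": "Iran",
    "iq": "Iraq",
    "ly": "Libya",
    "kp": "North Korea",
    "sd": "Sudan",
    "sy": "Syria",
    "af": "Afghanistan",
}

# A resolver takes an IP address and returns its PTR name, or None if there is none.
Resolver = Callable[[str], Optional[str]]


def reverse_lookup(ip: str) -> Optional[str]:
    """Live reverse-DNS lookup. Returns the PTR hostname, or None on any failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def cctld_of(hostname: str) -> Optional[str]:
    """Return the two-letter country-code TLD of a hostname, or None for gTLDs
    (.com, .org, .net ...) and for bare single-label names."""
    labels = hostname.rstrip(".").lower().split(".")
    last = labels[-1]
    if len(labels) >= 2 and len(last) == 2 and last.isalpha():
        return last
    return None


def download_allowed(ip: str,
                     resolver: Resolver = reverse_lookup,
                     fail_open: bool = True) -> Tuple[bool, str]:
    """Decide whether a download from `ip` is permitted, with a reason string.

    An address with no PTR record carries no country signal at all; `fail_open`
    (an assumption here) chooses whether such clients are served or refused.
    """
    name = resolver(ip)
    if name is None:
        return (fail_open, "no reverse DNS record for %s" % ip)
    tld = cctld_of(name)
    if tld in EMBARGOED_CCTLDS:
        return (False, "%s reverse-resolves to %s, an embargoed country (%s)"
                % (ip, name, EMBARGOED_CCTLDS[tld]))
    return (True, "%s reverse-resolves to %s, not in the embargoed list" % (ip, name))


# Constructed PTR table (TEST-NET-3 addresses) so the example runs offline.
FAKE_PTR: Dict[str, Optional[str]] = {
    "203.0.113.7": "dialup-07.isp.example.ir",
    "203.0.113.8": "mail.example.com",
    "203.0.113.9": None,                      # no PTR record at all
    "203.0.113.10": "ftp.mirror.example.cu.",  # trailing dot, as PTR data often has
}


def fake_resolver(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    for addr in FAKE_PTR:
        ok, why = download_allowed(addr, fake_resolver)
        print("%-12s %s  %s" % (addr, "ALLOW" if ok else "DENY ", why))
```

Note what this does and does not buy you: a client in an embargoed country whose address has no PTR record, or one that reverse-resolves to a .com or .net name, sails through, and a PTR record is set by whoever controls the reverse zone, not by the downloader. That is why the quoted advice calls it due diligence and a defense to civil liability rather than a control; it goes together with the "people can lie" point above, not against it.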
