WARNING: Crypto software to be included into main Debian distribution
Hi,
Debian has recently received legal advice explaining how we can
include software with cryptographic functionality in our main archive.
This document can be found at
<URL:http://www.debian.org/legal/cryptoinmain>.
In accordance with this advice we plan to include cryptographic
software in our main archive (at some point after March 8th). This
will allow us to integrate security software such as OpenSSH, SSL
support, and many other enhancements into our operating system.
Since you are mirroring the Debian distribution you may be wondering
what impact, if any, this will have on you. Obviously you will notice
the new software entering the main archive. If you mirror non-US, you
also may notice some software dropped from the non-US distribution as
it moves into main. The primary concern however is likely to be legal
impact. For mirrors outside the United States there should be no new
legal issues not present for those already mirroring non-US (and
accordingly the rest of the mail isn't relevant to you).
The software in Debian's main archive is all publicly available in the
sense of section 740.13(e) of the US EAR. This means that it can be
exported from the United States if Debian files export notification at
the time of export. According to the legal advice Debian received,
mirrors do not need to send in their own notifications. Debian will
send in a notification that covers our master archive and any mirrors
of that archive. We will also update this notification as we add
software.
BXA regulations require that you not knowingly export to embargoed
countries, as a show of good faith you may wish to consider
implementing a reverse IP lookup that identifies the computer
requesting the download, and that blocks downloads of the
cryptographic archive to countries embargoed by the United States:
Cuba (.cu), Iran (.ir), Iraq (.iq), Libya (.ly), North Korea (.kp),
Syria (.sy), Sudan (.sd) and Taliban Occupied Afghanistan. In
addition, you might consider having a separate screen prior to
download, that advises the person downloading the software as follows:
This software is subject to U.S. export controls applicable to open
source software that includes encryption. Debian has filed the
notification with the Bureau of Export Administration and the
National Security Agency that is required prior to export under the
provisions of License Exception TSU of the U.S. Export
Administration Regulations. Consistent with the requirements of
License Exception TSU, you represent and warrant that you are
eligible to receive this software, that you are not located in a
country subject to embargo by the United States, and that you will
not use the software directly or indirectly in the design,
development, stockpiling or use of nuclear, chemical or biological
weapons or missiles. Compiled binary code that is given away free
of charge may be re-exported under the provisions of License
Exception TSU. However, additional technical review and other
requirements may apply to commercial products incorporating this
code, prior to export from the United States. For additional
information, please refer to www.bxa.doc.gov.
If you have any questions about this new policy, please let us know.
NB: I am not a lawyer and this mail is not legal advice.
--
James [with thanks to Sam Hartman for the text]
Reply to: