
Re: Debian Crypto in Main document...



On Tue, Jun 12, 2001 at 12:55:47AM -0400, Ben Collins - DPL wrote:
> What I would like to do is have the Tech-CTTE review this document for
> technical completeness. In other words, make sure that we have not
> overlooked any details that may be important with regard to this
> document's purpose.
>
> I am not asking the committee to make any judgements, legal or
> otherwise, as to whether cryptographic software can be placed in main,
> nor am I asking the committee to make any presumptions on the outcome
> of this endeavor. We simply need to reflect Debian's current technical
> status in complete detail, in so much as this document's purpose
> requires.

[this is what we've been doing so far]

> I'd like a summary of the committee's suggestions and findings by the
> end of the coming weekend (Sunday, May 17, 2001).

[this is what we need to do now -- wrapping up the vote as soon
as we can, though Sunday is just a suggestion, not a requirement.]

Note that Ben included an sgml version of the document, "for diff'ing".
I'm going to take that as an implication that he'd prefer that we submit
diffs against the sgml document.

Here's "my" first draft at a proposal (scare quotes around "my" because
I included, almost verbatim, a couple paragraphs that Manoj wrote).
Feel free to amend it.  Feel free to submit better drafts (for the
purposes of our voting, I'll formally consider such proposals to be
amendments -- you don't need to include any special language to make
it so).  [I'm not calling for votes yet.]

============================== Proposal A ==============================

*** debian-crypto.sgml	Fri Jun 15 11:31:33 2001
--- debian-crypto-revised.sgml	Fri Jun 15 11:31:03 2001
***************
*** 33,39 ****
      groups that copy the Debian software onto
      <glossterm>mirrors</glossterm> so that people around the world can
      download and use it.  Others make and sell CDs of Debian.  All
!     these groups might be accountable to a greater or lesser extent for the decisions Debian makes.  We want to conduct ourselves in a manner that minimizes the liability for all parties.
   </para>
      <para> As with all operating system vendors, Debian needs to
      include cryptographic software.  This software provides security,
--- 33,42 ----
      groups that copy the Debian software onto
      <glossterm>mirrors</glossterm> so that people around the world can
      download and use it.  Others make and sell CDs of Debian.  All
!     these groups might be accountable to a greater or lesser extent
!     for the decisions Debian makes.  We want to conduct ourselves in
!     a manner that minimizes the liability for all parties and, within
!     that constraint, maximizes the value of our efforts.
   </para>
      <para> As with all operating system vendors, Debian needs to
      include cryptographic software.  This software provides security,
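
Review bot: the one substantive change in this hunk, the added clause "and, within that constraint, maximizes the value of our efforts", is folded into a re-wrap of the long line, so it is easy to miss when reading the diff; sending the re-wrap as a separate change would make the new wording stand out. The phrase "the value of our efforts" is also left undefined in the visible text, so it would help to say whose benefit is meant.
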
***************
*** 43,49 ****
      developers in following export control regulations if they upload
      software to the non-US archive or to prevent them from uploading software.  We would like to
      move cryptographic software from the server outside the US onto
!   our main server in the US.  The rest of this document will
      focus on the main server within the US and on its mirrors and
      copies around the world.  It's important to realize that there is
      currently a parallel structure set up to deal with the non-US server.  </para>
--- 46,69 ----
      developers in following export control regulations if they upload
      software to the non-US archive or to prevent them from uploading software.  We would like to
      move cryptographic software from the server outside the US onto
!     our main server in the US.</para>
! 
!     <para>With the increasing networked nature of the work, and the fact
!     that more and more critical functions are being placed on computing
!     platforms, and the unfortunate growth of mischief and deliberate
!     malice, security is going to be increasingly important. Cryptography
!     is an important corner stone of a number of security processes. Any
!     OS that does not make an effort to seamlessly integrate cryptography
!     is unlikely to be competitive.</para>
!  
!     <para>Putting all software on a single source, and the corresponding
!     ability to create a single set of CD's that have integrated
!     cryptographic support makes it easier for the users, makes it easier
!     for CD vendors, simplifies the task of developers uploading software
!     to these sites, and simplifies the task of replicating the software
!     repositories on the internet.</para>
!  
!     <para>The rest of this document will
      focus on the main server within the US and on its mirrors and
      copies around the world.  It's important to realize that there is
      currently a parallel structure set up to deal with the non-US server.  </para>
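
Review bot: in the first added paragraph, "the increasing networked nature of the work" looks like a slip for "world", and "corner stone" is normally written "cornerstone". In the second added paragraph, "CD's" should be "CDs" to match "make and sell CDs of Debian" earlier in the document. Two of the otherwise empty lines between the new paragraphs also carry a stray trailing space.
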
***************
*** 146,151 ****
--- 166,175 ----
  	  <para>Adding and changing DFSG-free cryptographic software
  	  on our CVS server.</para>
  	</listitem>
+ 	<listitem>
+ 	  <para>Any reactions we'd have to have to any changes in
+ 	  cryptographic regulations (or laws).</para>
+ 	</listitem>
        </itemizedlist>
  </para>
    </sect1>
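
Review bot: the added list item reads awkwardly ("reactions we'd have to have to any changes") and does not match the form of the item before it, which names an activity ("Adding and changing DFSG-free cryptographic software on our CVS server."). Something like "Reacting to any changes in cryptographic laws or regulations." would be parallel and shorter.
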
***************
*** 160,165 ****
--- 184,197 ----
        possible as it creates more work for us and for the government,
        but we want to notify as often   as necessary to follow the
        regulations.  </para>
+       <para> If we move our cryptographic software into this country,
+       and the laws or regulations change to be more restrictive, what
+       are we likely to lose?  Would we have to destroy any software,
+       or CDs?  Would we have to remove it from our master or secondary
+       sites?  If we use the increased availability of cryptographic
+       software to improve the security of the rest of the system, and
+       the cryptographic legal climate worsens, would be likely to have
+       to discard all copies of such software in the U.S.?</para>
        <Para> In order of decreasing preference, we would like
        to notify: 
  	<itemizedlist>
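
Review bot: the new paragraph is inserted between the paragraph about how often to notify and the "In order of decreasing preference, we would like to notify:" list, so its questions about a change in the law interrupt the notification discussion; it would read better after that list or in a place of its own. In its last sentence, "would be likely to have to discard" is missing its subject ("would we be likely"). "this country" should also be "the US", as elsewhere in the document, since the text is read by mirror operators and vendors around the world.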


======================================================================

[Also, informally, we should probably remind Ben that there's a
<glossterm>mirrors</glossterm>, but no definition for that term.]

Thanks,

-- 
Raul


