
Cryptographic software in main archive

Hello world,

So, crypto-in-main is a happening thing, as those of you who happened
to look at the changelog of gnupg or libssl in today's i386/unstable
upgrade will have noticed.

The deal is this. Ages ago (January 2000?) the US government decided
that cryptographic software was actually already available outside
the US and that it wouldn't matter too much if the controls were
relaxed. So they were, to the point where open source cryptographic
software can be exported from the US, as long as you notify the Bureau
of Export Administration.  Of course, the changes are a twisty morass of
regulations, all different, so unlike some other free software groups,
Debian's been reluctant to just go ahead and start doing it. Mid last
year, we got serious about getting legal advice to actually get this
done, and late last year we actually got appropriate advice from a
competent attorney that satisfied our qualms, and in the past few months,
we finished the requisite changes to our archive software, and in the
past few days, we actually went ahead and put cryptographic software
(namely openssl, openssh and gnupg) in the archive.

For reference:

  Legal advice: http://www.debian.org/legal/cryptoinmain

  Archive changes: http://lists.debian.org/debian-devel-announce/2002/

  Mirror notification: http://lists.debian.org/debian-mirrors/2002/

  Notifications: http://ftp-master.debian.org/crypto-in-main/

What this basically means is that we're now willing to accept
cryptographic software uploaded to ftp-master (ftp.debian.org as opposed
to nonus.debian.org, auric as opposed to pandora, main as opposed to
non-US/main), with the following caveats:

	* This is only for packages in main, not contrib, nor non-free

	* For woody, we're only accepting packages that've already been
	  in non-US. e.g., while it would be nice to just have an SSL
	  enabled postfix in main, we're instead going to play it safe
	  and leave postfix without SSL, and have postfix-tls (with SSL)
	  sitting in the archive next to it. Naturally, this restriction
	  will be lifted after woody's released.

	* Your initial upload should do as little as possible other than
	  move the package to main. Uploads that do nothing but change
	  the section: from non-US to one of the main sections will be
	  approved fairly quickly.

	* You should refrain from uploading to main until everything your
	  package depends upon has also been uploaded to main.

	* There are a whole bunch of GPLed programs that link against
	  libssl. This isn't okay, see the OpenSSL FAQ's response:
	  We've been lax about this in the past, we'll try to get this
	  right as packages are uploaded to main.

	* There're a number of packages with patent problems and similar,
	  these either should have the patented code removed, or
	  shouldn't be moved from non-US for the moment. OpenSSL has
	  had its patented sections removed (matching what Red Hat does)
	  for a while now, for reference.

Hopefully that covers everything. Mainly, be careful, don't give yourself
any room to make any mistakes.

What happens once you've uploaded is this:

	* The package gets moved from /org/ftp.debian.org/queue/unchecked
	  to queue/new (within about 15m of the upload), and everything
	  but the .changes is made readable only by ftpmaster to ensure
	  any crypto software doesn't get accidentally exported before
	  it's been notified about.

	* ftpmaster processes the new package, checks its copyright, and
	  adds the overrides. We'll be grepping for "moved into main"
	  or so to make this a bit quicker.

	* The archive software sends off the appropriate notifications,
	  moves the package to queue/accepted (which is visible on
	  http://incoming.debian.org/) and makes it readable. The email
	  notification to crypt@bxa.doc.gov goes straight there, the
	  printed notifications are being batched up and posted weekly.

	* Once a day, everything in queue/accepted gets moved into
	  the archive proper and mirrored.

Kudos particularly go to:

	Ben Collins (as DPL) for getting something actually happening.

	Sam Hartman for preparing all the questions for the lawyer.

	Hewlett-Packard Linux Systems Operation for helping us obtain
	  expert legal advice in the area.

	LaMont Jones for liaising with said expert lawyer.

	James Troup for redoing the archive structure so we don't have to
	  expect everyone on the Internet to help us avoid breaking the
	  export regulations.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

  ``Debian: giving you the power to shoot yourself in each 
       toe individually.'' -- with kudos to Greg Lehey
