Hello world,

So, crypto-in-main is a happening thing, as those of you who happened to look at the changelog of gnupg or libssl in today's i386/unstable upgrade will have noticed.

The deal is this. Ages ago (January 2000?) the US government decided that cryptographic software was actually already available outside the US and that it wouldn't matter too much if the controls were relaxed. So they were, to the point where open source cryptographic software can be exported from the US, as long as you notify the Bureau of Export Administration. Of course, the changes are a twisty morass of regulations, all different, so unlike some other free software groups, Debian's been reluctant to just go ahead and start doing it.

Mid last year, we got serious about getting legal advice to actually get this done, and late last year we actually got appropriate advice from a competent attorney that satisfied our qualms, and in the past few months, we finished the requisite changes to our archive software, and in the past few days, we actually went ahead and put cryptographic software (namely openssl, openssh and gnupg) in the archive.

For reference:

  Legal advice:
    http://www.debian.org/legal/cryptoinmain
  Archive changes:
    http://lists.debian.org/debian-devel-announce/2002/debian-devel-announce-200202/msg00006.html
  Mirror notification:
    http://lists.debian.org/debian-mirrors/2002/debian-mirrors-200202/msg00001.html
  Notifications:
    http://ftp-master.debian.org/crypto-in-main/

What this basically means is that we're now willing to accept cryptographic software uploaded to ftp-master (ftp.debian.org as opposed to nonus.debian.org, auric as opposed to pandora, main as opposed to non-US/main), with the following caveats:

 * This is only for packages in main, not contrib, nor non-free.

 * For woody, we're only accepting packages that've already been in non-US. eg, while it would be nice to just have an SSL enabled postfix in main, we're instead going to play it safe and leave postfix without SSL, and have postfix-tls (with SSL) sitting in the archive next to it. Naturally, this restriction will be lifted after woody's released.

 * Your initial upload should do as little as possible other than move the package to main. Uploads that do nothing but change the Section: from non-US to one of the main sections will be approved fairly quickly.

 * You should refrain from uploading to main until everything your package depends upon has also been uploaded to main.

 * There are a whole bunch of GPLed programs that link against libssl. This isn't okay, see the OpenSSL FAQ's response: http://www.openssl.org/support/faq.html#LEGAL2 We've been lax about this in the past; we'll try to get this right as packages are uploaded to main.

 * There're a number of packages with patent problems and similar; these either should have the patented code removed, or shouldn't be moved from non-US for the moment. OpenSSL has had its patented sections removed (matching what Red Hat does) for a while now, for reference.

Hopefully that covers everything. Mainly, be careful, don't give yourself any room to make any mistakes.

What happens once you've uploaded is this:

 * The package gets moved from /org/ftp.debian.org/queue/unchecked to queue/new (within about 15m of the upload), and everything but the .changes is made readable only by ftpmaster to ensure any crypto software doesn't get accidentally exported before it's been notified about.

 * ftpmaster processes the new package, checks its copyright, and adds the overrides. We'll be grepping for "moved into main" or so to make this a bit quicker.

 * The archive software sends off the appropriate notifications, moves the package to queue/accepted (which is visible on http://incoming.debian.org/) and makes it readable. The email notification to crypt@bxa.doc.gov goes straight there; the printed notifications are being batched up and posted weekly.

 * Once a day, everything in queue/accepted gets moved into the archive proper and mirrored.

Kudos particularly go to:

  Ben Collins (as DPL) for getting something actually happening.
  Sam Hartman for preparing all the questions for the lawyer.
  Hewlett-Packard Linux Systems Operation for helping us obtain expert legal advice in the area.
  LaMont Jones for liaising with said expert lawyer.
  James Troup for redoing the archive structure so we don't have to expect everyone on the Internet to help us avoid breaking the export regulations.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``Debian: giving you the power to shoot yourself in each toe individually.''
                                                -- with kudos to Greg Lehey
Attachment:
pgpOoNPHMTGJs.pgp
Description: PGP signature
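The queue/new holding pattern described in the mail (everything but the .changes unreadable until the export notification has gone out, then released to queue/accepted) is worth seeing as code, because the point is least privilege on the staged files rather than on the upload path. The script below is an added example and is not Debian's archive software; it models the flow with a throw-away queue directory. Assumptions: the queue layout (unchecked/new/accepted) and the "moved into main" marker come from the mail, the upload's file list is read from the Files: field of the .changes (the real field, parsed with awk), the sample .changes and its checksums are constructed placeholders, and "readable only by ftpmaster" is approximated with mode 0600 because a sandbox cannot chown to an ftpmaster account.

```shell
#!/bin/sh
# Added example of the queue/new hold-then-release flow; not Debian's own
# archive code. Queue layout and the "moved into main" marker follow the
# announcement; ownership is simplified to file modes (assumption).
set -e

# Throw-away queue root so the script can run anywhere.
QUEUE="${QUEUE:-$(mktemp -d)}"

# Print the file names listed under the Files: field of a .changes.
# Each entry is " md5sum size section priority filename".
changes_files() {
    awk '/^Files:/ {infiles = 1; next}
         /^[^ ]/  {infiles = 0}
         infiles && NF >= 5 {print $5}' "$1"
}

# Construct a fake upload in queue/unchecked; returns the .changes path.
# Checksums below are placeholders, not real digests.
make_sample_upload() {
    name="$1"
    mkdir -p "$QUEUE/unchecked"
    echo "fake source" > "$QUEUE/unchecked/${name}_1.0-1.dsc"
    echo "fake tarball" > "$QUEUE/unchecked/${name}_1.0.orig.tar.gz"
    cat > "$QUEUE/unchecked/${name}_1.0-1_i386.changes" <<EOF
Format: 1.7
Source: $name
Version: 1.0-1
Distribution: unstable
Changes:
 $name (1.0-1) unstable; urgency=low
 .
   * Moved into main from non-US; no other changes.
Files:
 00000000000000000000000000000000 12 libs optional ${name}_1.0-1.dsc
 00000000000000000000000000000000 13 libs optional ${name}_1.0.orig.tar.gz
EOF
    echo "$QUEUE/unchecked/${name}_1.0-1_i386.changes"
}

# Stage an upload into queue/new: every file from Files: becomes
# owner-only (0600) so nothing can be fetched before notification;
# only the .changes stays world-readable (0644).
stage_upload() {
    changes="$1"
    src=$(dirname "$changes")
    mkdir -p "$QUEUE/new"
    for f in $(changes_files "$changes"); do
        chmod 0600 "$src/$f"
        mv "$src/$f" "$QUEUE/new/"
    done
    chmod 0644 "$changes"
    mv "$changes" "$QUEUE/new/"
}

# Fast-track hint: true when the changelog says the upload only moves
# the package into main (the grep the announcement mentions).
is_move_only() {
    grep -qi "moved into main" "$1"
}

# After the notification has been sent: release everything to
# queue/accepted and make it readable again.
release_upload() {
    changes="$1"
    src=$(dirname "$changes")
    mkdir -p "$QUEUE/accepted"
    for f in $(changes_files "$changes") "$(basename "$changes")"; do
        chmod 0644 "$src/$f"
        mv "$src/$f" "$QUEUE/accepted/"
    done
}

# Portable permission string, e.g. "-rw-------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demo run: stage, inspect, release.
changes=$(make_sample_upload demo)
stage_upload "$changes"
staged="$QUEUE/new/$(basename "$changes")"
if is_move_only "$staged"; then
    echo "fast-track candidate: $staged"
fi
echo "held:     $(mode_of "$QUEUE/new/demo_1.0-1.dsc")"
release_upload "$staged"
echo "released: $(mode_of "$QUEUE/accepted/demo_1.0-1.dsc")"
```

The design choice worth noting is that the hold is enforced on the artefacts, not by hiding the directory: the .changes stays readable so the upload can be seen and reviewed, while the .dsc, tarball and any .deb are unreadable to everyone but the archive owner until release_upload runs after the notification step.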