
need decision on packages with crypto hooks





Hi Daniel!

There was a long discussion about "packages with crypto hooks" without a
result. J.H.M.Dassen, the maintainer of mutt, asked me as Policy Manager
to make that decision but I don't think I'm authoritative for this.

Note that I don't really want to start the discussion again.

Here are the details:

References:
 * Bug #7257
 * Thread "copyright/export issues for mailers with pgp hooks (bug #7257)"
in debian-devel

The problem:
 * The US law "ITAR" restricts export of crypto software.
 * It is unclear to all developers so far if this law applies to "crypto
programs" only or to programs with "crypto hooks" (i.e. support/interface
to crypto programs) too.
 * Example 1: NCSA or Mosaic (the developer didn't know) took PGP hooks
out of their httpd.
 * Example 2: mutt's author doesn't want to export these hooks out of the
US--but someone else did accidentally.

Packages affected:
 * most (if not all) email programs (elm, mutt, pinepgp, mh, etc.)
 * other programs with email capabilities (emacs, etc.)
 * other programs with crypto hooks (perl with PGP i/f?, etc.)

I see the following options:
 
 1. We find a US-lawyer that can assure us that exporting the hooks only
is not a problem. We could leave the packages on the master site (and move
mutt from non-us to master) then.
  ==> Everything would be easy for us and also for the users, but we risk
having to fight for our decision (i.e. if a court doesn't believe us).
I'm not sure if this is appropriate.

 2. We create two versions of all affected programs, one with the crypto
hook and one without. The latter could be kept on master while the first
has to go to our non-us site.
  ==> Much work for us and confusion to our users. But this is a safe way
for us.

 3. We move all affected programs to the non-us site.
  ==> Not much work for us but a _big_ confusion to our users.


Open questions:
 * How are our competitors (RedHat, etc.) handling this?
 * Is there a Debian lawyer that could answer this?
 * What are our criteria for programs with crypto hooks, i.e. is emacs an
affected program?


Please: I don't want to start the discussion again since the old one
didn't bring us to a solution. But if I made any mistakes in my summary or
if I forgot something important everyone should feel free to speak up NOW! 

I've got the whole discussion of debian-devel here in my mail archive. So
if someone needs to get the files I can make them available (they should
also be accessible through master's mail archive).


Thanks for your time,

Chris

- --          _,,     Christian Schwarz
           / o \__   schwarz@monet.m.isar.de, schwarz@schwarz-online.com,
           !   ___;   schwarz@debian.org, schwarz@mathematik.tu-muenchen.de
           \  /        
  \\\______/  !        PGP-fp: 8F 61 EB 6D CF 23 CA D7  34 05 14 5C C8 DC 22 BA
   \          /         http://fatman.mathematik.tu-muenchen.de/~schwarz/
- -.-.,---,-,-..---,-,-.,----.-.-
  "DIE ENTE BLEIBT DRAUSSEN!"



