On Mar 26, Christian Schwarz wrote
> The problem:
[...]
> * Example 2: mutt's author doesn't want to export these hooks out of the
> US--but someone else did accidentally.
Not accidentally: the way mutt is distributed prevents accidental download of
the ITAR-troubled code.
> I see the following options:
[1. Lawyer assurance 2. Two versions 3. Move to non-US]
I have mentioned a fourth option before, but probably not very clearly.
I'll try to explain it clearly this time:
- have the packages maintained by non-US maintainers,
- have them uploaded to a debian-non-US site
- _imported_ into the US (not covered by ITAR AFAIK)
- made available inside the US through FTP as follows:
- on the regular FTP site, (possibly, but not necessarily with special
access restrictions [*])
- put in a dir under a "private" dir with drwx--x--x rights, whose name is
revealed in a README.US-only, which explains that you are not allowed to
download stuff from that dir from outside the US.
There is precedent for this option:
- It is the way mutt's author has chosen to make the PGP-hooked version
available:
ftp://ftp.cs.hmc.edu/pub/me/ has a US-only subdir, drwx--x--x and a
README.US-only giving the name of the dir hidden under US-only.
- From a quick inspection, the distribution of kerberos from
ftp://ftp.gnu.ai.mit.edu/pub/kerberos works in similar fashion:
from KERBEROS.FAQ:
| (1.3) Where can I get Kerberos version 4 or 5?
| In the United States and Canada (*), Kerberos is available via anonymous
| FTP from athena-dist.mit.edu (18.71.0.38). For specific instructions, cd
| to pub/kerberos and get the file README.KRB4 (for version 4) or
| README.KRB5_BETA5 (for version 5). Note that *YOU WILL NOT BE ABLE TO
| RETRIEVE KERBEROS WITHOUT READING THIS FILE*.
And of course, both these READMEs have
| Export of this software from the United States of America may require a
| specific license from the United States Government. It is the
| responsibility of any person or organization contemplating export to
| obtain such a license before exporting.
prominently at the top.
[*] E.g: PGP from ftp://bitsy.mit.edu/pub/pgp/ :
| In order for the procedure to work, you must be coming from an ftp
| client whose IP address can be reversed resolved into a legal DNS
| name. Furthermore, the DNS name must either be "obviously" from the
| U.S., or is on a special exception list.
The advantages I see in this option are:
- it is convenient, both for users and developers:
- for developers: only one version needs to be maintained.
- for users: both US and non-US users can get the packages without
having to go to two FTP sites.
- it makes it clear that we are concerned about ITAR, and take reasonable
precautions to prevent crypto-export from the US.
- it follows precedent by other organizations and persons faced with
similar problems.
Greetings,
Ray
--
ART A friend of mine in Tulsa, Okla., when I was about eleven years old.
I'd be interested to hear from him. There are so many pseudos around taking
his name in vain.
- The Hipcrime Vocab by Chad C. Mulligan
Attachment:
pgpWAGhW19Is3.pgp
Description: PGP signature
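The drwx--x--x layout Ray describes above (a directory you may traverse but not list, whose subdirectory name is only given in a README) can be reproduced and checked locally. The script below is an added example, not part of the original mail nor of any of the FTP sites it cites; the directory names "US-only" and "crypto-hidden" and the file "mutt-pgp.tar.gz" are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the mail above): build the "traverse-only"
# directory layout in a scratch root and check what it does and does not
# prevent.  All names here are illustrative assumptions.

# Create <root>/US-only (mode 0711, drwx--x--x), a README naming the
# hidden subdirectory, and the hidden subdirectory with a package in it.
make_usonly_tree() {
    root="$1"
    mkdir -p "$root/US-only/crypto-hidden"
    printf 'package contents\n' > "$root/US-only/crypto-hidden/mutt-pgp.tar.gz"
    printf 'Export of this software from the United States may require a license.\n' \
        > "$root/US-only/README.US-only"
    printf 'The hidden directory is named: crypto-hidden\n' \
        >> "$root/US-only/README.US-only"
    chmod 755 "$root/US-only/crypto-hidden"   # normal, listable subdir
    chmod 711 "$root/US-only"                 # drwx--x--x: x but no r
}

# Print the 10-character mode string of a path, e.g. drwx--x--x.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeed (exit 0) iff the directory can be listed with ls.
can_list() {
    ls "$1" >/dev/null 2>&1
}

# Fetch a file by its full, known path, the way a user who has read the
# README would: <root>/US-only/<hidden>/<file>.
fetch_by_name() {
    cat "$1/US-only/$2/$3"
}

# Demonstration: what the 0711 directory blocks and what it allows.
demo() {
    scratch=$(mktemp -d)
    make_usonly_tree "$scratch"
    echo "US-only mode:            $(mode_of "$scratch/US-only")"
    if can_list "$scratch/US-only"; then
        echo "listing US-only:         allowed (root ignores directory modes)"
    else
        echo "listing US-only:         denied"
    fi
    echo "listing crypto-hidden:   $(can_list "$scratch/US-only/crypto-hidden" && echo allowed || echo denied)"
    echo "fetch by known name:     $(fetch_by_name "$scratch" crypto-hidden mutt-pgp.tar.gz)"
    rm -rf "$scratch"
}

demo
```

Note what the check shows: mode 0711 stops an anonymous client from discovering the subdirectory by listing, but anyone who already knows (or guesses) the name retrieves the file as usual, and the owner or root is never blocked. The layout is therefore a "you must read the README first" gate, as in the MIT Kerberos instructions quoted above, not an access control; the reverse-DNS filter in the bitsy.mit.edu footnote is the additional measure that actually restricts who can connect.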