On Mar 26, Christian Schwarz wrote
> The problem:
> [...]
> * Example 2: mutt's author doesn't want to export these hooks out of the
> US--but someone else did accidentally.

Not accidentally: the way mutt is distributed prevents accidental download
of the ITAR-troubled code.

> I see the following options:
[1. Lawyer assurance 2. Two versions 3. Move to non-US]

I have mentioned a fourth option before, but probably not very clearly.
I'll try to explain it clearly this time:

- have the packages maintained by non-US maintainers,
- have them uploaded to a debian-non-US site,
- _imported_ into the US (not covered by ITAR AFAIK),
- made available inside the US through FTP as follows:
  - on the regular FTP site (possibly, but not necessarily, with special
    access restrictions [*]),
  - put in a dir under a "private" dir with drwx--x--x rights, whose name
    is revealed in a README.US-only, which explains that you are not
    allowed to download stuff from that dir from outside the US.

There is precedent for this option:

- It is the way mutt's author has chosen to make the PGP-hooked version
  available: ftp://ftp.cs.hmc.edu/pub/me/ has a US-only subdir,
  drwx--x--x, and a README.US-only giving the name of the dir hidden
  under US-only.

- From a quick inspection, the distribution of kerberos from
  ftp://ftp.gnu.ai.mit.edu/pub/kerberos works in similar fashion; from
  KERBEROS.FAQ:

  | (1.3) Where can I get Kerberos version 4 or 5?
  | In the United States and Canada (*), Kerberos is available via anonymous
  | FTP from athena-dist.mit.edu (18.71.0.38). For specific instructions, cd
  | to pub/kerberos and get the file README.KRB4 (for version 4) or
  | README.KRB5_BETA5 (for version 5). Note that *YOU WILL NOT BE ABLE TO
  | RETRIEVE KERBEROS WITHOUT READING THIS FILE*.

  And of course, both these READMEs have

  | Export of this software from the United States of America may require a
  | specific license from the United States Government. It is the
  | responsibility of any person or organization contemplating export to
  | obtain such a license before exporting.

  prominently at the top.

[*] E.g. PGP from ftp://bitsy.mit.edu/pub/pgp/ :

  | In order for the procedure to work, you must be coming from an ftp
  | client whose IP address can be reversed resolved into a legal DNS
  | name. Furthermore, the DNS name must either be "obviously" from the
  | U.S., or is on a special exception list.

The advantages I see in this option are:

- it is convenient, both for users and developers:
  - for developers: only one version needs to be maintained.
  - for users: both US and non-US users can get the packages without
    having to go to two FTP sites.
- it makes it clear that we are concerned about ITAR, and take reasonable
  precautions to prevent crypto-export from the US.
- it follows precedent by other organizations and persons faced with
  similar problems.

Greetings,
Ray
--
ART  A friend of mine in Tulsa, Okla., when I was about eleven years old.
I'd be interested to hear from him. There are so many pseudos around
taking his name in vain.
    - The Hipcrime Vocab by Chad C. Mulligan
Attachment:
pgpWAGhW19Is3.pgp
Description: PGP signature
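The mechanism Ray's fourth option relies on is a Unix permission detail: a directory with mode drwx--x--x (0711) can be traversed but not read, so a subdirectory inside it is reachable only by someone who already knows its name, for example from the README.US-only that sits outside it. The script below is an added example, not part of the original message or of any of the FTP sites it cites; it builds a throwaway layout under a temporary directory (the path names, the hidden directory name k7x2q9 and the file contents are all made up for illustration) and checks the two properties the scheme depends on: the hidden directory cannot be listed, yet a file under it can be read by anyone who knows the path.

```shell
#!/bin/sh
# Added example (not from the original message): the drwx--x--x
# "hidden subdirectory" layout. Names under $layout are assumptions.
set -u

# Build: pub/README.US-only (readable, reveals the name) and
#        pub/US-only/<hidden>/<file> with US-only set to 0711.
# Prints the temporary root so callers can inspect and clean it up.
setup_layout() {
    layout=$(mktemp -d)
    mkdir -p "$layout/pub/US-only/k7x2q9"
    printf 'constructed sample archive\n' \
        > "$layout/pub/US-only/k7x2q9/mutt-pgp-hooks.tar.gz"
    printf 'Do not download from outside the US. Directory: k7x2q9\n' \
        > "$layout/pub/README.US-only"
    chmod 711 "$layout/pub/US-only"   # x without r: traverse, no listing
    echo "$layout"
}

# Can a client enumerate the names under US-only?
# Prints "listable" or "not-listable". (opendir() needs read permission.)
check_listing() {
    if ls "$1/pub/US-only" >/dev/null 2>&1; then
        echo listable
    else
        echo not-listable
    fi
}

# Can a client who knows the directory name fetch the file?
# Prints "reachable" or "unreachable". (access() only needs x on each
# path component, which 0711 grants.)
check_known_path() {
    if [ -r "$1/pub/US-only/$2/mutt-pgp-hooks.tar.gz" ]; then
        echo reachable
    else
        echo unreachable
    fi
}

# Stand-alone demonstration.
demo() {
    root=$(setup_layout)
    echo "README says: $(cat "$root/pub/README.US-only")"
    echo "listing US-only:          $(check_listing "$root")"
    echo "known name k7x2q9:        $(check_known_path "$root" k7x2q9)"
    echo "guessed name secret:      $(check_known_path "$root" secret)"
    rm -rf "$root"
}
```

One caveat a practitioner should keep in mind: the protection comes from discretionary mode bits, so it only holds while the FTP daemon serves anonymous users as an unprivileged account. Root (or a daemon that does not drop privileges) ignores the missing read bit and lists the directory normally, which is why the listing check in the test below is skipped when run as root.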