[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: need decision on packages with crypto hooks



On Mar 26, Christian Schwarz wrote
> The problem:
[...]
>  * Example 2: mutt's author don't want to export these hooks out of the
> US--but someone else did accidentially.

Not accidently: the way mutt is distributed prevents accidental download of
the ITAR-troubled code. 

> I see the following options:
[1. Lawyer assurance 2. Two versions 3. Move to non-US]

I have mentioned a fourth option before, but probably not very clearly.
I'll try to explain it clearly this time:
- have the packaged maintained by non-US maintainers,
- have them uploaded to a debian-non-US site
- _imported_ into the US (not covered by ITAR AFAIK)
- made available inside the US through FTP as follows:
  - on the regular FTP site, (possibly, but not necessarily with special 
    access restrictions [*])
  - put in a dir under a "private" dir with drwx--x--x rights, whose name is 
    revealed in a README.US-only, which explains that you are not allowed to
    download stuff from that dir from outside the US.

There is precedent for this option:
- It is the way mutt's author has chosen to make the PGP-hooked version
  available:
  ftp://ftp.cs.hmc.edu/pub/me/ has a US-only subdir, drwx--x--x and a
  README.US-only giving the name of the dir hidden under US-only.
- From a quick inspection, the distribution of kerberos from 
  ftp://ftp.gnu.ai.mit.edu/pub/kerberos works in similar fashion: 
  from KERBEROS.FAQ:
  | (1.3) Where can I get Kerberos version 4 or 5?
  | In the United States and Canada (*), Kerberos is available via anonymous
  | FTP from athena-dist.mit.edu (18.71.0.38). For specific instructions, cd
  | to pub/kerberos and get the file README.KRB4 (for version 4) or
  | README.KRB5_BETA5 (for version 5). Note that *YOU WILL NOT BE ABLE TO
  | RETRIEVE KERBEROS WITHOUT READING THIS FILE*.
  And of course, both these READMEs have
  | Export of this software from the United States of America may require a
  | specific license from the United States Government.  It is the
  | responsibility of any person or organization contemplating export to
  | obtain such a license before exporting.
  prominently at the top.

[*] E.g: PGP from ftp://bitsy.mit.edu/pub/pgp/ :
  | In order for the procedure to work, you must be coming from an ftp
  | client whose IP address can be reversed resolved into a legal DNS
  | name.  Furthermore, the DNS name must either be "obviously" from the
  | U.S., or is on a special exception list.

The advantages I see in this option are:
- it is convenient, both for users and developers:
  - for developers: only one version needs to be maintained.
  - for users: both US and non-US users can get the packages without
    having to go to two FTP sites.
- it makes it clear that we are concerned about ITAR, and take reasonable
  precautions to prevent crypto-export from the US.
- it followes precedent by other organizations and persons faced with
  similar problems.

Greetings,
Ray
-- 
ART  A friend of mine in Tulsa, Okla., when I was about eleven years old. 
I'd be interested to hear from him. There are so many pseudos around taking 
his name in vain. 
- The Hipcrime Vocab by Chad C. Mulligan 

Attachment: pgpPrVsq4hAVU.pgp
Description: PGP signature


Reply to: