
(LONG) Correct non-US solution



We are here to make software free.  We can make it free, or we can drive
thorns into our flesh trying to change the minds of uncaring governments.

Our current situation with the non-US section of our distribution is akin to
a form of fruitless martyrdom.  It's painful to us, but doesn't really affect
the policy of any governments involved.

I would like to propose a solution that makes the distribution of
export/import restricted software both painless to us, and as hard as
possible to any collection of entities to stamp out.  And, for citizens who
wish to respect the law of their country, I propose that the same
measures will add simple, automatic facilities for keeping their systems
"legal", configurable dynamically.

The proposal calls for the folding of non-US into the other three
distributions so it disappears without a trace, like the morning dew in the
afternoon sun.  The changes that would make this feasible follow:

Changes to a package's control file:
------------------------------------
Two new fields are added to the control file, Import-Restricted and
Export-Restricted.  These fields take a comma delimited list of countries.

For example,

Package: ssh
Export-Restricted: United States
Import-Restricted: Russia, France

Import-Restricted lists countries where it's illegal to install the software.
The user can do a `touch /etc/LEGAL` to make apt respect Import-Restricted.
Someone might also want to write a "legalize" program to deinstall illegal
software should the feds come a'knocking.  `rm /etc/LEGAL` would allow full
access again.

Export-Restricted determines which mirrors will accept the package for
redistribution.

Changes to /etc
---------------
We add a file called "country" which contains the name of the country the
box is in.  This lets the package software keep the system conformant to the
laws for the particular country it's in.  It also will allow a maintainer to
easily see if a configuration works for a particular country in conjunction
with the "legalize" program.

As mentioned before, there is the "LEGAL" file, which makes the package
software respect the laws of the country it's in if it's present, and if
absent, the software ignores the Import-Restricted field.

Change to dupload and dinstall:
-------------------------------
If the maintainer of a package is in one of the Export-Restricted countries,
refuses to upload the package.  If the server specified is in one of the
Import-Restricted countries, refuses to upload the package.

A package may be uploaded to any of the "official" servers that allow it, by
a maintainer, however the .dsc and .changes file will be uploaded to one
central server (probably master.debian.org) automatically by the script,
from which the Packages files will be generated and Mirrored.

Dinstall will be modified to account for the fact that a package may be on
another server, but the security implications of having an untrusted server
are minimal, given we have md5sums and a rejected Package won't show up in
the Packages file, thus being invisible, should a mirror maintainer decide
to unilaterally move something from Incoming to its appropriate directory
themselves.

The mirroring software will be modified to check its current packages
against the Packages list, and hunt down and download any package it is
allowed to (which it is not Export or Import restricted from) that has
changed.

Thus, server foo in France will not download the ssh package, but if the
maintainer of ssh always uploads to the Incoming on a canada.debian.org, all
mirrors that are allowed to will hit every server in the master.list that
might have the package until it finds the one (canada.debian.org) that has
it.

Changes to apt and dpkg:
---------------
Respect the presence or absence of /etc/LEGAL.  If a selected package is
Import-Restricted, it won't download or install it unless /etc/LEGAL is
missing.

Packages files:  are the same on every mirror, are NOT generated locally. If
a package isn't found on one server, apt automatically hunts for it first,
on servers in sources.list, then on servers in master.list
 
/etc/apt/sources.list will now just be taken as hints: downloads and
Packages updates will be attempted from the sites in the file, but failure
of those servers is no longer fatal; downloads will be attempted from
master.list

/usr/share/apt/master.list will contain a list of all official debian
mirrors in the same format as sources.list, with the exception that the name
of the country the server is in will be prepended to each line.  However,
the meaning of the entries is slightly different; it is a "what I provide
and where to find it" entry, as opposed to a "look here for this" entry.

This:
canada deb http://http.ca.debian.org/debian bo main
is the entry for a Canadian server that just provides the main section of
the bo release.

This:
france deb http://http.fr.debian.org/t/debian unstable main contrib non-free
france deb http://http.fr.debian.org/gin/borsch stable main contrib non-free
are the entries for a server that provides whatever is the main contrib and
nonfree sections of the current unstable, and ditto for stable, but in
different base directories.

/usr/share/apt/aliases will contain the current mapping between stable,
frozen, unstable, and their corresponding distributions (bo, hamm,
potato...) It will have the format "frozen=foo stable=bar unstable=baz"

Mirroring Software:
-------------------
I'm not sure what software is currently used for synchronizing mirrors,
however, it will need to take the above policies into account.  Hopefully
our additions to the policy will make it so much easier to "stay legal" and
avoid worries about legalities that the maintainers will wish to use such
software.

Conclusion: 
-----------
The benefits of this approach to our end users, and to the world in general
are so munificent that nothing hitherto mentioned in public would mitigate
against our adoption of the above as policy.  As a humble maintainer, I
would like to thank my fellow developers for their work on this
distribution, and ask their honest opinions on what I've said.

We have been changing the world for the better by providing quality software
in our own quiet way. It is my hope that we can extend this tradition by
eliminating the non-US section from our distribution.

When a piece of software is declared illegal, it is one more chink in the
mortar that binds our community together.  By distributing this software on
to every mirror possible, we strengthen ourselves as much as possible.  The
current situation with non-US limits the mirrors that carry software that is
only illegal in a few countries.  The proposed situation would maximize
availability for everyone, and hopefully highlight the fruitlessness of
current restrictions, without any of the current pain.

Yours,

Jonathan Walther
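
The following Python example is added here; it is not part of the original message and is not code from dupload, dinstall, apt or any mirror tool. It implements the checks the proposal describes: parsing the two new control fields and the country-prefixed master.list lines, then deciding which mirrors may carry a package, whether an upload is accepted, and whether apt installs it given /etc/country and /etc/LEGAL. Assumptions: country names compare case-insensitively, the country in a master.list line is everything before " deb ", and the third master.list entry (with its URL) is constructed.

```python
CONTROL = """Package: ssh
Export-Restricted: United States
Import-Restricted: Russia, France
"""
# Constructed sample; the third line and its URL are hypothetical.
MASTER_LIST = """canada deb http://http.ca.debian.org/debian bo main
france deb http://http.fr.debian.org/t/debian unstable main contrib non-free
united states deb http://mirror.example.org/debian bo main
"""

def norm(country):
    # Assumption: country names compare case-insensitively.
    return " ".join(country.lower().split())

def parse_control(text):
    """Parse one control stanza; restriction fields become sets of countries."""
    pkg = {"Export-Restricted": set(), "Import-Restricted": set()}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key in ("Export-Restricted", "Import-Restricted"):
            pkg[key] = {norm(c) for c in value.split(",") if c.strip()}
        else:
            pkg[key] = value.strip()
    return pkg

def parse_master_list(text):
    """Return (country, url, dist, sections) tuples, one per master.list line."""
    out = []
    for line in text.splitlines():
        country, sep, rest = line.partition(" deb ")
        parts = rest.split()
        if sep and len(parts) >= 3:
            out.append((norm(country), parts[0], parts[1], parts[2:]))
    return out

def mirror_may_carry(pkg, mirror_country):
    # A mirror fetches only what it is neither Export nor Import restricted from.
    c = norm(mirror_country)
    return c not in pkg["Export-Restricted"] and c not in pkg["Import-Restricted"]

def upload_allowed(pkg, maintainer_country, server_country):
    # dupload refuses if the maintainer is in an Export-Restricted country
    # or the target server is in an Import-Restricted one.
    return (norm(maintainer_country) not in pkg["Export-Restricted"]
            and norm(server_country) not in pkg["Import-Restricted"])

def may_install(pkg, country, legal_file_present):
    # apt honours Import-Restricted only while /etc/LEGAL exists.
    return not (legal_file_present and norm(country) in pkg["Import-Restricted"])

def carriers(pkg, mirrors):
    return [m[1] for m in mirrors if mirror_may_carry(pkg, m[0])]
```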

