Re: ITP: libmpeg3 -- an mpeg audio and video decoding library
On Sun, 1 Apr 2001, Joshua Haberman wrote:
> * Brian Ristuccia (brian@ristuccia.com) wrote:
> > On Sun, Apr 01, 2001 at 07:06:57PM -0700, Joshua Haberman wrote:
> > > There is one legality issue regarding this library: it contains DeCSS
> > > code. The tarball contains a stub file that can be substituted for the
> > > source file containing DeCSS code, however the upstream tarball will
> > > still have the DeCSS code in it. How should I resolve this?
> > libcss and other CSS implementations contain cryptography, so it needs to go
> > in non-us unless you complete a BXA export notification form.
> I was just planning to strip the CSS code from the archive altogether to
> sidestep the issue, because I assumed distributing CSS code would be a
> no-no.
> But if I left it in and sectioned it as non-us/main, would I even be
> able to legally package it as a person located in the borders of the US?
> What's the difference between me uploading it to Netherlands and a user
> from the Netherlands apt-get'ting it from a US mirror? I suppose this is
> a basic question, but I couldn't find it in any of the references or
> guides.
If you upload it to the Netherlands, you are personally doing the exporting,
and if the government goes after anyone, it's you.
If you upload it to a server in the US and people in the Netherlands download
it from there, there's a possibility that Debian would be held responsible for
any 'illicit' exports.
Since Debian as a group has not made a decision yet to integrate crypto into
main (i.e., has not decided yet to accept the potential liability that comes
from exporting cryptographic software), it is my understanding that, BXA
announcement or not, you should not upload crypto to main.  As an individual,
however, you are free to upload crypto software to non-US; in which case, you
personally are the agent responsible for exporting the software, and you
should take steps to ensure that you comply with current export laws.
That at least is my understanding of the current state of affairs.  If my
understanding is out-of-date, and BXA notification is indeed now considered
sufficient for developers to upload cryptographic code to main, I welcome
someone to correct me.
Steve Langasek
postmodern programmer