Re: Bug#128666: Depending on non-US libs
On Sat, Jan 26, 2002 at 06:05:33PM -0500, Matt Zimmerman wrote:
> As I understand it, software which links with crypto libs must (still) be
> uploaded to non-US. I have packaged the ARIS Extractor from SecurityFocus,
> which links with libcurl to perform an HTTPS POST request. Though it seems
> to run fine with non-SSL libcurl, it cannot fulfill its intended purpose
> without SSL support.
>
> Should I:
>
> 1. Leave the dependencies as determined by the shlibs file from libcurl,
> which says that either libcurl or libcurl-ssl is OK, and upload to main.
> There is nothing in ARIS Extractor which could even be considered a hook
> to something definitively cryptographic, so this should be legal, yes?
> Of course, the software would not be useful without libcurl-ssl, and that
> is undesirable.
I'm not sure, but packages that link against libraries like SSL use encryption
implicitly. Since the source doesn't contain crypto, I guess a fairly safe
bet is to UL source only and let the autobuilder build all these things.
> 2. Depend on libcurl-ssl only and upload to non-US. Is this legal? (I am in
> the US, but ARIS Extractor contains no crypto)
Anyone can UL to non-US. IMHO at least.
> 3. Hand off the package to someone in the free world
This is the _safe_ choice.. but not convenient. There are too many
barely legal things and the US govt. does not seem to think before passing
these laws. Thank god I live in Canada.
Heck, how will encryption be handled in the days of Quantum computing?
HTTPS=HTTP unless new encryption stuff is thought about. Maybe something
with fractal encryption? But that's not related to your post :)
- Adam
PS. It might be a good question for debian-legal.