[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: mutt no longer in non-us?

On Thu, Nov 18, 1999 at 02:00:34AM -0800, Brian Behlendorf wrote:
> Just to make clear I'm understanding the situation; does mutt have
> anything that could be interpreted as "hooks" to encryption, even if it
> doesn't have crypto code as part of the package?  Or are scripts &
> instructions on how to add crypto to the base product provided separately
> from a non-us package?  If the former, unless something has changed, the
> U.S. considers that a crypto product.  If the latter, you're OK.  That's
> why vi/emacs/shells/kernels wouldn't be called crypto products, so long as
> they have no direct hooks themselves to encryption routines.

It will run pgp if you tell it to.  It has the support for it if you
choose to use it.

But then arguably so does bash.

> Of course, if the U.S. recently said that hooks to crypto is OK, then that
> would be cool too.  But this "hook" business is why we can't have SSL
> directives & routines in the base Apache distrib, even if we told people
> to bring over OpenSSL separately.

If you think about prime numbers near the Mexican borders the US could try
to say you're exporting crypto.  We made the decision that a simple "run
this seperate program and pipe output back to me" cannot reasonably be
considered encryption hooks.

If such is allowed to be considered encryption we must also conclude that
bash contains encryption hooks (as it too will optionally run pgp and read
its output) and so would any program which may run any arbitrary binary
and pipe its output someplace useful.

And frankly speaking for only myself as a citizen of the US and not as a
developer here, the US government can shove their crypto regs someplace
unpleasant---I refuse to comply with them on the grounds that they are an
affront to the protections guaranteed me under the first, fourth, and
fifth ammendments to the constitution and further do place myself and my
personal property at great risk when conducting wire-based transactions.

My personal feelings aside for a moment, I agree Debian has to be careful
where it treads.  I am an individual and can do whatever the hell I want
to and my actions affect myself alone.  Debian OTOH is not an individual
and its actions affect a much larger group.  That said, however, I still
believe Debian's decision to include support for the use of cryptography
in mutt found in Debian's main distribution is correct.

The software provides configuration file options which allow you to run
any arbitrary program through standard functions used for running any and
every program on the system and captures the results.  This does not
constitute hooks for encryption, though it arguably would if mutt were
somehow linked with some library which provided cryptography functions.

If the US government wants to challenge that (I suspect they're smarter
than to try) it would be simple to demonstrate that the PGP interface in
mutt is NOT a crypto hook.  And that's before you consider the rediculous
nature of the restrictions, but we don't even have to go in to that to
prove there are no crypto hooks in mutt that don't exist in bash or in
most every program for most any operating system for that matter.

- Joseph Carter         GnuPG public key:   1024D/DCF9DAB3, 2048g/3F9C2A43
- knghtbrd@debian.org   20F6 2261 F185 7A3E 79FC  44F9 8FF7 D7A3 DCF9 DAB3
<Knghtbrd> xtifr - beware of james when he's off his medication  =>

Attachment: pgpfdt_w4a2iX.pgp
Description: PGP signature

Reply to: