[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Netscape/Fortify/Crypto (was: Bug#67331: potato bugs)

[cutting down on CCs and CCing debian-legal instead - the thread
should probably continue there]

Ethan Benson <erbenson@alaska.net> writes:

> no there is still weak and strong encryption versions of netscape, you
> still must go though a click through page stating that you are not
> downloading from Iraq or other `terrorist' nation.  
> the debian packages are simply using the weak export binaries instead
> of the strong crypto version. 
> so you either need fortify (not available) or you have to download and
> install netscape manually (eschew the .debs).

This is a bad situation: Fortify will not support newer Netscapes
because the strong-crypto versions are available for download. But
Debian still distributes the weak versions.

I think the project needs to come to a conclusion how we can
distribute crypto-software under the new export-regulations.

For example, anybody outside the US could download the strong Navigator
and (N)MU it into non-US. Would she breach her "agreement" with
Netscape by accepting the fact that non-us.debian.org can be freely
accessed from Iraq et al? Would that make her a possible subject of
prosecution in the US? By state authorities, or would Netscape have to

What about adopting a fortify-like strategy? A developer outside of
the US would download the weak and strong programs and generate from
that a package that patched the weak version into the strong variant.
Fortify didn't get sued, AFAIK, even when the regulations were more

Some consent about what is acceptable would be very desirable.


Attachment: signature.ng
Description: PGP signature

Reply to: