[cutting down on CCs and CCing debian-legal instead - the thread should probably continue there] Ethan Benson <erbenson@alaska.net> writes: > no there is still weak and strong encryption versions of netscape, you > still must go though a click through page stating that you are not > downloading from Iraq or other `terrorist' nation. > > the debian packages are simply using the weak export binaries instead > of the strong crypto version. > > so you either need fortify (not available) or you have to download and > install netscape manually (eschew the .debs). This is a bad situation: Fortify will not support newer Netscapes because the strong-crypto versions are available for download. But Debian still distributes the weak versions. I think the project needs to come to a conclusion how we can distribute crypto-software under the new export-regulations. For example, anybody outside the US could download the strong Navigator and (N)MU it into non-US. Would she breach her "agreement" with Netscape by accepting the fact that non-us.debian.org can be freely accessed from Iraq et al? Would that make her a possible subject of prosecution in the US? By state authorities, or would Netscape have to sue? What about adopting a fortify-like strategy? A developer outside of the US would download the weak and strong programs and generate from that a package that patched the weak version into the strong variant. Fortify didn't get sued, AFAIK, even when the regulations were more strict. Some consent about what is acceptable would be very desirable. -- Robbe
Attachment:
signature.ng
Description: PGP signature