[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: unofficial mozilla 0.8 deb

This issue has been done to death.  Basically, there's a notification
requirement in the BXA rules.  Nobody that can do it wants to, and nobody
that wants to do it can.

On Fri, 9 Mar 2001, Craig Sanders wrote:

>On Thu, Mar 08, 2001 at 01:25:03AM +0200, Sampo Niskanen wrote:
>> On Wed, 7 Mar 2001, Gregor Hoffleit wrote:
>> > AFAIR, the new legislation said that companies could apply at
>> > the government for a permission to release specific versions of
>> > strong-crypto software to a world-wide public. I guess Netscape
>> > did this for their communicator and since the government gave the
>> > permission, anybody is now allowed to export this specific pieces of
>> > software, even though they contain strong crypto.
>> >
>> > [Then, it would be obvious that this reasoning doesn't necessarily
>> > apply to Mozilla--someone had to ask for a permission first.]
>> If this is true, how do they define a software product? One binary? A
>> very similar product? The same name?
>it's not true, at least not for open source programs.
>as i understand the new (actually year old) US crypto rules, for open
>source / public domain / free software programs, all you have to do
>is notify the US government that you're exporting it and tell them
>that's what kernel.org have done. i doubt if linus or transmeta or
>anyone else involved would have take the risk if they didn't think it
>was safe to do so.
>there is a notice on www.kernel.org about crypto s/w:
>    Cryptographics Software
>    Due to U.S. Exports Regulations, all cryptographic software on this
>    site is subject to the following legal notice:
>    This site includes publicly available encryption source code which,
>    together with object code resulting from the compiling of publicly
>    available source code, may be exported from the United States under
>    License Exception "TSU" pursuant to 15 C.F.R. Section 740.13(e).
>    This legal notice applies to cryptographic software only. Please see
>    the _Bureau of Export Administration_[1] for more information about
>    current U.S. regulations.
>[1] link to http://www.bxa.doc.gov/
>you can read the new crypto rules for yourself at:
>FYI, the relevant section (15 C.F.R. Section 740.13) of the new crypto
>regulations says:
>    (e) Unrestricted encryption source code.
>    (1) Encryption source code controlled under 5D002, which would be
>    considered publicly available under § 734.3(b)(3) and which is not
>    subject to an express agreement for the payment of a licensing
>    fee or royalty for commercial production or sale of any product
>    developed with the source code, is released from ``EI'' controls
>    and may be exported or reexported without review under License
>    Exception TSU, provided you have submitted written notification
>    to BXA of the Internet location (e.g.,  URL or Internet address)
>    or a copy of the source code by the time of export.  Submit the
>    notification to BXA and send a copy to ENC Encryption Request
>    Coordinator (see § 740.17(g)(5) for mailing addresses). Intellectual
>    property protection (e.g., copyright, patent or trademark) will not,
>    by itself, be construed as an express agreement for the payment of
>    a licensing fee or royalty for commercial production or sale of any
>    product developed using the source code.
>    (2) You may not knowingly export or reexport source code or products
>    developed with this source code to Cuba, Iran, Iraq, Libya, North
>    Korea, Sudan or Syria.
>    (3) Posting of the source code on the Internet (e.g., FTP or
>    World Wide Web site) where the source code may be downloaded by
>    anyone would not establish ``knowledge'' of a prohibited export
>    or reexport, including that described in paragraph (e)(2) of this
>    section. In addition, such posting would not trigger ``red flags''
>    necessitating the affirmative duty to inquire under the ``Know Your
>    Customer'' guidance provided in Supplement No. 3 to part 732 of the
>    EAR.
>that's a pretty clear statement that it's OK to export open source
>crypto just by notifying the US government in writing.
>an update in October 2000 clarified the matter even further, points out
>that the exemption also covers binaries compiled from open source, and
>even provides an email address to send the written notifications to:
>    4. § 740.13 (Technology and Software Unrestricted (TSU)) clarifies
>    the treatment of open source object code.  Object code compiled from
>    source code eligible for License Exception TSU can also be exported
>    under the provisions of License Exception TSU if the requirements
>    of § 740.13 are met and no fee or payment is required for object
>    code (other than reasonable and customary fees for reproduction and
>    distribution). Object code for which there is a fee or payment can
>    be exported under the provisions of 740.17(b)(4)(i). The intent of
>    this section is to release publicly available software available
>    without charge (e.g. ``freeware'') from control. Also in § 740.13,
>    crypt@bxa.doc.gov address is added to prompt exporters to notify
>    BXA electronically. Exporters should note the intent of the phrase
>    ``released from EI controls'' in 740.13(e) means that 5D002 software
>    eligible for TSU is released from the mandatory access controls
>    procedures described in 734.2(b)(9)(ii).
>IANAL, but that's clear as crystal to me. it even states that the intent
>is "to release publicly available software from control".
>craig sanders <cas@taz.net.au>
>      GnuPG Key: 1024D/CD5626F0
>Key fingerprint: 9674 7EE2 4AC6 F5EF 3C57  52C3 EC32 6810 CD56 26F0

The Internet must be a medium for it is neither Rare nor Well done!
<a href="mailto:galt@inconnu.isu.edu";>John Galt </a>

Reply to: