[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: non-us

On Sun, Mar 18, 2001 at 02:23:57PM +0200, Richard Braakman wrote:
> On Sun, Mar 18, 2001 at 12:02:03AM -1000, Brian Russo wrote:
> > >(3) You may not knowingly export or reexport source code or
> > >products developed with this source code to Cuba, Iran, Iraq,
> > >Libya, North Korea, Sudan or Syria.
> What exactly does this part mean?  What happens if there is a Debian
> mirror in one of these countries?

I think this means, that I cannot directly export to those countries,
once it reaches pandora, it is 'exported' and what happens after that
point is not subject to US law.
when they say "reexport" I think they mean that the US cannot be used
as a 'bounce'
 i.e. export into US, then reexport into one of those countries.

truly though, i'm not sure, this section is a bit fuzzy.
me need lawyer hm.

> > >(4) Posting of the source code or corresponding object code on
> > >the Internet (e.g., FTP or World Wide Web site) where it may be
> > >downloaded by anyone would not establish "knowledge" of a
> > >prohibited export or reexport, including that described in
> > >paragraph (e)(2) of this section.  In addition, such posting
> > >would not trigger "red flags" necessitating the affirmative duty
> > >to inquire under the "Know Your Customer" guidance provided in
> > >Supplement No. 3 to part 732 of the EAR.
> (What is in paragraph (e)(2)?)

(2)  Object code resulting from the compiling of source code
which would be considered publicly available can be exported
under TSU if the requirements of this section are otherwise met
and no fee or payment (other than reasonable and customary fees
for reproduction and distribution) is required for the object
code.  See §740.17(b)(4)(i) for the treatment of object code
where a fee or payment is required.

basically just says that these terms apply for binaries
(object code), as long as it is also 'free'.

> I don't think this protects you from "knowledge" if you know that
> there is a mirror system that does the prohibited export.

that's a good point, again i think this one of those cases where
interpretation is crucial.

> > so, i as a US resident, can upload stuff to non-us
> > provided I follow the instructions (notifying BXA)
> Remember that URLs of Debian packages are not very stable, because
> they get replaced by new versions.  You may want to mail them a
> new copy of the source code every time you upload, just to be sure.

yes this is what i was planning on .

> > I just don't want to get Debian involved.
> > Personally I do not see how it would be a problem.
> > As Debian would not be exporting. I would.
> > i.e. when I upload to pandora.
> I think that if you upload to pandora it will not be a problem, we
> already have crypto packages there that were originally exported
> from the U.S.  (IIRC the OCR approach was not used with pgp 2.6)
> Though in those cases we don't actually know who exported it, I
> don't know if that makes a difference.

Specifically I would be reexporting samhain, and its component code.
it contains, tiger (hash), rijndael (aes), and has 'hooks' to gpg.
Probably md5 also, don't quite recall though, I think they replaced 
it withtiger (faster).

its developed in germany, tiger is developed in israel and UK
(joint by 2 people), aes was in europe also, and 
since all are available outside the US I don't really think
there would be much point in them harassing me about it, of course *shrug*

anyway, its a while before that package is releasable anyway
still time to brood.

Brian Russo      <brusso@phys.hawaii.edu>
Debian/GNU Linux <wolfie@debian.org> http://www.debian.org
LPSG "member"    <wolfie@lpsg.org>   http://www.lpsg.org

Reply to: