Re: USA crypto rules and libssl-dependent packages

To: Jimmy Kaplowitz <jimmy@kaplowitz.org>
Cc: debian-legal@lists.debian.org, debian-mentors@lists.debian.org
Subject: Re: USA crypto rules and libssl-dependent packages
From: Brian Ristuccia <brian@ristuccia.com>
Date: Fri, 11 May 2001 01:51:54 -0400
Message-id: <20010511015154.I641@osiris.978.org>
In-reply-to: <20010510192744.A31988@cato.kaplowitz.org>; from jimmy@kaplowitz.org on Thu, May 10, 2001 at 07:27:44PM -0400
References: <20010510192744.A31988@cato.kaplowitz.org>

On Thu, May 10, 2001 at 07:27:44PM -0400, Jimmy Kaplowitz wrote:
> Hi. I am a novice Debian package maintainer, in the queue for becoming an
> official developer. I am maintaining a package called althea, which is an
> IMAP email client for GTK+. They have recently added support for SSL through
> linking to libssl (from OpenSSL). This is configurable based on the values
> of a couple variables in the Makefile. I have a couple of questions:
> 
> 1) I live in the US. Therefore, do I have to send a BXA notification to the
> government (I believe license exception TSU is applicable - correct me if I'm
> wrong)?

You may. Since it's easy, you probablys hould. 

> Also, do I have to do their thing that they mention on their website
> about sending a message to the ENC Classification Review Coordinator (or,
> something like that) in addition to crypto@bxa.doc.gov, and if so, how do I
> do that? 

I think the email to crypto@bxa.doc.gov is sufficient. 

> Also, is a BXA notification form sufficient to export binary .debs
> linked with libssl? 

Yes. 

> Would anyone be able to export them, including other US
> mirror sites, so long as I provide an export of the same stuff that I notify
> the BXA about?

Probably. It's my theory that the software is no longer export restricted
once you make the BXA notification. Thus Debian's requirement that export
restricted software get uploaded to non-us doesn't apply. Indeed, this is
how Netscape with strong crypto got uploaded to non-free instead of
non-us/non-free. There's currently an inquiry going on that will determine
if Debian's policy can be updated to clearly reflect the new regulations.

> 
> 2) Do the binary .debs go in non-US? 

Yes. Policy currently requires it.

> What about the Debian source files? 

Same.

> If I
> make additional non-ssl .debs from the same source, would they be in
> non-US or not? 

Yes, but only if the source actually contains crypto. Source or binary,
policy currently requires export restricted software to be uploaded to
non-us.

> [other stuff omitted]

Good luck :)

-- 
Brian Ristuccia
brian@ristuccia.com
bristucc@cs.uml.edu

Attachment: pgpF_ozpL1lEu.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: USA crypto rules and libssl-dependent packages
  - From: Jimmy Kaplowitz <jimmy@kaplowitz.org>

References:
- USA crypto rules and libssl-dependent packages
  - From: Jimmy Kaplowitz <jimmy@kaplowitz.org>

Prev by Date: USA crypto rules and libssl-dependent packages
Next by Date: lame (again!)
Previous by thread: USA crypto rules and libssl-dependent packages
Next by thread: Re: USA crypto rules and libssl-dependent packages
Index(es):
- Date
- Thread