Re: USA crypto rules and libssl-dependent packages

On Fri, May 11, 2001 at 09:53:04PM -0400, sharkey@ale.physics.sunysb.edu wrote:
> 
> I'm not sure that that matters.  The BXA refers to "Open Cryptographic
> Interfaces".  My understanding was that any software which contained hooks
> to call other software which actually performed encryption was regulated
> as if it contained the encryption itself, since it contains an implementation
> of a cryptographic interface.

Ah, that's very interesting. I will do the BXA notification before I
distribute my current package.

> > > Probably. It's my theory that the software is no longer export restricted
> > > once you make the BXA notification.
> 
> That's not true.  See here:
> 
> http://www.bxa.doc.gov/Encryption/lechart1.html
> 
> Under the category 'Unrestricted source code ("open source")' it contains
> an additional restriction 'may not knowingly export to the T-7'.  T-7
> is defined as: Cuba, Iran, Iraq, Libya, North Korea, Syria, and Sudan.

Also very interesting.

> Our FTP servers do not block these countries, so I don't know if we
> would still be considered compliant under these rules.  I think it's
> safer to leave everything in non-US.

I probably agree, but what about this sentence from section 2.1.5 of Debian
Policy:

A package containing a program with an interface to a cryptographic program or
a program that's dynamically linked against a cryptographic library should not
be distributed via the non-US server if it is capable of running without the
cryptographic library or program.

I am really not sure if this applies or not; if the program is linked against
the ssl library, I doubt it can run without it, but if it isn't, which is
doable with different Makefile settings, of course it doesn't require that
library. I do see and agree with your point regarding the FTP servers. Would
it be sufficient to add a README to the servers mentioning the restrictions,
since they apply to so many different packages, and disclaiming responsibility
for violations? Or maybe this wouldn't be legally valid, because people who
use apt don't see that kind of thing.

This is written shortly before I go to bed, so excuse me if anything doesn't
make sense.

- Jimmy Kaplowitz
jimmy@kaplowitz.org
