Re: USA crypto rules and libssl-dependent packages

[Andrew Stribblehill <a.d.stribblehill@durham.ac.uk>]

Quoting Jimmy Kaplowitz <jimmy@kaplowitz.org>:
> On Fri, May 11, 2001 at 09:53:04PM -0400, sharkey@ale.physics.sunysb.edu wrote:
<snip>
> > Our FTP servers do not block these countries, so I don't know if we
> > would still be considered compliant under these rules.  I think it's
> > safer to leave everything in non-US.
> 
> I probably agree, but what about this sentence from section 2.1.5 of Debian
> Policy:
> 
> A package containing a program with an interface to a cryptographic program or
> a program that's dynamically linked against a cryptographic library should not
> be distributed via the non-US server if it is capable of running without the
> cryptographic library or program. 

This might sound like a contrived, hypothetical situation but it's
not:

Package hitop contains a binary, 'hitop'.
Binary 'hitop' may dynamically load, at _runtime_, its Postgres
  plugin, postgres.so.
Plugin postgres.so links against libpgsql.
libpgsql links against libssl.

I've had a bug report filed, saying that my package breaks section
2.1.2 of Policy, since it build-depends against libpgsql which is in
non-US/main.

However, this seems to be contradicted by section 2.1.5 because
binary 'hitop' is capable of running without libssl.

<rant>
I'm becoming increasingly frustrated by parochial laws in just one
country affecting a global distribution.
</rant>

-- 
Andrew Stribblehill <ads@debian.org>
Systems programmer, IT Service, University of Durham, England