Re: non-us

[Richard Braakman <dark@xs4all.nl>]

On Sun, Mar 18, 2001 at 12:02:03AM -1000, Brian Russo wrote:
> >(3) You may not knowingly export or reexport source code or
> >products developed with this source code to Cuba, Iran, Iraq,
> >Libya, North Korea, Sudan or Syria.

What exactly does this part mean?  What happens if there is a Debian
mirror in one of these countries?

> >(4) Posting of the source code or corresponding object code on
> >the Internet (e.g., FTP or World Wide Web site) where it may be
> >downloaded by anyone would not establish "knowledge" of a
> >prohibited export or reexport, including that described in
> >paragraph (e)(2) of this section.  In addition, such posting
> >would not trigger "red flags" necessitating the affirmative duty
> >to inquire under the "Know Your Customer" guidance provided in
> >Supplement No. 3 to part 732 of the EAR.

(What is in paragraph (e)(2)?)

I don't think this protects you from "knowledge" if you know that
there is a mirror system that does the prohibited export.

> so, i as a US resident, can upload stuff to non-us
> provided I follow the instructions (notifying BXA)

Remember that URLs of Debian packages are not very stable, because
they get replaced by new versions.  You may want to mail them a
new copy of the source code every time you upload, just to be sure.

> I just don't want to get Debian involved.
> Personally I do not see how it would be a problem.
> As Debian would not be exporting. I would.
> i.e. when I upload to pandora.

I think that if you upload to pandora it will not be a problem, we
already have crypto packages there that were originally exported
from the U.S.  (IIRC the OCR approach was not used with pgp 2.6)
Though in those cases we don't actually know who exported it, I
don't know if that makes a difference.

Richard Braakman