
Re: USA crypto rules and libssl-dependent packages



On Fri, May 11, 2001 at 01:51:54AM -0400, Brian Ristuccia wrote:
> > 
> > 1) I live in the US. Therefore, do I have to send a BXA notification to the
> > government (I believe license exception TSU is applicable - correct me if I'm
> > wrong)?
> 
> You may. Since it's easy, you probably should.

Really? I am not doing any static linking with libssl, only dynamic, so I
don't believe that I am including any crypto. This fact, which I realized
after I sent my original message (otherwise I would have mentioned it), makes
me still unsure whether a BXA notification is needed. Although I would like
to know whether it is in fact required, if I am not persuaded that it is not,
I will notify the BXA, because it's easy and it's a good idea to be safe, as
you said.

> > Also, do I have to do their thing that they mention on their website
> > about sending a message to the ENC Classification Review Coordinator (or,
> > something like that) in addition to crypto@bxa.doc.gov, and if so, how do I
> > do that? 
> 
> I think the email to crypto@bxa.doc.gov is sufficient. 

Thanks.

> > Also, is a BXA notification form sufficient to export binary .debs
> > linked with libssl? 
> 
> Yes. 

Thanks again.

> > Would anyone be able to export them, including other US
> > mirror sites, so long as I provide an export of the same stuff that I notify
> > the BXA about?
> 
> Probably. It's my theory that the software is no longer export restricted
> once you make the BXA notification. Thus Debian's requirement that export
> restricted software get uploaded to non-us doesn't apply. Indeed, this is
> how Netscape with strong crypto got uploaded to non-free instead of
> non-us/non-free. There's currently an inquiry going on that will determine
> if Debian's policy can be updated to clearly reflect the new regulations.

I would tend to agree, though of course IANAL; I am surprised Debian's policy
hasn't been updated yet.

> > 
> > 2) Do the binary .debs go in non-US? 
> 
> Yes. Policy currently requires it.

OK, I understand that this is a quirk of Debian policy, and not US law.

> > What about the Debian source files? 
> 
> Same.

I guess this makes sense, since there would need to be a Build-Depends on
libssl-dev. (Am I right about that?)

> > If I
> > make additional non-ssl .debs from the same source, would they be in
> > non-US or not? 
> 
> Yes, but only if the source actually contains crypto. Source or binary,
> policy currently requires export restricted software to be uploaded to
> non-us.

Well, I don't intend to redistribute libssl, in my source or binary .debs,
just dynamically link to them at compile and then run time. So do the non-ssl
.debs go in the non-US/main or main? 

> Good luck :)

Thank you! I may also download the source of some package that comes in ssl
and non-ssl flavors and see how they do it. Can you suggest one? I'm thinking
of lynx, myself.

- Jimmy Kaplowitz
jimmy@kaplowitz.org


