
Re: USA crypto rules and libssl-dependent packages



Hi Andrew,

On Mon, 14 May 2001, Andrew Stribblehill wrote:

> Quoting Jimmy Kaplowitz <jimmy@kaplowitz.org>:
> > On Fri, May 11, 2001 at 09:53:04PM -0400, sharkey@ale.physics.sunysb.edu wrote:
> <snip>
> > > Our FTP servers do not block these countries, so I don't know if we
> > > would still be considered compliant under these rules.  I think it's
> > > safer to leave everything in non-US.

> > I probably agree, but what about this sentence from section 2.1.5 of Debian
> > Policy:

> > A package containing a program with an interface to a cryptographic program or
> > a program that's dynamically linked against a cryptographic library should not
> > be distributed via the non-US server if it is capable of running without the
> > cryptographic library or program.

> This might sound like a contrived, hypothetical situation but it's
> not:

> Package hitop contains a binary, 'hitop'.
> Binary 'hitop' may dynamically load, at _runtime_, its Postgres
>   plugin, postgres.so.
> Plugin postgres.so links against libpgsql.
> libpgsql links against libssl.

> I've had a bug report filed, saying that my package breaks section
> 2.1.2 of Policy, since it build-depends against libpgsql which is in
> non-US/main.

> However, this seems to be contradicted by section 2.1.5 because
> binary 'hitop' is capable of running without libssl.

If there is a version of libpgsql in main that you can build hitop against,
which will provide the same ABI as the version in non-US/main (same library
soname, etc), then you can keep hitop in main.  If there's no version of the
postgres package that's binary-compatible with the one now in non-US/main (and
I suspect there is not, given the maintainer's comments on d-d), then hitop
must go in non-US as well:  per Policy, anything that contains (strong) crypto
must reside in non-US, and every package in main must not have a dependency
(build-time or otherwise) on anything outside of main.

This is what I understand Policy to say currently.  If this is not the intent
(if packages in main can have build-time dependencies on non-US), then Policy
needs to be clarified.

> <rant>
> I'm becoming increasingly frustrated by parochial laws in just one
> country affecting a global distribution.
> </rant>

Efforts are being made to resolve this to everyone's satisfaction.  It's not
(yet) out of the question that woody will include crypto in main by the time
of release.

Steve Langasek
postmodern programmer


