On Mon, Feb 25, 2002 at 07:22:07PM -0800, Thomas Bushnell, BSG wrote: > Walter Landry <wlandry@ucsd.edu> writes: > > tb@becket.net (Thomas Bushnell, BSG) wrote: > > > "You might consider" is a far cry from "you must". I don't think you > > > understand how lawyers give recommendations. > > Are you suggesting that Debian not do those things? Is Debian going > > to distribute crypto without doing reverse IP lookups and without the > > use restrictions? > The use restrictions are contrary to our own existing policies, so we > can't take that recommendation. I would not object to the reverse IP > lookups, but if it's any real hassle, we could drop that too. The long and short of it is, that's a recommendation from the lawyer to us -- and from us to the mirror operators -- to implement reverse-IP lookups as a precautionary measure. Debian (SPI) itself does not operate even a *handful* of the mirror sites that offer the Debian archive to the world. The legal advice we received says nothing to the effect that we should not allow people to mirror our archive unless they do this. If someone wants to *not* implement reverse-IP checks -- whether they're inside the US or outside -- that's fine, so long as they understand the consequences of that decision. So if a mirror operator objects on moral grounds to blocking the T7, fine -- don't block the T7. OTOH, don't expect SPI to come charging to the rescue on account of your decision to engage in civil disobedience. As for use restrictions, I disagree that asking someone who downloads Debian from within the US to warrant that they are not planning to use the software to build nukes or biological weapons, etc., etc., is a use restriction in any meaningful sense of the word. First, mirror operators are expected (by the local authorities, if not necessarily by Debian) to comply with local law all the time. If local law enjoins a mirror operator from distributing Debian to certain parties, does that mean Debian is imposing use restrictions? Currently, we can't distribute crypto from US-based mirrors at all. Is /that/ a use restriction? No; it just means that people have to download certain programs from certain locations. Likewise, having crypto in main isn't a use restriction: the people who want to use Debian for its superior Open Source bomb-building capabilities either download it from an overseas archive, or they <gasp> lie and download it from a US mirror anyway. And if the user warrants by reading the archive banner and continuing to download anyway that they are not under control of a foreign government that's hell-bent on devouring all that is sacred to our apple pies, then our involvement ends there. If they go out and start building xearth-powered nuclear devices, that's between them and the US government. We (Debian, SPI, mirror operators) are not placing any legally-binding restrictions on their use of the software. We're just covering our own asses. > Right. At the moment we have an *absolute* policy against mirrors in > the US--which hurts us in a jillion ways. We can easily replace that > with something much looser, and simply not advertise or go out of our > way to support any mirrors that might exist in T7 countries. Precisely. Steve Langasek postmodern programmer
Attachment:
pgpdY6sEDb8G6.pgp
Description: PGP signature