
Re: Squeak in Debian?



> > > > I do not understand your issue about locality.  The business in question
> > > > is us, Debian.  We already have a distribution server at Berkeley, so we
> > > > already need to evaluate and comply with the laws of northern
> > > > California.
> > > 
> > > The CD distributors are not part of SPI, the non-profit that holds
> > > title to the vast resources of Debian.  In addition, the Debian
> > > mirrors only look at local law when evaluating whether to mirror
> > > Debian.  They don't look up Northern California law.
> > 
> > The individual CD distributors should not be automatically distributing
> > non-free stuff.  Thus I still do not see the issue.
> > 
> > It seems like our non-free infrastructure already needs to obey US
> > export law, so I do not see the issue with us meeting that license
> > condition.
> 
> non-free is not part of the bxa notification scheme, because the bxa
> notification is only available for certain types of software of which
> main is a subset.  So there are still packages in non-us/non-free.
> 

I don't see why BXA notification would be required for Squeak nowadays. 
It used to have some secure hashing functions in there such as MD5 and
SHA, but I just searched and those seem to be in a separate package
nowadays.  People who want cryptography routines in Squeak must now
download them separately from "SqueakMap".

Overall, I still do not see how it can be an extra burden on *Debian* to
have to follow US export regulations.  Certainly it is a DFSG issue for
our users, but that is acceptable for a non-free package.  The question
at hand is whether we feel okay using the non-free infrastructure to
distribute it.  Aren't our non-free machines following US export law,
anyway (e.g., by not including undisclosed encryption software)?  So
long as all of the non-free machines are mirroring to each other
automatically, it seems like they must all follow the export regs of all
the countries.  Am I mistaken about this?

Along these lines, I checked, and in the U.S. at least there is a clear
understanding of what is called here "reexporting".  That is, A cannot
blithely export to C by first exporting to an intermediary B.  A->B->C
is treated much or exactly the same as A->C.  Here's the Dept. of
Commerce web site, for anyone who wants to wade through and verify: 

	http://w3.access.gpo.gov/bis/ear/ear_data.html

The good news about the above site is that the regs -- at least by my
very fast reading -- seem both to focus on cryptography and to explicitly
exempt software that is publicly available.  That's good, because
otherwise it would be quite onerous just to post innocuous things on a
web site.

One thing I am left wondering about is this in Squeak-L:

	"In particular, but without limitation, the Apple Software may not be
exported or reexported (i) into (or to a national or resident of) any
U.S. embargoed country or (ii) to anyone on the U.S. Treasury
Department's list of Specially Designated Nationals or the U.S.
Department of Commerce's Table of Denial Orders. "

The "in particular" implies that this is a normal export regulation for
the US.  Does anyone know?  If it is indeed normal, then what do our
non-non-US servers do about it?

-Lex


