
Status of non-US



Hi all

I would just like to know the current status of non-US within Debian. Now, since
the US export regulations for cryptographic software have been weakened, we
might be able to include cryptographic software in the main distribution,
eliminating non-US completely (well maybe not completely, there are still those
software patents....). There are also rumors that the Linux kernel will start
including cryptographic patches (such as the kerneli patch or the klips part of
freeswan) very soon (shortly after opening the 2.5 branch is what I read
somewhere) and OpenBSD is already including their crypto libraries in the
standard distribution (as of version 2.8), so Debian might do the same. 
This would make the work for many developers a lot easier, because double
efforts (postfix / postfix-tls, zmailer / zmailer-ssl, apache / apache-ssl, curl
/ curl-ssl, fetchmail / fetchmail-ssl, ipopd / ipopd-ssl, uw-imapd /
uw-imapd-ssl, telnet / telnet-ssl, telnetd / telnetd-ssl, unzip / unzip-crypt,
.....) would not be needed anymore. Instead, Debian could be one of the first
distributions shipping cryptographic software whenever possible (this could
even be part of the policy sometime: apply crypto patches when they are
available for the package, but I am just dreaming a bit :-) ), bringing it
security-wise a big step closer to where OpenBSD is now. And yes, ssh would be
included in every default Debian installation, helping the Internet to get a bit
more secure.

There is one point to consider with this: In some countries it is not allowed to
use strong cryptography (France, China and a few others as far as I know) under
all conditions and there are countries for which exports from the US are still
restricted (Iran, Iraq, .....). We would have to deal with these special
situations, but I think it is time to change. At the moment, the default
installation does not include any cryptographic code, which I consider to be
very weak. In my opinion, every installation of Debian should include at least
ssh instead of telnetd and every server daemon (pop3, imap, smtp, ftp, http,
....) should include SSL support by default. Even when doing that it will take
some time for all the clients to get upgraded to use the crypto services, but it
is definitely a step in the right direction.

This is no official proposal, because I do not have my Debian account yet
(already DAM approved). Please comment on the current situation and if you would
like to change it. Maybe somebody with more knowledge about the US crypto
regulations could also comment on the legal situation and what the requirements
for Debian would be to ship cryptographic software (as far as I know, not much:
just send a message that we ship the code and where the source is available). I
have to admit that I am a bit biased in this case, maintaining the freeswan and
pptpd packages and always needing to patch postfix, apache, ppp, ... for myself
for the Gibraltar firewall distribution. It would be nice to have it all in the
default packages. But I would love to contribute some work on making Debian
more secure.

best greets,
Rene