Re: several questions /Debian Source Code build 11.3/related to Unrestricted Encryption Source Code Notification Commodity

To: debian-project@lists.debian.org
Subject: Re: several questions /Debian Source Code build 11.3/related to Unrestricted Encryption Source Code Notification Commodity
From: "Andrew M.A. Cater" <amacater@einval.com>
Date: Wed, 13 Apr 2022 14:14:25 +0000
Message-id: <[🔎] YlbawXxbX67Ptv2K@einval.com>
In-reply-to: <[🔎] CABDd9Jmnnh3E7K6MO=MdLirwunMTtATvAqoLBBAOqLXN5Ow6vQ@mail.gmail.com>
References: <[🔎] CABDd9Jmnnh3E7K6MO=MdLirwunMTtATvAqoLBBAOqLXN5Ow6vQ@mail.gmail.com>

On Wed, Apr 13, 2022 at 04:44:02PM +0300, Екатерина Лапшина wrote:
> Good afternoon!
> 
> 

Good afternoon, Ekaterina
> 
> We are planning to use Debian Source Code build 11.3 (the “Software”) in
> Russia and have several questions related to Unrestricted Encryption Source
> Code Notification Commodity (
> https://www.debian.org/legal/notificationforarchive, “Notification”) and
> export restrictions of the US Export Control Act ("EAR").
> 
> 

Only source code: no binaries? The source code requirement is an old one - see
below - and effectively disappeared a long time ago.

This all dates initiallly from 200/2001 - Ben Collins was the Debian Project
Leader then.

The legal opinion then from US lawyers is at https://www.debian.org/legal/cryptoinmain.en.html.

At one point, we maintained cryptographic software in a separate "non-US" 
archive. That's not been necessary for approximately 15 or 20 years.

> 
> In your Notification you mention that Debian is free access code
> (accordingly we suppose that it can be EAR99 or Not subject to EAR). At the
> same time you refer to the exception TSU specified in Part 740.13 EAR
> (however, paragraph e(1) is missing in the text we saw
> https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-740/section-740.13).
> You also refer to the cryptography functionality thank can trigger
> exception ENC as well
> 

The review by the NSA went long ago. Debian has treated the code as being
exportable worldwide but has not normally accepted new official mirrors in 
countries subject to US sanctions like Iran, Syria or Cuba.

I'm unaware of Russian law at the moment: it is possible that import and
use in Russia would be legitimate under Russian law.
> 
> 
> Accordingly we would like to know whether:
> 
> (1)   the Software can be freely distributed, including in Russia, due to
> being EAR99 or Not subject to EAR
>

This appears to be the case, at least de facto.

> (2)   the Software is subject to other ECCN (please specify, which one) and
> can be distributed only subject to exceptions (TSU, ENC or other - please
> specify)
> 

Various people have asked about ECCN over the years: it seems that our 
software is acceptable for US export and import. I am NOT a registered lawyer
- none of this should be taken as legal advice.
> 
> 
> Thank you

With every good wish, as ever,

Andy Cater

Reply to:

Follow-Ups:
- Re: several questions /Debian Source Code build 11.3/related to Unrestricted Encryption Source Code Notification Commodity
  - From: Paul Wise <pabs@debian.org>

References:
- several questions /Debian Source Code build 11.3/related to Unrestricted Encryption Source Code Notification Commodity
  - From: Екатерина Лапшина <ekater896@gmail.com>

Prev by Date: several questions /Debian Source Code build 11.3/related to Unrestricted Encryption Source Code Notification Commodity
Next by Date: Re: We need to define a path for Debian to climate neutrality
Previous by thread: several questions /Debian Source Code build 11.3/related to Unrestricted Encryption Source Code Notification Commodity
Next by thread: Re: several questions /Debian Source Code build 11.3/related to Unrestricted Encryption Source Code Notification Commodity
Index(es):
- Date
- Thread