Hi guys,

I'm currently helping the gentoo team work out some issues with export
controls of strong encryption software. Currently, Gentoo is being
developed mostly in the United States, and downloaded all over the
world, thus the reason of this mail.

Gentoo provides ebuilds, source archives, and binaries for openssl,
gpg, and many other high-encryption packages off of its own website and
mirrors. I'm drafting a letter to the Bureau of Export Administration
right at the moment, but I need to propose a couple (very minor!)
changes to the portage system.

There should be a USE variable named 'agree-to-crypto', (the name
doesn't matter). The purpose is to verify the user has read the export
license, in this case:

------------------

PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS
OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY,
RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR
EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY
ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS
WHICH APPLY TO YOU. THE AUTHORS OF GENTOO ARE NOT LIABLE FOR ANY
VIOLATIONS YOU MAKE HERE. SO BE CAREFUL YOURSELF, IT IS YOUR
RESPONSIBILITY.

If you agree to this license, and would like to enable high-grade
encryption then place the variable 'agree-to-crypto' in your USE
variable in /etc/make.conf

-----------------
Note: (Possible License, and could change)

If this variable is not set, then the ebuilds affected should resort to
building openssh/openssl/etc with export grade encryption.

In addition, I propose the RESTRICT variable for ebuilds. This would
make source archives not be mirrored on the gentoo/ibiblio site, and
its mirrors.

Onto the subject of binary CDs. There should probably be two sets of
binary CDs: one with high encryption, and one with export grade. To
download the high encryption ISO, the website could ask the user if they
agreed to the export license, or under FTP the license could be stored
as a .message. A simpler solution is to take out openssl/openssh
altogether, since they are relatively small downloads.

I believe this is a wise course of action.
Any comments? additions? subtractions?

Best regards,
Ryan Phillips
rphillips at gentoo.org

[Note: I am not a lawyer, and this should not be considered legal
advice.]