On Wed, 2002-04-17 at 21:50, Ryan Phillips wrote:
> Gentoo provides ebuilds, source archives, and binaries for openssl,
> gpg, and many other high-encryption packages off of its own website and
Binaries and source could be a problem; however, ebuilds are irrelevant
-- they contain no cryptographical information in and of themselves, and
do not enable anyone to encrypt anything with high-encryption.

> PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
> SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
> TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS
> OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY,
> RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR
> EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY
> ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS
> WHICH APPLY TO YOU. THE AUTHORS OF GENTOO ARE NOT LIABLE FOR ANY
> VIOLATIONS YOU MAKE HERE. SO BE CAREFUL YOURSELF, IT IS YOUR
> RESPONSIBILITY.
Even your disclaimer doesn't mention ebuilds -- ebuilds aren't considered
'technical details'.

> In addition, I propose the RESTRICT variable for ebuilds. This would
> make source archives not be mirrored on the gentoo/ibiblio site, and
> its mirrors.
THIS is a very good idea. Especially for things like openssl, and the
proposed ebuild of cryptoapi. If it's not on our mirrors, it's not our
problem to enforce export controls.

> Onto the subject of binary CDs. There should probably be two sets of
> binary CDs: one with high encryption, and one with export grade. To
> download the high encryption ISO, the website could ask the user if they
> agreed to the export license, or under FTP the license could be stored
> as a .message. A simpler solution is to take out openssl/openssh
> altogether, since they are relatively small downloads.
Keeping in mind, that no matter what license you make people agree to,
in some cases, it's simply illegal to export encryption technology
outside the US above a certain grade. Forget about import restrictions
on the user's side, unless you have explicit permission from the
government, you cannot even offer encryption technology (binaries or
source code) above a certain grade outside the US.

As I said, as long as we don't mirror the stuff, we don't have to worry
about export restrictions -- all we're exporting is something saying 'we
got it from here, and if it works for you, great! here's how to build
it', but that's not illegal (it's covered under the first amendment).

As for the ISOs, if you have a high and low encryption ISO, then you
will have to make some reasonable measure to ensure the person
downloading the high encryption ISO is in the United States. Keeping in
mind, this does not apply to all packages -- some packages (e.g. mozilla)
have permission to be distributed internationally by whomever.

I would go with your suggestion of removing anything that's export
controlled from the ISO, and letting the user emerge it.

> Best regards,
> Ryan Phillips
> rphillips at gentoo.org

> [Note: I am not a lawyer, and this should not be considered legal
> advice.]
Nor am I, but my company has had to deal with encryption export laws
before, and I myself write something with encryption technology in it.

--
PreZ
Systems Administrator
GOTH.NET

Goth Code '98: tSKeba5qaSabsaaaGbaa75KAASWGuajmsvbieqcL4BaaLb3F4
nId5mefqmDjmmgm#haxthgzpj4GiysNkycSRGHabiabOkauNSW

GOTH.NET - http://www.goth.net
Free online resource for the gothic community.