| 1 |
On Wed, 2002-04-17 at 21:50, Ryan Phillips wrote: |
| 2 |
> Gentoo provides ebuilds, source archives, and binaries for openssl, |
| 3 |
> gpg, and many other high-encryption packages off of its own website and |
| 4 |
Binaries and source could be a problem, however ebuilds are irrelevant |
| 5 |
-- they contain no cryptographical information in and of themselves, and |
| 6 |
do not enable anyone to encrypt anything with high-encryption. |
| 7 |
|
| 8 |
> PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY |
| 9 |
> SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING |
| 10 |
> TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS |
| 11 |
> OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE- |
| 12 |
> DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR |
| 13 |
> EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY |
| 14 |
> ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS |
| 15 |
> WHICH APPLY TO YOU. THE AUTHORS OF GENTOO ARE NOT LIABLE FOR ANY |
| 16 |
> VIOLATIONS YOU MAKE HERE. SO BE CAREFULLY YOURSELF, IT IS YOUR |
| 17 |
> RESPONSIBILITY. |
| 18 |
even your disclaimer doesnt mention ebuilds -- ebuilds arent considered |
| 19 |
'technical details'. |
| 20 |
|
| 21 |
> In addition, I propose the RESTRICT variable for ebuilds. This would |
| 22 |
> make source archives not be mirrored on the gentoo/ibiblio site, and |
| 23 |
> it's mirrors. |
| 24 |
THIS is a very good idea. Especially for things like openssl, and the |
| 25 |
proposed ebuild of cryptoapi. If its not on our mirrors, its not our |
| 26 |
problem to enforce export controls. |
| 27 |
|
| 28 |
> Onto the subject of binary CDs. There should probably be two sets of |
| 29 |
> binary CDs: one with high encryption, and one with export grade. To |
| 30 |
> download the high encryption ISO, the website could ask the user if they |
| 31 |
> agreed to the export license, or under FTP the license could be stored |
| 32 |
> as a .message. A more simpler solution is to take out openssl/openssh |
| 33 |
> altogether, since they are relatively small downloads. |
| 34 |
Keeping in mind, that no matter what license you make people agree to, |
| 35 |
in some cases, its simply illegal to export encryption technology |
| 36 |
outside the US above a certain grade. Forget about import restrictions |
| 37 |
on the user's side, unless you have explicit permission from the |
| 38 |
government, you cannot even offer encryption technology (binaries or |
| 39 |
source code) above a certain grade outside the US. |
| 40 |
|
| 41 |
As I said, as long as we don't mirror the stuff, we don't have to worry |
| 42 |
about export restrictions -- all we're exporting is something saying 'we |
| 43 |
got it from here, and if it works for you, great! heres how to build |
| 44 |
it', but thats not illegal (its covered under the first amendment). |
| 45 |
|
| 46 |
As for the ISO's, if you have a high and low encryption ISO, then you |
| 47 |
will have to make some reasonable measure to ensure the person |
| 48 |
downloading the high encryption ISO is in the united states. Keeping in |
| 49 |
mind, this does not apply to all packages -- some packages (eg. mozilla) |
| 50 |
have permission to be distributed internationally by whomever. |
| 51 |
|
| 52 |
I would go with your suggestion of removing anything thats export |
| 53 |
controlled from the ISO, and letting the user emerge it. |
| 54 |
|
| 55 |
> Best regards, |
| 56 |
> Ryan Phillips |
| 57 |
> rphillips at gentoo.org |
| 58 |
|
| 59 |
> [Note: I am not a lawyer, and this should not be considered legal |
| 60 |
> advice.] |
| 61 |
Nor am I, but my company has had to deal with encryption export laws |
| 62 |
before, and I myself write something with encryption technology in it. |
| 63 |
|
| 64 |
-- |
| 65 |
PreZ |
| 66 |
Systems Administrator |
| 67 |
GOTH.NET |
| 68 |
|
| 69 |
Goth Code '98: tSKeba5qaSabsaaaGbaa75KAASWGuajmsvbieqcL4BaaLb3F4 |
| 70 |
nId5mefqmDjmmgm#haxthgzpj4GiysNkycSRGHabiabOkauNSW |
| 71 |
|
| 72 |
GOTH.NET - http://www.goth.net |
| 73 |
Free online resource for the gothic community. |
Archives