| 1 |
On Wed, 2002-04-17 at 19:06, Preston A. Elder wrote: |
| 2 |
> On Wed, 2002-04-17 at 21:50, Ryan Phillips wrote: |
| 3 |
> > Gentoo provides ebuilds, source archives, and binaries for openssl, |
| 4 |
> > gpg, and many other high-encryption packages off of its own website and |
| 5 |
> Binaries and source could be a problem, however ebuilds are irrelevant |
| 6 |
> -- they contain no cryptographical information in and of themselves, and |
| 7 |
> do not enable anyone to encrypt anything with high-encryption. |
| 8 |
|
| 9 |
This is true. Binaries and sourcecode are the problem. We currently |
| 10 |
mirror openssl/openssh/gpg all on ibiblio which is located in the US. |
| 11 |
|
| 12 |
> |
| 13 |
> > PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY |
| 14 |
> > SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING |
| 15 |
> > TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS |
| 16 |
> > OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE- |
| 17 |
> > DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR |
| 18 |
|
| 19 |
> even your disclaimer doesnt mention ebuilds -- ebuilds arent considered |
| 20 |
> 'technical details'. |
| 21 |
|
| 22 |
see above. |
| 23 |
|
| 24 |
> > Onto the subject of binary CDs. There should probably be two sets of |
| 25 |
> > binary CDs: one with high encryption, and one with export grade. To |
| 26 |
> > download the high encryption ISO, the website could ask the user if they |
| 27 |
> > agreed to the export license, or under FTP the license could be stored |
| 28 |
> > as a .message. A more simpler solution is to take out openssl/openssh |
| 29 |
> > altogether, since they are relatively small downloads. |
| 30 |
> Keeping in mind, that no matter what license you make people agree to, |
| 31 |
> in some cases, its simply illegal to export encryption technology |
| 32 |
> outside the US above a certain grade. Forget about import restrictions |
| 33 |
> on the user's side, unless you have explicit permission from the |
| 34 |
> government, you cannot even offer encryption technology (binaries or |
| 35 |
> source code) above a certain grade outside the US. |
| 36 |
|
| 37 |
Not true. I'm working on a letter to the BXA right now. I called them |
| 38 |
up, we can distribute source and binaries as long as their is sourcecode |
| 39 |
to go along with them. We cannot export to the 'bad' country list |
| 40 |
knowingly. |
| 41 |
|
| 42 |
The export laws were relaxed on opensource software. |
| 43 |
|
| 44 |
> |
| 45 |
> As I said, as long as we don't mirror the stuff, we don't have to worry |
| 46 |
> about export restrictions -- all we're exporting is something saying 'we |
| 47 |
> got it from here, and if it works for you, great! heres how to build |
| 48 |
> it', but thats not illegal (its covered under the first amendment). |
| 49 |
> |
| 50 |
|
| 51 |
we currently export sourcecode and binaries... The ebuilds are not the |
| 52 |
issue. |
| 53 |
|
| 54 |
> As for the ISO's, if you have a high and low encryption ISO, then you |
| 55 |
> will have to make some reasonable measure to ensure the person |
| 56 |
> downloading the high encryption ISO is in the united states. Keeping in |
| 57 |
> mind, this does not apply to all packages -- some packages (eg. mozilla) |
| 58 |
> have permission to be distributed internationally by whomever. |
| 59 |
|
| 60 |
Read the unrestricted export license on the BXA website. The export |
| 61 |
license only covers open licensed applications and source. The BXA |
| 62 |
names it TSU. http://www.bxa.doc.gov/Encryption/guidance.htm |
| 63 |
|
| 64 |
> I would go with your suggestion of removing anything thats export |
| 65 |
> controlled from the ISO, and letting the user emerge it. |
| 66 |
|
| 67 |
Agreed. |
| 68 |
|
| 69 |
> > [Note: I am not a lawyer, and this should not be considered legal |
| 70 |
> > advice.] |
| 71 |
> Nor am I, but my company has had to deal with encryption export laws |
| 72 |
> before, and I myself write something with encryption technology in it. |
| 73 |
> |
| 74 |
|
| 75 |
As do I here. |
| 76 |
|
| 77 |
-Ryan |
Archives