On Wed, 2002-04-17 at 19:06, Preston A. Elder wrote:
> On Wed, 2002-04-17 at 21:50, Ryan Phillips wrote:
> > Gentoo provides ebuilds, source archives, and binaries for openssl,
> > gpg, and many other high-encryption packages off of its own website and
> Binaries and source could be a problem, however ebuilds are irrelevant
> -- they contain no cryptographical information in and of themselves, and
> do not enable anyone to encrypt anything with high-encryption.

This is true. Binaries and source code are the problem. We currently
mirror openssl/openssh/gpg all on ibiblio which is located in the US.

>
> > PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
> > SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
> > TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS
> > OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-
> > DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR

> even your disclaimer doesn't mention ebuilds -- ebuilds aren't considered
> 'technical details'.

See above.

> > Onto the subject of binary CDs. There should probably be two sets of
> > binary CDs: one with high encryption, and one with export grade. To
> > download the high encryption ISO, the website could ask the user if they
> > agreed to the export license, or under FTP the license could be stored
> > as a .message. A simpler solution is to take out openssl/openssh
> > altogether, since they are relatively small downloads.
> Keeping in mind, that no matter what license you make people agree to,
> in some cases, it's simply illegal to export encryption technology
> outside the US above a certain grade. Forget about import restrictions
> on the user's side, unless you have explicit permission from the
> government, you cannot even offer encryption technology (binaries or
> source code) above a certain grade outside the US.

Not true. I'm working on a letter to the BXA right now. I called them
up, we can distribute source and binaries as long as there is source code
to go along with them. We cannot export to the 'bad' country list
knowingly.

The export laws were relaxed on open source software.

>
> As I said, as long as we don't mirror the stuff, we don't have to worry
> about export restrictions -- all we're exporting is something saying 'we
> got it from here, and if it works for you, great! here's how to build
> it', but that's not illegal (it's covered under the first amendment).
>

We currently export source code and binaries... The ebuilds are not the
issue.

> As for the ISOs, if you have a high and low encryption ISO, then you
> will have to make some reasonable measure to ensure the person
> downloading the high encryption ISO is in the United States. Keeping in
> mind, this does not apply to all packages -- some packages (eg. mozilla)
> have permission to be distributed internationally by whomever.

Read the unrestricted export license on the BXA website. The export
license only covers open licensed applications and source. The BXA
names it TSU. http://www.bxa.doc.gov/Encryption/guidance.htm

> I would go with your suggestion of removing anything that's export
> controlled from the ISO, and letting the user emerge it.

Agreed.

> > [Note: I am not a lawyer, and this should not be considered legal
> > advice.]
> Nor am I, but my company has had to deal with encryption export laws
> before, and I myself write something with encryption technology in it.
>

As do I here.

-Ryan