Cryptographic Software in Debian's Main Archive

Cine writes: "James Troup and Sam Hartman recently sent a note to all debian mirror maintainers, to inform them about the current situation and future plans. Sometime after March 8th, crypto software like OpenSSH, SSL support, and many other enhancements will be integrated into the debian main archive. This is in accordance to legal advice the Debian project received."

[OT?] Debconf 2002 announced

[illusion_2K]

Perhaps this is a bit offtopic, but Debconf 2002 was also announced [debian.org] today. Will holding it in Canada make a difference crypto-wise? Probably not, but it should be a rockin' good time for participants anyway.

It's also been conveniently scheduled to coincide nicely with the Ottawa Linux Symposium [linuxsymposium.org]. Other than that, more info will be forthcoming within the next couple of weeks.

Re:IP address based restrictions

[Mr_Person]

Does anyone have such a list though? Can anyone provide a copy of it? Is it even technically possible to generate? In real time, or even close?

Well, the Debian announcement says this:

BXA regulations require that you not knowingly export to embargoed countries, as a show of good faith you may wish to consider implementing a reverse IP lookup that identifies the computer requesting the download, and that blocks downloads of the cryptographic archive to countries embargoed by the United States: Cuba (.cu), Iran (.ir), Iraq (.iq), Libya (.ly), North Korea (.kp), Syria (.sy), Sudan (.sd) and Taliban Occupied Afghanistan.

I know it's not an IP list, but it would be fairly simple to impliment - just block those TLD's. I suppose it would slow your server down some, having to reverse resolve every IP that connects to it. As far as updating the list, that shouldn't be too hard - all you have to do is have your lawyer give you a call every time a country is added or removed from the list (how often does that happen?) and just add their ccTLD to the block list. Or, just did a quick Google search and you can get a list from the U.S. Department of State [pmdtc.org].

Re:IP address based restrictions

[cabbey]

The list of contries is easy to get sure, but as you said: the reverse lookups (1) will kill your server and (2) will open you up to more DOS attacks . Just imagine a dns server that doesn't properly close connections, forcing them to time out, now imagine two or three of them configured into a delegation round robin... a few incoming requests and your machine grinds itself into dust trying to resolve the reverse IP... get enough of those and you'll tie up enough socket resources to choke the machine. Also a reverse DNS entry isn't a requirement, many networks don't provide them. Working from domain names just doesn't seem technically feasible... pulling netblocks from iana maybe more doable, but still isn't even close to 100% accurate.

Re:IP address based restrictions

[fferreres]

No reverse lookups needed. There are publicly available IP mappings databases. If the IP has been assigned to a banned country, then it IS in the list.

I suggest the debian maintainers should check at LEAST this site.

http://caida.org

If you want to testdrive the acuracy of the mappings, why not check if it works fine for your connection. Just inset your IP number and go!:

http://netgeo.caida.org/perl/netgeo.cgi?target=& me thod=getCountry&nonblocking=true";

This is just a bad idea.

[njdj]

For the Debian end user, getting stuff like OpenSSH has been very easy, contrary to what some posters have said. There is little or no benefit for most end users in this change; and a huge increase in trouble and inconvenience for some end users, who happen to be citizens or residents of a country like Cuba that the Bush regime doesn't currently like.

US crypto regulations are not only a nuisance, they're also volatile. "Things are getting better", we hear. Bullshit. Things are changing unpredictably. Few people (and certainly no software developers) have any idea what US policy will be next year.

The only sensible policy is to keep the crypto archive in a country that has never had export regulations for crypto software (there are many).

Re:no real effect

[Ray Dassen]

Unless I am missing something, this won't have any real effect on end users.

It will have benefits for end users, though probably not highly visible ones.

Cryptographic software packaged for Debian is available (and has been for a long time already) through non-us.debian.org [debian.org], but crypto-in-main will make further integration of crypto possible. A number of packages in main will get enhanced functionality once crypto is in main. E.g. CVS can start supporting Kerberos for authentication.

The functionality enhancements made possible by crypto-in-main are not limited to the direct benefits of crypto, as I can illustrate with the Gnumeric [debian.org] package. The Gnumeric spreadsheet can be built to be able to fetch data from databases using GDA [debian.org], the GNU Data Access library. Currently the Debian package is not built with GDA support. The reason for this is that Debian's GDA packages are on non-US (because their source package requires the PostgreSQL development package; PostgreSQL is on non-US as it is built with SSL support). Once we have crypto-in-main, I can build Gnumeric packages that have GDA support (probably in a separate plugin package).