Cryptographic Software in Debian's Main Archive

Cine writes: "James Troup and Sam Hartman recently sent a note to all debian mirror maintainers, to inform them about the current situation and future plans. Sometime after March 8th, crypto software like OpenSSH, SSL support, and many other enhancements will be integrated into the debian main archive. This is in accordance to legal advice the Debian project received."

Crypto

[Ashcrow]

Crypto helps aid in privacy, and privacy should be available to everyone no matter who they are or where they live.

Hope it works out

[Mr_Person]

The Debian team has been working on this for a long time. Hopefully it will make installations and upgrades quicker as the servers can now be on the same continent :-).

One thing that was interesting is that under section 740.13(e) of the US EAR, the software can be exported as long as the people that are exporting it file for export notification. Apparently one thing that they were worried about was whether or not the individual mirrors had to each file or if Debian could just file for the main archives and all the mirrors. According to their legal advice that should be okay. Let's just hope that they don't have any legal problems with it in the future.

This advice is bogus.

[Anonymous Coward]

According to the link, as soon as you sell the software you have to file various things.

This restricts people from selling debian.

Which makes life hard for CD distributors, and is in contradiction with the GPL.

Note: I do not sell debian( or any software ).

And to think...

[ghack]

...most projects are un-aware of the fact that open source is exempt. I suppose projects such as openbsd, based in other countries, still have the advantage though - defining when software is sold for a fee is difficult. is a fee only for media, or for a compilation, etc, still under this open source clause?

IP address based restrictions

[cabbey]

From the lawyer's response:

Simply posting cryptographic software on a server that may be accessible from an embargoed country does not constitute ``knowledge'' that the software has been exported there. Therefore, criminal liability would not apply to the act of posting. We recommend that you perform IP checking and deny downloads to known embargoed countries. This due diligence also would provide a defense to a claim of civil liability. If you find out that your software has been downloaded to a prohibited destination, then I recommend that you block future downloads to that specific site unless and until you obtain a license from BXA.

This is the second time I've seen this "recomendation" come out of a legal organization, in almost exactly the same wording no less. I've got to believe therefore that they are pulling it from some other source, such as an official regulation or other document.

Does anyone have such a list though? Can anyone provide a copy of it? Is it even technically possible to generate? In real time, or even close? I mean sure, it's technically trivial to implement this blocking, just a few iptables/ipchains commands, or some entries in the firewall's firmware... but I think getting that list to begin with is nearly impossible. How do you know where the other end of the phone line that is dialed into some modem bank on the other side of the net is?

In the last instance that I saw this (an external server at work) corporate legal was threatening to pull the plug if the admins didn't provide proof they were doing this. After much head scratching and searching the net my sugested response was that they would be happy to implement this just as soon as the legal department provided them with such a list.

I'm told they never heard back from legal on that topic.