On Wed, 2002-04-17 at 19:06, Preston A. Elder wrote:
> On Wed, 2002-04-17 at 21:50, Ryan Phillips wrote:
> > Gentoo provides ebuilds, source archives, and binaries for openssl,
> > gpg, and many other high-encryption packages off of its own website and
> Binaries and source could be a problem, however ebuilds are irrelevant
> -- they contain no cryptographical information in and of themselves, and
> do not enable anyone to encrypt anything with high-encryption.

This is true. Binaries and source code are the problem. We currently
mirror openssl/openssh/gpg all on ibiblio, which is located in the US.

>
> > PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
> > SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
> > TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS
> > OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY,
> > RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR
> even your disclaimer doesn't mention ebuilds -- ebuilds aren't considered
> 'technical details'.

See above.

> > Onto the subject of binary CDs. There should probably be two sets of
> > binary CDs: one with high encryption, and one with export grade. To
> > download the high encryption ISO, the website could ask the user if they
> > agreed to the export license, or under FTP the license could be stored
> > as a .message. A simpler solution is to take out openssl/openssh
> > altogether, since they are relatively small downloads.
> Keeping in mind, that no matter what license you make people agree to,
> in some cases, it's simply illegal to export encryption technology
> outside the US above a certain grade. Forget about import restrictions
> on the user's side, unless you have explicit permission from the
> government, you cannot even offer encryption technology (binaries or
> source code) above a certain grade outside the US.

Not true. I'm working on a letter to the BXA right now. I called them
up; we can distribute source and binaries as long as there is source code
to go along with them. We cannot export to the 'bad' country list
knowingly. The export laws were relaxed on open source software.

>
> As I said, as long as we don't mirror the stuff, we don't have to worry
> about export restrictions -- all we're exporting is something saying 'we
> got it from here, and if it works for you, great! here's how to build
> it', but that's not illegal (it's covered under the first amendment).
>

We currently export source code and binaries... The ebuilds are not the
issue.

> As for the ISOs, if you have a high and low encryption ISO, then you
> will have to make some reasonable measure to ensure the person
> downloading the high encryption ISO is in the united states. Keeping in
> mind, this does not apply to all packages -- some packages (eg. mozilla)
> have permission to be distributed internationally by whomever.

Read the unrestricted export license on the BXA website. The export
license only covers open licensed applications and source. The BXA names
it TSU.

http://www.bxa.doc.gov/Encryption/guidance.htm

> I would go with your suggestion of removing anything that's export
> controlled from the ISO, and letting the user emerge it.

Agreed.

> > [Note: I am not a lawyer, and this should not be considered legal
> > advice.]
> Nor am I, but my company has had to deal with encryption export laws
> before, and I myself write something with encryption technology in it.
>

As do I here.

-Ryan