* [gentoo-dev] Encryption Export
From: Ryan Phillips @ 2002-04-18 1:50 UTC
To: gentoo-dev
Hi guys,
I'm currently helping the Gentoo team work out some issues with export
controls on strong encryption software. Currently, Gentoo is being
developed mostly in the United States and downloaded all over the
world, hence this mail.
Gentoo provides ebuilds, source archives, and binaries for openssl,
gpg, and many other high-encryption packages off of its own website and
mirrors. I'm drafting a letter to the Bureau of Export Administration
right at the moment, but I need to propose a couple (very minor!)
changes to the portage system.
There should be a USE variable named 'agree-to-crypto' (the name
doesn't matter). The purpose is to verify that the user has read the export
license, in this case:
------------------
PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS
OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-
DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR
EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY
ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS
WHICH APPLY TO YOU. THE AUTHORS OF GENTOO ARE NOT LIABLE FOR ANY
VIOLATIONS YOU MAKE HERE. SO BE CAREFUL YOURSELF, IT IS YOUR
RESPONSIBILITY.
If you agree to this license and would like to enable high-grade
encryption, then place the variable 'agree-to-crypto' in your USE
variable in /etc/make.conf.
-----------------
Note: this is a possible license and could change.
If this variable is not set, then the ebuilds affected should resort to
building openssh/openssl/etc with export grade encryption.
In addition, I propose the RESTRICT variable for ebuilds. This would
stop source archives from being mirrored on the gentoo/ibiblio site and
its mirrors.
On to the subject of binary CDs. There should probably be two sets of
binary CDs: one with high encryption, and one with export grade. To
download the high encryption ISO, the website could ask the user if they
agree to the export license, or under FTP the license could be stored
as a .message. A simpler solution is to take out openssl/openssh
altogether, since they are relatively small downloads.
I believe this is a wise course of action.
Any comments? Additions? Subtractions?
Best regards,
Ryan Phillips
rphillips at gentoo.org
[Note: I am not a lawyer, and this should not be considered legal
advice.]
* Re: [gentoo-dev] Encryption Export
From: Preston A. Elder @ 2002-04-18 2:06 UTC
To: gentoo-dev
On Wed, 2002-04-17 at 21:50, Ryan Phillips wrote:
> Gentoo provides ebuilds, source archives, and binaries for openssl,
> gpg, and many other high-encryption packages off of its own website and
Binaries and source could be a problem; however, ebuilds are irrelevant
-- they contain no cryptographic information in and of themselves, and
do not enable anyone to encrypt anything with high encryption.
> PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
> SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
> TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS
> OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-
> DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR
> EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY
> ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS
> WHICH APPLY TO YOU. THE AUTHORS OF GENTOO ARE NOT LIABLE FOR ANY
> VIOLATIONS YOU MAKE HERE. SO BE CAREFULLY YOURSELF, IT IS YOUR
> RESPONSIBILITY.
Even your disclaimer doesn't mention ebuilds -- ebuilds aren't considered
'technical details'.
> In addition, I propose the RESTRICT variable for ebuilds. This would
> make source archives not be mirrored on the gentoo/ibiblio site, and
> its mirrors.
THIS is a very good idea, especially for things like openssl and the
proposed ebuild of cryptoapi. If it's not on our mirrors, it's not our
problem to enforce export controls.
> Onto the subject of binary CDs. There should probably be two sets of
> binary CDs: one with high encryption, and one with export grade. To
> download the high encryption ISO, the website could ask the user if they
> agreed to the export license, or under FTP the license could be stored
> as a .message. A simpler solution is to take out openssl/openssh
> altogether, since they are relatively small downloads.
Keep in mind that no matter what license you make people agree to,
in some cases it's simply illegal to export encryption technology
outside the US above a certain grade. Forget about import restrictions
on the user's side: unless you have explicit permission from the
government, you cannot even offer encryption technology (binaries or
source code) above a certain grade outside the US.
As I said, as long as we don't mirror the stuff, we don't have to worry
about export restrictions -- all we're exporting is something saying 'we
got it from here, and if it works for you, great! Here's how to build
it', but that's not illegal (it's covered under the First Amendment).
As for the ISOs, if you have a high and low encryption ISO, then you
will have to take some reasonable measure to ensure the person
downloading the high encryption ISO is in the United States. Keep in
mind that this does not apply to all packages -- some packages (e.g. mozilla)
have permission to be distributed internationally by whomever.
I would go with your suggestion of removing anything that's export
controlled from the ISO, and letting the user emerge it.
> Best regards,
> Ryan Phillips
> rphillips at gentoo.org
> [Note: I am not a lawyer, and this should not be considered legal
> advice.]
Nor am I, but my company has had to deal with encryption export laws
before, and I myself write something with encryption technology in it.
--
PreZ
Systems Administrator
GOTH.NET
Goth Code '98: tSKeba5qaSabsaaaGbaa75KAASWGuajmsvbieqcL4BaaLb3F4
nId5mefqmDjmmgm#haxthgzpj4GiysNkycSRGHabiabOkauNSW
GOTH.NET - http://www.goth.net
Free online resource for the gothic community.
* Re: [gentoo-dev] Encryption Export
From: Ryan Phillips @ 2002-04-18 3:18 UTC
To: gentoo-dev
On Wed, 2002-04-17 at 19:06, Preston A. Elder wrote:
> On Wed, 2002-04-17 at 21:50, Ryan Phillips wrote:
> > Gentoo provides ebuilds, source archives, and binaries for openssl,
> > gpg, and many other high-encryption packages off of its own website and
> Binaries and source could be a problem; however, ebuilds are irrelevant
> -- they contain no cryptographic information in and of themselves, and
> do not enable anyone to encrypt anything with high encryption.
This is true. Binaries and source code are the problem. We currently
mirror openssl/openssh/gpg all on ibiblio, which is located in the US.
>
> > PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
> > SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
> > TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS
> > OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-
> > DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR
> Even your disclaimer doesn't mention ebuilds -- ebuilds aren't considered
> 'technical details'.
See above.
> > Onto the subject of binary CDs. There should probably be two sets of
> > binary CDs: one with high encryption, and one with export grade. To
> > download the high encryption ISO, the website could ask the user if they
> > agreed to the export license, or under FTP the license could be stored
> > as a .message. A simpler solution is to take out openssl/openssh
> > altogether, since they are relatively small downloads.
> Keep in mind that no matter what license you make people agree to,
> in some cases it's simply illegal to export encryption technology
> outside the US above a certain grade. Forget about import restrictions
> on the user's side: unless you have explicit permission from the
> government, you cannot even offer encryption technology (binaries or
> source code) above a certain grade outside the US.
Not true. I'm working on a letter to the BXA right now. I called them
up; we can distribute source and binaries as long as there is source code
to go along with them. We cannot knowingly export to the 'bad' country
list.
The export laws were relaxed for open source software.
>
> As I said, as long as we don't mirror the stuff, we don't have to worry
> about export restrictions -- all we're exporting is something saying 'we
> got it from here, and if it works for you, great! Here's how to build
> it', but that's not illegal (it's covered under the First Amendment).
>
We currently export source code and binaries. The ebuilds are not the
issue.
> As for the ISOs, if you have a high and low encryption ISO, then you
> will have to take some reasonable measure to ensure the person
> downloading the high encryption ISO is in the United States. Keep in
> mind that this does not apply to all packages -- some packages (e.g. mozilla)
> have permission to be distributed internationally by whomever.
Read the unrestricted export license on the BXA website. The export
license only covers openly licensed applications and source. The BXA
names it TSU. http://www.bxa.doc.gov/Encryption/guidance.htm
> I would go with your suggestion of removing anything that's export
> controlled from the ISO, and letting the user emerge it.
Agreed.
> > [Note: I am not a lawyer, and this should not be considered legal
> > advice.]
> Nor am I, but my company has had to deal with encryption export laws
> before, and I myself write something with encryption technology in it.
>
As do I here.
-Ryan
* Re: [gentoo-dev] Encryption Export
From: Ryan Phillips @ 2002-04-18 3:38 UTC
To: gentoo-dev
I neglected to mention that source archives found in ebuilds are
automatically synced with ibiblio. That is the reason why ebuilds need
to be handled carefully at this stage. Once the changes are done to
portage, then we will have much more freedom.
-ryan
On Wed, 2002-04-17 at 20:18, Ryan Phillips wrote:
*snip*
* [gentoo-dev] Re: Encryption Export
From: Paul @ 2002-04-18 6:10 UTC
To: gentoo-dev
Ryan Phillips <ryan.phillips@csus.edu>, on Wed Apr 17, 2002 [08:38:50 PM] said:
> I neglected to mention that source archives found in ebuilds are
> automatically synced with ibiblio. That is the reason why ebuilds need
> to be handled carefully at this stage. Once the changes are done to
> portage, then we will have much more freedom.
>
> -ryan
>
Hi;
I assume you are familiar with the work of the Debian
people in this area, but it may be illuminating for others.
http://www.debian.org/legal/cryptoinmain
Paul
set@pobox.com
* RE: [gentoo-dev] Encryption Export
From: Todd Wright @ 2002-04-18 18:05 UTC
To: gentoo-dev
> On Wed, 2002-04-17 at 21:50, Ryan Phillips wrote:
> > Gentoo provides ebuilds, source archives, and binaries for openssl,
> > gpg, and many other high-encryption packages off of its own website and
> > PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
> > SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
> > TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS
> > OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-
Preston Elder wrote:
> Binaries and source could be a problem, however ebuilds are irrelevant
Prez,
I know you'll know this... Didn't the USA remove or relax the restrictions on software encryption exports last year, such that software was no longer considered a 'munition'? I was fairly sure they did; however, I don't recall the details. Is this still relevant?
-- _--_|\ --------- Todd Wright -- wylie@geekasylum.org --------
/ \
\_.--._* <--- http://www.dreams.darker.net/~wylie/
v Mobile: +61-403-796-001 Ph: +61-2-9521-8677
----------------------------------------------------------------
* RE: [gentoo-dev] Encryption Export
From: Todd Wright @ 2002-04-18 18:13 UTC
To: gentoo-dev
In my previous post I wrote:
> Prez,
>
> I know you'll know this... Didn't the USA remove or relax the
> restrictions on software encryption exports last year, such that
> software was no longer considered a 'munition'? I was fairly sure
> they did; however, I don't recall the details. Is this still relevant?
Uh, ignore me, I see that question has been answered already. Apologies, I'm short on time and not reading everything properly before posting. I was concerned that maybe people were remembering the old restrictions. It's a whole different ball game now, but still one to be mindful of.
-- _--_|\ --------- Todd Wright -- wylie@geekasylum.org --------
/ \
\_.--._* <--- http://www.dreams.darker.net/~wylie/
v Mobile: +61-403-796-001 Ph: +61-2-9521-8677
----------------------------------------------------------------