We are here to make software free. We can make it free, or we can drive thorns into our flesh trying to change the minds of uncaring governments.
Our current situation with the non-US section of our distribution is akin to a form of fruitless martyrdom. Its painful to us, but doesn't really affect the policy of any governments involved. I would like to propose a solution that makes the distribution of export/import restricted software both painless to us, and as hard as possible to any collection of entitites to stamp out. And, for citizens who wish to respect the law of their country, I propose that the same measures will add simple, automatic facilities for keeping their systems "legal", configurable dynamically. The proposal calls for the folding of non-US into the other three distributions so it disappears without a trace, like the morning dew in the afternoon sun. The changes that would make this feasible follow: Changes to a packages control file: ---------------------------------- Two new fields are added to the control file, Import-Restricted and Export-Restricted. These fields take a comma delimited list of countries. For example, Package: ssh Export-Restricted: United States Import-Restricted: Russia, France Import-Restricted lists countries where its illegal to install the software. The user can do a `touch /etc/LEGAL` to make apt respect Import-Restricted. Someone might also want to write a "legalize" program to deinstall illegal software should the feds come a'knocking. `rm /etc/LEGAL` would allow full access again. Export-Restricted determines which mirrors will accept the package for redistribution. Changes to /etc --------------- We add a file called "country" which contains the name of the country the box is in. This lets the package software keep the system conformant to the laws for the particular country its in. It also will allow a maintainer to easily see if a configuration works for a particular country in conjunction with the "legalize" program. As mentioned before, there is the "LEGAL" file, which makes the package software respect the laws of the country its in if its present, and if absent, the software ignores the Import-Restricted field. Change to dupload and dinstall: ------------------------------- If the maintainer of a package is in one of the Export-Restricted countries, refuses upload the package. If the server specified is in one of the Import-Restricted countries, refuses to upload the package. A package may be uploaded to any of the "official" servers that allow it, by a maintainer, however the .dsc and .changes file will be uploaded to one central server (probably master.debian.org) automatically by the script, from which the Packages files will be generated and Mirrored. Dinstall will be modified to account for the fact that a package may be on another server, but the security implications of having an untrusted server are minimal, given we have md5sums and a rejected Package won't show up in the Packages file, thus being invisible, should a mirror maintainer decide to unilaterally move something from Incoming to its appropriate directory themselves. The mirroring software will be modified to check its current packages against the Packages list, and hunt down and download any package it is allowed to (which it is not Export or Import restricted from) that has changed. Thus, server foo in France will not download the ssh package, but if the maintainer of ssh always uploads to the Incoming on a canada.debian.org, all mirrors that are allowed to will hit every server in the master.list that might have the package until it finds the one (canada.debian.org) that has it. Changes to apt and dpkg: --------------- Respect the presence or absence of /etc/LEGAL. If a selected package is Import-Restricted, it won't download or install it unless /etc/LEGAL is missing. Packages files: are the same on every mirror, are NOT generated locally. If a package isn't found on one server, apt automatically hunts for it first, on servers in sources.list, then on servers in master.list /etc/apt/sources.list will now just be taken as hints: downloads and Packages updates will be attempted from the sites in the file, but failure of those servers is no longer fatal; downloads will be attempted from master.list /usr/share/apt/master.list will contain a list of all official debian mirrors in the same format as sources.list, with the exception that the name of the country the server is in will be prepended to each line. However, the meaning of the entries are slightly different; it is a "what I provide and where to find it" entry, as opposed to a "look here for this" entry. This: canada deb http://http.ca.debian.org/debian bo main is the entry for a Canadian server that just provides the main section of the bo release. This: france deb http://http.fr.debian.org/t/debian unstable main contrib non-free france deb http://http.fr.debian.org/gin/borsch stable main contrib non-free is the entries for a server that provides whatever is the main contrib and nonfree sections of the current unstable, and ditto for stable, but in different base directories. /usr/share/apt/aliases will contain the current mapping between stable, frozen, unstable, and their corresponding distributions (bo, hamm, potato...) It will have the format "frozen=foo stable=bar unstable=baz" Mirroring Software: ------------------- Im not sure what software is currently used for synchronizing mirrors, however, it will need to take the above policies into account. Hopefully our additions to the policy will make it so much easier to "stay legal" and avoid worries about legalities that the maintainers will wish to use such software. Conclusion: ----------- The benefits of this approach to our end users, and to the world in general are so munificent that nothing hitherto mentioned in public would mitigate against our adoption of the above as policy. As a humble maintainer, I would like to thank my fellow developers for their work on this distribution, and ask their honest opinions on what I've said. We have been changing the world for the better by providing quality software in our own quiet way. It is my hope that we can extend this tradition by eliminating the non-US section from our distribution. When a piece of software is declared illegal, it is one more chink in the mortar the binds our community together. By distributing this software on to every mirror possible, we strengthen ourselves as much as possible. The current situation with non-US limits the mirrors that carry software that is only illegal in a few countries. The proposed situation would maximize availability for everyone, and hopefully highlight the fruitlessness of current restrictions, without any of the current pain. Yours, Jonathan Walther
