Package: ssh
Export-Restricted: United States
Import-Restricted: Russia, France

ssh is a bad example, since it is non-free software everywhere in the world. It is restricted by its developers. Version 2 is even more restricted than version 1.

However, the general idea seems like a reasonable one, as long as we make the checking *optional*. We want to make it easy for people to avoid patented software; but we should not take this so far that we become patent enforcers!

Changes to apt and dpkg:
---------------

Respect the presence or absence of /etc/LEGAL. If a selected package is Import-Restricted, it won't download or install it unless /etc/LEGAL is missing.

I think that is going too far--it should ask the user what to do. If a person wants to risk using encryption in Russia, or feels that RSADSI is not likely to sue him for using RSA in the US, he or she should be able to say "go ahead".

I see a possible discrepancy (or else maybe I have misunderstood something) in these two statements:

Export-Restricted determines which mirrors will accept the package for redistribution.

Change to dupload and dinstall:
-------------------------------

If the maintainer of a package is in one of the Export-Restricted countries, refuses to upload the package.

No package should ever be maintained by someone in a country from which it can't be exported--that would be shooting ourselves in the foot. If this is properly checked when packages are accepted, then there should be no need to check the maintainer's country for upload.

So the Export-Restricted field that should be checked is the one on the server. The server should not accept a package which it cannot export.