On Fri, May 11, 2001 at 01:51:54AM -0400, Brian Ristuccia wrote: > > > > 1) I live in the US. Therefore, do I have to send a BXA notification to the > > government (I believe license exception TSU is applicable - correct me if > > I'm > > wrong)? > > You may. Since it's easy, you probablys hould.
Really? I am not doing any static linking with libssl, only dynamic, so I don't believe that I am including any crypto. This fact, which I realized after I sent my original message (otherwise I would have mentioned it), makes me still unsure whether a BXA notification is needed. Although I would like to know whether it is in fact required, if I am not persuaded that it is not, I will notify the BXA, because it's easy and it's a good idea to be safe, as you said. > > Also, do I have to do their thing that they mention on their website > > about sending a message to the ENC Classification Review Coordinator (or, > > something like that) in addition to [EMAIL PROTECTED], and if so, how do I > > do that? > > I think the email to [EMAIL PROTECTED] is sufficient. Thanks. > > Also, is a BXA notification form sufficient to export binary .debs > > linked with libssl? > > Yes. Thanks again. > > Would anyone be able to export them, including other US > > mirror sites, so long as I provide an export of the same stuff that I notify > > the BXA about? > > Probably. It's my theory that the software is no longer export restricted > once you make the BXA notification. Thus Debian's requirement that export > restricted software get uploaded to non-us doesn't apply. Indeed, this is > how Netscape with strong crypto got uploaded to non-free instead of > non-us/non-free. There's currently an inquiry going on that will determine > if Debian's policy can be updated to clearly reflect the new regulations. I would tend to agree, though of course IANAL; I am surprised Debian's policy hasn't been updated yet. > > > > 2) Do the binary .debs go in non-US? > > Yes. Policy currently requires it. OK, I understand that this is a quirk of Debian policy, and not US law. > > What about the Debian source files? > > Same. I guess this makes sense, since there would need to be a Build-Depends on libssl-dev. (Am I right about that?) > > If I > > make additional non-ssl .debs from the same source, would they be in > > non-US or not? > > Yes, but only if the source actually contains crypto. Source or binary, > policy currently requires export restricted software to be uploaded to > non-us. Well, I don't intend to redistribute libssl, in my source or binary .debs, just dynamically link to them at compile and then run time. So do the non-ssl .debs go in the non-US/main or main? > Good luck :) Thank you! I may also download the source of some package that comes in ssl and non-ssl flavors and see how they do it. Can you suggest one? I'm thinking of lynx, myself. - Jimmy Kaplowitz [EMAIL PROTECTED]
