Hi all,

I would just like to know the current status of non-US within Debian. Now, since the US export regulations for cryptographic software have been weakened, we might be able to include cryptographic software in the main distribution, eliminating non-US completely (well, maybe not completely, there are still those software patents....). There are also rumors that the Linux kernel will start including cryptographic patches (such as the kerneli patch or the klips part of freeswan) very soon (shortly after opening the 2.5 branch is what I read somewhere), and OpenBSD is already including their crypto libraries in the standard distribution (as of version 2.8), so Debian might do the same.

This would make the work for many developers a lot easier, because double efforts (postfix / postfix-tls, zmailer / zmailer-ssl, apache / apache-ssl, curl / curl-ssl, fetchmail / fetchmail-ssl, ipopd / ipopd-ssl, uw-imapd / uw-imapd-ssl, telnet / telnet-ssl, telnetd / telnetd-ssl, unzip / unzip-crypt, .....) would not be needed anymore. Instead, Debian could be one of the first distributions shipping cryptographic software whenever possible (this could even be part of the policy sometime: apply crypto patches when they are available for the package, but I am just dreaming a bit :-) ), bringing it security-wise a big step closer to where OpenBSD is now. And yes, ssh would be included in every default Debian installation, helping the Internet to get a bit more secure.
There is one point to consider with this: in some countries it is not allowed to use strong cryptography (France, China and a few others as far as I know) under all conditions, and there are countries to which exports from the US are still restricted (Iran, Iraq, .....). We would have to deal with these special situations, but I think it is time to change.

At the moment, the default installation does not include any cryptographic code, which I consider to be very weak. In my opinion, every installation of Debian should include at least ssh instead of telnetd, and every server daemon (pop3, imap, smtp, ftp, http, ....) should include SSL support by default. Even when doing that, it will take some time for all the clients to get upgraded to use the crypto services, but it is definitely a step in the right direction.

This is no official proposal, because I do not have my Debian account yet (already DAM approved). Please comment on the current situation and whether you would like to change it. Maybe somebody with more knowledge about the US crypto regulations could also comment on the legal situation and what the requirements for Debian would be to ship cryptographic software (as far as I know, not much: just send a message that we ship the code and where the source is available).

I have to admit that I am a bit biased in this case, maintaining the freeswan and pptpd packages and always needing to patch postfix, apache, ppp, ... for myself for the Gibraltar firewall distribution. It would be nice to have it all in the default packages. But I would love to contribute some work on making Debian more secure.

best greets,
Rene