Re: WARNING: Crypto software to be included into main Debian distribution
Hi,

On Sat, Feb 23, 2002 at 06:10:04AM +0000, James Troup wrote:
> Hi,
>
> Debian has recently received legal advice explaining how we can
> include software with cryptographic functionality in our main archive.
> This document can be found at
> <http://www.debian.org/legal/cryptoinmain>.
[...]
> BXA regulations require that you not knowingly export to embargoed
> countries, as a show of good faith you may wish to consider
> implementing a reverse IP lookup that identifies the computer
> requesting the download, and that blocks downloads of the
> cryptographic archive to countries embargoed by the United States:
> Cuba (.cu), Iran (.ir), Iraq (.iq), Libya (.ly), North Korea (.kp),
> Syria (.sy), Sudan (.sd) and Taliban Occupied Afghanistan. In
> addition, you might consider having a separate screen prior to
> download, that advises the person downloading the software as follows:
>
> James Troup [with thanks to Sam Hartman for the text]

How far is the US law applicable outside the US at all? I guess the primary mirror sites within the US might be considered to be under that law, but I as a non-US citizen feel very unhappy being put under US laws by running a Debian mirror. Also there are large parts outside the US which are not afraid of communism and accept it being a different "lifestyle" and thus might completely disagree with not being allowed to export to e.g. Cuba or North Korea. This all comes down to a political issue which is forced on Debian mirror sites, which I feel very unhappy with.

BTW:

> country subject to embargo by the United States, and that you will
> not use the software directly or indirectly in the design,
> development, stockpiling or use of nuclear, chemical or biological
> weapons or missiles.

Compiled binary code that is given away free

THIS btw is against DFSG paragraph 6, which explicitly states "No Discrimination Against Fields of Endeavor".

I vote for keeping the current situation where we don't have any governmental force on us. In the end only code matters.

Flo
-- 
Florian Lohoff <[EMAIL PROTECTED]> +49-5201-669912
Nine nineth on september the 9th
Welcome to the new billenium
Re: WARNING: Crypto software to be included into main Debian distribution
Florian Lohoff <[EMAIL PROTECTED]> writes:

> [...]

What Florian (conveniently?) cut here is the part that said:

  "For mirrors outside the United States there should be no new legal
  issues not present for those already mirroring non-US (and
  accordingly the rest of the mail isn't relevant to you)."

> > BXA regulations require that you not knowingly export to embargoed
[...]
> How far is the US law applicable outside the US at all?

Please try reading all of the mail before responding next time?

-- 
James
Re: WARNING: Crypto software to be included into main Debian distribution
On Sat, Feb 23, 2002 at 07:02:19PM +0000, James Troup wrote:
> Florian Lohoff <[EMAIL PROTECTED]> writes:
>
> > [...]
>
> What Florian (conveniently?) cut here is the part that said:
>
>   "For mirrors outside the United States there should be no new
>   legal issues not present for those already mirroring non-US (and
>   accordingly the rest of the mail isn't relevant to you)."

Sorry - that is simply not true. As an effect of the laws, the fact that I knowingly export non-US to "T7" countries now has no effect. Germany has no laws on this. If we have the new crypto-in-main, my export might fall back on the original uploader of the package, as he/she/it is knowingly multi-step exporting packages to T7 countries.

How would we handle a mirror within Libya which is set up without our permission? It might be a multi-step mirror over some internal company mirror which we might not be able to block. How would we then protect Debian developers against being prosecuted?

I don't like the fact that I need to put limitations on my ftp/web server so that it is not reachable from those T7 countries. There might be some who decide to stop mirroring Debian instead of punishing certain parts of the world which came to the US government's mind in the ages of the cold war.

Flo
-- 
Florian Lohoff <[EMAIL PROTECTED]> +49-5201-669912
Re: WARNING: Crypto software to be included into main Debian distribution
On Sat, Feb 23, 2002 at 07:02:19PM +0000, James Troup wrote:
> What Florian (conveniently?) cut here is the part that said:
>
>   "For mirrors outside the United States there should be no new
>   legal issues not present for those already mirroring non-US (and
>   accordingly the rest of the mail isn't relevant to you)."

DPL got life sentence for Israeli hacker bringing CDs to Libya.

Flo
-- 
Florian Lohoff <[EMAIL PROTECTED]> +49-5201-669912
Re: WARNING: Crypto software to be included into main Debian distribution
Florian Lohoff <[EMAIL PROTECTED]> writes:

> Sorry - that is simply not true.

In your opinion. I wasn't aware you were a lawyer? In any event, this is a spectacularly bad time to be raising concerns; this was an open effort from the start, all developers were invited to participate. To ignore that and come in after-the-fact arguing against the legal advice we've received (from a real lawyer) is unhelpful at best.

> I don't like the fact that I need to put limitations on my ftp/web
> server so that it is not reachable from those T7 countries.

You _don't_ need to do so; I didn't say so in my mail, and much more to the point, our lawyer didn't say so. The fact that you seem to want to think you do, is both your invention and your problem.

-- 
James
Re: WARNING: Crypto software to be included into main Debian distribution
[CC trimmed.]

>>>>> "Florian" == Florian Lohoff <[EMAIL PROTECTED]> writes:

    Florian> Sorry - that is simply not true. As an effect of the
    Florian> laws, the fact that I knowingly export non-US to "T7"
    Florian> countries now has no effect. Germany has no laws on
    Florian> this. If we have the new crypto-in-main, my export might
    Florian> fall back on the original uploader of the package, as
    Florian> he/she/it is knowingly multi-step exporting packages to
    Florian> T7 countries.

Except of course that multi-step exporting is legal. Well, is likely to be legal in most cases. If I'm operating a US mirror, and you tell me that you're copying my mirror outside the US for the explicit purpose of making it available to T7, then I might care.

Instead, please tell me that you're happily setting up a mirror of my software outside the US, so anyone who wants it can get it. Then, by exporting to you, I'm not knowingly exporting to a T7 country; I'm knowingly exporting to someone outside the US who wants to make a copy of my software available. They are not bound by US laws; they may make the software available to a T7 country.

The question that would come up in a US court would be whether I as a mirror operator knew that your primary purpose (or one of the major purposes) in setting up the mirror was to export to a T7 country. Please don't set up a mirror with that explicit purpose; so long as there are mirrors outside the US that T7 countries can get to, we don't need special mirrors for the primary/major purpose of exporting to them.

I am not a lawyer; this is just my understanding after reading about these issues for months. I suggest that if you care you wade through the long document James pointed you at and it should become clear that even the US does not believe it can enforce US laws on non-US mirror operators exporting to people outside the US.
Re: WARNING: Crypto software to be included into main Debian distribution
On Sat, Feb 23, 2002 at 07:38:46PM +0000, James Troup wrote:
> > I don't like the fact that I need to put limitations on my ftp/web
> > server so that it is not reachable from those T7 countries.
>
> You _don't_ need to do so; I didn't say so in my mail, and much more
> to the point, our lawyer didn't say so. The fact that you seem to
> want to think you do, is both your invention and your problem.

Am I misreading?

  "D: If it is technically infeasible to block access from the T7
  countries to a web (or ftp, etc) server, does due diligence require
  extreme measures? Does the defacto standard of (US) industry
  common-practice meet due diligence?

  The de facto industry standard should suffice. I hope that the
  government will recognize that any system devised by man can be
  defeated, with enough effort."

The de facto industry standard is IMHO much higher than the also mentioned blocking of reverse-mapped IP address blocks by ccTLD. Just to mention the "Gigantic" firewall built for the government of China.

  "Please keep in mind that persons in the US who may post to sites
  outside the US are governed by US law, even if they do so in their
  individual capacity. Therefore, you may want to warn persons in the US
  that their posting to the current crypto server outside the US are still
  subject to US regulations."

From my reading this means: anyone, globally, not meeting the requirement of "the de facto industry standard" of blocking access to the T7 countries will be held responsible when entering the US, and/or the one actually putting the software in question into the archive will be held responsible as soon as there is knowledge of the multi-step export.

Flo
-- 
Florian Lohoff <[EMAIL PROTECTED]> +49-5201-669912
Re: WARNING: Crypto software to be included into main Debian distribution
On Sat, Feb 23, 2002 at 03:10:02PM -0500, Sam Hartman wrote:
> Except of course that multi-step exporting is legal. Well, is likely
> to be legal in most cases. If I'm operating a US mirror, and you tell
> me that you're copying my mirror outside the US for the explicit
> purpose of making it available to T7, then I might care.

It is legal as long as there is no knowledge of the export. But as soon as anyone sees a mirror in one of the T7 countries we all know of the export. How should we react? Can we track down the way of ANY Debian mirror world wide? Can we shut down or block any of those mirrors? If we can't (which I assume) the Debian archive itself will be immediately polluted and is no longer usable for any Debian developer, as anyone making uploads to it (with cryptography) will be held responsible for knowingly exporting it.

> I suggest that if you care you wade through the long document James
> pointed you at and it should become clear that even the US does not
> believe it can enforce US laws on non-US mirror operators exporting to
> people outside the US.

I know that there is only little chance of these laws really coming into court. But who knows. With the scenario I described above anyone with enough enthusiasm can make a DoS against large parts of the Debian workflow - not technically, but legally.

More interestingly, my initial point about DFSG paragraph 6 not being met with crypto in main has not been taken up yet. From my understanding we can't put crypto in main but in non-free - not by license but by export regulations.

  "Finally, you should be aware that a core set of US export controls
  apply to all exports of open source cryptographic software from the
  United States. In essence, these controls prohibit the export of open
  source cryptographic software under License Exception TSU to ... (3)
  design, development, stockpiling, production or use of nuclear,
  chemical or biological weapons or missiles."

Flo
-- 
Florian Lohoff <[EMAIL PROTECTED]> +49-5201-669912
Re: WARNING: Crypto software to be included into main Debian distribution
>>>>> "Florian" == Florian Lohoff <[EMAIL PROTECTED]> writes:

    Florian> On Sat, Feb 23, 2002 at 03:10:02PM -0500, Sam Hartman
    Florian> wrote:
    >> Except of course that multi-step exporting is legal. Well, is
    >> likely to be legal in most cases. If I'm operating a US
    >> mirror, and you tell me that you're copying my mirror outside
    >> the US for the explicit purpose of making it available to T7,
    >> then I might care.

    Florian> It is legal as long as there is no knowledge of the
    Florian> export.

That's not how I read the law. I think you're making assumptions that law works like software or that law is well designed. Both of these assumptions are false.

If you'll present rational and explicit arguments as to why you think multi-step export is illegal, with explicit references to appropriate paragraphs in the regulations or enabling legislation, then I'll be happy to respond as a matter of intellectual stimulation. But since I am not a lawyer and I do not believe you are a lawyer either, or if so, I seriously doubt you are licensed to practice law in the US, neither of us is qualified to significantly influence Debian's decisions in this matter.

If you believe that you may be breaking a law then you should seek legal advice yourself. If you believe that Debian may be breaking a law, and wish to donate the time of some US lawyer who supports your position, Debian would be foolish to ignore your donation.
Re: WARNING: Crypto software to be included into main Debian distribution
On Sun, Feb 24, 2002 at 12:08:59AM +0100, Florian Lohoff wrote:
> On Sat, Feb 23, 2002 at 07:38:46PM +0000, James Troup wrote:
> > > I don't like the fact that I need to put limitations on my ftp/web
> > > server so that it is not reachable from those T7 countries.
> >
> > You _don't_ need to do so; I didn't say so in my mail, and much more
> > to the point, our lawyer didn't say so. The fact that you seem to
> > want to think you do, is both your invention and your problem.
>
> Am I misreading?
>
>   "D: If it is technically infeasible to block access from the T7
>   countries to a web (or ftp, etc) server, does due diligence require
>   extreme measures? Does the defacto standard of (US) industry
>   common-practice meet due diligence?
>
>   The de facto industry standard should suffice. I hope that the
>   government will recognize that any system devised by man can be
>   defeated, with enough effort."
>
> The de facto industry standard is IMHO much higher than the also
> mentioned blocking of reverse-mapped IP address blocks by ccTLD.
> Just to mention the "Gigantic" firewall built for the government of China.
>
>   "Please keep in mind that persons in the US who may post to sites
>   outside the US are governed by US law, even if they do so in their
>   individual capacity. Therefore, you may want to warn persons in the US
>   that their posting to the current crypto server outside the US are still
>   subject to US regulations."
>
> From my reading this means: anyone, globally, not meeting the
> requirement of "the de facto industry standard" of blocking access
> to the T7 countries will be held responsible when entering the US,
> and/or the one actually putting the software in question into
> the archive will be held responsible as soon as there is knowledge
> of the multi-step export.

US export law concerns (as it should) the transport of items from within the borders of the United States to areas outside those borders. If you're engaged in export activities from another country to the T7, on what grounds would you expect to be prosecuted in the United States? And perhaps a more important question is, why do you believe moving crypto into main /increases/ this risk, if you already operate a non-US mirror that's open to the T7?

Export from the US to Europe, and export from Europe to the T7, are two separate acts. Unless there's something linking the two acts together -- such as intent on the part of the person exporting from the US -- I don't see any reason for this to be considered equivalent to an export from the US to the T7. If there was such a reason, you would already be at risk today, because there are non-US packages maintained by US developers. Even so, the much greater danger would be to the Americans involved, both for being easier for the Feds to get ahold of, and for playing a larger role in the actual export...

Steve Langasek
postmodern programmer