[EMAIL PROTECTED] (Thomas Bushnell, BSG) wrote:
> Walter Landry <[EMAIL PROTECTED]> writes:
>
> > [EMAIL PROTECTED] (Thomas Bushnell, BSG) wrote:
> > > "You might consider" is a far cry from "you must". I don't think you
> > > understand how lawyers give recommendations.
> >
> > Are you suggesting that Debian not do those things? Is Debian going
> > to distribute crypto without doing reverse IP lookups and without the
> > use restrictions?
>
> The use restrictions are contrary to our own existing policies, so we
> can't take that recommendation.

These restrictions are in place whether or not we tell people about
them. As US residents, we are prohibited from exporting the software
to people who are using it for nuclear, biological, or chemical
warfare. Whether or not we put a notice on the website is immaterial.
To make it completely clear, I quote

    ...these controls prohibit the export of open source cryptographic
    software under License Exception TSU to (1) prohibited parties
    (listed at http://www.bxa.doc.gov/DPL/Default.shtm), (2) prohibited
    countries (currently Cuba, Iran, Iraq, Libya, North Korea, Sudan,
    Syria and Taliban Occupied Afghanistan) and (3) design,
    development, stockpiling, production or use of nuclear, chemical
    or biological weapons or missiles.

And to answer a question posed by Steve Langsek, yes, people can lie.
People have always been able to break licenses. Just because it is
difficult to police doesn't make it irrelevant. Debian still has to
make it a condition that people don't make nukes with the software.

> I would not object to the reverse IP lookups, but if it's any real
> hassle, we could drop that too.

What part of

    We recommend that you perform IP checking and deny downloads to
    known embargoed countries. This due diligence also would provide
    a defense to a claim of civil liability.

don't you understand?

> > What Debian does now is that it distributes all crypto stuff from
> > servers outside of the US. If Debian distributes from the US, then it
> > has to have a policy that official mirrors are not allowed in the T7.
> > That is a significant change. Some people will think that it is worth
> > it. Some will not.
>
> Right. At the moment we have an *absolute* policy against mirrors in
> the US--which hurts us in a jillion ways. We can easily replace that
> with something much looser, and simply not advertise or go out of our
> way to support any mirrors that might exist in T7 countries.

You obviously think it is worth it. I might even agree with you. Or I
might not. Certainly not everyone agrees with you. Florian, for
example.

As an additional point, Debian may still have to have a non-us archive
for the non-free programs. Granted, there aren't many things there
(fortify, pgp, rsaref, ssh-non-free, and speak-freely). I think
speak-freely will actually qualify under the export controls as free
software, since (I think) what makes it non-free is that it implements
IDEA. I don't know about the others, but I wouldn't object to just
dropping them from the archive. But then, I'm a radical ;)

Regards,
Walter Landry
[EMAIL PROTECTED]

