So, I'm wondering how effective a liability shield it is for a US-based
corporation to export such content via non-US-based distributors. It
seems odd that this would work legally, but that SPI/Debian did it for
so long sparks my interest; maybe there is a path through.
I have no idea what the Debian story is, but that is not an option for
a number of reasons. Here's the biggest reason, the same U.S.
government entity that controls our exports also controls reexport
from any other country of goods that were previously exported from the
U.S.
I've been reading http://www.debian.org/legal/cryptoinmain and it looks
like they shifted the liability to their developers personally, who
exported-by-proxy.
And this is why an unexported httpd win32 binary has sat in my home on our
US server, undistributed, for about four years ;-) At the ASF this is not
an acceptable conclusion; the ASF exists to help developers innovate, and
that includes making some legal assessments, issuing policy and then standing
behind that policy.
Bill
