> My problem with this is that it requires the OpenSSL project to be aware
> of export restrictions in other jurisdictions. If we really have to be
> aware, then so be it, but I'd be _much_ happier if we could only worry
> about our own. Can we not protect the codebase simply by asking that
> people don't pollute it? Further, can we not back out any contributions
> that turn out to be polluting?

        We can do both of these things.

> 
> > b) I would like the OpenSSL project to require that all contributors
> > warrant that the code they are contributing does not violate export
> > controls.
> 
> So long as _I_ don't have to collect these warranties, I can't see why
> this should be a problem. I do wonder what the value of a warranty from
> an anonymous contributor is, though.

        That's another question. Should we accept anonymous
contributions? I think that accepting anonymous contributions opens up
a can of worms, but I am hesitant to restrict that.

> 
> > c) Due to 'scienter' requirements, if the OpenSSL project knowingly
> > accepted a contribution from a US person, even if that person
> > warranted that the code was free of export restrictions, OpenSSL would
> > be tainted, and multinationals would not be allowed to use the code.
> 
> What are "scienter" requirements?

        Scienter is legal-speak for knowledge... If a multinational
distributes export-restricted US-source products internationally with
full knowledge that the product was restricted, then they are
hosed. However, if to the best of their knowledge, after having
engaged in a good faith due diligence effort to determine the source
of the product, they determine that it is not of US origin, then they
are clear.

> 
> Here we have a serious departure - why do I have to enforce US law? I
> really don't see why that is my problem. I also don't see how I can
> realistically do this - how do I know the nationality of each
> contributor? The way I see it, this is something US people have to do
> voluntarily - I can't enforce it. If a US person really wanted to
> contribute source they could easily fool me into accepting it.
> 
> Cheers,

        You don't need to worry about someone fooling you. If a US
person contributes code and manages to fool everyone into thinking
that they are a foreign person, then it shouldn't be a
problem. However, if we at some point find out that this person was in
fact a US person, we'd have to back out all of that person's
contributions.

-- 
[EMAIL PROTECTED]                   510 291 2283
The BPM Group                   http://www.bpm.ai/~sameer/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
