Sameer Parekh wrote:
> > > b) I would like the OpenSSL project to require that all contributors
> > > warrant that the code they are contributing does not violate export
> > > controls.
> >
> > So long as _I_ don't have to collect these warranties, I can't see why
> > this should be a problem. I do wonder what the value of a warranty from
> > an anonymous contributor is, though.
>
> That's another question. Should we accept anonymous
> contributions? I think that accepting anonymous contributions opens up
> a can of worms, but I am hesitant to restrict that.

Quite. It seems to me that restricting that is restricting people's
right to free speech. So long as we still get the warranty, well, the
question of who signed it is not one that concerns me. This also applies
to nyms, of course.

> > > c) Due to 'scienter' requirements, if the OpenSSL project knowingly
> > > accepted a contribution from a US person, even if that person
> > > warranted that the code was free of export restrictions, OpenSSL would
> > > be tainted, and multinationals would not be allowed to use the code.
> >
> > What are "scienter" requirements?
>
> Scienter is legal-speak for knowledge... If a multinational
> distributes export-restricted US-source products internationally with
> full knowledge that the product was restricted, then they are
> hosed. However, if to the best of their knowledge, after having
> engaged in a good faith due diligence effort to determine the source
> of the product, they determine that it is not of US origin, then they
> are clear.

OK. Is this explicitly stated somewhere, or is it an interpretation of
regs? Has it been tested in court?

> > Here we have a serious departure - why do I have to enforce US law? I
> > really don't see why that is my problem. I also don't see how I can
> > realistically do this - how do I know the nationality of each
> > contributor? The way I see it, this is something US people have to do
> > voluntarily - I can't enforce it. If a US person really wanted to
> > contribute source they could easily fool me into accepting it.
> >
> > Cheers,
>
> You don't need to worry about someone fooling you. If a US
> person contributes code and manages to fool everyone into thinking
> that they are a foreign person, then it shouldn't be a
> problem. However, if we at some point find out that this person was in
> fact a US person, we'd have to back out all of that person's
> contributions.

I see where you are coming from. I still don't want to get involved in
finding ways to _prevent_ export - that's just a distraction of
expertise, and a futile task, but I'm more than happy to have people
warrant that they haven't done anything they shouldn't have, though I
don't promise I'm going to police that particularly vigorously - I
certainly won't get in the way of anyone who wants to.

I suspect that there are people around who are going to disagree on what
can and can't be exported, though, and I really am not at all sure how
we can judge who is correct. For starters, we already see one camp that
says "any source in OpenSSL is unexportable", and another that says
"non-crypto sources (e.g. ASN.1) are exportable". I have a feeling
someone has also said that docco is unexportable except in printed form
(which, of course, patches are, too, aren't they? Perhaps we should just
find volunteers willing to transcribe faxed patches?).

Anyone got any suggestions as to how we resolve this?

Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]