Re: [Pharo-dev] [Pharo-users] About strange email related to smalltalkhub read-only on squeak-dev

2020-06-03 Thread Norbert Hartl
Stef,

that is a second problem. The main problem to me is solving the crypto stuff 
once and for all. And then I would like to know why people like Ron say things 
like this.

But yes, shouldn't go without explanation/reaction!

Norbert


> On 03.06.2020 at 00:13, Stéphane Ducasse wrote:
> 
> What I do not like is that people say " group but they keep kicking me out of 
> their mailing list ” when this is absolutely not true!
> 
> We can discuss and can argue even violently but we do not lie. 
> 
> S. 
> 
> 
> 
>> On 31 May 2020, at 19:38, Bruce O'Neel wrote:
>> 
>> 
>> Hi,
>> 
>> So addressing only the crypto software issue and with the caveat that I am 
>> also not a lawyer but I have had to deal with certain aspects of this in the 
>> past
>> 
>> Crypto software is one of those bizarre dual use items in terms of arms 
>> imports and exports.  While we as geeks just think of this as software or 
>> mathematics and might be confused as to why governments care, governments do 
>> care deeply about this.  And their way of expressing how much they care 
>> about this issue is by passing laws and prosecuting folks.
>> 
>> One of the easiest ways to get in trouble is for one to make the software 
>> available to residents and/or citizens of certain countries as well as 
>> available to people on a long list kept by different governments.  We can 
>> have a long debate about the morality of this concept but those who make the 
>> laws have decided that is the law.  And often these laws are crafted such 
>> that the executive can change important details on short notice and that 
>> puts the risk of prosecution at the whims of different world leaders.  
>> 
>> The license that the software is released under is not important.   
>> 
>> What Ron is stating is that squeak source supplied some additional 
>> protections to prevent accidentally making the software available to folks 
>> who the US feels should not have access.
>> 
>> If you have moved the software to another hosting provider without the 
>> permission or knowledge of the author, and therefore the owner of the 
>> software, you have put that person at additional risk.  In addition you and 
>> the hosting provider are taking on additional risk.
>> 
>> If it was moved to GitHub I strongly recommend reviewing their policies on 
>> trade controls and what risks you assume.
>> 
>> https://help.github.com/en/github/site-policy/github-and-trade-controls 
>> 
>> 
>> Finally I would strongly recommend talking to a competent legal advisor who 
>> is deeply familiar with the details of these laws.  They are complex and 
>> highly variable between different parts of the world.
>> 
>> I know this seems like a lot of trouble and wasted time but you can spend a 
>> giant amount of time and money defending oneself from arms trafficking 
>> charges.
>> 
>> cheers
>> 
>> bruce
>> 
>> 30 May 2020 14:43 Stéphane Ducasse wrote:
>> Hi all
>> 
>> This is the week-end and we worked super well yesterday during the sprint. 
>> Lot of good enhancements - Thanks a lot to all the participants. 
>> I am not really happy to be forced to do it on a sunny Saturday but I’m doing 
>> it to clarify points.
>> 
>> Esteban sent me this text that was posted on Squeak-Dev (I personally do not 
>> read squeak related forums because 
>> I have not the time and my focus is Pharo, its consortium, my team, my 
>> research and my family). 
>> 
>> We have to react because 
>> - We do not really at *all* understand this email
>> - We did not kick anybody from our mailing-list for ages - so Ron is 
>> lying. In the past we even had discussion with Ron - so we do not 
>> really understand. Maybe we got a problem to log on our mailing-lists. 
>> We have no idea because we are working and not looking at such things.   
>> - When we migrated smalltalkhub to readonly we paid attention to make sure 
>> that private projects stay private.
>> We did not migrate smalltalkhub for fun. We MUST do it or it will be done 
>> by our infrastructure!
>> - Now the cryptography packages are MIT and they are public anyway. So again 
>> we do not understand anything. 
>> 
>> We do not get why Ron contacted us because we announced the migration 
>> publicly way in advance and we will keep 
>> the Smalltalkhub frozen repo for at least next 5 years. 
>> 
>> I feel really sorry to hear such kind of email because we do not want to 
>> fight with anybody. 
>> Our goal is to make sure that people can work with Pharo and expand their 
>> business and knowledge. 
>> We are working hard to make sure that people can invent their future with 
>> Pharo and people that know us personally 
>> know that we are not lying.
>> 
>> S
>> 
>> 
>> 
>>> Hi all,
>>> 
>>> I've tried to work with the Pharo group but they keep kicking me out of 
>>> their mailing list.  I've already 

Re: [Pharo-dev] [Pharo-users] About strange email related to smalltalkhub read-only on squeak-dev

2020-06-02 Thread Stéphane Ducasse
What I do not like is that people say " group but they keep kicking me out of 
their mailing list ” when this is absolutely not true!

We can discuss and can argue even violently but we do not lie. 

S. 



> On 31 May 2020, at 19:38, Bruce O'Neel wrote:
> 
> 
> Hi,
> 
> So addressing only the crypto software issue and with the caveat that I am 
> also not a lawyer but I have had to deal with certain aspects of this in the 
> past
> 
> Crypto software is one of those bizarre dual use items in terms of arms 
> imports and exports.  While we as geeks just think of this as software or 
> mathematics and might be confused as to why governments care, governments do 
> care deeply about this.  And their way of expressing how much they care about 
> this issue is by passing laws and prosecuting folks.
> 
> One of the easiest ways to get in trouble is for one to make the software 
> available to residents and/or citizens of certain countries as well as 
> available to people on a long list kept by different governments.  We can 
> have a long debate about the morality of this concept but those who make the 
> laws have decided that is the law.  And often these laws are crafted such 
> that the executive can change important details on short notice and that puts 
> the risk of prosecution at the whims of different world leaders.  
> 
> The license that the software is released under is not important.   
> 
> What Ron is stating is that squeak source supplied some additional 
> protections to prevent accidentally making the software available to folks 
> who the US feels should not have access.
> 
> If you have moved the software to another hosting provider without the 
> permission or knowledge of the author, and therefore the owner of the 
> software, you have put that person at additional risk.  In addition you and 
> the hosting provider are taking on additional risk.
> 
> If it was moved to GitHub I strongly recommend reviewing their policies on 
> trade controls and what risks you assume.
> 
> https://help.github.com/en/github/site-policy/github-and-trade-controls 
> 
> 
> Finally I would strongly recommend talking to a competent legal advisor who 
> is deeply familiar with the details of these laws.  They are complex and 
> highly variable between different parts of the world.
> 
> I know this seems like a lot of trouble and wasted time but you can spend a 
> giant amount of time and money defending oneself from arms trafficking 
> charges.
> 
> cheers
> 
> bruce
> 
> 30 May 2020 14:43 Stéphane Ducasse wrote:
> Hi all
> 
> This is the week-end and we worked super well yesterday during the sprint. 
> Lot of good enhancements - Thanks a lot to all the participants. 
> I am not really happy to be forced to do it on a sunny Saturday but I’m doing it 
> to clarify points.
> 
> Esteban sent me this text that was posted on Squeak-Dev (I personally do not 
> read squeak related forums because 
> I have not the time and my focus is Pharo, its consortium, my team, my 
> research and my family). 
> 
> We have to react because 
> - We do not really at *all* understand this email
> - We did not kick anybody from our mailing-list for ages - so Ron is 
> lying. In the past we even had discussion with Ron - so we do not 
> really understand. Maybe we got a problem to log on our mailing-lists. 
> We have no idea because we are working and not looking at such things.   
> - When we migrated smalltalkhub to readonly we paid attention to make sure 
> that private projects stay private.
> We did not migrate smalltalkhub for fun. We MUST do it or it will be done by 
> our infrastructure!
> - Now the cryptography packages are MIT and they are public anyway. So again 
> we do not understand anything. 
> 
> We do not get why Ron contacted us because we announced the migration 
> publicly way in advance and we will keep 
> the Smalltalkhub frozen repo for at least next 5 years. 
> 
> I feel really sorry to hear such kind of email because we do not want to 
> fight with anybody. 
> Our goal is to make sure that people can work with Pharo and expand their 
> business and knowledge. 
> We are working hard to make sure that people can invent their future with 
> Pharo and people that know us personally 
> know that we are not lying.
> 
> S
> 
> 
> 
>> Hi all,
>> 
>> I've tried to work with the Pharo group but they keep kicking me out of 
>> their mailing list.  I've already mentioned this a number of times to the 
>> Pharo group but nobody seems to care.  
>> 
>> BOLD BOLD BOLD PLEASE TAKE THIS SERIOUSLY  BOLD BOLD BOLD
>> 
>> I am not a lawyer but we used very good lawyers to make the squeaksource 
>> repository a safe place to do cryptography work.  If you are working on 
>> cryptography DO NOT POST your code anywhere except squeaksource.  Especially 
>> if you are in the USA.  The ONLY repository that is approved to host our 
>> cryptography code in the 

Re: [Pharo-dev] [Pharo-users] About strange email related to smalltalkhub read-only on squeak-dev

2020-06-01 Thread Esteban Lorenzano
Yes, also the project is MIT so… anyone has the right to take it and use 
it/modify it/etc. with the only constraint of mentioning all the contributors.

But anyway, for me the most important question is: How far are we from providing 
good FFI bindings to a security library (like openssl or/and others) that will 
allow us to escape this situation? I really prefer not to have a hard to 
maintain solution that will also annoy the original authors who put their code in 
MIT but didn’t realise the implications of it.

Esteban

> On 1 Jun 2020, at 08:59, Sven Van Caekenberghe wrote:
> 
> 
> 
>> On 1 Jun 2020, at 06:39, Jerry Kott wrote:
>> 
>> If you read the text of the EAR and take into account all other facts, I 
>> think that the notion that anyone should get into trouble by copying open 
>> source Smalltalk crypto libraries to other repositories is just a pure FUD. 
>> This software is open source, it is publicly available including the source 
>> code, it is hosted on a domain that is controlled by a non-US entity, and 
>> it’s easily accessible in its current form from countries that are currently 
>> on the US ‘verboten’ list.
> 
> Indeed.
> 
> 





Re: [Pharo-dev] [Pharo-users] About strange email related to smalltalkhub read-only on squeak-dev

2020-06-01 Thread Sven Van Caekenberghe



> On 1 Jun 2020, at 06:39, Jerry Kott wrote:
> 
> If you read the text of the EAR and take into account all other facts, I 
> think that the notion that anyone should get into trouble by copying open 
> source Smalltalk crypto libraries to other repositories is just a pure FUD. 
> This software is open source, it is publicly available including the source 
> code, it is hosted on a domain that is controlled by a non-US entity, and 
> it’s easily accessible in its current form from countries that are currently 
> on the US ‘verboten’ list.

Indeed.




Re: [Pharo-dev] [Pharo-users] About strange email related to smalltalkhub read-only on squeak-dev

2020-05-31 Thread Richard Sargent
Thanks, Bruce. The part about (the possibility that) squeak source is
configured to restrict distribution was the missing piece for me. I had
previously assumed (hah!) that it would be available to anyone anywhere.


On Sun, May 31, 2020, 10:39 Bruce O'Neel wrote:

>
> Hi,
>
> So addressing only the crypto software issue and with the caveat that I am
> also not a lawyer but I have had to deal with certain aspects of this in
> the past
>
> Crypto software is one of those bizarre dual use items in terms of arms
> imports and exports.  While we as geeks just think of this as software or
> mathematics and might be confused as to why governments care, governments
> do care deeply about this.  And their way of expressing how much they care
> about this issue is by passing laws and prosecuting folks.
>
> One of the easiest ways to get in trouble is for one to make the software
> available to residents and/or citizens of certain countries as well as
> available to people on a long list kept by different governments.  We can
> have a long debate about the morality of this concept but those who make
> the laws have decided that is the law.  And often these laws are crafted
> such that the executive can change important details on short notice and
> that puts the risk of prosecution at the whims of different world leaders.
>
> The license that the software is released under is not important.
>
> What Ron is stating is that squeak source supplied some additional
> protections to prevent accidentally making the software available to folks
> who the US feels should not have access.
>
> If you have moved the software to another hosting provider without the
> permission or knowledge of the author, and therefore the owner of the
> software, you have put that person at additional risk.  In addition you and
> the hosting provider are taking on additional risk.
>
> If it was moved to GitHub I strongly recommend reviewing their policies on
> trade controls and what risks you assume.
>
> https://help.github.com/en/github/site-policy/github-and-trade-controls
>
>
> Finally I would strongly recommend talking to a competent legal advisor
> who is deeply familiar with the details of these laws.  They are complex
> and highly variable between different parts of the world.
>
> I know this seems like a lot of trouble and wasted time but you can spend
> a giant amount of time and money defending oneself from arms trafficking
> charges.
>
> cheers
>
> bruce
>
> *30 May 2020 14:43 Stéphane Ducasse wrote:*
>
> Hi all
>
> This is the week-end and we worked super well yesterday during the sprint.
> Lot of good enhancements - Thanks a lot to all the participants.
> I am not really happy to be forced to do it on a sunny Saturday but I’m doing
> it to clarify points.
>
> Esteban sent me this text that was posted on Squeak-Dev (I personally do
> not read squeak related forums because
> I have not the time and my focus is Pharo, its consortium, my team, my
> research and my family).
>
> We have to react because
> - We do not really at *all* understand this email
> - We did not kick anybody from our mailing-list for ages - so Ron is
> lying. In the past we even had discussion with Ron - so we do not
> really understand. Maybe we got a problem to log on our mailing-lists.
> We have no idea because we are working and not looking at such things.
> - When we migrated smalltalkhub to readonly we paid attention to make
> sure that private projects stay private.
> We did not migrate smalltalkhub for fun. We MUST do it or it will be done
> by our infrastructure!
> - Now the cryptography packages are MIT and they are public anyway. So
> again we do not understand anything.
>
> We do not get why Ron contacted us because we announced the migration
> publicly way in advance and we will keep
> the Smalltalkhub frozen repo for at least next 5 years.
>
> I feel really sorry to hear such kind of email because we do not want to
> fight with anybody.
> Our goal is to make sure that people can work with Pharo and expand their
> business and knowledge.
> We are working hard to make sure that people can invent their future with
> Pharo and people that know us personally
> know that we are not lying.
>
> S
>
>
>
> Hi all,
>
> I've tried to work with the Pharo group but they keep kicking me out of
> their mailing list.  I've already mentioned this a number of times to the
> Pharo group but nobody seems to care.
>
> BOLD BOLD BOLD PLEASE TAKE THIS SERIOUSLY  BOLD BOLD BOLD
>
> I am not a lawyer but we used very good lawyers to make the squeaksource
> repository a safe place to do cryptography work.  If you are working on
> cryptography DO NOT POST your code anywhere except squeaksource.
> Especially if you are in the USA.  The ONLY repository that is approved to
> host our cryptography code in the USA and therefore not subject to criminal
> violations is squeaksource.  It is a CRIME in the USA to move code and make
> it available on the internet for