On Thu, Nov 18, 1999 at 02:00:34AM -0800, Brian Behlendorf wrote: > Just to make clear I'm understanding the situation; does mutt have > anything that could be interpreted as "hooks" to encryption, even if it > doesn't have crypto code as part of the package? Or are scripts & > instructions on how to add crypto to the base product provided separately > from a non-us package? If the former, unless something has changed, the > U.S. considers that a crypto product. If the latter, you're OK. That's > why vi/emacs/shells/kernels wouldn't be called crypto products, so long as > they have no direct hooks themselves to encryption routines. It will run pgp if you tell it to. It has the support for it if you choose to use it. But then arguably so does bash. > Of course, if the U.S. recently said that hooks to crypto is OK, then that > would be cool too. But this "hook" business is why we can't have SSL > directives & routines in the base Apache distrib, even if we told people > to bring over OpenSSL separately. If you think about prime numbers near the Mexican borders the US could try to say you're exporting crypto. We made the decision that a simple "run this seperate program and pipe output back to me" cannot reasonably be considered encryption hooks. If such is allowed to be considered encryption we must also conclude that bash contains encryption hooks (as it too will optionally run pgp and read its output) and so would any program which may run any arbitrary binary and pipe its output someplace useful. And frankly speaking for only myself as a citizen of the US and not as a developer here, the US government can shove their crypto regs someplace unpleasant---I refuse to comply with them on the grounds that they are an affront to the protections guaranteed me under the first, fourth, and fifth ammendments to the constitution and further do place myself and my personal property at great risk when conducting wire-based transactions. My personal feelings aside for a moment, I agree Debian has to be careful where it treads. I am an individual and can do whatever the hell I want to and my actions affect myself alone. Debian OTOH is not an individual and its actions affect a much larger group. That said, however, I still believe Debian's decision to include support for the use of cryptography in mutt found in Debian's main distribution is correct. The software provides configuration file options which allow you to run any arbitrary program through standard functions used for running any and every program on the system and captures the results. This does not constitute hooks for encryption, though it arguably would if mutt were somehow linked with some library which provided cryptography functions. If the US government wants to challenge that (I suspect they're smarter than to try) it would be simple to demonstrate that the PGP interface in mutt is NOT a crypto hook. And that's before you consider the rediculous nature of the restrictions, but we don't even have to go in to that to prove there are no crypto hooks in mutt that don't exist in bash or in most every program for most any operating system for that matter. -- - Joseph Carter GnuPG public key: 1024D/DCF9DAB3, 2048g/3F9C2A43 - knghtbrd@debian.org 20F6 2261 F185 7A3E 79FC 44F9 8FF7 D7A3 DCF9 DAB3 -------------------------------------------------------------------------- <Knghtbrd> xtifr - beware of james when he's off his medication =>
Attachment:
pgpfdt_w4a2iX.pgp
Description: PGP signature