Re: US government notification of new crypto package?

To: Paul Wise <pabs@debian.org>, debian-legal@lists.debian.org
Subject: Re: US government notification of new crypto package?
From: Steve Langasek <vorlon@debian.org>
Date: Sat, 25 Sep 2010 14:19:57 -0700
Message-id: <[🔎] 20100925211957.GA12927@virgil.dodds.net>
Mail-followup-to: Paul Wise <pabs@debian.org>, debian-legal@lists.debian.org
In-reply-to: <[🔎] 874odecbr6.fsf@gkar.ganneff.de> <[🔎] AANLkTikiQrfjXtCRrB9mQ12YcftFdrUjZ7Tb8TGx1J0w@mail.gmail.com>

On Sat, Sep 25, 2010 at 03:19:14PM +0800, Paul Wise wrote:
> On Sat, Sep 25, 2010 at 3:00 PM, Steve Langasek <vorlon@debian.org> wrote:

> > So long as the upload queue continues to reside in the US, this is true.
> > However, the current ftp team have made several proposals that seem to
> > disregard this aspect of the crypto-in-main solution; I would recommend that
> > any US-based developers who are concerned about compliance with US export
> > regs be watchful for future developments.

> Could you expand on that, which proposals are you referring to?

On Sat, Sep 25, 2010 at 01:18:21PM +0200, Joerg Jaspert wrote:
> >> > which seems to indicate I need to update the US Bureau of Export
> >> > Administration before uploading this package for the first time.
> >> > Is this still a requirement?
> >> IIRC the archive software (dak) does this automatically for every new
> >> package (or every upload, not sure) whether it contains arms^Wcrypto
> >> stuff or not so that Debian can basically ignore this problem until
> >> the requirements change.
> > So long as the upload queue continues to reside in the US, this is true.
> > However, the current ftp team have made several proposals that seem to
> > disregard this aspect of the crypto-in-main solution; I would recommend that
> > any US-based developers who are concerned about compliance with US export
> > regs be watchful for future developments.

> What the hell are you talking about?

So what I had in mind was actually not so much a "proposal" as the fact that
the ssh.upload.debian.org upload queue is now located in Canada.  That means
any US-based developer who uses this upload queue is engaged in software
export which is not covered by the Debian project's blanket notifications. 
At the time ssh.upload.debian.org was instituted, there does not appear to
have been any acknowledgement of this fact.

I also recall discussion around one of the ftp-master maintenance events of
moving ftp.upload.debian.org to UBC; but I don't find any references to
this, so this may just be my fallible memory speaking.

> And for the rest on this list: You don't need to care, the archive cares
> for you.

Well, if ssh.upload.debian.org is intended to be an example of the archive
caring for us, then my recommendation stands.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- Re: US government notification of new crypto package?
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Re: US government notification of new crypto package?
Next by Date: Newsletter de www.pears-gallery.com
Previous by thread: Re: US government notification of new crypto package?
Next by thread: Re: US government notification of new crypto package?
Index(es):
- Date
- Thread