httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm MacCarthaigh <>
Subject Re: restructuring mod_ssl as an overlay
Date Wed, 07 Jun 2006 21:34:40 GMT
On Wed, Jun 07, 2006 at 02:03:33PM -0700, Roy T. Fielding wrote:
> The point is that they may want to download a web server which doesn't
> have that problem, and right now they are limited to 1.3.x.  I consider
> Web servers to be something we would want people in those countries
> to be able to download without concern.  Freedom of the press.

I'm in favour of everyone being able to download httpd :-)

> >If a person happens to live in a country which is on
> >the USA's banned list, there's nothing illegal (purely from their
> >perspective) about their act of download, US law does not apply to  
> >them.
> Right, but it does apply to us (and to Ireland as well, AFAIK) if we
> encourage people in those countries to download the web server but
> do not also provide a non-crypto alternative.
> >Surely the illegality is that the ASF exports the code to those
> >countries, and if anyone is answerable to those particular laws it is
> >any US-based exporter of the code. I just want to be clear about this
> >distinction, if it's correct.
> Mostly.  The banned countries are also banned by the EU (the
> anti-terrorism laws), so it isn't as simple as you might think.

It's not nearly so simple as that either. There's a complicated
intersection of national laws, the Wassenaar Arrangement and local
interprettation. Here in Ireland, we are extremely liberal on crypto
export due to lobbying by the local software and crypto industry.
Indeed, it's even a selling point at attracting some multinationals

Afaik, very few - if any - countries share the US list of designated
countries, Cuba being a near-universal counter-example. But that
hardly matters anyway :-)

>  1) retain the status quo, forbid distributing ssl binaries, and  
> include
>     in our documentation that people in banned countries are not  
> allowed
>     to download httpd 2.x.
>  2) split the distribution into plain and crypto parts and only have to
>     deal with the export controls within the crypto distribution.
>  3) delete mod_ssl from httpd
> Pick one.

I'm fine with number 2. But I'd prefer if we achieved it via modifying rather than creating a subproject or two and all
of the overhead that entails.

> The ASF is within US borders and is a US corp.  And, no, whatever it
> was that Debian was trying to do is not even remotely sufficient for
> the US because it just makes each developer the exporter.

Hmm, are they really that crazy?

Colm MacCárthaigh                        Public Key:

View raw message