httpd-dev mailing list archives

From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: restructuring mod_ssl as an overlay
Date Fri, 09 Jun 2006 22:25:29 GMT
On Jun 9, 2006, at 3:56 AM, Colm MacCarthaigh wrote:

> On Fri, Jun 09, 2006 at 12:29:06PM +0200, Plüm, Rüdiger, VF EITO  
> wrote:
>>> -----Original Message-----
>>> From: Joe Orton [
>>>
>>> Would only committers count as "participating" in the project
>>> for this
>>> purpose, do you think?  Random people submitting patches would not?
>>
>> Stupid question: How can someone who is not allowed to download  
>> the sources
>> submit patches? :-).
>
> There is *nothing* preventing them from downloading and using our
> sources. That's a non-issue :-)

Right, the only issue is the ASF knowingly exporting to a known
person in the banned category.  For that reason, we may be better
off publishing all the disclaimers for every project and telling the
recipients to self-enforce.  We have no way of knowing where
people are geographically located or what their citizenship may be,
unless they insist on telling us.  Everything else is covered by
the TSU exception because our technical discussions are limited
to public lists.

    http://www.access.gpo.gov/bis/ear/txt/740.txt

In case anyone is wondering, yes we have talked to lawyers, several
times, and the result was partial -- we do qualify for the TSU
exception.  However, even the lawyers neglected to mention that
TSU section 740.13.e.2(ii) excludes

      (ii) Any knowing export or reexport to a
    country listed in Country Group E:1 in
    Supplement No. 1 to part 740 of the EAR.

and the "best practice" of publishing export guidelines on the
website to cover that paragraph is a relatively recent invention.

The only way to get a definitive ruling is to ask BIS for one
(the western regional office is in my town) prior to the first export.
The ASF has, instead, been operating according to the published
regulation in the EAR note

      Note to paragraph (e).  Posting encryption
    source code and corresponding object code on the
    Internet (e.g., FTP or World Wide Web site)
    where it may be downloaded by anyone neither
    establishes "knowledge" of a prohibited export or
    reexport for purposes of this paragraph, nor
    triggers any "red flags" necessitating the
    affirmative duty to inquire under the "Know Your
    Customer" guidance provided in Supplement No.
    3 to part 732 of the EAR.

being sufficient to represent guidance from BIS that what we have been
doing is allowed.

In addition, section 744.9 (Restrictions on technical assistance
by U.S. persons with respect to encryption items) applies
to those of us residing in, or citizens of, the U.S. and the presence
of the TSU exception to our work makes that okay as well [woohoo,
it also solves the issue of ASF folks speaking at conferences].

The Country Group E:1 can be found in

    http://www.access.gpo.gov/bis/ear/pdf/740spir.pdf

Today's list says Cuba, Iran, North Korea, Libya, Sudan, and Syria,
with Cuba, Iran, and Sudan being subject to a separate, comprehensive
embargo as well.

After reading through this again, I've decided to change my vote
from "undecided" to keeping the product as is and adding the export
notices to our site.  Otherwise, I wouldn't know what to do about
the comprehensive embargoes even if we split the project.

....Roy