[MERGE] Support for Putty SSH implementation

John Arbash Meinel john at arbash-meinel.com
Thu Jan 18 17:45:46 GMT 2007



Lars Wirzenius wrote:
> On Thu, 2007-01-18 at 16:58 +0100, Wouter van Heyst wrote:
>> I very much doubt that. The Debian project has switched to including
>> crypto in main, while previously crypto was in a non-US section. If
>> Debian can, Python surely can.
> 
> The issue is not quite simple, though. See
> http://www.debian.org/legal/cryptoinmain for details.
> 

With a quick read through, this section stood out:


Open source refers to software that is available to the public without
restriction free of charge, under a GNU-style license agreement. Debian
would appear to fall into this category. The old regulations allowed the
export of open source to any end-user without a technical review,
provided that the person making the open source available filed a
contemporaneous notification with BXA and the National Security Agency
(“NSA”). However, the old regulations were silent with respect to
restrictions (if any) on the export of compiled executable software
derived from open source.

Under the new US Regulations, not only the open source, but also the
compiled executable software derived from open source, is eligible for
export under the same conditions as the open source itself, provided
that the compiled executable is available without restriction and free
of charge. Unfortunately, if you include the compiled executable
software into a product that you distribute for a fee, then the
resulting product is subject to all of the rules that apply to
commercial software programs. For example, they must be submitted to BXA
and NSA for a one-time technical review, described above.



So it sounds like if you bundle crypto, you always have to tell the BXA.
And if you charge anything for a product, and there is any crypto in it,
you have to submit it to the BXA and NSA for review.

Which sounds to me like if Python included crypto in the stdlib, then
anyone who writes a product on top of Python would have to inform the
BXA. And if you tried to charge a fee for it, then you would have to
submit it for review.

At least as close as I can tell, having python.org submit it for review
is not sufficient for something like 'paramiko' to not need to also
submit their code for review.

Though we have a few other workarounds. Like the fact that we distribute
.py files and not .pyc files. So even though they are executable in
their basic form, they are considered source, so we aren't distributing
a compiled executable...

John
=:->


